If you’re a web developer, the foundation of your technology stack is the Web and the myriad of networking protocols it rides on: TCP, TLS, UDP, HTTP, and many others. Each of these protocols has its own performance characteristics and optimizations, and to build high performance applications you need to understand why the network behaves the way it does.
If you want to create Snort rules that check multiple packets of a TCP session, you need the flowbits option. It allows you to add „tags“ to a TCP stream. If another packet of that stream arrives, other rules can filter for those tags.
Snort Documentation http://manual.snort.org/node470.html:
It allows rules to track states during a transport protocol session.
Imagine you want to check site accesses in a specific folder on your webserver and would like to receive an alert if a site was not found (had 404 error).
So you need to check the HTTP request from the client to filter for the specific folder, and you need to check the server response to know the HTTP status code.
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"File Access"; pcre:"/GET \/specific_folder\/.*/i"; flowbits:set,specific_folder_access; flowbits:noalert; sid:100000;)
Here you define the first rule that checks the HTTP request. If the access goes into the specific_folder, the flowbit (tag) „specific_folder_access“ will be set. This tag allows us to identify packets that meet this criteria in the second rule. „flowbits:noalert;“ means that – although this rule fired – no alert will be triggered.
alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:"Site in specific_folder not found"; content:"404"; http_stat_code; flowbits:isset,specific_folder_access; sid:100001;)
In the second rule, we require the packet to be part of a TCP stream tagged with the flowbit „specific_folder_access“. If so, and if the status code is 404, an alert is triggered.
You can even set multiple tags and compose multiple rules to filter complex behavior. See manual.snort.org for more information.