I'm having trouble reading a rule. Specifically, where is a flowbits GROUP_NAME defined?
I was reviewing my Squert screens from Security Onion and noticed the following:
3618 ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 12
The SID for this is 2017936
The rule is:
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 12"; flow:to_server,established; flowbits:isset,ET.gh0stFmly; content:"|78 9c|"; depth:2; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&;ThreatID=-2147325231; reference:md5,3b1abb60bafbab204aeddf8acdf58ac9; classtype:trojan-activity; sid:2017936; rev:4;)
However, I cannot find the string "ET.gh0stFmly" with grep anywhere in /etc or in /nsm other than in downloaded.rules.
Further reviewing the 'flowbits' idea, I think my problem lies in a fairly basic misunderstanding of what 'flowbits' are.
Are flowbits 'created' on-the-fly for a given rule as it were? Or are they globally predefined somewhere? If so, where?
For example, given rule:
alert tcp any 143 -> any any (msg:"IMAP login"; content:"OK LOGIN"; flowbits:set,logged_in;)
is the flowbit 'logged_in' created and then set? Or is the flowbit 'logged_in' predefined and the flowbit snippet is just setting it? If 'logged_in' is predefined, then where is that done?
As a follow-up on the flowbits GROUP_NAME parameter, assuming that flowbits are dynamically created, is the GROUP_NAME a way of 'grouping' related flowbits? If so, can the same flowbit name be used in different GROUP_NAMEs?
So, back to my problem with SID: 2017936. In the flowbit snippet "flowbits:isset,ET.gh0stFmly", is the 'ET.gh0stFmly' the flowbit name? Or is it a GROUP_NAME?
I hope this is clear; if not, I'll be happy to clarify.
Thanks
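Added example, not part of the original post and not Snort's or Suricata's own code: a toy Python model of the flowbits semantics described in the Snort manual, written to make the questions above concrete. It shows that a flowbit name is never declared anywhere outside the rules that reference it (the engine learns names like ET.gh0stFmly purely from `set`/`isset` options), that bit state is kept per flow (an `isset` check in a different flow fails), that `noalert` lets a setter rule mark a flow silently, and what a GROUP_NAME does for `setx` (set one bit and clear the others in that group). The four rules, the flow tuples and the payload bytes are constructed for the demo; the "Gh0st" and `|78 9c|` content strings are stand-ins for the real rule's matching logic, not the ET signatures.

```python
"""Toy model of Snort flowbits: per-flow state, implicit bit creation, groups."""
from collections import defaultdict


def content_to_bytes(spec):
    """Turn a rule content string such as 'OK |4c 4f|GIN' into bytes.
    Segments between '|' are hex; everything else is literal text."""
    out = b""
    for i, part in enumerate(spec.split("|")):
        if i % 2 == 1:                      # odd segments sit between pipes: hex
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("latin-1")
    return out


def parse_rule(text):
    """Parse the option part of a rule into msg, sid, content list, flowbits ops.
    Each flowbits op is a (verb, bit_name, group_name) tuple; unused parts are None."""
    body = text[text.index("(") + 1:text.rindex(")")]
    rule = {"msg": "", "sid": None, "contents": [], "flowbits": []}
    for opt in filter(None, (o.strip() for o in body.split(";"))):
        key, _, val = opt.partition(":")
        if key == "msg":
            rule["msg"] = val.strip().strip('"')
        elif key == "sid":
            rule["sid"] = int(val)
        elif key == "content":
            rule["contents"].append(content_to_bytes(val.strip().strip('"')))
        elif key == "flowbits":
            parts = [p.strip() for p in val.split(",")]
            parts += [None] * (3 - len(parts))
            rule["flowbits"].append(tuple(parts[:3]))
    return rule


class FlowbitEngine:
    def __init__(self, rule_texts):
        self.rules = [parse_rule(r) for r in rule_texts]
        self.flows = defaultdict(set)          # flow key -> bits currently set
        self.group_members = defaultdict(set)  # GROUP_NAME -> bits ever assigned to it
        # Every bit name the engine knows comes from the rules themselves.
        self.seen_bits = {n for r in self.rules for _, n, _ in r["flowbits"] if n}

    @staticmethod
    def _conditions_hold(bits, rule):
        for op, name, _ in rule["flowbits"]:
            if op == "isset" and name not in bits:
                return False
            if op == "isnotset" and name in bits:
                return False
        return True

    def _apply(self, bits, rule):
        """Apply state-changing ops on a match; return True if the rule is noalert."""
        noalert = False
        for op, name, group in rule["flowbits"]:
            if op in ("set", "setx"):
                if group:
                    self.group_members[group].add(name)
                    if op == "setx":       # setx: clear every other bit in the group
                        bits -= self.group_members[group] - {name}
                bits.add(name)             # first 'set' creates the bit for this flow
            elif op == "unset":
                bits.discard(name)
            elif op == "toggle":
                bits ^= {name}
            elif op == "noalert":
                noalert = True
        return noalert

    def process(self, flow_key, payload):
        """Evaluate all rules against one packet; return the (sid, msg) alerts raised."""
        alerts = []
        bits = self.flows[flow_key]
        for rule in self.rules:
            if not all(c in payload for c in rule["contents"]):
                continue
            if not self._conditions_hold(bits, rule):
                continue
            if not self._apply(bits, rule):
                alerts.append((rule["sid"], rule["msg"]))
        return alerts


# Constructed rules: a silent setter, a checker gated on the bit, and a setx pair.
RULES = [
    'alert tcp any any -> any any (msg:"stage 1: family marker seen"; content:"Gh0st"; flowbits:set,ET.gh0stFmly; flowbits:noalert; sid:1000001;)',
    'alert tcp any any -> any any (msg:"stage 2: zlib header on marked flow"; flowbits:isset,ET.gh0stFmly; content:"|78 9c|"; sid:1000002;)',
    'alert tcp any any -> any any (msg:"phase A"; content:"PHASE-A"; flowbits:set,phase.a,demo.phases; flowbits:noalert; sid:1000003;)',
    'alert tcp any any -> any any (msg:"phase B"; content:"PHASE-B"; flowbits:setx,phase.b,demo.phases; flowbits:noalert; sid:1000004;)',
]


def run_demo():
    eng = FlowbitEngine(RULES)
    marked = ("10.0.0.5", 51000, "203.0.113.9", 443)    # constructed flow tuples
    unmarked = ("10.0.0.6", 51001, "203.0.113.9", 443)
    setter = eng.process(marked, b"Gh0st\x00\x00")       # sets the bit, no alert
    checker = eng.process(marked, b"\x78\x9c\x01\x02")   # isset holds: alert
    other = eng.process(unmarked, b"\x78\x9c\x01\x02")   # different flow: silent
    eng.process(marked, b"PHASE-A")
    eng.process(marked, b"PHASE-B")                      # setx clears phase.a
    return {"setter": setter, "checker": checker, "other_flow": other,
            "bits_marked": set(eng.flows[marked]), "known": eng.seen_bits}


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

The practical takeaway for the question: when `ET.gh0stFmly` appears only in downloaded.rules, that is expected, because the bit exists only as a name shared between the rule that sets it and the rules that test it; the thing to look for is the setter rule (`flowbits:set,ET.gh0stFmly`), which is usually a `noalert` rule matching the family's protocol header. In the `flowbits:isset,ET.gh0stFmly` snippet the name is the bit, not a group; the GROUP_NAME is an optional third argument and is a Snort feature (Suricata's flowbits keyword takes no group argument).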