[Snort-devel] "Closed" Ports

Simon Hradecky shradecky at ...2054...
Tue Jul 1 00:42:09 EDT 2003


Hello,

I'd like to see a possibility in SNORT where every attempt to send a 
packet to a socket that is not listening can be logged and alerted.

I am aware that currently this is being done by watching for the network 
response (on TCP connections watching for a R A packet, on UDP for the 
ping reply). However, when the machine is running stealth mode no reply is 
sent at all and the attempt is missed - there are other scenarios as well, 
like "half open" scans and the like, where a connection is neither 
established nor denied and therefore the packet doesn't get caught by 
snort.

Checking netstat, it should be rather easy to determine whether a port a 
packet has been sent to is open or not, or whether an arriving packet 
belongs to an active connection (currently already done, as I understand 
snort).

Then I'd like to have a keyword (e.g. CLOSED) for the rules like the SEQ 
filter, so that a rule like:

alert tcp any any -> $HOME_NET any (closed;...)

or perhaps

alert tcp any any -> $HOME_NET closed (...)

would alert on all packets that do not belong to an active connection and 
that arrive on sockets that are currently not in listening state.

The background of that request: I am running a hardware firewall in my 
network, which generates a lot of reports for rejected netbios attempts 
and access attempts to trojan ports against the LAN IP address. Obviously 
however the firewall must not filter these packets going to the servers on 
the DMZ (the server might use one of those sockets dynamically for a 
connection) and therefore does not log those packets, so those packets 
should be detected on the servers only - yet snort with standard rules 
doesn't come up with any netbios or trojan alert or the like, although I 
am sure that all our IP addresses have been scanned the same way (the 
vast majority of these scans are half open scans, which do not trigger 
snort).

At the moment I could write rules like:

alert udp any any -> $HOME_NET 137 (...)

to catch those things, but that becomes an extremely long list and bears 
the same risk of raising alerts on valid connections, should the server 
use such a port dynamically. And that list would need to be reworked every 
time a service is being activated or deactivated on the server.

Simon
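The check Simon proposes (decide from the host's own socket table, not from the reply, whether a packet hit a non-listening port or an active connection), as an added Python sketch that is not part of the post and not Snort code; the netstat snapshot, the `Packet` tuple and the function names are constructed for illustration.

```python
from collections import namedtuple

# Constructed `netstat -an`-style snapshot for illustration (not from the post).
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:80         0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:33022      10.0.0.5:443            ESTABLISHED
udp        0      0 0.0.0.0:53              0.0.0.0:*
"""

Packet = namedtuple("Packet", "proto src_ip src_port dst_ip dst_port")

def parse_netstat(text):
    """Build the two tables the proposed keyword needs:
    listening = {(proto, bound_ip, port)}, active = {(proto, lip, lport, fip, fport)}."""
    listening, active = set(), set()
    for line in text.splitlines()[1:]:              # skip the header row
        parts = line.split()
        if len(parts) < 5:
            continue
        proto, local, foreign = parts[0], parts[3], parts[4]
        state = parts[5] if len(parts) > 5 else ""  # UDP rows carry no state on Linux
        lip, lport = local.rsplit(":", 1)
        fip, fport = foreign.rsplit(":", 1)
        if proto == "udp" or state == "LISTEN":
            listening.add((proto, lip, int(lport)))
        elif state == "ESTABLISHED":
            active.add((proto, lip, int(lport), fip, int(fport)))
    return listening, active

def is_closed(pkt, listening, active):
    """Emulate the proposed 'closed' keyword: True when the packet neither hits a
    listening socket nor belongs to an active connection. Because the decision
    uses local socket state, a SYN that never gets a RST or SYN/ACK still counts."""
    for bound_ip in (pkt.dst_ip, "0.0.0.0"):        # specific bind or wildcard bind
        if (pkt.proto, bound_ip, pkt.dst_port) in listening:
            return False
    # Inbound packet of an existing connection: local = dst side, foreign = src side.
    if (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in active:
        return False
    return True

def closed_port_alerts(packets, netstat_text=NETSTAT_SAMPLE):
    """Packets a rule like `alert tcp any any -> $HOME_NET any (closed;)` would fire on."""
    listening, active = parse_netstat(netstat_text)
    return [p for p in packets if is_closed(p, listening, active)]
```

Because the listening and connection tables come from the host, the port list never has to be maintained by hand, which is the maintenance problem the post describes with per-port rules.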