[Snort-sigs] Snort rules question.

Matt Kettler mkettler at ...189...
Wed Aug 18 14:52:00 EDT 2004

At 03:09 PM 8/18/2004, wbenetti at ...2738... wrote:
>         I would like to write a snort rule that alarms on a TCP segment
>that doesn't correspond to any established TCP session.  I would also like
>to take TCP SYNs out of consideration for this rule, since some of them
>would be caught by a rule that does this.
>         To clarify: I occasionally see frames destined to a client machine
>that have the proper seq/ack numbers and sockets, but the source address
>is different than the IP address of the server that is servicing the
>request.  I believe that this is a bug in a hardware vendor, but I'd like
>to write a rule to keep an eye on things.  Is this something that snort
>can detect?

Use the detect_state_problems option to the stream4 preprocessor; no need 
to write a rule.

Other alternatives include using nearly any stateful firewall, such as 
iptables, and having a "last rule" which denies and logs all packets that 
were not accepted as a part of open state sessions elsewhere. Cisco PIX 
firewalls also log this kind of out-of-state packet if you have your log 
level low enough.

However, be aware that there are a LOT of completely broken TCP stacks out 
there, so you will generate a lot of log traffic this way.
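As an added illustration of the out-of-state check discussed above (my own example, not Snort code and not part of the original thread): a toy Python tracker that follows the three-way handshake per connection and flags any non-SYN segment that has no matching session, reporting separately the case the poster describes, where ports and direction fit an existing session but the peer address differs. Bare SYNs are deliberately excluded from the check, as the poster wanted. All addresses, ports and the packet trace are constructed. Snort's own equivalent is the stream4 option mentioned in the reply, enabled in snort.conf as `preprocessor stream4: detect_state_problems`.

```python
"""Toy out-of-state TCP segment detector (added example, not Snort code).

Tracks the three-way handshake per 4-tuple and flags any non-SYN segment
that does not belong to a known session. The case from the question
(right ports and direction, wrong peer IP) gets its own alert text.
"""
from dataclasses import dataclass

# TCP flag bits as they appear in the header.
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


class TcpStateTracker:
    """Minimal handshake tracker; states: SYN_SENT, SYN_RCVD, ESTABLISHED."""

    def __init__(self):
        # frozenset({(ip, port), (ip, port)}) -> state name
        self.sessions = {}

    @staticmethod
    def _key(seg):
        # Direction-independent session key.
        return frozenset({(seg.src, seg.sport), (seg.dst, seg.dport)})

    def process(self, seg):
        """Return None if the segment fits a session, else an alert string."""
        key = self._key(seg)
        state = self.sessions.get(key)
        if seg.flags & SYN and not seg.flags & ACK:
            # Bare SYN opens a half-open session and is never alerted on.
            self.sessions[key] = "SYN_SENT"
            return None
        if state is None:
            return self._out_of_state_reason(seg)
        if seg.flags & SYN and seg.flags & ACK and state == "SYN_SENT":
            self.sessions[key] = "SYN_RCVD"
        elif seg.flags & ACK and state == "SYN_RCVD":
            self.sessions[key] = "ESTABLISHED"
        if seg.flags & (FIN | RST):
            # Simplification: tear the session down on the first FIN or RST.
            del self.sessions[key]
        return None

    def _out_of_state_reason(self, seg):
        # Is there a session with the same destination endpoint and source
        # port but a different peer address? That is the poster's symptom.
        target = (seg.dst, seg.dport)
        for key in self.sessions:
            if target in key:
                others = [ep for ep in key if ep != target]
                if others and others[0][1] == seg.sport and others[0][0] != seg.src:
                    return (f"peer address mismatch: {seg.src} used where "
                            f"{others[0][0]} expected on {seg.dst}:{seg.dport}")
        return (f"segment with no session: {seg.src}:{seg.sport} -> "
                f"{seg.dst}:{seg.dport}")


def run_sample():
    """Constructed trace: a normal handshake and data, then a data segment
    from the wrong server address, then a stray ACK with no session at all."""
    tracker = TcpStateTracker()
    client, server, rogue = "10.0.0.5", "192.0.2.10", "192.0.2.11"
    trace = [
        Segment(client, 40000, server, 80, SYN),
        Segment(server, 80, client, 40000, SYN | ACK),
        Segment(client, 40000, server, 80, ACK),
        Segment(server, 80, client, 40000, ACK),            # in-session data
        Segment(rogue, 80, client, 40000, ACK),             # wrong source address
        Segment("198.51.100.7", 443, client, 40001, ACK),   # no session at all
    ]
    return [alert for alert in (tracker.process(s) for s in trace) if alert]


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

Running it prints two alerts: a peer address mismatch for the segment from 192.0.2.11, and a no-session alert for the stray ACK. The reply's caveat applies to this toy just as much as to stream4 or an iptables last rule: broken stacks, retransmissions after teardown and asymmetric routing will all trip the second alert, so expect volume before treating it as a signal.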
