[Snort-sigs] Snort rules question.
mkettler at ...189...
Wed Aug 18 14:52:00 EDT 2004
At 03:09 PM 8/18/2004, wbenetti at ...2738... wrote:
> I would like to write a snort rule that alarms on a TCP segment
>that doesn't correspond to any established TCP session. I would also like
>to take TCP SYNs out of consideration for this rule, since some of them
>would be caught by a rule that does this.
> To clarify: I occasionally see frames destined to a client machine
>that have the proper seq/ack numbers and sockets, but the source address
>is different than the IP address of the server that is servicing the
>request. I believe that this is a bug in a hardware vendor, but I'd like
>to write a rule to keep an eye on things. Is this something that snort
Use the detect_state_problems option to the stream4 preprocessor. No need
to write a rule.
Other alternatives include using nearly any stateful firewall, such as
iptables, and having a "last rule" which denies and logs all packets that
were not accepted as a part of open state sessions elsewhere. Cisco PIX
firewalls also log this kind of out-of-state packet if you have your log
level low enough.
However, be aware that there are a LOT of completely broken TCP stacks out
there, so you will generate a lot of log traffic this way.
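The check the reply describes, a non-SYN segment that matches no tracked session, as an added example that is not part of this thread, of Snort, or of iptables: a small Python session tracker run over constructed segments. The flow key includes both addresses, so the original poster's case (correct seq/ack and ports but a source address other than the server's) shows up as out-of-state without any special rule. Pure SYNs are ignored, as the poster asked. Only TCP flags are followed; sequence and window checks are left out, and the sample addresses are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

Endpoint = Tuple[str, int]
FlowKey = FrozenSet[Endpoint]


@dataclass(frozen=True)
class Segment:
    """One TCP segment, reduced to the fields the tracker needs."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # any of "S" (SYN), "A" (ACK), "F" (FIN), "R" (RST)


def flow_key(seg: Segment) -> FlowKey:
    # Direction-agnostic key, so both halves of a conversation share one entry.
    # Because addresses are part of the key, a segment from a different source
    # address cannot match an existing session even if ports and flags fit.
    return frozenset({(seg.src, seg.sport), (seg.dst, seg.dport)})


class SessionTracker:
    """Follows the three-way handshake and flags non-SYN segments that do not
    belong to any session seen so far (the stateful firewall 'last rule')."""

    def __init__(self) -> None:
        self.state: Dict[FlowKey, str] = {}
        self.alerts: List[str] = []

    def feed(self, seg: Segment) -> None:
        key = flow_key(seg)
        current = self.state.get(key)
        has_syn, has_ack = "S" in seg.flags, "A" in seg.flags

        if has_syn and not has_ack:
            # A pure SYN opens (or re-opens) a session; never alerted.
            self.state[key] = "SYN_SENT"
            return

        if current is None:
            # Non-SYN segment with no tracked session: out-of-state.
            self.alerts.append(
                f"out-of-state [{seg.flags}] "
                f"{seg.src}:{seg.sport} -> {seg.dst}:{seg.dport}"
            )
            return

        if has_syn and has_ack and current == "SYN_SENT":
            self.state[key] = "SYN_RECV"
        elif has_ack and current == "SYN_RECV":
            self.state[key] = "ESTABLISHED"

        if "F" in seg.flags:
            # Keep the session known while the close completes; a full
            # FIN_WAIT/TIME_WAIT state machine is omitted here.
            self.state[key] = "CLOSING"
        if "R" in seg.flags:
            self.state.pop(key, None)


def detect_out_of_state(segments: List[Segment]) -> List[str]:
    """Run the tracker over a segment list and return the alerts raised."""
    tracker = SessionTracker()
    for seg in segments:
        tracker.feed(seg)
    return tracker.alerts


# Constructed sample traffic (documentation-range addresses, not real hosts).
CLIENT, SERVER, IMPOSTOR = "10.0.0.5", "192.0.2.10", "198.51.100.7"
SAMPLE = [
    Segment(CLIENT, 40000, SERVER, 80, "S"),          # handshake
    Segment(SERVER, 80, CLIENT, 40000, "SA"),
    Segment(CLIENT, 40000, SERVER, 80, "A"),
    Segment(CLIENT, 40000, SERVER, 80, "A"),          # request data
    Segment(SERVER, 80, CLIENT, 40000, "A"),          # legitimate response
    Segment(IMPOSTOR, 80, CLIENT, 40000, "A"),        # right ports, wrong source
    Segment("203.0.113.9", 31337, "10.0.0.6", 5555, "A"),  # stray ACK, no session
    Segment("203.0.113.9", 31337, "10.0.0.6", 22, "S"),    # lone SYN, ignored
]

if __name__ == "__main__":
    for line in detect_out_of_state(SAMPLE):
        print(line)
```

Running it prints two alerts: one for the segment from 198.51.100.7 that has the client's socket but not the server's address, and one for the stray ACK to 10.0.0.6:5555. As the reply warns, real traffic from broken stacks (retransmissions after a tracker has expired a session, half-open connections) will trip a check like this often, so the alert stream is for review rather than blocking.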