[Snort-sigs] Count TCP requeriments to server.

L0rd Ch0de1m0rt l0rdch0de1m0rt at ...2420...
Wed Apr 21 08:56:09 EDT 2010

Hello.  While not super efficient, you could detect TCP SYN packets to
the server.  Of course, this doesn't mean a full connection has been
made, just a request for a connection.  Something like:

alert tcp any any -> $SERVER_B any (msg:"Connection to Server B attempted"; flags:S; sid:313370000; rev:1;)

Depending on where the server sits and possible firewall rules in
front of it, this could lead to a lot of false positives from things
like scanners.  So instead of the above, you could detect the SYN/ACK
from the server (the second part of the TCP three-way handshake).
This would only alert on connection attempts to valid (listening)

alert tcp $SERVER_B any -> any any (msg:"Connection to Server B accepted"; flags:SA; sid:313370001; rev:1;)

There are also other, also inefficient ways.  What about this magic:

alert tcp any any -> $SERVER_B any (msg:"Established connection to Server B detected"; flow:established,to_server; flowbits:isnotset,serverBconnection; flowbits:set,serverBconnection; sid:313370000; rev:2;)

Hope this helps.


-L0rd Ch0de1m0rt

On Tue, Apr 20, 2010 at 7:46 PM, Guillermo Morales
<guillermomoralesp at ...2420...> wrote:
> Hi everybody.
> I'm trying to create a local rule to count how clients (A) establish
> connection to a server (B). But, after established connection, stop count
> and wait for a new connection from same client or different client.
> I'm trying to make it with flags but I can't do it.
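An added example, not part of the original post: a simplified Python model of what the three rules in the reply count (SYN to the server, SYN/ACK from the server, and the once-per-flow flowbits rule), run over constructed packets. The addresses, ports and the small handshake state machine standing in for Snort's stream tracking are assumptions of this sketch, not Snort's implementation.

```python
from collections import Counter

SERVER_B = "192.0.2.10"  # constructed address standing in for $SERVER_B

# Constructed packets: (src, sport, dst, dport, tcp_flags)
PACKETS = [
    # Client completes the handshake to port 80 and sends data.
    ("198.51.100.5", 40000, SERVER_B, 80, "S"),
    (SERVER_B, 80, "198.51.100.5", 40000, "SA"),
    ("198.51.100.5", 40000, SERVER_B, 80, "A"),
    ("198.51.100.5", 40000, SERVER_B, 80, "PA"),
    # Scanner probes a closed port; the server answers with RST.
    ("203.0.113.9", 50000, SERVER_B, 23, "S"),
    (SERVER_B, 23, "203.0.113.9", 50000, "RA"),
    # Scanner half-open probe to an open port; no final ACK is sent.
    ("203.0.113.9", 50001, SERVER_B, 80, "S"),
    (SERVER_B, 80, "203.0.113.9", 50001, "SA"),
    ("203.0.113.9", 50001, SERVER_B, 80, "R"),
]

def count_alerts(packets, server=SERVER_B):
    """Count how often each rule style would fire on the packet list."""
    alerts = Counter()
    state = {}       # (client, client_port, server_port) -> handshake state
    flowbit = set()  # flows where "serverBconnection" is already set
    for src, sport, dst, dport, flags in packets:
        f = set(flags)
        if dst == server:                        # client -> server
            key = (src, sport, dport)
            if f == {"S"}:                       # flags:S (SYN only)
                alerts["syn"] += 1
                state[key] = "syn"
            elif "R" in f:                       # reset tears the flow down
                state.pop(key, None)
            elif "A" in f and state.get(key) == "synack":
                state[key] = "established"       # handshake completed
            # flow:established,to_server + flowbits isnotset/set
            if state.get(key) == "established" and key not in flowbit:
                flowbit.add(key)
                alerts["flowbits"] += 1
        elif src == server:                      # server -> client
            key = (dst, dport, sport)
            if f == {"S", "A"}:                  # SYN and ACK both set
                alerts["synack"] += 1
                if state.get(key) == "syn":
                    state[key] = "synack"
    return alerts

if __name__ == "__main__":
    print(dict(count_alerts(PACKETS)))
```

On this sample the SYN rule fires for every probe, the SYN/ACK rule only for the listening port, and the flowbits rule once for the single completed connection.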