[Snort-sigs] Count TCP requirements to server.

Guillermo Morales guillermomoralesp at ...2420...
Wed Apr 21 14:42:58 EDT 2010


This last rule: 

alert tcp any any -> $SERVER_B any (msg:"Established connection to Server B
detected"; flow:established,to_server; flowbits:isnotset,serverBconnection;
flowbits:set,serverBconnection;sid:313370000; rev:2;)

means: 

The first established connection packet: check if it is not tagged with
"serverBconnection"; if it isn't, set "serverBconnection" and alert.
The next packet, already tagged, is discarded. Right?





-----Original Message-----
From: L0rd Ch0de1m0rt [mailto:l0rdch0de1m0rt at ...2420...] 
Sent: Wednesday, 21 April 2010 7:56
To: Guillermo Morales
CC: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] Count TCP requirements to server.

Hello.  While not super efficient, you could detect TCP SYN packets to
the server.  Of course, this doesn't mean a full connection has been
made, just a request for a connection.  Something like:

alert tcp any any -> $SERVER_B any (msg:"Connection to Server B
attempted"; flags:S; sid:313370000; rev:1;)

Depending on where the server sits and possible firewall rules in
front of it, this could lead to a lot of false positives from things
like scanners.  So instead of the above, you could detect the SYN/ACK
from the server (the second part of the TCP three-way handshake).
This would only alert on connection attempts to valid (listening)
services:

alert tcp $SERVER_B any -> any any (msg:"Connection to Server B
accepted"; flags:S,A; sid:313370001; rev:1;)

There are other, also inefficient, ways.  What about this magic:

alert tcp any any -> $SERVER_B any (msg:"Established connection to
Server B detected"; flow:established,to_server;
flowbits:isnotset,serverBconnection;  flowbits:set,serverBconnection;
sid:313370000; rev:2;)

Hope this helps.

Cheers.

-L0rd Ch0de1m0rt

On Tue, Apr 20, 2010 at 7:46 PM, Guillermo Morales
<guillermomoralesp at ...2420...> wrote:
> Hi everybody.
> I'm trying to create a local rule to count how many clients (A) establish a
> connection to a server (B). But, after the connection is established, stop
> counting and wait for a new connection from the same client or a different client.
>
> I'm trying to make it with flags but you can't do it.
>
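To make the difference between the three rules in this thread concrete, here is a small Python model of how they behave on a constructed packet trace. It is an added example, not Snort code and not from any message in the thread; $SERVER_B is given an assumed address, and the stream tracking (established after the client's handshake ACK, flowbits stored per session) is a simplified stand-in for Snort's stream preprocessor.

```python
from collections import defaultdict

SERVER_B = "10.0.0.5"  # assumed value for $SERVER_B
BIT = "serverBconnection"

# Constructed packet trace: (src, sport, dst, dport, flags). Client A opens
# two sessions to port 80; a scanner probes a closed port and gets no SYN/ACK.
TRACE = [
    ("10.0.0.1", 40000, SERVER_B, 80, "S"),
    (SERVER_B, 80, "10.0.0.1", 40000, "SA"),
    ("10.0.0.1", 40000, SERVER_B, 80, "A"),   # handshake complete
    ("10.0.0.1", 40000, SERVER_B, 80, "PA"),  # data in the same session
    ("10.0.0.1", 40000, SERVER_B, 80, "PA"),
    ("10.0.0.9", 55555, SERVER_B, 23, "S"),   # scanner, port closed
    ("10.0.0.1", 40001, SERVER_B, 80, "S"),   # second session, same client
    (SERVER_B, 80, "10.0.0.1", 40001, "SA"),
    ("10.0.0.1", 40001, SERVER_B, 80, "A"),
    ("10.0.0.1", 40001, SERVER_B, 80, "PA"),
]

def session_key(src, sport, dst, dport):
    """Both directions of one TCP connection map to the same session."""
    return tuple(sorted([(src, sport), (dst, dport)]))

def run_rules(trace):
    """Return how often each of the three rules from the thread alerts."""
    alerts = {"syn": 0, "synack": 0, "flowbits": 0}
    sessions = defaultdict(lambda: {"synack": False, "est": False, "bits": set()})
    for src, sport, dst, dport, flags in trace:
        s = sessions[session_key(src, sport, dst, dport)]
        to_server = dst == SERVER_B
        # Rule 1 (flags:S): every SYN to Server B, the scanner's included.
        if to_server and flags == "S":
            alerts["syn"] += 1
        # Rule 2 (flags:S,A): only ports that actually answer produce one.
        if src == SERVER_B and flags == "SA":
            alerts["synack"] += 1
            s["synack"] = True
        # Simplified stream tracking: client ACK after SYN/ACK = established.
        if to_server and flags == "A" and s["synack"]:
            s["est"] = True
        # Rule 3: flow:established,to_server; flowbits:isnotset then set.
        # Flowbits live in the session, so it alerts once per connection and
        # again for the next connection from the same or another client.
        if to_server and s["est"] and BIT not in s["bits"]:
            s["bits"].add(BIT)
            alerts["flowbits"] += 1
    return alerts
```

Running `run_rules(TRACE)` gives 3 SYN alerts (one of them the scanner), 2 SYN/ACK alerts and 2 flowbits alerts, one per completed connection rather than one per packet.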