[Snort-sigs] Count TCP requeriments to server.
l0rdch0de1m0rt at ...2420...
Wed Apr 21 14:46:31 EDT 2010
Hello. Yes, you are correct. Subsequent packets will not alert this
rule since it will only alert if serverBconnection is not set and the
first time a packet is detected from an established connection, an
alert does happen and the serverBconnection flag is set using
'flowbits:set,serverBconnection;'. I haven't tested it but I think it
will work. Of course you will also need to have the $SERVER_B
variable set correctly or tweak the variable name as necessary for
On Wed, Apr 21, 2010 at 1:42 PM, Guillermo Morales
<guillermomoralesp at ...2420...> wrote:
> This last rule:
> alert tcp any any -> $SERVER_B any (msg:"Established connection to Server B
> detected"; flow:established,to_server; flowbits:isnotset,serverBconnection;
> flowbits:set,serverBconnection;sid:313370000; rev:2;)
> The first established connection packet: check if it is not tagged with
> "serverBconnection", if it isn't, set = "serverBconnection" and alert.
> Next packet tagged discard. Right?
> -----Original Message-----
> From: L0rd Ch0de1m0rt [mailto:l0rdch0de1m0rt at ...2420...]
> Sent: Wednesday, April 21, 2010 7:56
> To: Guillermo Morales
> CC: snort-sigs at lists.sourceforge.net
> Subject: Re: [Snort-sigs] Count TCP requeriments to server.
> Hello. While not super efficient, you could detect TCP SYN packets to
> the server. Of course, this doesn't mean a full connection has been
> made, just a request for a connection. Something like:
> alert tcp any any -> $SERVER_B any (msg:"Connection to Server B
> attempted"; flags:S; sid:313370000; rev:1;)
> Depending on where the server sits and possible firewall rules in
> front of it, this could lead to a lot of false positives from things
> like scanners. So instead of the above, you could detect the SYN/ACK
> from the server (the second part of the TCP three way handshake).
> This would only alert on connection attempts to valid (listening)
> alert tcp $SERVER_B any -> any any (msg:"Connection to Server B
> accepted"; flags:SA; sid:313370001; rev:1;)
> There are also other, also inefficient ways. What about this magic:
> alert tcp any any -> $SERVER_B any (msg:"Established connection to
> Server B detected"; flow:established,to_server;
> flowbits:isnotset,serverBconnection; flowbits:set,serverBconnection;
> sid:313370000; rev:2;)
> Hope this helps.
> -L0rd Ch0de1m0rt
> On Tue, Apr 20, 2010 at 7:46 PM, Guillermo Morales
> <guillermomoralesp at ...2420...> wrote:
>> Hi everybody.
>> I am trying to create a local rule to count how many clients (A) establish
>> a connection to a server (B). But, after the connection is established, stop
>> counting and wait for a new connection from the same client or a different client.
>> I am trying to make it with flags but you can't do it.
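To see how the three rules proposed in the thread differ, here is an added example, written for this page and not code from the thread or from Snort itself. It models, in plain Python, the matching semantics the thread relies on and runs them over a constructed packet trace: the `flags:S` rule fires on every connection attempt (including a scanner probing a closed port), the `flags:SA` rule fires only when the server answers, and the `flow:established` + `flowbits:isnotset/set` rule fires exactly once per TCP connection, however many packets follow in that flow. Assumptions: `$SERVER_B` is `10.0.0.5`; `to_server` is approximated as "destination is Server B"; a flow is treated as established on the ACK that completes the three-way handshake, so that ACK is the packet that sets the flowbit; flowbits are per flow, as in Snort, so a second connection from the same client is a fresh flow and alerts again. The trace is constructed, not captured.

```python
"""Model of the three Snort rules from the thread, run over a constructed trace.

Added example, not the thread's code and not Snort. Assumptions are marked.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

SERVER_B = "10.0.0.5"   # stands in for the $SERVER_B variable (assumed address)
FLOWBIT = "serverBconnection"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # TCP flags in Snort letter form: S, SA, A, PA, RA


def flow_key(p):
    """Order the two endpoints so both directions map to the same flow."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a < b else (b, a)


class FlowTracker:
    """Minimal stream tracking: new -> syn -> synack -> established.
    Also holds the per-flow flowbits namespace, as Snort does."""

    def __init__(self):
        self.state = defaultdict(lambda: "new")
        self.flowbits = defaultdict(set)

    def update(self, p):
        k = flow_key(p)
        st = self.state[k]
        if "R" in p.flags:
            self.state[k] = "closed"
        elif p.flags == "S" and st == "new":
            self.state[k] = "syn"
        elif p.flags == "SA" and st == "syn":
            self.state[k] = "synack"
        elif "A" in p.flags and st == "synack":
            # Assumption: the handshake-completing ACK is the first
            # packet on which flow:established matches.
            self.state[k] = "established"
        return k


def run_rules(packets):
    """Apply the three rules; return a list of (rule name, client IP) alerts."""
    tracker = FlowTracker()
    alerts = []
    for p in packets:
        k = tracker.update(p)
        # sid:313370000 rev:1 -- flags:S, any SYN towards Server B
        if p.dst == SERVER_B and p.flags == "S":
            alerts.append(("attempted", p.src))
        # sid:313370001 -- flags:SA, the server's SYN/ACK (only for open ports)
        if p.src == SERVER_B and p.flags == "SA":
            alerts.append(("accepted", p.dst))
        # sid:313370000 rev:2 -- flow:established,to_server;
        # flowbits:isnotset,X; flowbits:set,X  => once per flow
        if (p.dst == SERVER_B and tracker.state[k] == "established"
                and FLOWBIT not in tracker.flowbits[k]):
            tracker.flowbits[k].add(FLOWBIT)
            alerts.append(("established", p.src))
    return alerts


def count_by_client(alerts, rule):
    """Counting happens on the alert log, not in the rule: alerts per client."""
    return Counter(client for name, client in alerts if name == rule)


def connection(client, cport, sport, data_packets):
    """Constructed full handshake plus `data_packets` client->server pushes."""
    return [
        Packet(client, cport, SERVER_B, sport, "S"),
        Packet(SERVER_B, sport, client, cport, "SA"),
        Packet(client, cport, SERVER_B, sport, "A"),
    ] + [Packet(client, cport, SERVER_B, sport, "PA")] * data_packets


# Constructed trace: a scanner hitting a closed port, two clients, and a
# second connection from the first client.
TRACE = (
    [Packet("192.0.2.9", 40000, SERVER_B, 22, "S"),
     Packet(SERVER_B, 22, "192.0.2.9", 40000, "RA")]
    + connection("10.0.0.20", 50001, 80, 3)
    + connection("10.0.0.21", 50002, 80, 1)
    + connection("10.0.0.20", 50003, 80, 2)
)

if __name__ == "__main__":
    result = run_rules(TRACE)
    for rule in ("attempted", "accepted", "established"):
        print(rule, dict(count_by_client(result, rule)))
```

The takeaway for the original question: the flowbits rule counts TCP connections, not clients, and it does so with one alert per flow; how many distinct clients connected, and how often each one did, is then a matter of aggregating the alert log by source address, which is what `count_by_client` does here. The scanner shows up in the `attempted` count only, never in `accepted` or `established`, which is the false-positive point the thread raises.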