[Snort-sigs] Count TCP requirements to server.

Guillermo Morales guillermomoralesp at ...2420...
Thu Apr 22 12:18:28 EDT 2010


It works.
Thank you.



2010/4/21 L0rd Ch0de1m0rt <l0rdch0de1m0rt at ...2420...>

> Hello.  Yes, you are correct.  Subsequent packets will not alert this
> rule since it will only alert if serverBconnection is not set and the
> first time a packet is detected from an established connection, an
> alert does happen and the serverBconnection flag is set using
> 'flowbits:set,serverBconnection;'.  I haven't tested it but I think it
> will work.  Of course you will also need to have the $SERVER_B
> variable set correctly or tweak the variable name as necessary for
> your environment.
>
> Make sense?
>
> Cheers.
>
> -L0rd Ch0de1m0rt
>
> On Wed, Apr 21, 2010 at 1:42 PM, Guillermo Morales
> <guillermomoralesp at ...2420...> wrote:
> > This last rule:
> >
> > alert tcp any any -> $SERVER_B any (msg:"Established connection to Server B
> > detected"; flow:established,to_server; flowbits:isnotset,serverBconnection;
> > flowbits:set,serverBconnection; sid:313370000; rev:2;)
> >
> > means:
> >
> > The first established connection packet: check if it is not tagged with
> > "serverBconnection"; if it isn't, set "serverBconnection" and alert.
> > Next packet tagged, discard. Right?
> >
> >
> >
> >
> >
> > -----Original Message-----
> > From: L0rd Ch0de1m0rt [mailto:l0rdch0de1m0rt at ...2420...]
> > Sent: Wednesday, 21 April 2010 7:56
> > To: Guillermo Morales
> > CC: snort-sigs at lists.sourceforge.net
> > Subject: Re: [Snort-sigs] Count TCP requirements to server.
> >
> > Hello.  While not super efficient, you could detect TCP SYN packets to
> > the server.  Of course, this doesn't mean a full connection has been
> > made, just a request for a connection.  Something like:
> >
> > alert tcp any any -> $SERVER_B any (msg:"Connection to Server B
> > attempted"; flags:S; sid:313370000; rev:1;)
> >
> > Depending on where the server sits and possible firewall rules in
> > front of it, this could lead to a lot of false positives from things
> > like scanners.  So instead of the above, you could detect the SYN/ACK
> > from the server (the second part of the TCP three way handshake).
> > This would only alert on connection attempts to valid (listening)
> > services:
> >
> > alert tcp $SERVER_B any -> any any (msg:"Connection to Server B
> > accepted"; flags:S,A; sid:313370001; rev:1;)
> >
> > There are also other, also inefficient ways.  What about this magic:
> >
> > alert tcp any any -> $SERVER_B any (msg:"Established connection to
> > Server B detected"; flow:established,to_server;
> > flowbits:isnotset,serverBconnection;  flowbits:set,serverBconnection;
> > sid:313370000; rev:2;)
> >
> > Hope this helps.
> >
> > Cheers.
> >
> > -L0rd Ch0de1m0rt
> >
> > On Tue, Apr 20, 2010 at 7:46 PM, Guillermo Morales
> > <guillermomoralesp at ...2420...> wrote:
> >> Hi everybody.
> >> I'm trying to create a local rule to count how many clients (A) establish a
> >> connection to a server (B). But, after the connection is established, stop
> >> counting and wait for a new connection from the same client or a different client.
> >>
> >> I'm trying to make it with flags but you can't do it.
> >>
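The three rules in the thread differ in what they count, and the point about flowbits (only the first established packet of a session alerts, then the flag suppresses the rest) is easiest to see by stepping through packets. The following Python model is an added illustration, not code from the thread or from Snort: it replays constructed packets (two sessions from one client, one from another, and one unanswered SYN from a scanner) through a simplified evaluation of the SYN rule, the SYN/ACK rule and the flowbits rule. It assumes, as Snort does, that flowbits state lives on the TCP session, so a new connection from the same client starts with the flag unset; `SERVER_B`, the client addresses and the `established` field (standing in for what the stream tracker would decide) are constructed values.

```python
from dataclasses import dataclass

SERVER_B = "10.0.0.5"  # constructed stand-in for the $SERVER_B variable (assumption)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # TCP flag letters, e.g. "S", "SA", "A", "PA"
    established: bool   # what the stream tracker would report for flow:established


def session_key(p: Packet):
    """Flowbits are kept per session, so both directions map to one key."""
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


def run_rules(packets):
    """Evaluate the three rules from the thread; returns {rule_name: [packet indexes]}."""
    flowbits = {}  # session key -> set of flowbit names set on that session
    alerts = {"syn_to_B": [], "synack_from_B": [], "established_to_B_once": []}
    for i, p in enumerate(packets):
        # Rule 1 (sid 313370000 rev:1): any -> $SERVER_B with flags:S
        if p.dst == SERVER_B and p.flags == "S":
            alerts["syn_to_B"].append(i)
        # Rule 2 (sid 313370001): $SERVER_B -> any, SYN/ACK as the message describes
        if p.src == SERVER_B and p.flags == "SA":
            alerts["synack_from_B"].append(i)
        # Rule 3 (sid 313370000 rev:2): flow:established,to_server;
        # flowbits:isnotset,serverBconnection; flowbits:set,serverBconnection;
        if p.dst == SERVER_B and p.established:
            bits = flowbits.setdefault(session_key(p), set())
            if "serverBconnection" not in bits:   # flowbits:isnotset
                bits.add("serverBconnection")     # flowbits:set
                alerts["established_to_B_once"].append(i)
    return alerts


def handshake(client, sport, server=SERVER_B, dport=80, data_packets=2):
    """Constructed packets for one full TCP session: SYN, SYN/ACK, ACK, then data."""
    pkts = [
        Packet(client, sport, server, dport, "S", False),
        Packet(server, dport, client, sport, "SA", False),
        Packet(client, sport, server, dport, "A", True),
    ]
    pkts += [Packet(client, sport, server, dport, "PA", True) for _ in range(data_packets)]
    return pkts


# Constructed sample traffic (not a real capture).
SAMPLE = (
    handshake("192.0.2.10", 40001)     # client A, first session
    + handshake("192.0.2.10", 40002)   # client A again, a new session
    + handshake("192.0.2.20", 50001)   # client C
    + [Packet("198.51.100.7", 6000, SERVER_B, 23, "S", False)]  # scanner SYN, never answered
)


def count_connections(packets=SAMPLE):
    """How many times each rule would fire on the sample: the numbers the thread compares."""
    return {name: len(hits) for name, hits in run_rules(packets).items()}


if __name__ == "__main__":
    for name, hits in run_rules(SAMPLE).items():
        print(f"{name}: {len(hits)} alerts at packet indexes {hits}")
```

On this sample the SYN rule fires four times (it also counts the scanner), the SYN/ACK rule three times, and the flowbits rule exactly once per established session (packets 2, 7 and 12) and never on the following data packets, which is the behaviour the thread settles on. Two caveats for anyone adapting this: the model takes each rule as its author describes it, so check the exact `flags:` syntax against the Snort manual for your version (in Snort's `flags:` option a comma separates the flags to match from a mask of flags to ignore), and remember that flowbits reset with the session, so a host that reconnects is counted again, which is what the original question asked for.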