[Snort-users] Alert Rule for Packet Crafting Tool

Erickson Brent W KPWA erickson at ...160...
Sat Nov 10 15:01:06 EST 2001


Hello Snorters,

I am trying to write an alert rule for capturing possible packet crafting
tools.

For example, if I run HPING like so:

hping -V -c 1 -S -p 21 host

I will send a TCP packet to port 21 with the SYN flag set and no TCP options,
with a datagram length of 40 bytes, which is almost never seen from any
operating system on an initial SYN packet. Almost all, if not all, operating
systems will set various TCP options, for a datagram length of 44 to 60
bytes.

I know how to do this with BPF filters and Snort, but the problem is that if I
run the BPF filter along with the normal rules and the BPF filter
triggers, I won't know which IP-addressed folder holds the event that
triggered the filter.

I thought I could write a Snort alert rule for this using dsize, but dsize
checks the packet data payload.

Does anyone have any ideas?

Thank you for your time and help.

Brent Erickson
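The check described in the post, written out as an added example (not code from the original message): it parses the IPv4 and TCP headers of a raw packet and flags a SYN with no TCP options and a 40-byte total length, which is the hping signature described above. The two packet byte strings are constructed for illustration (addresses, ports and checksums are placeholders), and the `payload_len` field shows why `dsize` cannot tell the two apart.

```python
import struct

SYN = 0x02          # TCP flag bit for SYN
TCP_PROTO = 6

# Constructed sample packets for illustration (not real captures); checksums are left zero.
# Bare SYN as described in the post: 20-byte IP header + 20-byte TCP header, total length 40.
BARE_SYN = bytes.fromhex(
    "45000028" "00010000" "40060000" "c0a80001" "c0a80002"      # IPv4, len 40, proto TCP
    "04d20015" "00000001" "00000000" "50020200" "00000000"      # TCP, data offset 5, SYN
)
# Typical OS SYN: the same, plus a 4-byte MSS option (data offset 6), total length 44.
OS_SYN = bytes.fromhex(
    "4500002c" "00020000" "40060000" "c0a80001" "c0a80002"
    "04d30015" "00000001" "00000000" "60020200" "00000000" "020405b4"
)


def parse_tcp_fields(pkt: bytes) -> dict:
    """Pull out the IP/TCP header fields the check needs (IPv4 + TCP only)."""
    ver_ihl, _tos, ip_total_len = struct.unpack("!BBH", pkt[:4])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4           # IP header length in bytes
    if pkt[9] != TCP_PROTO:
        raise ValueError("not a TCP packet")
    tcp = pkt[ihl:]
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    tcp_hdr_len = (off_flags >> 12) * 4  # TCP data offset, in bytes
    return {
        "sport": sport,
        "dport": dport,
        "ip_total_len": ip_total_len,
        "tcp_hdr_len": tcp_hdr_len,
        "tcp_options_len": tcp_hdr_len - 20,
        "flags": off_flags & 0x01FF,
        "payload_len": ip_total_len - ihl - tcp_hdr_len,   # what Snort's dsize sees
    }


def is_optionless_syn(pkt: bytes) -> bool:
    """True for a SYN-only packet with no TCP options and a 40-byte datagram."""
    f = parse_tcp_fields(pkt)
    return f["flags"] == SYN and f["tcp_options_len"] == 0 and f["ip_total_len"] == 40


if __name__ == "__main__":
    for name, pkt in (("bare SYN", BARE_SYN), ("OS SYN", OS_SYN)):
        print(name, parse_tcp_fields(pkt), "-> alert" if is_optionless_syn(pkt) else "-> ok")
```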
