[Snort-users] snort and stateful inspection
riffelmarc at ...125...
Mon Oct 29 04:52:02 EST 2001
I have a question about Snort and stateful inspection.
I want to implement a rule so that it is only allowed to connect via
ssh from 192.168.66.99 to other servers.
Any other inbound or outbound communication should be logged.
So I wrote the rules:
alert tcp 192.168.66.99 any -> any !22 (msg:" serverXY do a not allowed outbound connection";)
alert tcp any any -> 192.168.66.99 any (msg:"not allowed inbound connection";)
The problem is:
If I start an allowed ssh connection from serverXY, Snort alerts
because of the answer packets from the remote host.
So Snort doesn't realize that these packets are the answer from the
[**] [1:0:0] not allowed inbound connection[**]
10/23-14:38:44.851600 192.168.66.22:22 -> 192.168.66.99:32813
TCP TTL:255 TOS:0x0 ID:34797 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x9E3C7A0 Ack: 0xB9490CF1 Win: 0x8574 TcpLen: 32
TCP Options (3) => NOP NOP TS: 1263192617 9959961
So with stateful inspection I think it should be possible to solve
this problem. Is it?
Does anybody know how I can solve this problem....or is it currently
The only solution that I see is if I add the rule
pass tcp any 22 -> 192.168.66.99 any
or modify the second rule to
alert tcp any any -> 192.168.66.99 !22 (msg:"not allowed inbound connection";)
But with this rule it is possible to connect from every server to my
server if the source port is 22.....hmmm, not a real solution.
Sorry for my English.
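The behaviour the post is asking for is what connection tracking gives you: remember which side sent the opening SYN, and judge later packets by the session they belong to rather than by their own source and destination ports. In Snort this is the job of the stream4 preprocessor together with the flow keyword (flow:to_server,established on the outbound rule, flow:to_client,established or no inbound rule at all for replies). The script below is an added illustration, not code from the post or from Snort: a minimal session table over constructed packet tuples that shows the reply to serverXY's own ssh session passing, while an unsolicited connection that merely uses source port 22 still alerts. The packet class, the session table and the sample addresses other than those in the post are assumptions made for the example.

```python
# Added example (not from the original post): stateful evaluation of the
# poster's policy. Tracks who opened each TCP connection so that reply
# packets are not judged as new inbound connections. Packets are
# constructed tuples; nothing here is Snort code.
from dataclasses import dataclass

SERVER = "192.168.66.99"   # serverXY from the post; only ssh out of it is allowed


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # SYN set and ACK clear marks the connection opener
    ack: bool = False


def stateless_verdict(pkt: Packet) -> str:
    """The two alert rules from the post, applied to a single packet in isolation."""
    if pkt.src == SERVER and pkt.dport != 22:
        return "alert: serverXY do a not allowed outbound connection"
    if pkt.dst == SERVER:
        return "alert: not allowed inbound connection"
    return "pass"


class StatefulPolicy:
    """Evaluate the policy once, at connection open, and reuse the verdict for
    every later packet of that session in either direction (hypothetical
    stand-in for what stream4 plus the flow keyword provides in Snort)."""

    def __init__(self) -> None:
        # key: (initiator, initiator port, responder, responder port) -> verdict
        self.sessions: dict = {}

    def check(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.syn and not pkt.ack:
            # a new connection: decide here and remember who opened it
            verdict = stateless_verdict(pkt)
            self.sessions[fwd] = verdict
            return verdict
        if fwd in self.sessions:
            return self.sessions[fwd]          # follow-on packet from the initiator
        if rev in self.sessions:
            return self.sessions[rev]          # reply: inherits the session verdict
        return stateless_verdict(pkt)          # no state known: fall back to the rules


def run_scenarios() -> dict:
    """Constructed traffic covering the cases discussed in the post."""
    policy = StatefulPolicy()
    out = {}
    # serverXY opens ssh to a remote host: allowed
    out["ssh_syn"] = policy.check(Packet(SERVER, 32813, "192.168.66.22", 22, syn=True))
    # the remote host's answer (the packet that triggered the false alert)
    reply = Packet("192.168.66.22", 22, SERVER, 32813, ack=True)
    out["ssh_reply_stateful"] = policy.check(reply)
    out["ssh_reply_stateless"] = stateless_verdict(reply)
    # someone else connects in with source port 22: still a new inbound session
    out["spoofed_port22"] = policy.check(Packet("10.0.0.5", 22, SERVER, 4444, syn=True))
    # serverXY opens something other than ssh: logged
    out["web_out"] = policy.check(Packet(SERVER, 40000, "192.168.66.22", 80, syn=True))
    return out


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:22s} {verdict}")
```

The ssh reply is passed only because the tracker saw serverXY send the SYN first; the packet from 10.0.0.5 is judged on its own SYN and alerts even though it uses source port 22, which is exactly the hole the poster's pass rule on port 22 would open.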