[Snort-users] snort and stateful inspection

marc riffel riffelmarc at ...125...
Mon Oct 29 04:52:02 EST 2001

Hi all

I have a question about snort and stateful inspection.

I want to implement a rule so that it is only allowed to connect via
ssh from  to other servers.
Any other inbound or outbound communication should be logged.

So I wrote the rules:
alert tcp any -> any !22 (msg:" serverXY do a not
allowed outbound connection";)
alert tcp any any -> any (msg:"not allowed inbound

The problem is:
If I start an allowed ssh connection from serverXY, snort alerts
because of the answer packets from the remote host.
So snort doesn't realize that these packets are the answer from the
allowed session.

[**] [1:0:0] not allowed inbound connection[**]
10/23-14:38:44.851600 ->
TCP TTL:255 TOS:0x0 ID:34797 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x9E3C7A0  Ack: 0xB9490CF1  Win: 0x8574  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1263192617 9959961

So with stateful inspection I think it should be possible to solve
this problem - is it?

Does anybody know how I can solve this problem... or is it currently
not possible?

The only solution that I see is to add the rule
pass tcp any 22 -> any or to modify the second rule to
alert tcp any any -> !22 (msg:"not allowed inbound

But with this rule it is possible to connect from every server to my
server if the source port is 22... hmm, not a real solution.

Sorry for my English.

kind regards
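The poster's two problems are really one: a stateless rule cannot tell a server's reply inside an allowed ssh session from a fresh inbound connection, and a stateless `pass tcp any 22 -> any` lets anything through as long as it spoofs source port 22. In the Snort rule language itself, `flags:S` restricts a rule to packets with only the SYN flag set (the first packet of a connection), and later Snort releases add the `flow` keyword (for example `flow:to_server,established`) that uses the stream preprocessor's own connection table. The block below is an added example, not code from the post or from the Snort project: it is a minimal connection tracker in Python that shows what "stateful" buys here. Policy is decided only on an initial SYN (SYN set, ACK clear); every later packet is judged by whether its 4-tuple, or the reversed tuple, belongs to a session that was already allowed. Host names `serverXY`, `remote` and `intruder`, the port numbers, and the `ConnTracker`/`Packet` names are constructed for the example.

```python
"""Minimal stateful TCP connection tracker (added example, not Snort code).

Demonstrates why return packets of an allowed ssh session should not trip
an "inbound" rule, and why a SYN from source port 22 still must be alerted.
"""
from dataclasses import dataclass

SSH_PORT = 22


@dataclass(frozen=True)
class Packet:
    # constructed, simplified view of the fields Snort prints in an alert
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool
    ack: bool


class ConnTracker:
    """Connection table keyed by the client-side 4-tuple.

    A session enters the table only on an initial SYN that passes policy.
    Later packets whose tuple (or reversed tuple) is in the table are part of
    that session, so a server's replies are not judged as fresh connections.
    A real tracker would also drop entries on FIN/RST and on timeout.
    """

    def __init__(self, protected_host: str):
        self.protected = protected_host
        self.sessions: set[tuple[str, int, str, int]] = set()

    def classify(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rkey = (pkt.dst, pkt.dport, pkt.src, pkt.sport)

        if pkt.syn and not pkt.ack:
            # New connection attempt: this is the only place policy applies.
            if pkt.src == self.protected and pkt.dport == SSH_PORT:
                self.sessions.add(key)
                return "pass"
            if pkt.src == self.protected:
                return "alert: not allowed outbound connection"
            if pkt.dst == self.protected:
                # Source port 22 does not matter here: it is still a SYN
                # towards the protected host, so the "pass tcp any 22" hole
                # of a stateless ruleset does not exist.
                return "alert: not allowed inbound connection"
            return "ignore"

        if key in self.sessions or rkey in self.sessions:
            return "pass"  # reply or data inside an allowed session

        # Mid-stream packet with no known session: worth logging.
        if pkt.dst == self.protected or pkt.src == self.protected:
            return "alert: packet outside any tracked session"
        return "ignore"


SERVER = "serverXY"   # constructed stand-in for the poster's host
REMOTE = "remote"     # constructed ssh server the poster is allowed to reach


def run_trace() -> list[str]:
    """Replay a constructed packet trace and return the verdict per packet."""
    tracker = ConnTracker(SERVER)
    trace = [
        Packet(SERVER, 40000, REMOTE, SSH_PORT, syn=True, ack=False),  # ssh SYN out
        Packet(REMOTE, SSH_PORT, SERVER, 40000, syn=True, ack=True),   # SYN/ACK back
        Packet(SERVER, 40000, REMOTE, SSH_PORT, syn=False, ack=True),  # handshake ACK
        Packet(REMOTE, SSH_PORT, SERVER, 40000, syn=False, ack=True),  # server data
        Packet("intruder", SSH_PORT, SERVER, 4444, syn=True, ack=False),  # sport-22 SYN
        Packet(SERVER, 40001, REMOTE, 80, syn=True, ack=False),        # http SYN out
        Packet(REMOTE, 31337, SERVER, SSH_PORT, syn=True, ack=False),  # ssh SYN in
    ]
    return [tracker.classify(p) for p in trace]


if __name__ == "__main__":
    for verdict in run_trace():
        print(verdict)
```

The fourth packet is exactly the kind that produced the poster's `***A****` alert: pure ACK from the remote host's port 22. With the table seeded by the outbound SYN it is passed, while the SYN from `intruder` with source port 22 is still alerted, which is the property the stateless `pass` rule could not give.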

