[Snort-users] Can we get snort to differentiate between client and server?

Fraser Hugh hugh_fraser at ...2804...
Wed Sep 5 07:08:04 EDT 2001


Could you use the dynamic rule support to identify an inbound connection to
the port (ie. the Sync bit's set), and only then activate the DDOS rule?
That prevents connections from $HOME_NET from being picked up.


> -----Original Message-----
> From:	Jason Haar [SMTP:Jason.Haar at ...294...]
> Sent:	Sunday, August 26, 2001 9:05 PM
> To:	snort-users at lists.sourceforge.net
> Subject:	[Snort-users] Can we get snort to differentiate between
> client and server?
> 
> Check out this false-alert generator:
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET 12754 (msg:"DDOS mstream client to handler"; content: ">"; flags: A+; reference:cve,CAN-2000-0138; classtype:attempted-dos; sid:247; rev:1;)
> 
> 
> What happens is one of the $HOME_NET servers makes a TCP connection to a
> remote server. That could be a SMTP, Web, whatever. It *happens* to use
> port 12754 as the client port - contains ">" - and the rule is triggered.
> 
> Shouldn't snort "think" in left-to-right? i.e. 
> 
> host1 port1 -> host2 port2
> 
> means
> 
> if host1 *instigates* a connection to host2, then...
> 
> At the moment, host1 could be either the server or the client.
> 
> Shouldn't this be changed, or a new option of "directional" be added which
> does the same thing? Tonnes of potential false alarms would drop out of
> the loop.
> 
> -- 
> Cheers
> 
> Jason Haar
> 
> Unix/Special Projects, Trimble NZ
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> 
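The false alert Jason describes, and the directional check Fraser proposes, can be shown with a small flow tracker. The following Python is an added illustration written for this archive page, not code from the thread or from Snort: it models sid:247 as a predicate over constructed packets, records which endpoint sent the SYN for each TCP flow, and evaluates the rule with and without the requirement that the packet travel from the connection initiator. The $HOME_NET address, the remote hosts and the payloads are all made up for the example.

```python
"""Toy model of the client/server direction problem discussed in the thread.

A rule keyed only on destination port, ACK flag and payload fires on reply
traffic of a $HOME_NET-initiated connection whose ephemeral port happens to
be 12754; the same rule with a "packet must come from the initiator"
condition does not. All packets below are constructed for this example.
"""
from dataclasses import dataclass

HOME_NET = {"10.0.0.5"}          # assumed $HOME_NET for the example
SYN, ACK = 0x02, 0x10            # TCP flag bits


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    payload: bytes


class FlowTracker:
    """Remembers, per TCP flow, which endpoint sent the bare SYN."""

    def __init__(self):
        self.initiator = {}  # flow key -> (ip, port) of the client side

    @staticmethod
    def key(pkt):
        # Direction-independent key so both halves of a flow map together.
        return tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))

    def observe(self, pkt):
        if pkt.flags & SYN and not pkt.flags & ACK:
            self.initiator[self.key(pkt)] = (pkt.src, pkt.sport)

    def to_server(self, pkt):
        """True when pkt travels from the initiating (client) side."""
        return self.initiator.get(self.key(pkt)) == (pkt.src, pkt.sport)


def rule_original(pkt, tracker):
    """sid:247 as quoted: external -> $HOME_NET 12754, ACK set, '>' in payload."""
    return bool(pkt.src not in HOME_NET and pkt.dst in HOME_NET
                and pkt.dport == 12754 and pkt.flags & ACK
                and b">" in pkt.payload)


def rule_directional(pkt, tracker):
    """Same rule, plus: the packet must flow client -> server."""
    return rule_original(pkt, tracker) and tracker.to_server(pkt)


def run(packets, rule):
    """Feed packets through the tracker and return those the rule matches."""
    tracker = FlowTracker()
    hits = []
    for pkt in packets:
        tracker.observe(pkt)
        if rule(pkt, tracker):
            hits.append(pkt)
    return hits


def sample_packets():
    # Constructed traffic. Flow 1: a $HOME_NET mail client is handed
    # ephemeral port 12754 and talks to a remote SMTP server; the server's
    # reply contains ">" (the false alert from the thread).
    h, r = "10.0.0.5", "203.0.113.9"
    flow1 = [
        Packet(h, 12754, r, 25, SYN, b""),
        Packet(r, 25, h, 12754, SYN | ACK, b""),
        Packet(h, 12754, r, 25, ACK, b""),
        Packet(r, 25, h, 12754, ACK, b"220 mail.example.net ESMTP ready >"),
    ]
    # Flow 2: a remote host genuinely connects to 12754 on a $HOME_NET box
    # and sends the payload the rule was written for.
    a = "198.51.100.7"
    flow2 = [
        Packet(a, 40000, h, 12754, SYN, b""),
        Packet(h, 12754, a, 40000, SYN | ACK, b""),
        Packet(a, 40000, h, 12754, ACK, b""),
        Packet(a, 40000, h, 12754, ACK, b">"),
    ]
    return flow1 + flow2


if __name__ == "__main__":
    pkts = sample_packets()
    print("original rule hits:   ", len(run(pkts, rule_original)))
    print("directional rule hits:", len(run(pkts, rule_directional)))
```

`rule_directional` is the effect Fraser's activate/dynamic suggestion aims for: only packets on a flow whose SYN came from the external side are eligible. In later Snort releases the same requirement is expressed directly in the rule with the `flow` keyword (`flow:to_server,established;`), which relies on the stream preprocessor's notion of who initiated the session rather than on the raw TCP flags alone.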