[Snort-users] q about alerts

Phil Wood cpw at ...440...
Fri May 31 08:19:02 EDT 2002


On Thu, May 30, 2002 at 06:02:26PM -0700, Weber Mail wrote:
> I want to be alerted when a specific event occurs. The rule I have made
> triggers the alert correctly; however, it continues to alert like 4 or 5
> times per second. My purpose is alerting upon a telnet connection to machine
> x by machines x, y and z, then tcpdump.
> It looks something like this:
> 
> var telclients [192.168.1.3/32,111.222.111.222/32,1.2.2.4/32]
> var telserver [192.168.1.1/24]
> alert tcp $telclients any -> $telserver any (msg:"Telnet session in progress";)
> output log_tcpdump: telnets.log
> 
> 

The good news is the protocol is tcp which is somewhat stateful as in:

     State                                  Client Flags      Server Flags
                                            C|E|U|A|P|R|S|F   C|E|U|A|P|R|S|F
     ========================================================================
  1. Successful connection establishment    0|0|0|0|0|0|S|0
                                                              0|0|0|A|0|0|S|0
                                            0|0|0|A|0|0|0|0

  2. Data transfer (it's a 2 way street)          0|0|0|A|X|0|0|0
                                                  0|0|X|A|X|0|0|0

  3. Connection termination (ditto)               0|0|0|A|X|0|0|F
                                                  0|0|0|A|0|0|0|F
                                                  0|0|0|A|0|0|0|0

> I'd prefer an alert upon the initial connection, and an alert on any new
> connection, but I currently get like 5 alerts per second on just 1
> connection.

All tcp "connections" are "new"; snort does not keep track of the first time
it saw a connection versus subsequent connections.

I'd change the rule to just alert on the initial SYN packet (also, I'd change
the service port to telnet (23) to match your names for the other variables
and the logfile name).  Otherwise, you will get a lot more than you bargained for.

var telclients [192.168.1.3/32,111.222.111.222/32,1.2.2.4/32]
var telserver [192.168.1.1/24]
var TELNET 23

output log_tcpdump: telnets.log

alert tcp $telclients any -> $telserver $TELNET (msg: "Telnet session in progress"; flags: S;)

> 
> any ideas
> 
> Don
> 
> 

-- 
Phil Wood, cpw at ...440...
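An added illustration (not part of Phil's reply and not Snort code) of why the original rule fires on every client-to-server packet while the "flags: S;" version fires once per connection: the script walks a constructed telnet session through the three phases in the table above and counts which packets each rule would match. The Packet and Rule classes, the session contents and the ephemeral port are assumptions, and the match logic approximates Snort's "flags: S" (exactly SYN set) without its modifiers.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

FLAG_ORDER = "CEUAPRSF"  # flag column order from the table above

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    flags: str  # flags that are set, e.g. "S", "AS" (SYN+ACK), "AP" (PSH+ACK)
@dataclass
class Rule:
    src_nets: List[str]
    dst_nets: List[str]
    dport: Optional[int]  # None stands for Snort's 'any'
    flags: Optional[str]  # None = no flags test; "S" = exactly SYN, as in 'flags: S;'
def flag_row(flags: str) -> str:
    # Render a flag set in the C|E|U|A|P|R|S|F notation of the table
    return "|".join(f if f in flags else "0" for f in FLAG_ORDER)
def in_nets(ip: str, nets: List[str]) -> bool:
    addr = ipaddress.ip_address(ip)  # strict=False accepts 192.168.1.1/24 as the /24
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)
def matches(rule: Rule, pkt: Packet) -> bool:
    if not (in_nets(pkt.src, rule.src_nets) and in_nets(pkt.dst, rule.dst_nets)):
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    # 'flags: S;' without a modifier means the header flags must be exactly SYN
    return rule.flags is None or set(pkt.flags) == set(rule.flags)
def count_alerts(rule: Rule, packets: List[Packet]) -> int:
    return sum(1 for p in packets if matches(rule, p))

CLIENT, SERVER = "192.168.1.3", "192.168.1.1"
SESSION = [  # constructed telnet session: handshake, one data exchange, teardown
    Packet(CLIENT, SERVER, 23, "S"),      # 1. client SYN
    Packet(SERVER, CLIENT, 40001, "AS"),  #    server SYN+ACK
    Packet(CLIENT, SERVER, 23, "A"),      #    client ACK
    Packet(CLIENT, SERVER, 23, "AP"),     # 2. data, both directions
    Packet(SERVER, CLIENT, 40001, "AP"),
    Packet(CLIENT, SERVER, 23, "A"),
    Packet(CLIENT, SERVER, 23, "AF"),     # 3. teardown
    Packet(SERVER, CLIENT, 40001, "AF"),
    Packet(CLIENT, SERVER, 23, "A"),
]
TELCLIENTS = ["192.168.1.3/32", "111.222.111.222/32", "1.2.2.4/32"]
TELSERVERS = ["192.168.1.1/24"]
ORIGINAL_RULE = Rule(TELCLIENTS, TELSERVERS, None, None)  # any port, no flags test
SYN_RULE = Rule(TELCLIENTS, TELSERVERS, 23, "S")          # the suggested rule
```

Running count_alerts over the session gives 6 alerts for the original rule (every client-to-server packet) and 1 for the SYN-only rule.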