[Snort-users] how to detect failing open connection attempts

jrhendri at ...9784... jrhendri at ...9784...
Mon Nov 15 09:21:05 EST 2004

It seems like something that could be done, but I'm not really sure how.

What I want is to do alerting (or logging) of connection attempts that receive an inbound SYN (to a specific host or network) but no SYN/ACK is ever sent back.

I simply don't know enough about how snort handles flow or connection "tables" to see an easy way to do this.

I've even thought about a *very* crude combination of tcpdump and a perl script to enter SYNs into a connection table, then delete them after a SYN/ACK is seen, and alerting on ones that never complete using alarm(), but I know there must be a better way...

Any ideas?

Jim Hendrick
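The "crude" tcpdump-plus-script approach sketched above, written out as an added Python example (not the poster's script and not a Snort feature): it keeps a table of inbound SYNs keyed by the 4-tuple, drops an entry when the matching SYN/ACK is seen, and reports entries that age past a timeout. It assumes `tcpdump -n -tt` style text input (epoch timestamps, `Flags [S]` / `Flags [S.]`); the capture lines below are constructed for illustration.

```python
import re

# Constructed sample in `tcpdump -n -tt` text format; not a real capture.
SAMPLE = """\
1100000000.000000 IP 10.0.0.5.40000 > 192.168.1.10.80: Flags [S], seq 1, win 65535, length 0
1100000000.000400 IP 192.168.1.10.80 > 10.0.0.5.40000: Flags [S.], seq 2, ack 2, win 65535, length 0
1100000001.000000 IP 10.0.0.5.40001 > 192.168.1.10.22: Flags [S], seq 3, win 65535, length 0
1100000001.500000 IP 10.0.0.5.40002 > 192.168.1.10.443: Flags [S], seq 4, win 65535, length 0
1100000002.000000 IP 192.168.1.10.443 > 10.0.0.5.40002: Flags [R.], seq 0, ack 5, win 0, length 0
1100000010.000000 IP 10.0.0.5.40003 > 192.168.1.10.80: Flags [S], seq 6, win 65535, length 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def parse_line(line):
    """Return (ts, src, sport, dst, dport, flags) for a tcpdump TCP line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return (float(d["ts"]), d["src"], int(d["sport"]), d["dst"], int(d["dport"]), d["flags"])

def find_unanswered_syns(lines, timeout=5.0):
    """Replay capture lines in order. Returns (expired, pending):
    expired = sorted list of (ts, src, sport, dst, dport) for SYNs with no SYN/ACK
              within `timeout` seconds; pending = SYNs still inside the window at
              end of input. A bare SYN/ACK is the only thing that clears an entry,
              matching the stated criterion; a RST reply is deliberately NOT treated
              as an answer, so refused ports show up alongside silently dropped ones."""
    pending = {}   # (src, sport, dst, dport) -> SYN timestamp
    expired = []
    now = 0.0

    def expire(now):
        for key, ts in list(pending.items()):
            if now - ts > timeout:
                expired.append((ts,) + key)
                del pending[key]

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, sport, dst, dport, flags = rec
        now = ts
        expire(now)                      # age out entries before handling this packet
        if flags == "S":                 # new half-open attempt
            pending[(src, sport, dst, dport)] = ts
        elif flags == "S.":              # SYN/ACK: clears the reverse-direction SYN
            pending.pop((dst, dport, src, sport), None)
    return sorted(expired), pending
```

Entries left in `pending` at end of input are too recent to judge; a live version would keep them and re-check on a timer (the `alarm()` role in the sketch above).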

