[Snort-users] tracking failing TCP connection attempts with snort

stephane nasdrovisky stephane.nasdrovisky at ...12261...
Tue Nov 16 23:25:00 EST 2004


Jim Hendrick wrote:

>  I am looking for a way to alert (or log) on failing incoming TCP
>connections.
>  
>
alert both on tcp rst packets and icmp host (& port) unreachable 
(TCP-IP  Illustrated by W.Richard Stevens is great if you don't want to 
read ip, tcp & icmp related rfcs).

>For example, if an inbound connection attempts to connect to a server, and
>the server never responds, I'd like something that can alert.
>  
>
It should never happen, the server will answer with a RST (or icmp port 
or proto unreachable) packet or the previous hop (router) will generate 
an icmp host unreachable.

>I have been looking at using tagged connections, but I'm not sure how to
>setup the "alert if a connection is *not* established" logic.
>
>I know something like this will tag inbound connections from "host" for 30
>seconds:
>
>alert tcp any any -> $HTTP_SERVERS 80 (flags: S; \
>  tag: host, 30, seconds; msg: "incoming http session";)
>
>But how can I continue and say:
>
>alert {"magic syntax here": tcp $HTTP_SERVERS 80 -> host \
>  (30 seconds and no SYN/ACK); msg: "failed HTTP connection attempt";)
>  
>
Could be something like:

alert tcp $HTTP_SERVERS 80 -> any any (flags: R; \
  ; msg: "outgoing http rst - http server down";)
But usually HTTP_SERVERS do not reply to port 80 with a RST packet, they answer the query.








More information about the Snort-users mailing list