[Snort-users] tracking failing TCP connection attempts with snort

Jim Hendrick jrhendri at ...9784...
Wed Nov 17 04:00:04 EST 2004

Thanks Stephane,

	I really am looking for a way to monitor a live server that *should*
respond with a SYN/ACK but for some reason fails (server down, etc. so it
won't even send a RST)

	I thought by using snort creatively, it could watch for the inbound
SYN and put the attempt on a queue (by tagging the connection) so that it
could alert *if* the server fails to send the ACK within a reasonable
timeout (I picked 30 sec for the 3,6,12 increasing TCP retry count plus a

	The other thought I have (crude however) is to log (or alert) on
both the SYN and SYN/ACK and using perl to watch the log, adding the inbound
to a connection hash table, starting a timer with alarm(). Then when the ACK
comes in, remove the SYN from the table and when the alarm() fires, spit out
any entries that are still there.

But it should be possible with snort preprocessors.

Thanks for the ideas though!


-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of stephane
Sent: Wednesday, November 17, 2004 2:23 AM
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] tracking failing TCP connection attempts with

Jim Hendrick wrote:

>  I am looking for a way to alert (or log) on failing incoming TCP 
alert both on tcp rst packets and icmp host (& port) unreachable 
(TCP-IP  Illustrated by W.Richard Stevens is great if you don't want to 
read ip, tcp & icmp related rfcs).

>For example, if an inbound connection attempts to connect to a server, 
>and the server never responds, I'd like something that can alert.
It should never happen, the server will answer with a RST (or icmp port 
or proto unreachable) packet or the previous hop (router) will generate 
an icmp host unreachable.

>I have been looking at using tagged connections, but I'm not sure how 
>to setup the "alert if a connection is *not* established" logic.
>I know something like this will tag inbound connections from "host" for 
>alert tcp any any -> $HTTP_SERVERS 80 (flags: S; \
>  tag: host, 30, seconds; msg: "incoming http session";)
>But how can I continue and say:
>alert {"magic syntax here": tcp $HTTP_SERVERS 80 -> host \
>  (30 seconds and no SYN/ACK); msg: "failed HTTP connection attempt";)
Could be something like:

alert tcp $HTTP_SERVERS 80 -> any any (flags: R+; \
  msg: "outgoing http rst - http server down";)
But usually HTTP_SERVERS do not reply to port 80 with a RST packet, they
answer the query.
