[Snort-users] Alerting on internal TCP connection attempts to non-existent services or hosts
jlay at ...13475...
Tue Dec 3 16:51:09 EST 2013
On 2013-12-03 06:58, Jonathan Heard wrote:
> Alerting on internal TCP connection attempts to non-existent services
> or hosts
> Hi All,
> I'm trying to configure snort in a closed network (i.e. no internet)
> and I really want to be able to receive alerts if snort ever sees
> particular types of connection on the wire, regardless of whether it
> actually reaches a host. e.g. If someone so much as tries to
> a telnet or ftp connection from an internal host to any ip address, I
> want to know about it.
> Snort is running in passive mode and is receiving all traffic for
> analysis via an ERSPAN session (i.e. snort is decoding almost 100%
> inbound). It's version "188.8.131.52 GRE (Build 132)" and I compiled it
> myself from source using mainly the default config options.
> At present a rule such as:
> alert tcp any any -> any 3389 (sid:100000; msg:"RDP Detected";)
> ...only fires when I establish a successful TCP connection between
> two hosts on the Monitored VLAN - This includes just using 'telnet
> <ip_address> 3389'. However if I use the IP address of either a
> non-existent server in the subnet, or a server which is not listening
> on port 3389 then snort doesn't log any alerts for this rule :-(
> If I run 'snort -v' I can see the captured TCP packet leaving the
> host which initiated the connection, so I know snort is seeing it -
> But I cannot find a way to make it react.
> The packet is represented by snort -v as follows (with some info
> <Date/Time> <SRC_IP>:58978 -> <DEST_IP>:3389
> TCP TTL: 128 TOS:0x0 ID:XXXXX IpLen: 20 DgmLen:52 DF
> ******S* Seq: 0xXXXXXXXX Ack: 0x0 Win: 0x2000 TcpLen: 32
> TCP Options (6) => MSS: 1260 NOP WS: 8 NOP NOP SackOK
> I'm using the snort.conf which comes with the snort free
> ruleset - I've tried stripping it back to a very basic config with
> most of the preprocessors and stock rules disabled but the behaviour
> remains the same.
> Is it possible to achieve this and if so how please?
> Many Thanks in advance
Wonder if something like the below would work:
alert tcp any 3389 -> any any (msg:"RDP RST Packet Detected"; flow:stateless; flags:RA+; sid:100000;)
This should alert on the reset packet sent from the machine that
doesn't have 3389 open on it.
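
Added example, not part of the original thread: a small Python model of how Snort's `flags` option evaluates the flag strings that `snort -v` prints, run over constructed traffic for the three cases discussed above (listening host, closed port, non-existent host). The `syn_to_3389` rule with `flags:S,12` is a hypothetical alternative assumed here for comparison; only stateless flag matching is modelled, not stream reassembly or any other preprocessor behaviour.

```python
# Bit order used by `snort -v` when printing TCP flags, e.g. "******S*".
ORDER = "12UAPRSF"

def parse_display(shown):
    """Turn a snort -v flag string into a set of flag letters."""
    return {ORDER[i] for i, c in enumerate(shown) if c != "*"}

def flags_match(option, pkt_flags):
    """Evaluate a Snort `flags` option such as 'RA+', 'S,12', '*SF' or '!R'."""
    spec, _, mask = option.partition(",")
    mode = next((c for c in spec if c in "!*+"), "")
    want = {c for c in spec if c in ORDER}
    seen = pkt_flags - set(mask)          # bits after the comma are ignored
    if mode == "+":                       # all listed bits, plus any others
        return want <= seen
    if mode == "*":                       # any of the listed bits
        return bool(want & seen)
    if mode == "!":                       # none of the listed bits
        return not (want & seen)
    return seen == want                   # exact match

# Constructed traffic: (source port, destination port, flags as shown by snort -v)
SCENARIOS = {
    "listening host": [(58978, 3389, "******S*"),
                       (3389, 58978, "***A**S*"),
                       (58978, 3389, "***A****")],
    "closed port": [(58978, 3389, "******S*"),
                    (3389, 58978, "***A*R**")],
    "non-existent host": [(58978, 3389, "******S*")],   # nothing ever answers
}

RULES = {
    # Rule from the reply: alert tcp any 3389 -> any any (... flags:RA+ ...)
    "rst_from_3389": (lambda sport, dport: sport == 3389, "RA+"),
    # Hypothetical alternative: alert tcp any any -> any 3389 (... flags:S,12 ...)
    "syn_to_3389": (lambda sport, dport: dport == 3389, "S,12"),
}

def alerts(scenario):
    """Return the names of the modelled rules that fire for a scenario."""
    fired = set()
    for sport, dport, shown in SCENARIOS[scenario]:
        for name, (ports_ok, option) in RULES.items():
            if ports_ok(sport, dport) and flags_match(option, parse_display(shown)):
                fired.add(name)
    return fired

if __name__ == "__main__":
    for name in SCENARIOS:
        print(f"{name:18} -> {sorted(alerts(name))}")
```

In this model the RST-based rule fires only when a live host answers on a closed port; a SYN sent to an address with no host behind it produces no reply packet for that rule to match.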