[Snort-users] Alerting on internal TCP connection attempts to non-existent services or hosts .

James Lay jlay at ...13475...
Tue Dec 3 16:51:09 EST 2013


On 2013-12-03 06:58, Jonathan Heard wrote:
> Alerting on internal TCP connection attempts to non-existent services
> or hosts
>
> Hi All,
>  I'm trying to configure snort in a closed network (i.e. no internet)
> and I really want to be able to receive alerts if snort ever sees
> particular types of connection on the wire, regardless of whether it
> actually reaches a host. e.g. If someone so much as tries to 
> establish
> a telnet or ftp connection from an internal host to any ip address, I
> want to know about it.
>
>  Snort is running in passive mode and is receiving all traffic for
> analysis via an ERSPAN session (i.e. snort is decoding almost 100% 
> GRE
> inbound). It's version "2.9.5.3 GRE (Build 132)" and I compiled it
> myself from source using mainly the default config options.
>
>  At present a rule such as:
>
>  alert tcp any any -> any 3389 (sid:100000; msg:"RDP Detected";)
>
>  ...only fires when I establish a successful TCP connection between
> two hosts on the Monitored VLAN - This includes just using 'telnet
> <ip_address> 3389'. However if I use the IP address of either a
> non-existent server in the subnet, or a server which is not listening
> on port 3389 then snort doesn't log any alerts for this rule :-(
>
>  If I run 'snort -v' I can see the captured TCP packet leaving the
> host which initiated the connection, so I know snort is seeing it -
> But I cannot find a way to make it react.
>
>  The packet is represented by snort -v as follows (with some info
> redacted):
>  <Date/Time> <SRC_IP>:58978 -> <DEST_IP>:3389
>  TCP TTL: 128 TOS:0x0 ID:XXXXX IpLen: 20 DgmLen:52 DF
>  ******S* Seq: 0xXXXXXXXX Ack: 0x0 Win: 0x2000 TcpLen: 32
>  TCP Options (6) => MSS: 1260 NOP WS: 8 NOP NOP SackOK
>
>  I'm using the snort.conf which comes with the snort free 
> subscription
> ruleset - I've tried stripping it back to a very basic config with
> most of the preprocessors and stock rules disabled but the behaviour
> remains the same.
>
>  Is it possible to achieve this and if so how please?
>
>  Many Thanks in advance
>  Jonathan

Wonder if something like the below would work:

alert tcp any 3389 -> any any (msg:"RDP RST Packet Detected"; 
flow:stateless; flags:RA+; sid:100000;)

This should alert on the reset packet sent from the machine that 
doesn't have 3389 open on it.

James




More information about the Snort-users mailing list