[Snort-users] Alerting on internal TCP connection attempts to non-existent services or hosts .

Stark, Vernon L. Vernon.Stark at ...383...
Tue Dec 3 16:59:21 EST 2013


We have good luck with rules that look for the SYN packet used to begin a TCP session.  So, you might try the following:

alert tcp any any -> any 3389 (sid:100000; msg:"RDP Detected"; flags:S; )

Vern
-----Original Message-----
From: James Lay [mailto:jlay at ...13475...] 
Sent: Tuesday, December 03, 2013 4:51 PM
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Alerting on internal TCP connection attempts to non-existent services or hosts .

On 2013-12-03 06:58, Jonathan Heard wrote:
> Alerting on internal TCP connection attempts to non-existent services 
> or hosts
>
> Hi All,
>  I'm trying to configure snort in a closed network (i.e. no internet) 
> and I really want to be able to receive alerts if snort ever sees 
> particular types of connection on the wire, regardless of whether it 
> actually reaches a host. e.g. If someone so much as tries to establish 
> a telnet or ftp connection from an internal host to any ip address, I 
> want to know about it.
>
>  Snort is running in passive mode and is receiving all traffic for 
> analysis via an ERSPAN session (i.e. snort is decoding almost 100% GRE 
> inbound). It's version "2.9.5.3 GRE (Build 132)" and I compiled it 
> myself from source using mainly the default config options.
>
>  At present a rule such as:
>
>  alert tcp any any -> any 3389 (sid:100000; msg:"RDP Detected";)
>
>  ...only fires when I establish a successful TCP connection between 
> two hosts on the Monitored VLAN - This includes just using 'telnet 
> <ip_address> 3389'. However if I use the IP address of either a 
> non-existent server in the subnet, or a server which is not listening 
> on port 3389 then snort doesn't log any alerts for this rule :-(
>
>  If I run 'snort -v' I can see the captured TCP packet leaving the 
> host which initiated the connection, so I know snort is seeing it - 
> But I cannot find a way to make it react.
>
>  The packet is represented by snort -v as follows (with some info
> redacted):
>  <Date/Time> <SRC_IP>:58978 -> <DEST_IP>:3389  TCP TTL: 128 TOS:0x0 
> ID:XXXXX IpLen: 20 DgmLen:52 DF
>  ******S* Seq: 0xXXXXXXXX Ack: 0x0 Win: 0x2000 TcpLen: 32  TCP Options 
> (6) => MSS: 1260 NOP WS: 8 NOP NOP SackOK
>
>  I'm using the snort.conf which comes with the snort free subscription 
> ruleset - I've tried stripping it back to a very basic config with 
> most of the preprocessors and stock rules disabled but the behaviour 
> remains the same.
>
>  Is it possible to achieve this and if so how please?
>
>  Many Thanks in advance
>  Jonathan

Wonder if something like the below would work:

alert tcp any 3389 -> any any (msg:"RDP RST Packet Detected"; flow:stateless; flags:RA+; sid:100000;)

This should alert on the reset packet sent from the machine that doesn't have 3389 open on it.

James
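The two rules proposed in this thread take opposite approaches: Vern's `flags:S` rule fires on the client's SYN whether or not anything answers, while James's `flags:RA+` rule fires on the RST/ACK a live host returns for a closed port, which means it cannot see attempts against an address that does not exist at all. The following is an added example, not code from the thread or from Snort: a small Python model that applies the three rules posted above (Jonathan's flag-less rule, Vern's SYN rule, James's RST rule) to constructed packet sequences for a listening host, a closed port and a non-existent host. It mimics Snort's `flags:` semantics (`S` is an exact match, `RA+` means RST and ACK set with other bits ignored) and, as a modelling assumption drawn from Jonathan's observation, treats a TCP rule with neither `flags:` nor `flow:stateless` as one that is only evaluated once the three-way handshake has completed. Addresses, ports and the session tracker are all constructed for the example.

```python
"""Model of how the three rules in this thread behave (added example, not Snort code).
Assumption: a rule with neither `flags:` nor `flow:stateless` only sees packets of an
established session, which is the behaviour Jonathan reports for his flag-less rule."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # letters from Snort's FSRPAU set, e.g. "S", "SA", "RA", "PA"


@dataclass(frozen=True)
class Rule:
    msg: str
    sport: Optional[int] = None  # source port filter (None = any)
    dport: Optional[int] = None  # destination port filter (None = any)
    flags: Optional[str] = None  # Snort `flags:` value, e.g. "S" or "RA+"
    stateless: bool = False      # `flow:stateless`


def flags_match(spec: str, pkt_flags: str) -> bool:
    """Snort `flags:` semantics for the two forms used in the thread:
    "S" matches only when SYN is the sole bit set; "RA+" matches when RST and
    ACK are set regardless of the remaining bits."""
    if spec.endswith("+"):
        return set(spec[:-1]) <= set(pkt_flags)
    return set(spec) == set(pkt_flags)


class StreamTracker:
    """Minimal handshake tracker: a flow is established once the client's ACK
    completing SYN, SYN/ACK, ACK has been seen. A RST/ACK never establishes it."""

    def __init__(self) -> None:
        self.state: dict = {}  # (client, cport, server, sport) -> state name

    def established(self, p: Packet) -> bool:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        f = set(p.flags)
        if f == {"S"}:
            self.state[fwd] = "SYN_SENT"
        elif f == {"S", "A"} and self.state.get(rev) == "SYN_SENT":
            self.state[rev] = "SYN_RECEIVED"
        elif "A" in f and "S" not in f and "R" not in f \
                and self.state.get(fwd) == "SYN_RECEIVED":
            self.state[fwd] = "ESTABLISHED"
        return "ESTABLISHED" in (self.state.get(fwd), self.state.get(rev))


def run_rules(rules, packets) -> dict:
    """Return the number of alerts each rule raises over the packet sequence."""
    tracker = StreamTracker()
    counts = {r.msg: 0 for r in rules}
    for p in packets:
        est = tracker.established(p)
        for r in rules:
            if r.dport is not None and p.dport != r.dport:
                continue
            if r.sport is not None and p.sport != r.sport:
                continue
            if r.flags is not None and not flags_match(r.flags, p.flags):
                continue
            # Modelling assumption: no flags and no flow:stateless means the rule
            # is only evaluated on packets belonging to an established session.
            if r.flags is None and not r.stateless and not est:
                continue
            counts[r.msg] += 1
    return counts


# The three rules from the thread, expressed in the model's terms.
RULES = [
    Rule("RDP Detected (no flags)", dport=3389),                              # Jonathan
    Rule("RDP Detected (flags:S)", dport=3389, flags="S"),                    # Vern
    Rule("RDP RST Packet Detected", sport=3389, flags="RA+", stateless=True),  # James
]

# Constructed hosts and packet sequences; none of these come from the thread.
C, S, DEAD = "10.0.0.5", "10.0.0.10", "10.0.0.99"
SCENARIOS = {
    "listening host": [Packet(C, 58978, S, 3389, "S"), Packet(S, 3389, C, 58978, "SA"),
                       Packet(C, 58978, S, 3389, "A"), Packet(C, 58978, S, 3389, "PA")],
    "closed port": [Packet(C, 58979, S, 3389, "S"), Packet(S, 3389, C, 58979, "RA")],
    "non-existent host": [Packet(C, 58980, DEAD, 3389, "S")] * 3,  # SYN plus two retransmits
}


def evaluate_all() -> dict:
    return {name: run_rules(RULES, pkts) for name, pkts in SCENARIOS.items()}


if __name__ == "__main__":
    for name, counts in evaluate_all().items():
        print(f"{name}: {counts}")
```

Under this model the flag-less rule fires only for the listening host (once the handshake completes), the `flags:S` rule fires in all three cases but once per SYN, so retransmissions to a dead host produce repeated alerts, and the `RA+` rule fires only for the closed port, since a non-existent host sends nothing back. If the goal is "alert whenever anyone tries", the SYN rule is the one that covers every case, at the cost of some noise from retransmits.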
