[Snort-users] snort rules to detect user and software trespass

Hamid Ghanbari hamid.gh at ...11827...
Fri Feb 15 13:40:19 EST 2013


I am trying to find some snort rules to explicitly log the connection state. I would like to log the below packet headers.  

                ## S0           Connection attempt seen, no reply.
		## S1           Connection established, not terminated.  
		## SF           Normal establishment and termination. Note that this is the same symbol as for state S1. You can tell the two              apart because for S1 there will not be any byte counts in the summary, while for SF there will be.
		## REJ          Connection attempt rejected.
		## S2           Connection established and close attempt by originator seen (but no reply from responder).
		## S3           Connection established and close attempt by responder seen (but no reply from originator).
		## RSTO         Connection established, originator aborted (sent a RST).
		## RSTR         Established, responder aborted.
		## RSTOS0       Originator sent a SYN followed by a RST, we never saw a SYN-ACK from the responder.
		## RSTRH        Responder sent a SYN ACK followed by a RST, we never saw a SYN from the (purported) originator.
		## SH           Originator sent a SYN followed by a FIN, we never saw a SYN ACK from the responder (hence the connection was "half" open).
		## SHR          Responder sent a SYN ACK followed by a FIN, we never saw a SYN from the originator.
		## OTH          No SYN seen, just midstream traffic (a "partial connection" that was not later closed).

I am looking for a snort rules to get the log connection state particularly.  I would also like to have some snort rules to detect unauthorized log in, privileged abuse and top of that software trespass such as virus, worm and trojan horse.  

I have Snort 2.9.4 on a Fedora 17 x64 and I am using Barnyard 2.1.9 to connect the snort output to a database and using base 1.4.5 to analyse the data.




More information about the Snort-users mailing list