Snort mailing list archives

RE: Can we get snort to differentiate between client and server?


From: Fraser Hugh <hugh_fraser () dofasco ca>
Date: Wed, 5 Sep 2001 10:07:02 -0400

Could you use the dynamic rule support to identify an inbound connection to
the port (i.e. the Sync bit's set), and only then activate the DDOS rule?
That prevents connections from $HOME_NET from being picked up.


-----Original Message-----
From: Jason Haar [SMTP:Jason.Haar () trimble co nz]
Sent: Sunday, August 26, 2001 9:05 PM
To:   snort-users () lists sourceforge net
Subject:      [Snort-users] Can we get snort to differentiate between client and server?

Check out this false-alert generator:

alert tcp $EXTERNAL_NET any -> $HOME_NET 12754 (msg:"DDOS mstream client to handler"; content: ">"; flags: A+; reference:cve,CAN-2000-0138; classtype:attempted-dos; sid:247; rev:1;)


What happens is one of the $HOME_NET servers makes a TCP connection to a
remote server. That could be an SMTP, Web, whatever. It *happens* to use
port 12754 as the client port - contains ">" - and the rule is triggered.

Shouldn't snort "think" in left-to-right? i.e. 

host1 port1 -> host2 port2

means

if host1 *instigates* a connection to host2, then...

At the moment, host1 could be either the server or the client.

Shouldn't this be changed, or a new option of "directional" be added which
does the same thing? Tonnes of potential false alarms would drop out of
the loop.

-- 
Cheers

Jason Haar

Unix/Special Projects, Trimble NZ
Phone: +64 3 9635 377 Fax: +64 3 9635 417

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

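As an added example (not code from the thread), here is a small Python model of the false positive Jason describes next to the direction-aware check that Fraser's activate/dynamic suggestion is reaching for: the rule as written fires on a remote SMTP server's reply to a $HOME_NET client whose ephemeral port happens to be 12754, while a check that remembers which side sent the bare SYN does not. It assumes $HOME_NET is 10.0.0.0/8, and every packet below is constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

HOME_NET = ip_network("10.0.0.0/8")  # assumed value for $HOME_NET

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str            # TCP flags as letters: "S", "SA", "A", "PA"
    payload: bytes = b""

def stateless_match(p: Packet) -> bool:
    """The rule as written (sid:247): $EXTERNAL_NET any -> $HOME_NET 12754, flags:A+, and '>' in the payload."""
    return (ip_address(p.src) not in HOME_NET and ip_address(p.dst) in HOME_NET
            and p.dport == 12754 and "A" in p.flags and b">" in p.payload)

class FlowTracker:
    """Remembers which endpoint sent the bare SYN that opened each TCP flow."""
    def __init__(self):
        self.client = {}  # flow key -> (ip, port) of the originating side
    def originator(self, p: Packet):
        key = frozenset({(p.src, p.sport), (p.dst, p.dport)})
        if p.flags == "S":           # bare SYN: the sender is the client
            self.client[key] = (p.src, p.sport)
        return self.client.get(key)  # None if the SYN was never seen

def directional_match(tracker: FlowTracker, p: Packet) -> bool:
    """Same rule, but only for client -> server packets, i.e. the external
    host must have been the one that opened the connection to $HOME_NET:12754."""
    return tracker.originator(p) == (p.src, p.sport) and stateless_match(p)

def alerts(packets):
    """Return (stateless hits, directional hits) for one packet stream."""
    tracker = FlowTracker()
    return (sum(stateless_match(p) for p in packets),
            sum(directional_match(tracker, p) for p in packets))

HOME, EXT_SMTP, EXT_PEER = "10.1.1.5", "203.0.113.9", "198.51.100.7"
# Constructed: outbound SMTP session whose ephemeral client port happens to be 12754.
FALSE_POSITIVE = [
    Packet(HOME, 12754, EXT_SMTP, 25, "S"),
    Packet(EXT_SMTP, 25, HOME, 12754, "SA"),
    Packet(EXT_SMTP, 25, HOME, 12754, "PA", b"220 mail.example.test ESMTP >")]
# Constructed: an external host that really opens a connection to port 12754.
TRUE_POSITIVE = [
    Packet(EXT_PEER, 40000, HOME, 12754, "S"),
    Packet(EXT_PEER, 40000, HOME, 12754, "PA", b">")]
```

Later Snort releases added the flow keyword (flow:to_server,established), which applies this same originator test using the stream preprocessor's connection state.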
