Snort mailing list archives
RE: Can we get snort to differentiate between client and server?
From: Fraser Hugh <hugh_fraser () dofasco ca>
Date: Wed, 5 Sep 2001 10:07:02 -0400
Could you use the dynamic rule support to identify an inbound connection to the port (i.e. the SYN bit's set), and only then activate the DDOS rule? That prevents connections from $HOME_NET from being picked up.
-----Original Message-----
From: Jason Haar [SMTP:Jason.Haar () trimble co nz]
Sent: Sunday, August 26, 2001 9:05 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Can we get snort to differentiate between client and server?

Check out this false-alert generator:

alert tcp $EXTERNAL_NET any -> $HOME_NET 12754 (msg:"DDOS mstream client to handler"; content: ">"; flags: A+; reference:cve,CAN-2000-0138; classtype:attempted-dos; sid:247; rev:1;)

What happens is one of the $HOME_NET servers makes a TCP connection to a remote server. That could be SMTP, Web, whatever. It *happens* to use port 12754 as the client port - contains ">" - and the rule is triggered.

Shouldn't snort "think" left-to-right? i.e. host1 port1 -> host2 port2 means if host1 *instigates* a connection to host2, then... At the moment, host1 could be either the server or the client.

Shouldn't this be changed, or a new option of "directional" be added which does the same thing? Tonnes of potential false alarms would drop out of the loop.

--
Cheers
Jason Haar
Unix/Special Projects, Trimble NZ
Phone: +64 3 9635 377 Fax: +64 3 9635 417

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
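The false positive Jason describes, and the SYN-armed matching Fraser proposes, reduced to a small simulation. This is an added example written for this archive page, not code from Snort or from either poster. It assumes $HOME_NET is 10.0.0.0/8 (everything else is $EXTERNAL_NET), models packets as a constructed five-tuple plus flags and payload, and feeds two constructed traces through both the rule as written (stateless, sid:247) and a direction-aware version that arms itself only after seeing a bare SYN from the outside to $HOME_NET:12754.

```python
"""Direction-aware matching for the Snort "mstream client to handler" rule.

Added example, not part of the thread or of Snort. Assumptions: HOME_NET is
10.0.0.0/8; the packet model below is a constructed stand-in for what Snort
sees on the wire.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

HOME_NET = ip_network("10.0.0.0/8")   # assumed site $HOME_NET
HANDLER_PORT = 12754                   # port named in sid:247


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # subset of "SAFRPU", same letters as Snort's flags keyword
    payload: bytes = b""


def is_home(ip: str) -> bool:
    return ip_address(ip) in HOME_NET


def legacy_rule_matches(pkt: Packet) -> bool:
    """sid:247 as posted: $EXTERNAL_NET any -> $HOME_NET 12754, flags:A+, content:">".

    Stateless, so it cannot tell whether 12754 is a listening service or an
    ephemeral client port chosen by a $HOME_NET host.
    """
    return (not is_home(pkt.src) and is_home(pkt.dst)
            and pkt.dport == HANDLER_PORT
            and "A" in pkt.flags                # A+ : ACK plus anything else
            and b">" in pkt.payload)


class DirectionalMatcher:
    """Same rule, but only on connections the external side initiated.

    Mirrors the activate/dynamic idea from the reply: a bare SYN from
    $EXTERNAL_NET to $HOME_NET:12754 arms the rule for that 4-tuple, and the
    content check runs only on armed flows. A SYN *leaving* $HOME_NET with
    source port 12754 is an outbound client connection and never arms it.
    """

    def __init__(self) -> None:
        self.armed: set[tuple[str, int, str, int]] = set()

    def process(self, pkt: Packet) -> bool:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        syn_only = "S" in pkt.flags and "A" not in pkt.flags
        if (syn_only and not is_home(pkt.src) and is_home(pkt.dst)
                and pkt.dport == HANDLER_PORT):
            self.armed.add(key)
            return False                        # the SYN itself is not an alert
        hit = key in self.armed and legacy_rule_matches(pkt)
        if "R" in pkt.flags or "F" in pkt.flags:   # teardown: disarm both directions
            self.armed.discard(key)
            self.armed.discard((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return hit


def false_positive_trace() -> list[Packet]:
    """Constructed: 10.0.0.5 opens an SMTP session to 203.0.113.10 and the
    kernel happens to pick 12754 as the ephemeral source port."""
    home, ext = "10.0.0.5", "203.0.113.10"
    return [
        Packet(home, 12754, ext, 25, "S"),
        Packet(ext, 25, home, 12754, "SA"),
        Packet(home, 12754, ext, 25, "A"),
        Packet(ext, 25, home, 12754, "PA", b"220 mx.example.net ESMTP <ready>\r\n"),
    ]


def true_positive_trace() -> list[Packet]:
    """Constructed: an external host connects *to* 10.0.0.5:12754 and sends '>'."""
    home, ext = "10.0.0.5", "198.51.100.7"
    return [
        Packet(ext, 40000, home, 12754, "S"),
        Packet(home, 12754, ext, 40000, "SA"),
        Packet(ext, 40000, home, 12754, "A"),
        Packet(ext, 40000, home, 12754, "PA", b">"),
    ]


def run(trace: list[Packet]) -> tuple[int, int]:
    """Return (alerts from the posted rule, alerts from the directional rule)."""
    legacy = sum(legacy_rule_matches(p) for p in trace)
    matcher = DirectionalMatcher()
    directional = sum(matcher.process(p) for p in trace)
    return legacy, directional


if __name__ == "__main__":
    print("outbound SMTP, client port 12754:", run(false_positive_trace()))  # (1, 0)
    print("inbound connection to 12754:     ", run(true_positive_trace()))   # (1, 1)
```

The outbound SMTP trace fires the posted rule once (the server banner arrives with ACK set and contains ">") and the directional matcher not at all; the genuine inbound connection fires both. In Snort's own terms the arming step is what Fraser's activate/dynamic pair does: an activate rule keyed on flags:S inbound to 12754, with the content check in the dynamic rule it turns on. Later Snort releases folded this into the flow keyword (flow:to_server,established), which is the usual way to write the same constraint today.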