Snort mailing list archives
Re: snort and stateful inspection
From: Brett.Bender () trilogy com
Date: Mon, 29 Oct 2001 14:37:09 -0600
marc riffel wrote:

> I want to implement a rule, so that it is only allowed to connect via ssh from 192.168.66.99 to other servers. Any other inbound or outbound communication should be logged. So I wrote the rule:
>
> alert tcp 192.168.66.99 any -> any !22 (msg:" serverXY do a not allowed outbound connection";)
> alert tcp any any -> 192.168.66.99 any (msg:"not allowed inbound connection";)

Use the "flags" option on your rules. The first step in making a TCP connection is a packet with the SYN flag set. So you can write rules:

alert tcp 192.168.66.99 any -> any !22 (msg:"serverXY making prohibited connection out"; flags: S+;)
alert tcp any any -> 192.168.66.99 any (msg:"serverXY receiving prohibited connection in"; flags: S+;)

These will catch the attempt to establish the connection. You can write a similar rule (opposite direction, flags: SA+) for the SYN-ACK reply if you also want to know if the connection attempt was successful.
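As an added illustration, not part of the original thread, here is a small Python model of Snort's flags matcher applied to the two rules above, run over constructed packets. It assumes the flag letters Snort's flags option uses and a simplified (src, sport, dst, dport, flags) packet tuple.

```python
from collections import namedtuple

# TCP flag bits under the names Snort's flags option uses ("1","2" = reserved/ECN bits).
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80}
Packet = namedtuple("Packet", "src sport dst dport flags")  # flags like "S", "SA", "PA"
HOST = "192.168.66.99"

def mask(letters):
    return sum(FLAG_BITS[c] for c in letters)

def flags_match(spec, pkt_flags):
    """Snort semantics: 'S' is an exact match, 'S+' is SYN plus any other bits."""
    have = mask(pkt_flags)
    if spec.endswith("+"):
        want = mask(spec[:-1])
        return have & want == want
    return have == mask(spec)

def rule_outbound(p, flags=None):
    """alert tcp 192.168.66.99 any -> any !22 (...; flags: <spec>;)"""
    hit = p.src == HOST and p.dport != 22
    return hit and (flags is None or flags_match(flags, p.flags))

def rule_inbound(p, flags=None):
    """alert tcp any any -> 192.168.66.99 any (...; flags: <spec>;)"""
    return p.dst == HOST and (flags is None or flags_match(flags, p.flags))

def rule_synack_reply(p):
    """Opposite-direction SA+ companion: a SYN-ACK back to the host from a
    non-ssh port means the prohibited outbound connection actually succeeded."""
    return p.dst == HOST and p.sport != 22 and flags_match("SA+", p.flags)

# Constructed traffic: an allowed ssh session, a prohibited outbound HTTP
# connection (with its reply and data), and a prohibited inbound connect.
TRAFFIC = [
    Packet(HOST, 40001, "10.0.0.5", 22, "S"),     # allowed ssh handshake
    Packet("10.0.0.5", 22, HOST, 40001, "SA"),
    Packet(HOST, 40001, "10.0.0.5", 22, "A"),
    Packet(HOST, 40002, "10.0.0.6", 80, "S"),     # prohibited outbound
    Packet("10.0.0.6", 80, HOST, 40002, "SA"),    # ...and it succeeded
    Packet(HOST, 40002, "10.0.0.6", 80, "PA"),    # data on that session
    Packet("10.0.0.7", 51000, HOST, 443, "S"),    # prohibited inbound
]
def count_alerts(flags=None):
    """(outbound, inbound, syn-ack) alert counts over TRAFFIC for one flags spec."""
    return (sum(rule_outbound(p, flags) for p in TRAFFIC),
            sum(rule_inbound(p, flags) for p in TRAFFIC),
            sum(rule_synack_reply(p) for p in TRAFFIC))
```

Without the flags option the inbound rule also fires on the SYN-ACK replies to the host's own allowed ssh sessions, and flags: S+ still does, because "+" matches SYN plus any other bits; an exact flags: S (flags: S,12 in Snort 2.x, which ignores the two reserved/ECN bits) limits it to genuine inbound connection attempts.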