Snort mailing list archives
Re: q about alerts
From: Phil Wood <cpw () lanl gov>
Date: Fri, 31 May 2002 09:18:04 -0600
On Thu, May 30, 2002 at 06:02:26PM -0700, Weber Mail wrote:
> I want to be alerted when a specific event occurs. The rule I have made
> triggers the alert correctly; however, it continues to alert like 4 or 5
> times per second. My purpose is alerting upon a telnet connection to
> machine x by machines x, y and z. Then tcpdump looks something like this:
>
> var telclients [192.168.1.3/32,111.222.111.222/32,1.2.2.4/32]
> var telservers [192.168.1.1/24]
> alert tcp $telclients any -> $telservers any (msg:"Telnet session in progress";)
> output log_tcpdump: telnets.log
The good news is the protocol is tcp which is somewhat stateful, as in:

State                                    Client Flags       Server Flags
                                         C|E|U|A|P|R|S|F    C|E|U|A|P|R|S|F
===========================================================================
1. Successful connection establishment   0|0|0|0|0|0|S|0
                                                            0|0|0|A|0|0|S|0
                                         0|0|0|A|0|0|0|0
2. Data transfer (it's a 2-way street)   0|0|0|A|X|0|0|0
                                                            0|0|X|A|X|0|0|0
3. Connection termination (ditto)        0|0|0|A|X|0|0|F
                                                            0|0|0|A|0|0|0|F
                                         0|0|0|A|0|0|0|0
> I'd prefer an alert upon the initial connection, and an alert on any new
> connection, but I currently get like 5 alerts per second on just 1 connection.
All tcp "connections" are "new"; snort does not keep track of the first time it saw a connection versus subsequent connections. I'd change the rule to just alert on the initial SYN packet. (Also, I'd change the service port to telnet (23) to match your names for the other variables and logfile name. Otherwise, you will get a lot more than you bargained for.)

var telclients [192.168.1.3/32,111.222.111.222/32,1.2.2.4/32]
var telservers [192.168.1.1/24]
var TELNET 23
output log_tcpdump: telnets.log
alert tcp $telclients any -> $telservers $TELNET (msg: "Telnet session in progress"; flags: S;)
> Any ideas?
> Don
>
> _______________________________________________________________
> Don't miss the 2002 Sprint PCS Application Developer's Conference
> August 25-28 in Las Vegas -- http://devcon.sprintpcs.com/adp/index.cfm
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Phil Wood, cpw () lanl gov
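As an added illustration of the point in the reply above (this is not code from the thread or from Snort), here is a small Python model of the rule run over a constructed packet trace of one telnet session: the Pkt class, the 40000 ephemeral port and the trace itself are assumptions, and the model of "flags: S;" as an exact flag match is what makes the rule fire once per connection instead of once per packet.

```python
import ipaddress
from dataclasses import dataclass

# Variables from the thread; strict=False masks 192.168.1.1/24 to 192.168.1.0/24.
TELCLIENTS = [ipaddress.ip_network(n) for n in
              ("192.168.1.3/32", "111.222.111.222/32", "1.2.2.4/32")]
TELSERVERS = [ipaddress.ip_network("192.168.1.1/24", strict=False)]
TELNET = 23

@dataclass
class Pkt:
    src: str
    dst: str
    dport: int
    flags: str  # TCP flags set on the packet, e.g. "S", "SA", "PA", "FA"

def in_nets(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

def rule_matches(pkt, flags=None):
    """Model of: alert tcp $telclients any -> $telservers $TELNET (flags:<flags>;)
    Without a flags option every packet in the rule's direction fires. Snort's
    "flags: S;" is an exact match (SYN set, all other flags clear), so only the
    first packet of each connection fires."""
    if not (in_nets(pkt.src, TELCLIENTS) and in_nets(pkt.dst, TELSERVERS)
            and pkt.dport == TELNET):
        return False
    return flags is None or set(pkt.flags) == set(flags)

def constructed_session(client="192.168.1.3", server="192.168.1.1"):
    """Constructed trace of one telnet session (handshake, two data exchanges,
    teardown) following the flag table in the reply; 40000 is an assumed
    client ephemeral port."""
    def c2s(f): return Pkt(client, server, TELNET, f)
    def s2c(f): return Pkt(server, client, 40000, f)
    return [c2s("S"), s2c("SA"), c2s("A"),     # 1. connection establishment
            c2s("PA"), s2c("PA"), c2s("A"),    # 2. data transfer, both ways
            c2s("PA"), s2c("PA"), c2s("A"),
            c2s("FA"), s2c("FA"), c2s("A")]    # 3. connection termination

def count_alerts(packets, flags=None):
    return sum(rule_matches(p, flags) for p in packets)

if __name__ == "__main__":
    trace = constructed_session() + constructed_session()  # two sessions
    print(count_alerts(trace), "alerts with no flags option")  # 16
    print(count_alerts(trace, "S"), "alerts with flags: S;")   # 2
```

Only client-to-server packets match the rule's direction, so the unconstrained rule fires on every client packet (8 per session here), while "flags: S;" fires exactly once per connection.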
Current thread:
- sorry...upgrade question again Hugo Ferr (May 28)
- Re: sorry...upgrade question again Erek Adams (May 28)
- Re: sorry...upgrade question again Hugo Ferr (May 29)
- RE: sorry...upgrade question again Adam Migus (May 29)
- Re: sorry...upgrade question again Hugo Ferr (May 30)
- q about alerts Weber Mail (May 30)
- Re: q about alerts Phil Wood (May 31)
- Re: sorry...upgrade question again Hugo Ferr (May 29)
- Re: sorry...upgrade question again Erek Adams (May 28)