Snort mailing list archives

Re: q about alerts


From: Phil Wood <cpw () lanl gov>
Date: Fri, 31 May 2002 09:18:04 -0600

On Thu, May 30, 2002 at 06:02:26PM -0700, Weber Mail wrote:
I want to be alerted when a specific event occurs. The rule I have made
triggers the alert correctly; however, it continues to alert like 4 or 5
times per second. My purpose is alerting upon a telnet connection to machine
x by machines x, y and z, then tcpdump.
It looks something like this:

var telclients [192.168.1.3/32,111.222.111.222/32,1.2.2.4/32]
var telservers [192.168.1.1/24]
alert tcp $telclients any -> $telservers any (msg:"Telnet session in progress";)
output log_tcpdump: telnets.log


The good news is the protocol is tcp, which is somewhat stateful, as in:

     State                                  Client Flags      Server Flags
                                            C|E|U|A|P|R|S|F   C|E|U|A|P|R|S|F
     ==================================================================
  1. Successful connection establishment    0|0|0|0|0|0|S|0
                                                              0|0|0|A|0|0|S|0
                                            0|0|0|A|0|0|0|0

  2. Data transfer (it's a 2 way street)            0|0|0|A|X|0|0|0
                                                    0|0|X|A|X|0|0|0

  3. Connection termination (ditto)                 0|0|0|A|X|0|0|F
                                                    0|0|0|A|0|0|0|F
                                                    0|0|0|A|0|0|0|0

I'd prefer an alert upon the initial connection, and an alert on any new
connection, but I currently get like 5 alerts per second on just 1
connection.

All tcp "connections" are "new"; snort does not keep track of the first time
it saw a connection versus subsequent connections.

I'd change the rule to just alert on the initial SYN packet (also, I'd change
the service port to telnet (23) to match your names for the other variables
and logfile name). Otherwise, you will get a lot more than you bargained for.

var telclients [192.168.1.3/32,111.222.111.222/32,1.2.2.4/32]
var telservers [192.168.1.1/24]
var TELNET 23

output log_tcpdump: telnets.log

alert tcp $telclients any -> $telservers $TELNET (msg:"Telnet session in progress"; flags:S;)


Any ideas?

Don


_______________________________________________________________

Don't miss the 2002 Sprint PCS Application Developer's Conference
August 25-28 in Las Vegas -- http://devcon.sprintpcs.com/adp/index.cfm

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Phil Wood, cpw () lanl gov
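To make the difference between the two rules concrete, here is an added example (not code from the thread or from Snort itself) that models Snort's `flags:` option semantics and replays both rules over a hand-built telnet connection following Phil's state table. A plain `flags:S` means exactly SYN and nothing else; `+` means the named bits plus any others, `*` any of the named bits, `!` none of them, and a trailing `,12` tells Snort to ignore the two reserved (ECN) bits. All addresses, ports and packets are constructed sample data; the `Packet`/`Rule` classes are this example's own and not a Snort API.

```python
"""Snort-style `flags:` matching applied to a constructed telnet session.

Added example for this thread; not code from the original post or from Snort.
It models the semantics of Snort's `flags:` rule option and runs the thread's
two rules over a hand-built packet list.  All addresses, ports and packets are
constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Snort's flag letters; "1" and "2" are the reserved (now ECN CWR/ECE) bits,
# "0" means "no flags set".
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80, "0": 0x00}
FIN, SYN, PSH, ACK, ECE, CWR = 0x01, 0x02, 0x08, 0x10, 0x40, 0x80


def flags_option_matches(option: str, tcp_flags: int) -> bool:
    """Evaluate the value of a Snort `flags:` option against a TCP flag byte."""
    spec, _, ignore = option.replace(" ", "").partition(",")
    modifier = next((c for c in spec if c in "!*+"), "")   # Snort accepts A+ or +A
    want = sum(FLAG_BITS[c] for c in spec if c in FLAG_BITS)
    mask = 0xFF & ~sum(FLAG_BITS[c] for c in ignore)        # bits told to ignore
    have = tcp_flags & mask
    if modifier == "!":
        return have & want == 0
    if modifier == "*":
        return have & want != 0
    if modifier == "+":
        return have & want == want
    return have == want            # plain `flags:S` means *exactly* SYN


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


@dataclass(frozen=True)
class Rule:
    msg: str
    src_nets: Tuple[str, ...]
    dst_nets: Tuple[str, ...]
    dport: Optional[int] = None     # None models Snort's "any"
    flags: Optional[str] = None     # value of the flags: option, if present

    def matches(self, pkt: Packet) -> bool:
        # strict=False masks host bits the way Snort treats 192.168.1.1/24
        in_src = any(ip_address(pkt.src) in ip_network(n, strict=False) for n in self.src_nets)
        in_dst = any(ip_address(pkt.dst) in ip_network(n, strict=False) for n in self.dst_nets)
        if not (in_src and in_dst):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return self.flags is None or flags_option_matches(self.flags, pkt.flags)


def telnet_session(client: str, server: str, sport: int = 40000,
                   syn_flags: int = SYN) -> List[Packet]:
    """One complete telnet connection, following the state table in the thread."""
    def c2s(f): return Packet(client, sport, server, 23, f)
    def s2c(f): return Packet(server, 23, client, sport, f)
    return [c2s(syn_flags), s2c(SYN | ACK), c2s(ACK),                      # 1. handshake
            c2s(PSH | ACK), s2c(PSH | ACK), c2s(PSH | ACK), s2c(PSH | ACK), c2s(PSH | ACK),  # 2. data
            c2s(FIN | ACK), s2c(FIN | ACK), c2s(ACK)]                      # 3. termination


def count_alerts(rule: Rule, packets: List[Packet]) -> int:
    """Number of alerts a rule raises over a packet list (one per matching packet)."""
    return sum(1 for p in packets if rule.matches(p))


TELCLIENTS = ("192.168.1.3/32", "111.222.111.222/32", "1.2.2.4/32")
TELSERVERS = ("192.168.1.1/24",)

# Don's rule: every client->server packet, any port, no flag check.
DON_RULE = Rule("Telnet session in progress", TELCLIENTS, TELSERVERS)
# Phil's rule: only a bare SYN to port 23.
PHIL_RULE = Rule("Telnet session in progress", TELCLIENTS, TELSERVERS, dport=23, flags="S")
# Same, but ignoring the reserved bits so an ECN-negotiating SYN (SYN+ECE+CWR) still fires.
ECN_TOLERANT_RULE = Rule("Telnet session in progress", TELCLIENTS, TELSERVERS, dport=23, flags="S,12")

PLAIN_SESSION = telnet_session("192.168.1.3", "192.168.1.1")
ECN_SESSION = telnet_session("1.2.2.4", "192.168.1.1", sport=40001, syn_flags=SYN | ECE | CWR)

if __name__ == "__main__":
    for name, rule in [("Don", DON_RULE), ("Phil", PHIL_RULE), ("Phil+mask", ECN_TOLERANT_RULE)]:
        print(f"{name:10s} plain SYN: {count_alerts(rule, PLAIN_SESSION)} alerts,"
              f" ECN SYN: {count_alerts(rule, ECN_SESSION)} alerts")
```

Over one connection Don's rule fires on all seven client-to-server packets (the handshake SYN and ACK, three data segments, FIN and final ACK), which is the per-packet flood he describes; Phil's `flags:S` fires once, on the SYN. The caveat the masked variant shows: an exact `flags:S` silently misses a SYN that carries the ECN bits, so `flags:S,12` (or the looser `flags:S+`) is the safer way to write "initial SYN". Neither form gives Snort connection memory, so a retransmitted SYN still produces a second alert.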


