Snort mailing list archives

Re: Count TCP requirements to server.


From: "Guillermo Morales" <guillermomoralesp () gmail com>
Date: Wed, 21 Apr 2010 13:42:58 -0500

This last rule: 

alert tcp any any -> $SERVER_B any (msg:"Established connection to Server B
detected"; flow:established,to_server; flowbits:isnotset,serverBconnection;
flowbits:set,serverBconnection;sid:313370000; rev:2;)

means: 

The first established connection packet: check if it is not tagged with
"serverBconnection"; if it isn't, set "serverBconnection" and alert.
Next tagged packet: discard. Right?

-----Original Message-----
From: L0rd Ch0de1m0rt [mailto:l0rdch0de1m0rt () gmail com]
Sent: Wednesday, 21 April 2010 7:56
To: Guillermo Morales
Cc: snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] Count TCP requirements to server.

Hello.  While not super efficient, you could detect TCP SYN packets to
the server.  Of course, this doesn't mean a full connection has been
made, just a request for a connection.  Something like:

alert tcp any any -> $SERVER_B any (msg:"Connection to Server B
attempted"; flags:S; sid:313370000; rev:1;)

Depending on where the server sits and possible firewall rules in
front of it, this could lead to a lot of false positives from things
like scanners.  So instead of the above, you could detect the SYN/ACK
from the server (the second part of the TCP three way handshake).
This would only alert on connection attempts to valid (listening)
services:

alert tcp $SERVER_B any -> any any (msg:"Connection to Server B
accepted"; flags:S,A; sid:313370001; rev:1;)

There are other, also inefficient, ways.  What about this magic:

alert tcp any any -> $SERVER_B any (msg:"Established connection to
Server B detected"; flow:established,to_server;
flowbits:isnotset,serverBconnection;  flowbits:set,serverBconnection;
sid:313370000; rev:2;)

Hope this helps.

Cheers.

-L0rd Ch0de1m0rt

On Tue, Apr 20, 2010 at 7:46 PM, Guillermo Morales
<guillermomoralesp () gmail com> wrote:
Hi everybody.
I'm trying to create a local rule to count how many clients (A) establish a
connection to a server (B). But, after the connection is established, stop
counting and wait for a new connection from the same client or a different client.

I'm trying to do it with flags, but you can't do it.


------------------------------------------------------------------------------

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
------------------------------------------------------------------------------
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
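To make the difference between the three rules in this thread concrete, here is a small Python model (added here; it is not Snort code and not something any of the posters wrote) that replays a constructed packet trace through three rule functions that mirror the logic of the SYN rule, the SYN/ACK rule and the flow:established + flowbits rule. The server address, client addresses, ports and the trace itself are made up. Snort's stream tracking is approximated: a flow counts as established once the client's ACK completing the three-way handshake has been seen, a RST tears the flow down, and flags: is treated as an exact match on the flag set, which is how flags:S and flags:S,A behave by default.

```python
"""Model of the three Snort rules from the thread, replayed over a constructed trace.

Assumptions (not Snort internals): a flow is "established" after the client's
handshake ACK, RST removes the flow, and flags: is an exact match on the flag set.
"""
from dataclasses import dataclass, field

SERVER_B = "10.0.0.5"          # stands in for $SERVER_B; constructed address


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset          # subset of {"S", "A", "P", "R", "F"}


@dataclass
class Flow:
    client: tuple             # (ip, port) of the side that sent the SYN
    server: tuple
    state: str = "syn"        # syn -> syn_ack -> established
    flowbits: set = field(default_factory=set)


class Tracker:
    """Minimal stand-in for Snort's stream tracking: one Flow per connection."""

    def __init__(self):
        self.flows = {}

    @staticmethod
    def key(pkt):
        # direction-independent key so both sides of a connection map to one Flow
        return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})

    def update(self, pkt):
        k = self.key(pkt)
        if pkt.flags == {"S"}:                      # bare SYN opens a new flow
            self.flows[k] = Flow(client=(pkt.src, pkt.sport),
                                 server=(pkt.dst, pkt.dport))
            return self.flows[k]
        flow = self.flows.get(k)
        if flow is None:
            return None
        if "R" in pkt.flags:                        # RST tears the flow down
            del self.flows[k]
            return None
        if flow.state == "syn" and pkt.flags == {"S", "A"} \
                and (pkt.src, pkt.sport) == flow.server:
            flow.state = "syn_ack"
        elif flow.state == "syn_ack" and "A" in pkt.flags \
                and (pkt.src, pkt.sport) == flow.client:
            flow.state = "established"              # handshake complete
        return flow


# --- the three rules from the thread, as predicates over (packet, flow) ---

def rule_syn(pkt, flow):
    """alert tcp any any -> $SERVER_B any (flags:S;)  -- fires on every SYN, scans included."""
    return pkt.dst == SERVER_B and pkt.flags == {"S"}


def rule_syn_ack(pkt, flow):
    """alert tcp $SERVER_B any -> any any (flags:S,A;)  -- only listening ports answer SYN/ACK."""
    return pkt.src == SERVER_B and pkt.flags == {"S", "A"}


def rule_flowbits(pkt, flow):
    """flow:established,to_server; flowbits:isnotset,serverBconnection; flowbits:set,serverBconnection;"""
    if pkt.dst != SERVER_B or flow is None or flow.state != "established":
        return False
    if (pkt.src, pkt.sport) != flow.client:        # to_server: packet must come from the client side
        return False
    if "serverBconnection" in flow.flowbits:       # isnotset fails on every later packet of this flow
        return False
    flow.flowbits.add("serverBconnection")         # set, so the rule fires once per connection
    return True


def run_trace(packets):
    """Return, per rule, the indices of the packets it alerted on."""
    tracker = Tracker()
    hits = {"syn": [], "syn_ack": [], "flowbits": []}
    for i, pkt in enumerate(packets):
        flow = tracker.update(pkt)
        for name, rule in (("syn", rule_syn), ("syn_ack", rule_syn_ack), ("flowbits", rule_flowbits)):
            if rule(pkt, flow):
                hits[name].append(i)
    return hits


def handshake(client_ip, cport, dport):
    """Constructed full connection: SYN, SYN/ACK, ACK, then one data packet."""
    return [
        Packet(client_ip, cport, SERVER_B, dport, frozenset("S")),
        Packet(SERVER_B, dport, client_ip, cport, frozenset("SA")),
        Packet(client_ip, cport, SERVER_B, dport, frozenset("A")),
        Packet(client_ip, cport, SERVER_B, dport, frozenset("PA")),
    ]


# Constructed trace: two real connections to port 80 and one scan of a closed port 23.
TRACE = (
    handshake("192.0.2.10", 40000, 80)
    + [Packet("198.51.100.7", 50000, SERVER_B, 23, frozenset("S")),      # scanner SYN
       Packet(SERVER_B, 23, "198.51.100.7", 50000, frozenset("RA"))]     # closed port: RST/ACK
    + handshake("192.0.2.11", 40001, 80)
)

if __name__ == "__main__":
    for name, idx in run_trace(TRACE).items():
        print(f"{name:9s} alerted on packets {idx}")
```

Running it shows the point of the thread: the SYN rule fires three times (the scan counts), the SYN/ACK rule fires twice (only the listening port answered), and the flowbits rule fires exactly once per established connection and stays quiet for the rest of that flow, so it is the one that counts connections rather than packets.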