Snort mailing list archives
Re: Count TCP requeriments to server.
From: Guillermo Morales <guillermomoralesp () gmail com>
Date: Thu, 22 Apr 2010 11:18:28 -0500
It works. Thank you.

2010/4/21 L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com>

> Hello. Yes, you are correct. Subsequent packets will not alert this rule since it will only alert if serverBconnection is not set, and the first time a packet is detected from an established connection, an alert does happen and the serverBconnection flag is set using 'flowbits:set,serverBconnection;'. I haven't tested it but I think it will work. Of course you will also need to have the $SERVER_B variable set correctly or tweak the variable name as necessary for your environment. Make sense?
>
> Cheers.
> -L0rd Ch0de1m0rt
>
> On Wed, Apr 21, 2010 at 1:42 PM, Guillermo Morales <guillermomoralesp () gmail com> wrote:
>> This last rule:
>>
>> alert tcp any any -> $SERVER_B any (msg:"Established connection to Server B detected"; flow:established,to_server; flowbits:isnotset,serverBconnection; flowbits:set,serverBconnection; sid:313370000; rev:2;)
>>
>> means: the first established connection packet: check if it is not tagged with "serverBconnection"; if it isn't, set "serverBconnection" and alert. Next packet tagged, discard. Right?
>>
>> -----Original Message-----
>> From: L0rd Ch0de1m0rt [mailto:l0rdch0de1m0rt () gmail com]
>> Sent: Wednesday, 21 April 2010 7:56
>> To: Guillermo Morales
>> CC: snort-sigs () lists sourceforge net
>> Subject: Re: [Snort-sigs] Count TCP requeriments to server.
>>
>> Hello. While not super efficient, you could detect TCP SYN packets to the server. Of course, this doesn't mean a full connection has been made, just a request for a connection. Something like:
>>
>> alert tcp any any -> $SERVER_B any (msg:"Connection to Server B attempted"; flags:S; sid:313370000; rev:1;)
>>
>> Depending on where the server sits and possible firewall rules in front of it, this could lead to a lot of false positives from things like scanners. So instead of the above, you could detect the SYN/ACK from the server (the second part of the TCP three-way handshake). This would only alert on connection attempts to valid (listening) services:
>>
>> alert tcp $SERVER_B any -> any any (msg:"Connection to Server B accepted"; flags:S,A; sid:313370001; rev:1;)
>>
>> There are other, also inefficient, ways. What about this magic:
>>
>> alert tcp any any -> $SERVER_B any (msg:"Established connection to Server B detected"; flow:established,to_server; flowbits:isnotset,serverBconnection; flowbits:set,serverBconnection; sid:313370000; rev:2;)
>>
>> Hope this helps.
>>
>> Cheers.
>> -L0rd Ch0de1m0rt
>>
>> On Tue, Apr 20, 2010 at 7:46 PM, Guillermo Morales <guillermomoralesp () gmail com> wrote:
>>> Hi everybody. I'm trying to create a local rule to count how many clients (A) establish a connection to a server (B). But after the connection is established, stop counting and wait for a new connection from the same client or a different client. I'm trying to make it with flags but you can't do it.
------------------------------------------------------------------------------
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs
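To see why the flowbits rule in the thread fires once per connection rather than once per packet, here is an added example (not from the thread or from Snort): a small Python model of per-session flowbits run over constructed packets. The 10.0.x.x addresses, the SERVER_B stand-in for $SERVER_B and the crude handshake tracker are assumptions standing in for Snort's stream preprocessor.

```python
from dataclasses import dataclass, field

SERVER_B = "10.0.0.5"      # assumed stand-in for the $SERVER_B variable
FLAG = "serverBconnection"  # the flowbit name used in the thread's rule

@dataclass
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags as letters, e.g. "S", "SA", "A", "PA", "FA", "R"

@dataclass
class Session:
    syn: bool = False
    synack: bool = False
    established: bool = False
    bits: set = field(default_factory=set)  # flowbits live per session, not globally

def flow_key(p):
    # one key for both directions, the way a session tracker sees a flow
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

def count_connections(packets):
    """Apply the flowbits rule to a packet list; return one (client, port) per alert."""
    sessions, alerts = {}, []
    for p in packets:
        s = sessions.setdefault(flow_key(p), Session())
        # crude 3-way handshake tracker standing in for the stream preprocessor
        if p.flags == "S":
            s.syn = True
        elif p.flags == "SA" and s.syn:
            s.synack = True
        elif "A" in p.flags and s.synack:
            s.established = True
        # rule: flow:established,to_server; flowbits:isnotset,FLAG; flowbits:set,FLAG
        if s.established and p.dst == SERVER_B and FLAG not in s.bits:
            s.bits.add(FLAG)               # later packets on this session no longer match
            alerts.append((p.src, p.sport))
        if "F" in p.flags or "R" in p.flags:
            del sessions[flow_key(p)]      # teardown: a new connection starts clean
    return alerts

def handshake(client, port):
    # constructed packets: full handshake, one data packet, then a client FIN
    return [Pkt(client, port, SERVER_B, 80, "S"), Pkt(SERVER_B, 80, client, port, "SA"),
            Pkt(client, port, SERVER_B, 80, "A"), Pkt(client, port, SERVER_B, 80, "PA"),
            Pkt(client, port, SERVER_B, 80, "FA")]

# constructed traffic: same client twice, a second client, and a lone scanner SYN
SAMPLE = (handshake("10.0.1.10", 40001) + handshake("10.0.1.10", 40002)
          + handshake("10.0.1.20", 50001) + [Pkt("10.0.9.9", 1234, SERVER_B, 80, "S")])
```

Three alerts come out of SAMPLE, one per completed connection, while the scanner's bare SYN never matches because its session is never established.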
Current thread:
- Count TCP requeriments to server. Guillermo Morales (Apr 20)
- Re: Count TCP requeriments to server. L0rd Ch0de1m0rt (Apr 21)
- Re: Count TCP requeriments to server. Guillermo Morales (Apr 21)
- Re: Count TCP requeriments to server. L0rd Ch0de1m0rt (Apr 21)
- Re: Count TCP requeriments to server. Guillermo Morales (Apr 22)
- Re: Count TCP requeriments to server. Guillermo Morales (Apr 21)
- Re: Count TCP requeriments to server. L0rd Ch0de1m0rt (Apr 21)