Snort mailing list archives

Alert Rule for Packet Crafting Tool


From: "Erickson Brent W KPWA" <erickson () kpt nuwc navy mil>
Date: Sat, 10 Nov 2001 15:00:47 -0800

Hello Snorters,

I am trying to write an alert rule for capturing possible packet crafting
tools.

For example, if I run HPING like so:

hping -V -c 1 -S -p 21 host

I will send a TCP packet to port 21 with the SYN flag set and no TCP options
with a datagram length of 40 bytes, which is almost never seen from any
operating system on an initial SYN packet. Almost all if not all operating
systems will set various TCP options for a datagram length of 44 to 60
bytes.

I know how to do this with BPF filters and Snort, but the problem is if I
run the BPF filter call along with the normal rules and the BPF filter
triggers, I won't know what IP addressed folder holds the event that
triggered the filter.

I thought I could write a Snort alert rule for this using dsize, but dsize
checks the packet data payload.

Does anyone have any ideas?

Thank you for your time and help.

Brent Erickson
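As an added example (not from the original post and not Snort code), the condition described above expressed as a check on raw packet bytes: IPv4 total length 40, a 20-byte TCP header with no options, and SYN-only flags. `build_syn` and `inspect_syn` are hypothetical helper names; the packets are constructed inline with zeroed checksums, not captured traffic.

```python
import struct

IP_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options
TCP_FMT = "!HHIIHHHH"      # 20-byte TCP header without options

def build_syn(options: bytes = b"") -> bytes:
    """Construct a minimal IPv4+TCP SYN to port 21 (constructed sample; checksums left as 0)."""
    assert len(options) % 4 == 0, "TCP options must be padded to a 4-byte multiple"
    tcp_len = 20 + len(options)
    ip = struct.pack(IP_FMT, 0x45, 0, 20 + tcp_len, 0x1234, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    off_flags = ((tcp_len // 4) << 12) | 0x02          # data offset in words, SYN flag
    tcp = struct.pack(TCP_FMT, 40000, 21, 0, 0, off_flags, 512, 0, 0)
    return ip + tcp + options

def inspect_syn(pkt: bytes) -> dict:
    """Report IP total length, TCP header length and flags; 'suspicious' is True
    for a SYN-only segment with no TCP options inside a 40-byte datagram."""
    result = {"ip_total_len": None, "tcp_hdr_len": None, "syn_only": False, "suspicious": False}
    if len(pkt) < 20:
        return result
    ver_ihl, _, total_len, _, _, _, proto, _, _, _ = struct.unpack(IP_FMT, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    result["ip_total_len"] = total_len
    if (ver_ihl >> 4) != 4 or proto != 6 or len(pkt) < ihl + 20:
        return result
    _, _, _, _, off_flags, _, _, _ = struct.unpack(TCP_FMT, pkt[ihl:ihl + 20])
    tcp_hdr_len = (off_flags >> 12) * 4
    flags = off_flags & 0x3F                              # FIN SYN RST PSH ACK URG
    result["tcp_hdr_len"] = tcp_hdr_len
    result["syn_only"] = flags == 0x02
    # dsize-style payload checks see 0 bytes in both cases; the datagram length tells them apart.
    result["suspicious"] = (result["syn_only"] and tcp_hdr_len == 20
                            and ihl == 20 and total_len == 40)
    return result

if __name__ == "__main__":
    bare = build_syn()                                    # hping-style: 40-byte datagram
    with_mss = build_syn(b"\x02\x04\x05\xb4")             # typical OS SYN with an MSS option
    for name, pkt in (("bare", bare), ("mss", with_mss)):
        print(name, inspect_syn(pkt))
```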


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
