Snort mailing list archives
Re: Why can't I see tcp flags for a triggered alert (snort+base)
From: John Huss <john.huss () thebunker net>
Date: Wed, 21 Jan 2009 14:34:20 +0000
Hello,

Joel Esler wrote:
> Flags in a TCP packet are recorded. Can you post your snort.conf, command line start up, rule, and even a pcap?
> Joel
Sure thing, snort.conf copied below, stripped of comments for shortness:

------------------- /etc/snort/snort.conf -------------------

var HOME_NET [6.6.6.6/19,7.7.7.7/20]
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
var RULE_PATH /etc/snort/rules
config disable_tcpopt_experimental_alerts
dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/
dynamicengine /usr/lib/snort_dynamicengine/libsf_engine.so
preprocessor flow: stats_interval 0 hash 2
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128
include classification.config
include reference.config
include $RULE_PATH/local.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules

------------------- cli-startup -------------------

/usr/bin/snort -D -u snort -i eth1 -l /var/log/snort -c /etc/snort/snort.conf

------------------- my first rule -------------------

Be kind please, it's my first attempt! ;) (from local.rules)

alert tcp any any -> 1.2.3.4 22 (msg: "Johnny Alert 1"; \
    sid:1007502; rev:1; classtype:denial-of-service; priority:10; flags:S;)
# With this rule, my aim is for it to alert when it matches traffic hitting 1.2.3.4 port 22 with the SYN flag set.

------------------- pcap -------------------

(Is tcpdump copy and paste ok?)
14:23:10.507755 IP mr.attacker.naughty.com.58905 > 1.2.3.4.ssh: S 227433107:227433107(0) win 4096
14:23:10.508114 IP 1.2.3.4.ssh > mr.attacker.naughty.com.58905: S 951878926:951878926(0) ack 227433108 win 65535 <mss 1460>
14:23:10.514148 IP mr.attacker.naughty.com.58906 > 1.2.3.4.ssh: S 1514290818:1514290818(0) win 4096
14:23:10.514332 IP 1.2.3.4.ssh > mr.attacker.naughty.com.58906: S 2294986114:2294986114(0) ack 1514290819 win 65535 <mss 1460>
14:23:10.516145 IP mr.attacker.naughty.com.58907 > 1.2.3.4.ssh: S 441396281:441396281(0) win 4096
14:23:10.516407 IP 1.2.3.4.ssh > mr.attacker.naughty.com.58907: S 1955258624:1955258624(0) ack 441396282 win 65535 <mss 1460>
14:23:10.520766 IP mr.attacker.naughty.com.58908 > 1.2.3.4.ssh: S 871792875:871792875(0) win 4096
14:23:10.521232 IP 1.2.3.4.ssh > mr.attacker.naughty.com.56040: S 136192523:136192523(0) ack 477563074 win 65535 <mss 1460>
14:23:10.521462 IP 1.2.3.4.ssh > mr.attacker.naughty.com.58908: S 262528392:262528392(0) ack 871792876 win 65535 <mss 1460>
14:23:10.522833 IP mr.attacker.naughty.com.58909 > 1.2.3.4.ssh: S 1051856133:1051856133(0) win 4096
14:23:10.523152 IP 1.2.3.4.ssh > mr.attacker.naughty.com.58909: S 2320831878:2320831878(0) ack 1051856134 win 65535 <mss 1460>

Hope that helps - and thanks again, any advice is very gratefully received.

Kind Regards,
Johnny
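To see which of the packets above the posted rule would actually alert on, the script below (an added example written for this thread; it is not code from the thread, from BASE or from the Snort project) parses the old-style one-line tcpdump output quoted in the post and applies the header and flags part of the rule. It goes beyond the single `flags:S` case: Snort's `flags:<mod><bits>[,<mask>]` option is modelled in full, so the default exact match, the `+`, `*` and `!` modifiers and the `,12` mask that ignores the reserved CWR/ECE bits can all be compared on the same packets. Assumptions: the first four packet lines mirror the post, the final ACK-only line is constructed here so that a non-SYN packet exists; the `ssh` to 22 mapping assumes tcpdump's usual service-name resolution; the tcpdump letters `W` and `E` are taken to be the CWR and ECE bits that Snort names `1` and `2`.

```python
"""Emulate the posted rule's 'flags:S' test against old-style tcpdump lines.

Added example for this thread; not code from the thread, from BASE or from Snort.
"""
import re
from dataclasses import dataclass

# Constructed sample: the first four lines mirror the post, the final ACK-only
# line is invented here so that at least one non-SYN packet is present.
SAMPLE = """\
14:23:10.507755 IP mr.attacker.naughty.com.58905 > 1.2.3.4.ssh: S 227433107:227433107(0) win 4096
14:23:10.508114 IP 1.2.3.4.ssh > mr.attacker.naughty.com.58905: S 951878926:951878926(0) ack 227433108 win 65535 <mss 1460>
14:23:10.514148 IP mr.attacker.naughty.com.58906 > 1.2.3.4.ssh: S 1514290818:1514290818(0) win 4096
14:23:10.514332 IP 1.2.3.4.ssh > mr.attacker.naughty.com.58906: S 2294986114:2294986114(0) ack 1514290819 win 65535 <mss 1460>
14:23:10.530000 IP mr.attacker.naughty.com.58905 > 1.2.3.4.ssh: . ack 951878927 win 4096
"""

# tcpdump prints well-known ports by name; only the one the sample needs is
# mapped (assumption: default /etc/services naming).
SERVICE_PORTS = {"ssh": 22}

# tcpdump flag letters -> Snort flag bits. Snort calls the ECN bits 1 (CWR) and
# 2 (ECE) (assumed mapping of tcpdump's W/E). ACK has no letter in this tcpdump
# format; it shows up as 'ack N' after the sequence numbers.
TCPDUMP_TO_SNORT = {"S": "S", "F": "F", "R": "R", "P": "P", "U": "U", "W": "1", "E": "2"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>\w+) > (?P<dst>\S+)\.(?P<dport>\w+): "
    r"(?P<flags>[SFRPUWE.]+)(?P<rest>.*)$"
)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # Snort flag letters: {"S"} for a pure SYN, {"S", "A"} for SYN/ACK


def port_number(token):
    """Turn tcpdump's port token (a number or a service name) into an integer."""
    return int(token) if token.isdigit() else SERVICE_PORTS[token]


def parse_tcpdump_line(line):
    """Parse one old-style tcpdump TCP line into a Packet."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("unrecognised tcpdump line: " + line)
    flags = {TCPDUMP_TO_SNORT[c] for c in m.group("flags") if c != "."}
    if " ack " in m.group("rest"):
        flags.add("A")
    return Packet(m.group("src"), port_number(m.group("sport")),
                  m.group("dst"), port_number(m.group("dport")), frozenset(flags))


def flags_match(packet_flags, spec):
    """Apply Snort's 'flags:<mod><bits>[,<mask>]' test to a set of flag letters.

    No modifier: the packet's flags must equal the listed bits exactly.
    '+': listed bits must be set, others are allowed.  '*': any listed bit.
    '!': none of the listed bits.  The mask names bits to ignore (e.g. 12).
    """
    bits, _, mask = spec.partition(",")
    modifier = bits[0] if bits and bits[0] in "+*!" else ""
    wanted = set(bits[len(modifier):]) - {"0"}   # 'flags:0' means no bits at all
    have = set(packet_flags) - set(mask)         # masked bits drop out of the comparison
    if modifier == "+":
        return wanted <= have
    if modifier == "*":
        return bool(wanted & have)
    if modifier == "!":
        return not (wanted & have)
    return have == wanted                        # default: exact match


def rule_matches(pkt, flags_spec="S", dst="1.2.3.4", dport=22):
    """Header + flags part of 'alert tcp any any -> 1.2.3.4 22 (... flags:S;)'.

    dst or dport may be "any" to relax the direction test and look at flags only.
    """
    return ((dst == "any" or pkt.dst == dst)
            and (dport == "any" or pkt.dport == dport)
            and flags_match(pkt.flags, flags_spec))


def matching_packets(text, flags_spec="S", dst="1.2.3.4", dport=22):
    """Return the packets in a block of tcpdump output that the rule would alert on."""
    return [p for p in map(parse_tcpdump_line, text.splitlines())
            if rule_matches(p, flags_spec, dst, dport)]


if __name__ == "__main__":
    total = len(SAMPLE.splitlines())
    for spec in ("S", "S,12", "+S", "SA", "A", "*SA", "!S"):
        hits = matching_packets(SAMPLE, spec, dst="any", dport="any")
        print(f"flags:{spec:<5} matches {len(hits)} of {total} packets (direction ignored)")
    print("posted rule (-> 1.2.3.4 22, flags:S):", len(matching_packets(SAMPLE)), "alerts")
```

Run as-is, only the two client SYNs satisfy the posted rule: the SYN/ACK replies fail both the direction test (they go from 1.2.3.4 back to the client) and the default exact-match flag test, which `+S` would relax. The `flags_match` helper also shows why rules are commonly written `flags:S,12` rather than `flags:S`: a SYN that arrives with the CWR/ECE bits set during ECN negotiation is not an exact match for `S` unless those bits are masked out.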