Re: Count TCP requeriments to server.

[L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com>]

Hello.  Yes, you are correct.  Subsequent packets will not alert this
rule since it will only alert if serverBconnection is not set and the
first time a packet is detected from an established connection, an
alert does happen and the serverBconnection flag is set using
'flowbits:set,serverBconnection;'.  I haven't tested it but I think it
will work.  Of course you will also need to have the $SERVER_B
variable set correctly or tweak the variable name as necessary for
your environment.

Make sense?

Cheers.

-L0rd Ch0de1m0rt

On Wed, Apr 21, 2010 at 1:42 PM, Guillermo Morales
<guillermomoralesp () gmail com> wrote:
> This last rule:
>
> alert tcp any any -> $SERVER_B any (msg:"Established connection to Server B
> detected"; flow:established,to_server; flowbits:isnotset,serverBconnection;
> flowbits:set,serverBconnection;sid:313370000; rev:2;)
>
> means:
>
> The first established connection packet: check if it is not tagged with
> "serverBconnection", if it isnt, set = "serverBconnection" and alert.
> Next packet tagged discard. Rigth?
>
>
>
>
>
> -----Mensaje original-----
> De: L0rd Ch0de1m0rt [mailto:l0rdch0de1m0rt () gmail com]
> Enviado el: Miércoles, 21 de Abril de 2010 7:56
> Para: Guillermo Morales
> CC: snort-sigs () lists sourceforge net
> Asunto: Re: [Snort-sigs] Count TCP requeriments to server.
>
> Hello.  While not super efficient, you could detect TCP SYN packets to
> the server.  Of course, this doesn't mean a full connection has been
> made, just a request for a connection.  Something like:
>
> alert tcp any any -> $SERVER_B any (msg:"Connection to Server B
> attempted"; flags:S; sid:313370000; rev:1;)
>
> Depending on where the server sits and possible firewall rules in
> front of it, this could lead to a lot of false positives from things
> like scanners.  So instead of the above, you could detect the SYN/ACK
> from the server (the second part of the TCP three way handshake).
> This would only only alert on connection attempts to valid (listening)
> services:
>
> alert tcp $SERVER_B any -> any any (msg:"Connection to Server B
> accepted"; flags:S,A; sid:313370001; rev:1;)
>
> There are also other, also inefficient ways.  What about this magic:
>
> alert tcp any any -> $SERVER_B any (msg:"Established connection to
> Server B detected"; flow:established,to_server;
> flowbits:isnotset,serverBconnection;  flowbits:set,serverBconnection;
> sid:313370000; rev:2;)
>
> Hope this helps.
>
> Cheers.
>
> -L0rd Ch0de1m0rt
>
> On Tue, Apr 20, 2010 at 7:46 PM, Guillermo Morales
> <guillermomoralesp () gmail com> wrote:
> > Hi everybody.
> > I trying to create a local rule to count how clients (A) establish
> > connection to a server (B). But, after established connection, stop count
> > and wait for a new connection from same client o diferent client.
> >
> > I trying to make it with flags but u cant do it.
> ----------------------------------------------------------------------------
> --
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs () lists sourceforge net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs

------------------------------------------------------------------------------
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs