Snort mailing list archives
Re: Alerting on internal TCP connection attempts to non-existent services or hosts .
From: "Stark, Vernon L." <Vernon.Stark () jhuapl edu>
Date: Tue, 3 Dec 2013 16:59:21 -0500
We have good luck with rules that look for the SYN packet used to begin a TCP session. So, you might try the following:

alert tcp any any -> any 3389 (sid:100000; msg:"RDP Detected"; flags:S; )

Vern

-----Original Message-----
From: James Lay [mailto:jlay () slave-tothe-box net]
Sent: Tuesday, December 03, 2013 4:51 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Alerting on internal TCP connection attempts to non-existent services or hosts .

On 2013-12-03 06:58, Jonathan Heard wrote:
Alerting on internal TCP connection attempts to non-existent services or hosts

Hi All,

I'm trying to configure snort in a closed network (i.e. no internet) and I really want to be able to receive alerts if snort ever sees particular types of connection on the wire, regardless of whether it actually reaches a host. e.g. If someone so much as tries to establish a telnet or ftp connection from an internal host to any ip address, I want to know about it.

Snort is running in passive mode and is receiving all traffic for analysis via an ERSPAN session (i.e. snort is decoding almost 100% GRE inbound). It's version "2.9.5.3 GRE (Build 132)" and I compiled it myself from source using mainly the default config options.

At present a rule such as:

alert tcp any any -> any 3389 (sid:100000; msg:"RDP Detected";)

...only fires when I establish a successful TCP connection between two hosts on the Monitored VLAN - This includes just using 'telnet <ip_address> 3389'. However if I use the IP address of either a non-existent server in the subnet, or a server which is not listening on port 3389 then snort doesn't log any alerts for this rule :-(

If I run 'snort -v' I can see the captured TCP packet leaving the host which initiated the connection, so I know snort is seeing it - But I cannot find a way to make it react. The packet is represented by snort -v as follows (with some info redacted):

<Date/Time> <SRC_IP>:58978 -> <DEST_IP>:3389
TCP TTL: 128 TOS:0x0 ID:XXXXX IpLen: 20 DgmLen:52 DF
******S* Seq: 0xXXXXXXXX Ack: 0x0 Win: 0x2000 TcpLen: 32
TCP Options (6) => MSS: 1260 NOP WS: 8 NOP NOP SackOK

I'm using the snort.conf which comes with the snort free subscription ruleset - I've tried stripping it back to a very basic config with most of the preprocessors and stock rules disabled but the behaviour remains the same.

Is it possible to achieve this and if so how please?

Many Thanks in advance

Jonathan
Wonder if something like the below would work:

alert tcp any 3389 -> any any (msg:"RDP RST Packet Detected"; flow:stateless; flags:RA+; sid:100000;)

This should alert on the reset packet sent from the machine that doesn't have 3389 open on it.

James

------------------------------------------------------------------------------
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
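The thread turns on what the two proposed rules actually test: Vern's rule matches the client's own SYN (`flags:S`), so it fires even when no host answers, while James's rule matches the RST/ACK (`flags:RA+`) that only a live host with the port closed will send back. The script below is an added illustration written for this page, not code from any of the posters or from the Snort project; it builds a few constructed IPv4/TCP headers, parses them, and re-implements just enough of Snort's `flags:` semantics (exact match, `+` for "these plus any others", `*` for "any of these", `!` for negation; reserved-bit selectors are not handled) to show which of the two rules fires on each packet. All host addresses, ports and function names are assumptions.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# TCP flag bits (low six bits of byte 13 of the TCP header)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_BITS = {"F": FIN, "S": SYN, "R": RST, "P": PSH, "A": ACK, "U": URG}


@dataclass
class TcpPacket:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: int


def build_ipv4_tcp(src_ip: str, src_port: int, dst_ip: str, dst_port: int, flags: int) -> bytes:
    """Build a minimal IPv4 + TCP header pair (no options, checksums left zero).
    Constructed test data only; these bytes are not a capture from the thread."""
    ip_len, tcp_len = 20, 20
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    # version/IHL, TOS, total length, ID, flags+frag (DF), TTL 128, proto 6 (TCP), checksum, addrs
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len + tcp_len, 0, 0x4000, 128, 6, 0, src, dst)
    # ports, seq, ack, data offset (5 words), flags, window, checksum, urgent pointer
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, (tcp_len // 4) << 4, flags, 0x2000, 0, 0)
    return ip + tcp


def parse_ipv4_tcp(raw: bytes) -> Optional[TcpPacket]:
    """Return the TCP 4-tuple and flag bits, or None if the IPv4 payload is not TCP."""
    ihl = (raw[0] & 0x0F) * 4          # header length in bytes
    if raw[9] != 6:                     # protocol field: 6 = TCP
        return None
    src_ip = ".".join(str(b) for b in raw[12:16])
    dst_ip = ".".join(str(b) for b in raw[16:20])
    tcp = raw[ihl:]
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    flags = tcp[13] & 0x3F
    return TcpPacket(src_ip, src_port, dst_ip, dst_port, flags)


def flags_match(packet_flags: int, spec: str) -> bool:
    """Evaluate a Snort-style flags: value against a packet's flag bits.
    Plain letters require an exact match; '+' means these flags plus any others;
    '*' means any of these flags; a leading '!' negates the test.
    Assumption: the reserved-bit selectors (1, 2) and '0' are not implemented here."""
    negate = spec.startswith("!")
    body = spec[1:] if negate else spec
    modifier = body[-1] if body and body[-1] in "+*" else ""
    letters = body[:-1] if modifier else body
    mask = 0
    for ch in letters:
        mask |= FLAG_BITS[ch]
    if modifier == "+":
        hit = (packet_flags & mask) == mask
    elif modifier == "*":
        hit = (packet_flags & mask) != 0
    else:
        hit = packet_flags == mask
    return not hit if negate else hit


# The two rules from the thread, reduced to the header fields they test.
RULES = [
    {"msg": "RDP Detected", "dst_port": 3389, "flags": "S"},              # Vern's SYN rule
    {"msg": "RDP RST Packet Detected", "src_port": 3389, "flags": "RA+"},  # James's RST rule
]


def evaluate(raw: bytes) -> List[str]:
    """Return the msg of every rule that fires on this packet."""
    pkt = parse_ipv4_tcp(raw)
    if pkt is None:
        return []
    hits = []
    for rule in RULES:
        if "dst_port" in rule and pkt.dst_port != rule["dst_port"]:
            continue
        if "src_port" in rule and pkt.src_port != rule["src_port"]:
            continue
        if flags_match(pkt.flags, rule["flags"]):
            hits.append(rule["msg"])
    return hits


# Constructed packets for the three cases the thread describes (addresses are made up).
CLIENT_SYN = build_ipv4_tcp("10.0.0.5", 58978, "10.0.0.99", 3389, SYN)            # client's first packet
SERVER_RST = build_ipv4_tcp("10.0.0.99", 3389, "10.0.0.5", 58978, RST | ACK)      # closed port answers
SERVER_SYNACK = build_ipv4_tcp("10.0.0.99", 3389, "10.0.0.5", 58978, SYN | ACK)   # open port answers

if __name__ == "__main__":
    for name, raw in [("SYN", CLIENT_SYN), ("RST/ACK", SERVER_RST), ("SYN/ACK", SERVER_SYNACK)]:
        print(name, "->", evaluate(raw))
```

Running it shows the practical difference between the two suggestions: the SYN rule fires on the client's packet alone, which is what Jonathan needs for a destination that does not exist (an unanswered SYN produces no RST at all), while the RST/ACK rule only fires when a reachable host refuses the port, so it is a complement rather than a replacement. Note that `flags:S` is an exact match, so a SYN carrying other flag bits would not trigger it; `S+` would.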
Current thread:
- Alerting on internal TCP connection attempts to non-existent services or hosts . Jonathan Heard (Dec 03)
- Re: Alerting on internal TCP connection attempts to non-existent services or hosts . James Lay (Dec 03)
- Re: Alerting on internal TCP connection attempts to non-existent services or hosts . Stark, Vernon L. (Dec 03)
- Re: Alerting on internal TCP connection attemptsto non-existent services or hosts . . Jonathan Heard (Dec 05)
- Re: Alerting on internal TCP connection attempts to non-existent services or hosts . Stark, Vernon L. (Dec 03)
- Re: Alerting on internal TCP connection attempts to non-existent services or hosts . James Lay (Dec 03)