At 03:09 PM 8/18/2004, wbenetti@webslayer.net wrote:
I would like to write a snort rule that alarms on a TCP segment
that doesn't correspond to any established TCP session. I would also like
to take TCP SYNs out of consideration for this rule, since some of them
would be caught by a rule that does this.
To clarify: I occasionally see frames destined to a client machine
that have the proper seq/ack numbers and sockets, but the source address
is different than the IP address of the server that is servicing the
request. I believe that this is a bug in a hardware vendor, but I'd like
to write a rule to keep an eye on things. Is this something that snort
can detect?
use the detect_state_problems option to the stream4 preprocessor.. no need
to write a rule.
Other alternatives include using nearly any stateful firewall, such as
ipTables, and having a "last rule" which denies and logs all packets that
were not accepted as a part of open state sessions elsewhere. Cisco PIX
firewalls also log this kind of out-of-state packet if you have your log
level low enough.
However, be aware that there are a LOT of completely broken tcp stacks out
there, so you will generate a lot of log traffic this way.
-------------------------------------------------------
SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media
100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33
Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift.
http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
