Snort mailing list archives
RE: tracking failing TCP connection attempts with snort
From: "Jim Hendrick" <jrhendri () maine rr com>
Date: Wed, 17 Nov 2004 06:59:54 -0500
Thanks Stephane,

I really am looking for a way to monitor a live server that *should* respond with a SYN/ACK but for some reason fails (server down, etc., so it won't even send a RST).

I thought by using snort creatively, it could watch for the inbound SYN and put the attempt on a queue (by tagging the connection) so that it could alert *if* the server fails to send the ACK within a reasonable timeout (I picked 30 sec for the 3,6,12 increasing TCP retry count plus a little).

The other thought I have (crude however) is to log (or alert) on both the SYN and SYN/ACK and use perl to watch the log, adding the inbound to a connection hash table and starting a timer with alarm(). Then when the ACK comes in, remove the SYN from the table, and when the alarm() fires, spit out any entries that are still there. But it should be possible with snort preprocessors.

Thanks for the ideas though!

Jim

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of stephane nasdrovisky
Sent: Wednesday, November 17, 2004 2:23 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] tracking failing TCP connection attempts with snort

Jim Hendrick wrote:
> I am looking for a way to alert (or log) on failing incoming TCP connections.

alert both on tcp rst packets and icmp host (& port) unreachable (TCP/IP Illustrated by W. Richard Stevens is great if you don't want to read the ip, tcp & icmp related rfcs).

> For example, if an inbound connection attempts to connect to a server, and the server never responds, I'd like something that can alert.

It should never happen: the server will answer with a RST (or icmp port or proto unreachable) packet, or the previous hop (router) will generate an icmp host unreachable.

> I have been looking at using tagged connections, but I'm not sure how to set up the "alert if a connection is *not* established" logic. I know something like this will tag inbound connections from "host" for 30 seconds:
>
>   alert tcp any any -> $HTTP_SERVERS 80 (flags: S; \
>     tag: host, 30, seconds; msg: "incoming http session";)
>
> But how can I continue and say:
>
>   alert {"magic syntax here": tcp $HTTP_SERVERS 80 -> host \
>     (30 seconds and no SYN/ACK); msg: "failed HTTP connection attempt";)
Could be something like:

  alert tcp $HTTP_SERVERS 80 -> any any (flags: R; \
    msg: "outgoing http rst - http server down";)

But usually HTTP_SERVERS do not reply to port 80 with a RST packet, they answer the query.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
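The "crude" log-watching approach Jim sketches (log both the SYN and the SYN/ACK, keep unanswered SYNs in a hash table, report what is left when the timer fires) written out as an added example in Python rather than perl. This is not code from the thread or from the Snort project. It assumes two Snort rules writing to an alert_fast-style log: the SYN rule quoted above (msg "incoming http session") and a hypothetical companion rule with flags: SA whose msg is assumed to be "http syn/ack"; a third assumed msg, "http rst", covers Stephane's point that a RST is an answer (port closed) rather than a silent failure. The sample log lines are constructed.

```python
"""Replay Snort alert_fast lines and report inbound SYNs that never got a SYN/ACK.

Added example, not part of the thread.  Assumed rule msgs: SYN_MSG is the rule
quoted in the thread; SYNACK_MSG and RST_MSG are hypothetical companion rules.
"""
import re
from datetime import datetime

TIMEOUT = 30.0  # 3+6+12 s SYN retry backoff plus slack, the value picked in the thread

SYN_MSG = "incoming http session"  # msg of the SYN rule quoted in the thread
SYNACK_MSG = "http syn/ack"        # assumed msg of a companion rule with flags: SA
RST_MSG = "http rst"               # assumed msg of a flags: R rule; a RST is an
                                   # answer (port closed), not a silent failure

# alert_fast layout (Classification field optional); sample lines below are constructed
LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) \[\*\*\] \[[\d:]+\] (?P<msg>.*?) \[\*\*\] "
    r"(?:\[Classification: [^\]]*\] )?\[Priority: \d+\] \{TCP\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
EPOCH = datetime(1900, 1, 1)  # alert_fast timestamps carry no year; only deltas matter


def parse_line(line):
    """Return a dict for one alert_fast line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%m/%d-%H:%M:%S.%f")
    return {
        "ts": (ts - EPOCH).total_seconds(),
        "msg": m["msg"],
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
    }


def _expire(pending, now, timeout):
    """Pop every pending SYN older than timeout and return them as failures."""
    failed = []
    for key in [k for k, t0 in pending.items() if now - t0 >= timeout]:
        client, cport, server, port = key
        failed.append({"client": client, "cport": cport, "server": server,
                       "port": port, "syn_ts": pending.pop(key)})
    return failed


def find_failed_connections(lines, timeout=TIMEOUT, now=None):
    """Replay alert lines; return SYNs with no SYN/ACK (or RST) within timeout.

    `now` is the clock to expire against after the last line (a live tailer
    would pass time.time() on each alarm tick); it defaults to the last event.
    """
    pending = {}  # (client, cport, server, port) -> timestamp of first SYN
    failed = []
    last_ts = None
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        last_ts = ev["ts"]
        failed.extend(_expire(pending, ev["ts"], timeout))  # clock advanced
        if ev["msg"] == SYN_MSG:
            key = (ev["src"], ev["sport"], ev["dst"], ev["dport"])
            pending.setdefault(key, ev["ts"])  # a retransmitted SYN keeps the first timer
        elif ev["msg"] in (SYNACK_MSG, RST_MSG):
            # server -> client, so reverse the tuple to find the matching SYN
            pending.pop((ev["dst"], ev["dport"], ev["src"], ev["sport"]), None)
    if now is None:
        now = last_ts
    if now is not None:
        failed.extend(_expire(pending, now, timeout))
    return failed


# Constructed sample log: 10.0.0.5 is answered at once, 10.0.0.7 retransmits its
# SYN and is never answered, 10.0.0.9 is answered half a second later.
SAMPLE_LINES = [
    "11/17-06:59:00.000000 [**] [1:1000001:0] incoming http session [**] [Priority: 0] {TCP} 10.0.0.5:43210 -> 192.168.1.10:80",
    "11/17-06:59:00.010000 [**] [1:1000002:0] http syn/ack [**] [Priority: 0] {TCP} 192.168.1.10:80 -> 10.0.0.5:43210",
    "11/17-06:59:05.000000 [**] [1:1000001:0] incoming http session [**] [Priority: 0] {TCP} 10.0.0.7:51000 -> 192.168.1.20:80",
    "11/17-06:59:08.000000 [**] [1:1000001:0] incoming http session [**] [Priority: 0] {TCP} 10.0.0.7:51000 -> 192.168.1.20:80",
    "11/17-06:59:40.000000 [**] [1:1000001:0] incoming http session [**] [Priority: 0] {TCP} 10.0.0.9:52000 -> 192.168.1.10:80",
    "11/17-06:59:40.500000 [**] [1:1000002:0] http syn/ack [**] [Priority: 0] {TCP} 192.168.1.10:80 -> 10.0.0.9:52000",
]

if __name__ == "__main__":
    for f in find_failed_connections(SAMPLE_LINES):
        print("failed HTTP connection attempt: %s:%d -> %s:%d"
              % (f["client"], f["cport"], f["server"], f["port"]))
```

Run against the constructed log it reports only 10.0.0.7:51000 -> 192.168.1.20:80. Two points from the thread are visible in the logic: the table is keyed on the full 4-tuple so the SYN/ACK is matched by reversing source and destination, and a retransmitted SYN does not restart the 30-second clock, otherwise a host retrying on the 3,6,12 schedule would never be reported. Entries still pending at the end of the replay are only reported once `now` has passed their timeout, so a tailer that calls this on each alarm() tick with the current time will not flag connections that are merely young.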
Current thread:
- tracking failing TCP connection attempts with snort Jim Hendrick (Nov 16)
- Re: tracking failing TCP connection attempts with snort stephane nasdrovisky (Nov 16)
- RE: tracking failing TCP connection attempts with snort Jim Hendrick (Nov 17)
- Re: tracking failing TCP connection attempts with snort stephane nasdrovisky (Nov 16)