Snort mailing list archives

Can you tag thresholded sessions?


From: Paul Schmehl <pschmehl_lists () tx rr com>
Date: Thu, 25 Aug 2011 15:03:55 -0500

I wrote a rule a long, long time ago.  Recently we got some hits, and we 
were curious to see what was going on.

Here's the original rule:
# Rule to catch non-authorized mail servers sending mail
alert tcp !$SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"Unauthorized mail server - possible trojan"; flags:S; threshold: type both, track by_src, count 10, seconds 60; classtype:misc-activity; sid:1000002; rev:1;)

And here's the modified rule:

# Rule to catch non-authorized mail servers sending mail
alert tcp !$SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"Unauthorized mail server - possible trojan"; flags:S; threshold: type both, track by_src, count 10, seconds 60; tag:session,15,packets; classtype:misc-activity; sid:1000002; rev:2;)

As you can see, I added tagging to track sessions.  But, we're not getting the 
tracking.  I looked in the README.tag and README.thresholding docs but 
didn't see a mention of the other in either.  Is it not possible to tag 
sessions when thresholding is used in the rule?  Or is it because I'm 
looking for the SYN flag?

-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
"There are some ideas so wrong that only a very
intelligent person could believe in them." George Orwell
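An added simulation (not part of Paul's post or of Snort's own code) of how the documented threshold and tag options in this rule interact over a constructed stream of SYN and data packets. It assumes the README.thresholding description of "type both" (alert once per window, on the count-th matching packet) and that the tag count covers packets after the alerting one; it shows that the only session the tag can attach to is the one carrying the 10th SYN in the window.

```python
# Constructed model of "threshold: type both, track by_src, count 10,
# seconds 60" plus "tag:session,15,packets" for the rule in the post.
# Packet format: (timestamp, src_ip, session_id, tcp_flags). Addresses and
# session ids are made up for the example.
COUNT, SECONDS, TAG_N = 10, 60, 15   # values taken from the rule


def rule_matches(pkt):
    """Rule body: only packets with just the SYN flag set (flags:S)."""
    return pkt[3] == "S"


def threshold_both(packets, count=COUNT, seconds=SECONDS):
    """Return the packets on which an alert fires: per source, once per
    window, on the count-th matching packet (README.thresholding 'both')."""
    win = {}            # src -> [window_start, hits, already_alerted]
    alerts = []
    for p in packets:
        if not rule_matches(p):
            continue
        ts, src = p[0], p[1]
        st = win.get(src)
        if st is None or ts - st[0] >= seconds:
            st = win[src] = [ts, 0, False]   # open a fresh window
        st[1] += 1
        if st[1] >= count and not st[2]:
            st[2] = True
            alerts.append(p)
    return alerts


def tagged_packets(packets, alerts, n=TAG_N):
    """tag:session,n,packets: up to n further packets of the session that
    raised each alert (assumption: the alerting packet is not counted)."""
    tagged = []
    for a in alerts:
        same = [p for p in packets if p[2] == a[2] and p[0] > a[0]]
        tagged.extend(same[:n])
    return tagged


def constructed_stream():
    """12 SMTP connections from one host within 30 s: each a SYN then 3
    data packets, so only the 10th SYN (session s9) reaches the threshold."""
    pkts = []
    for i in range(12):
        t0 = i * 2.5
        pkts.append((t0, "10.0.0.5", f"s{i}", "S"))
        pkts += [(t0 + 0.1 * k, "10.0.0.5", f"s{i}", "PA") for k in (1, 2, 3)]
    return sorted(pkts)


if __name__ == "__main__":
    stream = constructed_stream()
    alerts = threshold_both(stream)
    print(alerts)                            # one alert, on session s9
    print(tagged_packets(stream, alerts))    # the 3 data packets of s9
```

The nine earlier sessions in the window never alert, so nothing in them is ever tagged; only packets of the session that trips the count are candidates for the session tag.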

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org