Snort mailing list archives

snort rules to detect user and software trespass


From: Hamid Ghanbari <hamid.gh () gmail com>
Date: Fri, 15 Feb 2013 13:40:19 -0500

I am trying to find some snort rules to explicitly log the connection state. I would like to log the below packet
headers.

                ## S0           Connection attempt seen, no reply.
                ## S1           Connection established, not terminated.
                ## SF           Normal establishment and termination. Note that this is the same symbol as for state S1.
                                You can tell the two apart because for S1 there will not be any byte counts in the
                                summary, while for SF there will be.
                ## REJ          Connection attempt rejected.
                ## S2           Connection established and close attempt by originator seen (but no reply from responder).
                ## S3           Connection established and close attempt by responder seen (but no reply from originator).
                ## RSTO         Connection established, originator aborted (sent a RST).
                ## RSTR         Established, responder aborted.
                ## RSTOS0       Originator sent a SYN followed by a RST, we never saw a SYN-ACK from the responder.
                ## RSTRH        Responder sent a SYN ACK followed by a RST, we never saw a SYN from the (purported) originator.
                ## SH           Originator sent a SYN followed by a FIN, we never saw a SYN ACK from the responder
                                (hence the connection was "half" open).
                ## SHR          Responder sent a SYN ACK followed by a FIN, we never saw a SYN from the originator.
                ## OTH          No SYN seen, just midstream traffic (a "partial connection" that was not later closed).

I am looking for snort rules to log the connection state in particular.  I would also like to have some snort
rules to detect unauthorized login, privilege abuse and, on top of that, software trespass such as viruses, worms and
trojan horses.

I have Snort 2.9.4 on a Fedora 17 x64 and I am using Barnyard 2.1.9 to connect the snort output to a database and using 
base 1.4.5 to analyse the data.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
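The state codes pasted in the question are the conn_state values that Bro's conn.log assigns after watching a whole TCP conversation; Snort's rule language matches individual packets (or a stream reassembled by its preprocessor) and has no option that emits such a per-connection summary. The following Python is an added example, not code from Snort, Bro or the poster, that shows how those codes are derived from the sequence of SYN/SYN-ACK/FIN/RST flags seen in each direction, which is useful for reasoning about what a packet-level rule can and cannot express. The event format, the `classify` function and the sample conversations are all constructed for this example; payload byte counts are not modelled, so S1 versus SF is decided purely from FIN flags.

```python
"""Derive a Bro-style TCP connection state code from observed flag events.

Added example (not Snort's or Bro's own code). Each event is a constructed
(direction, flags) pair in wire order: direction is "orig" (the side that
initiated) or "resp", and flags is a string of TCP flag letters
(S=SYN, A=ACK, F=FIN, R=RST, P=PSH). Byte counts are not tracked, so the
S1/SF distinction below rests on FIN flags alone.
"""
from typing import Dict, List, Tuple

Event = Tuple[str, str]  # e.g. ("orig", "S") for a bare SYN from the originator


def _has(events: List[Event], direction: str, *required: str,
         absent: Tuple[str, ...] = ()) -> bool:
    """True if any packet from `direction` carries all `required` flags
    and none of the `absent` ones."""
    return any(
        d == direction
        and all(r in f for r in required)
        and not any(a in f for a in absent)
        for d, f in events
    )


def classify(events: List[Event]) -> str:
    """Map a conversation's flag events to one of the state codes
    listed in the question (S0, S1, SF, REJ, S2, S3, RSTO, RSTR,
    RSTOS0, RSTRH, SH, SHR, OTH)."""
    syn_o = _has(events, "orig", "S", absent=("A",))   # originator's SYN
    synack_r = _has(events, "resp", "S", "A")          # responder's SYN-ACK
    rst_o, rst_r = _has(events, "orig", "R"), _has(events, "resp", "R")
    fin_o, fin_r = _has(events, "orig", "F"), _has(events, "resp", "F")

    if syn_o and synack_r:
        # Handshake completed: decide how (or whether) it was torn down.
        if rst_o:
            return "RSTO"
        if rst_r:
            return "RSTR"
        if fin_o and fin_r:
            return "SF"
        if fin_o:
            return "S2"
        if fin_r:
            return "S3"
        return "S1"

    if syn_o:
        # SYN seen, but the responder never answered with a SYN-ACK.
        if rst_r:
            return "REJ"
        if rst_o:
            return "RSTOS0"
        if fin_o:
            return "SH"
        return "S0"

    if synack_r:
        # SYN-ACK seen without the originator's SYN (asymmetric capture).
        if rst_r:
            return "RSTRH"
        if fin_r:
            return "SHR"

    # No SYN at all, or a SYN-ACK with no close seen: treated as midstream
    # traffic here (assumption; the table names no code for the latter).
    return "OTH"


# Constructed sample conversations keyed by the code they should yield.
SAMPLES: Dict[str, List[Event]] = {
    "S0":     [("orig", "S"), ("orig", "S")],
    "SF":     [("orig", "S"), ("resp", "SA"), ("orig", "A"), ("orig", "PA"),
               ("resp", "PA"), ("orig", "FA"), ("resp", "FA"), ("orig", "A")],
    "REJ":    [("orig", "S"), ("resp", "RA")],
    "RSTO":   [("orig", "S"), ("resp", "SA"), ("orig", "A"), ("orig", "R")],
    "RSTRH":  [("resp", "SA"), ("resp", "R")],
    "SH":     [("orig", "S"), ("orig", "FA")],
    "OTH":    [("orig", "PA"), ("resp", "A")],
}


def summarize(samples: Dict[str, List[Event]]) -> Dict[str, str]:
    """Classify every sample conversation; returns expected -> derived code."""
    return {expected: classify(events) for expected, events in samples.items()}


if __name__ == "__main__":
    for expected, got in summarize(SAMPLES).items():
        print(f"{expected:7s} -> {got}")
```

Seen this way, a Snort rule can only ever fire on the packet that carries a particular flag combination (for example a SYN with the `flags:S;` option), so reconstructing S0 versus SF requires a tool that tracks the whole conversation, which is what the connection log these codes come from does.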

