Snort mailing list archives
snort rules to detect user and software trespass
From: Hamid Ghanbari <hamid.gh () gmail com>
Date: Fri, 15 Feb 2013 13:40:19 -0500
I am trying to find some snort rules to explicitly log the connection state. I would like to log the below packet headers. ## S0 Connection attempt seen, no reply. ## S1 Connection established, not terminated. ## SF Normal establishment and termination. Note that this is the same symbol as for state S1. You can tell the two apart because for S1 there will not be any byte counts in the summary, while for SF there will be. ## REJ Connection attempt rejected. ## S2 Connection established and close attempt by originator seen (but no reply from responder). ## S3 Connection established and close attempt by responder seen (but no reply from originator). ## RSTO Connection established, originator aborted (sent a RST). ## RSTR Established, responder aborted. ## RSTOS0 Originator sent a SYN followed by a RST, we never saw a SYN-ACK from the responder. ## RSTRH Responder sent a SYN ACK followed by a RST, we never saw a SYN from the (purported) originator. ## SH Originator sent a SYN followed by a FIN, we never saw a SYN ACK from the responder (hence the connection was "half" open). ## SHR Responder sent a SYN ACK followed by a FIN, we never saw a SYN from the originator. ## OTH No SYN seen, just midstream traffic (a "partial connection" that was not later closed). I am looking for a snort rules to get the log connection state particularly. I would also like to have some snort rules to detect unauthorized log in, privileged abuse and top of that software trespass such as virus, worm and trojan horse. I have Snort 2.9.4 on a Fedora 17 x64 and I am using Barnyard 2.1.9 to connect the snort output to a database and using base 1.4.5 to analyse the data. ------------------------------------------------------------------------------ Everyone hates slow websites. So do we. Make your web apps faster with AppDynamics Download AppDynamics Lite for free today: http://p.sf.net/sfu/appdyn_d2d_feb _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- snort rules to detect user and software trespass Hamid Ghanbari (Feb 20)