Killing a Specific Session

Table of contents:

Problem

You want to be able to close an active connection if specific criteria are met by a rule. For example, you might want to close any Telnet session in which the string /etc/passwd is sent.

Solution

Use the resp keyword.

resp: 

 

Discussion

resp allows you to create a flexible response to end a TCP session on the triggering of an alert. You can take your pick from the responses listed in Table 2-1.

Table 2-1. resp keyword actions

Mechanism name

Action

rst_snd

Send TCP-RST packet to the sending socket

rst_rcv

Send TCP-RST packet to the receiving socket

rst_all

Send a TCP-RST packet to both

icmp_net

Send ICMP-NET-UNREACH to the sender

icmp_host

Send ICMP-HOST-UNREACH to the sender

icmp_port

Send ICMP-PORT-UNREACH to the sender

icmp_all

Send all the previously listed ICMP packets to the sender.

All the actions listed in Table 2-1 can be combined by specifying them in sequence.

For example, to drop all connections from a certain host :

alert tcp 192.168.0.8 any -> any any (resp:rst_all;)

As you can combine the mechanisms, the following would have exactly the same effect:

Alert tcp 192.168.0.8 any -> any any (resp:rst_snd,rst_rcv;)

 

See Also

Snort Users Manual

Rules and Signatures

Installing Snort from Source on Unix

Logging to a File Quickly

How to Build Rules

Detecting Stateless Attacks and Stream Reassembly

Managing Snort Sensors

Generating Statistical Output from Snort Logs

Monitoring Network Performance

Index



Snort Cookbook
Snort Cookbook
ISBN: 0596007914
EAN: 2147483647
Year: 2006
Pages: 167

Flylib.com © 2008-2020.
If you may any questions please contact us: flylib@qtcs.net