Killing a Specific Session

Problem

You want to close an active connection whenever a rule's criteria are met. For example, you might want to close any Telnet session in which the string /etc/passwd is sent.

Solution

Use the resp keyword.

resp: <resp_mechanism>[,<resp_mechanism>,...];

Discussion

The resp keyword attaches a flexible response to a rule: when the rule fires, Snort actively tears down the offending TCP session. You can take your pick from the responses listed in Table 2-1.

Table 2-1. resp keyword actions

Mechanism name   Action
rst_snd          Send TCP-RST packet to the sending socket
rst_rcv          Send TCP-RST packet to the receiving socket
rst_all          Send a TCP-RST packet to both
icmp_net         Send ICMP-NET-UNREACH to the sender
icmp_host        Send ICMP-HOST-UNREACH to the sender
icmp_port        Send ICMP-PORT-UNREACH to the sender
icmp_all         Send all the previously listed ICMP packets to the sender

All the actions listed in Table 2-1 can be combined by specifying them as a comma-separated sequence.

For example, to reset every TCP connection from a certain host:

alert tcp 192.168.0.8 any -> any any (resp:rst_all;)

As you can combine the mechanisms, the following rule has exactly the same effect:

alert tcp 192.168.0.8 any -> any any (resp:rst_snd,rst_rcv;)
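As an added example that is not taken from the book, the following rules turn the Telnet scenario from the Problem into complete, loadable rules and show a mixed TCP/ICMP response. They assume Snort 2.x built with flexible-response support (--enable-flexresp) on a sensor that can inject packets onto the monitored segment, and that $HOME_NET and $EXTERNAL_NET are defined in snort.conf; the msg text, classtype, and sid/rev values are constructed placeholders in the local rule range.

```snort
# Added example (not from the Snort Cookbook). Assumes Snort 2.x with flexresp
# support and the usual $HOME_NET / $EXTERNAL_NET variables from snort.conf.
# sid 1000001/1000002, rev and msg are constructed placeholders.

# Reset both ends of any established Telnet session in which the client
# sends "/etc/passwd" to the server. flow:to_server makes the "sender" of the
# triggering packet the Telnet client, so rst_all hits client and server.
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 ( \
    msg:"TELNET /etc/passwd requested - session reset"; \
    flow:to_server,established; \
    content:"/etc/passwd"; \
    resp:rst_all; \
    classtype:attempted-recon; \
    sid:1000001; rev:1; \
)

# Same trigger, combining a TCP and an ICMP mechanism from Table 2-1:
# a RST goes to the sending socket (the client) and the client is also
# told the host is unreachable.
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 ( \
    msg:"TELNET /etc/passwd requested - reset sender and ICMP host unreach"; \
    flow:to_server,established; \
    content:"/etc/passwd"; \
    resp:rst_snd,icmp_host; \
    classtype:attempted-recon; \
    sid:1000002; rev:1; \
)
```

Note that rst_snd and rst_rcv are relative to the packet that triggered the alert, so the flow direction in the rule decides which side of the session each mechanism reaches. In a build without flexible-response support the resp option is rejected when the rule set is loaded, so a configuration test (snort -T -c snort.conf) is the quickest way to confirm the feature is available before relying on it.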


See Also

Snort Users Manual

Snort Cookbook
ISBN: 0596007914
Year: 2006