Search code examples
tcpsnortdenial-of-serviceintrusion-detection

Snort - Trying to understand how this snort rule works


I have an assignment that is requiring me to put the following rule into Snort.

drop tcp any any -> 192.168.1.0/24 any (msg:"TCP DoS"; flow: established, to_server; flags:A; threshold: type threshold, track by_src, count 10, seconds 10;)

The rule is supposed to stop HC from doing a DoS on on SVR. I am under the impression that this rule will stop traffic heading to the ..1.0/24 sub-net stoping the 'SYN' replies that are heading to the ..1.0/24 sub-net and this will allow the server to continue opperating

The way that I see the rule, it would not work. It would block the traffic heading to the wrong location. The server is on the ..2.0/24 and ..3.0/24 nets and the traffic should be blocked from heading that direction.

My network is set up like the following:

System / LAN Segment / IP Addresses

Administrative Client (AC) / IT / 192.168.100.3/24

User Client (UC) / Corporate / 192.168.101.25/24

Hacker Client (HC) / Rogue / 192.168.13.37

pfSense Router/Firewall (3 NICS) / fwNet / 192.168.1.2

                           IT                     192.168.100.1
                           Corporate              192.168.101.1

Ubuntu Router (3 NICS) / fwNet / 192.168.1.1

                           idsNet                 192.168.2.1
                           Rogue                  192.168.13.1

Snort IDS/IPS (2 NICS) (IDS) idsNet 192.168.2.2

                           sNet                   192.168.3.1

Server (SRV) / sNet / 192.168.3.2

It looks ugly in the form above but I am unable to fix it now. I have tried and there is no snipping tool on this system and this is the best I can do for now.

Basically, who is correct?

Thanks in advance for the help. This is informational. The assignment is turned in and is being graded. I need to understand how this works.

Thanks again.


Solution

  • This rule is going to drop every tcp packet that is destined for any IP within the 192.168.1.0/24 range where the connection is established and the Ack flag is set and the host in the ..1.0/24 range is considered the server.
    It is only going to generate an event if the rule triggers 10 times in 10 seconds, this doesn't mean that it won't drop the traffic, threshold only limits the amount of events you get, so it will drop all packets and only generate an event if it matches 10 times in 10 seconds. If it's intended to prevent a DOS, you would want to use the rate_filter keyword instead, otherwise it just drops everything, preventing DOS, yes, but also preventing anyone from accessing the server at all.

    In tcp all packets from client to server after the 3whs should have the Ack flag set so this is going to drop every single packet going to the server after the 3whs. (I believe "flags:A" was used in snort before the flow: established functionality was added, so these are doing pretty much the exact same thing and it's an extra unnecessary check)

    If your server is not in the ..1.0/24 range, then this rule will not do anything because it's a uni-directional rule. It would be impossible to have a packet going to 192.168.1.0/24 that is considered flow to server in that case. Since you said your servers are in the ..2.0/24 and ..3.0/24 range, this rule would not do anything at all.

    Examples:

    Client: 192.168.1.1
    Server: 192.168.3.2
    

    In this scenario, the rule will never match because the server does not fall within the 192.168.1.0/24 range.

    Reversing the above example:

    Client: 192.168.3.2
    Server: 192.168.1.1
    

    After the 3 way handshake, any packets in the session that are from 192.168.3.2 to 192.168.1.1 will be dropped. An event will be generated if 10 packets are sent within 10 seconds from client to server.