TCP connection status

khanj
Level 1

Hi,

I need to configure custom signature in IDS. My requirement is to configure an alert when any TCP session establish or disconnect between two servers. Need your advice.

Regards

2 Replies

Krystian9
Level 1

For session establish make a signature which looks for SYN flags in the TCP header.

For session disconnect make a signature which looks for FIN flags in the TCP header.

May I make a suggestion?

I wouldn't necessarily use SYN to determine session establishment. Rather, I would use the SYN and ACK combined.

For session disconnect, I too would use FIN as an indication. Unfortunately, this won't catch interrupted sessions due to application crashes. As a result, I'd look for RST too.

Here are some examples for you to consider (assume the signatures are configured for activity involving port 1434 as the service port):

svr1.1024 -> svr2.1434: SYN
svr3.1025 -> svr2.1434: SYN
cli1.1026 -> svr2.1434: SYN
cli2.1027 -> svr1.1434: SYN
svr2.1434 -> svr1.1024: SYN,ACK
svr2.1434 -> svr3.1025: SYN,ACK
svr2.1434 -> cli1.1026: SYN,ACK
svr1.1024 -> svr2.1434: PSH,ACK
svr3.1025 -> svr2.1434: ACK
cli1.1026 -> svr2.1434: ACK
svr2.1434 -> svr1.1024: ACK
svr1.1024 -> svr2.1434: FIN,ACK
svr2.1434 -> svr1.1024: FIN,ACK
svr3.1025 -> svr2.1434: RST,ACK
svr2.1434 -> svr3.1025: RST,ACK

Given the above traffic example, only looking for SYN to determine session establishment would cause three alarms for svr2 and one for svr1. Looking for SYN,ACK would only produce three alarms for svr2. The key difference is that you know that svr2 actually acknowledged the requests, and can safely assume connections are established with each system that it answered with a SYN,ACK. By looking at just SYN, you risk assuming that svr1 has a connection with cli2, even though svr1 never acknowledged the connection request.

If you only used FIN for session disconnect, you'll miss the abrupt disconnect between svr3 and svr2. If you want to see any session disconnections, you'll need to track RST too.

If you only want the traffic related to svr1 and svr2, you'd have to configure the alarm to look for these two as part of the conditions to be met. This minor tweak would make the alarms ignore everything from svr3, cli1 and cli2. If it is a very specific connection between two servers you want to monitor (which I believe is implied in the original post), this further fine-tuning will significantly reduce false positives for you.

I hope this helps,

Alex Arndt
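The following is an added example, not part of the thread and not a Cisco IDS signature: a small Python detector that replays the trace Alex posted and compares the alerting strategies he describes (SYN only versus SYN,ACK for establishment, FIN only versus FIN or RST for disconnect, and restricting alarms to the svr1/svr2 pair). The hostnames, ports and flags are copied from the post; the function names, the `TRACE` text format and the stateful tracker are this example's own constructions.

```python
"""Replay a TCP flag trace and compare session establish/disconnect alerting rules.

Added illustration for the thread above; not a product signature. The trace is
constructed from the packet list in Alex's reply ("src.port -> dst.port: FLAGS").
"""
from collections import Counter

SERVICE_PORT = 1434  # the service port the thread's signatures are scoped to

# Constructed sample input, copied from the reply above.
TRACE = """\
svr1.1024 -> svr2.1434: SYN
svr3.1025 -> svr2.1434: SYN
cli1.1026 -> svr2.1434: SYN
cli2.1027 -> svr1.1434: SYN
svr2.1434 -> svr1.1024: SYN,ACK
svr2.1434 -> svr3.1025: SYN,ACK
svr2.1434 -> cli1.1026: SYN,ACK
svr1.1024 -> svr2.1434: PSH,ACK
svr3.1025 -> svr2.1434: ACK
cli1.1026 -> svr2.1434: ACK
svr2.1434 -> svr1.1024: ACK
svr1.1024 -> svr2.1434: FIN,ACK
svr2.1434 -> svr1.1024: FIN,ACK
svr3.1025 -> svr2.1434: RST,ACK
svr2.1434 -> svr3.1025: RST,ACK
"""


def parse(trace):
    """Turn the text trace into packet dicts with a frozenset of TCP flags."""
    pkts = []
    for line in trace.splitlines():
        endpoints, flags = line.split(":")
        src, dst = (e.strip() for e in endpoints.split("->"))
        shost, sport = src.rsplit(".", 1)
        dhost, dport = dst.rsplit(".", 1)
        pkts.append({"src": shost, "sport": int(sport),
                     "dst": dhost, "dport": int(dport),
                     "flags": frozenset(f.strip() for f in flags.split(","))})
    return pkts


def count_establish_alarms(pkts, require_ack):
    """Alarms per server host.

    require_ack=False mimics a SYN-only signature: it alarms on whichever server a
    SYN is sent *to*, including servers that never answer (cli2 -> svr1 here).
    require_ack=True mimics a SYN,ACK signature: it alarms only on the server that
    actually *answered*, which is the point Alex makes.
    """
    alarms = Counter()
    for p in pkts:
        f = p["flags"]
        if require_ack:
            if "SYN" in f and "ACK" in f and p["sport"] == SERVICE_PORT:
                alarms[p["src"]] += 1
        elif "SYN" in f and "ACK" not in f and p["dport"] == SERVICE_PORT:
            alarms[p["dst"]] += 1
    return alarms


def disconnect_pairs(pkts, include_rst):
    """Host pairs for which a disconnect would be alarmed; FIN only misses the
    svr3/svr2 session that was torn down with RST."""
    wanted = {"FIN", "RST"} if include_rst else {"FIN"}
    return {frozenset((p["src"], p["dst"])) for p in pkts if p["flags"] & wanted}


def track(pkts, hosts=None):
    """Stateful tracker: one ESTABLISHED event per answered handshake and one
    DISCONNECT event per connection on its first FIN or RST. `hosts` optionally
    restricts alerting to a single host pair (Alex's svr1/svr2 tuning)."""
    state = {}   # (client, cport, server, sport) -> connection state
    events = []
    for p in pkts:
        if hosts and {p["src"], p["dst"]} != set(hosts):
            continue
        # Normalise the key to client-side first, using the service port to tell
        # which end is the server.
        if p["dport"] == SERVICE_PORT:
            key = (p["src"], p["sport"], p["dst"], p["dport"])
        elif p["sport"] == SERVICE_PORT:
            key = (p["dst"], p["dport"], p["src"], p["sport"])
        else:
            continue
        f = p["flags"]
        if "SYN" in f and "ACK" not in f:
            state[key] = "SYN_SENT"          # unanswered SYNs never alert
        elif "SYN" in f and "ACK" in f and p["sport"] == SERVICE_PORT:
            state[key] = "ESTABLISHED"
            events.append(("ESTABLISHED", key[0], key[2], "syn-ack"))
        elif ("FIN" in f or "RST" in f) and state.get(key) == "ESTABLISHED":
            state[key] = "CLOSED"            # the peer's FIN/RST is not a second alert
            events.append(("DISCONNECT", key[0], key[2],
                           "abrupt" if "RST" in f else "graceful"))
    return events


if __name__ == "__main__":
    packets = parse(TRACE)
    print("SYN only   :", dict(count_establish_alarms(packets, require_ack=False)))
    print("SYN,ACK    :", dict(count_establish_alarms(packets, require_ack=True)))
    print("FIN only   :", [sorted(pr) for pr in disconnect_pairs(packets, False)])
    print("FIN or RST :", [sorted(pr) for pr in disconnect_pairs(packets, True)])
    for ev in track(packets, hosts=("svr1", "svr2")):
        print("svr1/svr2 event:", ev)
```

`track` deliberately alerts only once per connection and only after the server's SYN,ACK, so the unanswered cli2 -> svr1 SYN produces nothing and the peer's own FIN or RST does not produce a duplicate disconnect; with `hosts=("svr1", "svr2")` the output reduces to the one establish and one graceful disconnect between the two servers that the original poster asked about.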