Thanks for your patience. I've already posted this to the snort list serv and got no response.

I have an issue with some LAN devices (users) who feel the need to monitor the entire galaxy and draw pretty maps with connecting lines (war games). Originally this was done with constant ICMP polling, so I filtered that at the border. Now the technique being used is to open (SYN) an outbound connection to a web server on port 80, then close the connection. As far as I can tell, no data is exchanged: zero-length packets? Personally, I consider this sort of inbound and outbound traffic (ICMP polling, Nmap scans, etc.) as reconnaissance and therefore a threat. I'm guessing here that others might consider this a threat as well, and it's somewhat my responsibility to not allow it out on the Internet if it's not necessary to the mission of this place.

The sequence goes as follows:

Local SYN sent out
SYN, ACK received
ACK sent
FIN, ACK sent
FIN, ACK received
ACK sent

From open to close, the connection time is something around 100 ms, as measured with Wireshark.

Question is, can I detect this sort of "fast" open/close connection, which seems not to exchange any data other than the open and tear-down of the connection, with an iptables/ebtables rule or connection tracking or something? Then perhaps fire off an iptables command to block the connection with snortsam or something like that?

Or: can this be done with tcpdump and some scripting or something?

Any pointers and/or advice would be greatly appreciated.

Thanks,
--marcoz
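The tcpdump-plus-scripting route the post asks about, as an added example that is not part of the original post or any reply to it. The script below parses lines in the format `tcpdump -n` prints (the exact format is an assumption), groups packets into flows, and reports flows that opened with a bare SYN, saw a FIN, carried zero payload bytes in either direction, and lasted no longer than a threshold. The sample lines are constructed, not a real capture: one empty open/close to port 80 of the kind described above, and one short HTTP exchange for contrast. Addresses, ports and the threshold are illustrative.

```python
import re

# Constructed sample lines in the format that `tcpdump -n` prints (assumed).
# Flow 1 (client port 40001): SYN, SYN-ACK, ACK, FIN-ACK, FIN-ACK, ACK, no payload.
# Flow 2 (client port 40002): same handshake, but with an HTTP request/response.
SAMPLE_LINES = """\
10:00:00.000000 IP 10.0.0.5.40001 > 198.51.100.7.80: Flags [S], seq 1000, win 64240, length 0
10:00:00.020000 IP 198.51.100.7.80 > 10.0.0.5.40001: Flags [S.], seq 5000, ack 1001, win 65535, length 0
10:00:00.020100 IP 10.0.0.5.40001 > 198.51.100.7.80: Flags [.], ack 5001, win 64240, length 0
10:00:00.020200 IP 10.0.0.5.40001 > 198.51.100.7.80: Flags [F.], seq 1001, ack 5001, win 64240, length 0
10:00:00.040000 IP 198.51.100.7.80 > 10.0.0.5.40001: Flags [F.], seq 5001, ack 1002, win 65535, length 0
10:00:00.040100 IP 10.0.0.5.40001 > 198.51.100.7.80: Flags [.], ack 5002, win 64240, length 0
10:00:01.000000 IP 10.0.0.5.40002 > 198.51.100.7.80: Flags [S], seq 2000, win 64240, length 0
10:00:01.020000 IP 198.51.100.7.80 > 10.0.0.5.40002: Flags [S.], seq 6000, ack 2001, win 65535, length 0
10:00:01.020100 IP 10.0.0.5.40002 > 198.51.100.7.80: Flags [.], ack 6001, win 64240, length 0
10:00:01.021000 IP 10.0.0.5.40002 > 198.51.100.7.80: Flags [P.], seq 2001:2078, ack 6001, win 64240, length 77
10:00:01.045000 IP 198.51.100.7.80 > 10.0.0.5.40002: Flags [P.], seq 6001:6512, ack 2078, win 65535, length 511
10:00:01.300000 IP 10.0.0.5.40002 > 198.51.100.7.80: Flags [F.], seq 2078, ack 6512, win 64240, length 0
10:00:01.320000 IP 198.51.100.7.80 > 10.0.0.5.40002: Flags [F.], seq 6512, ack 2079, win 65535, length 0
10:00:01.320100 IP 10.0.0.5.40002 > 198.51.100.7.80: Flags [.], ack 6513, win 64240, length 0
"""

# hh:mm:ss.frac, src.port > dst.port, the TCP flag string and the payload length.
LINE_RE = re.compile(
    r"^(\d{2}):(\d{2}):(\d{2})\.(\d+) IP (\S+)\.(\d+) > (\S+)\.(\d+): "
    r"Flags \[([^\]]*)\].*?length (\d+)$"
)


def _timestamp_us(h, m, s, frac):
    """hh:mm:ss.frac -> integer microseconds since midnight (no date, so no midnight wrap)."""
    micro = int(frac.ljust(6, "0")[:6])
    return (int(h) * 3600 + int(m) * 60 + int(s)) * 1_000_000 + micro


def parse_packets(text):
    """Yield (ts_us, 'src:port', 'dst:port', flags, payload_len) for each parsable line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # non-TCP or differently formatted lines are skipped
        h, mi, s, frac, sip, sport, dip, dport, flags, length = m.groups()
        yield _timestamp_us(h, mi, s, frac), f"{sip}:{sport}", f"{dip}:{dport}", flags, int(length)


def find_empty_connections(text, max_duration_us=500_000):
    """Return flows that opened with a bare SYN, saw a FIN, carried no payload
    in either direction, and lived no longer than max_duration_us."""
    flows = {}
    for ts, src, dst, flags, plen in parse_packets(text):
        key = tuple(sorted((src, dst)))  # same key for both directions
        f = flows.setdefault(key, {"client": None, "server": None,
                                   "first": ts, "last": ts, "payload": 0, "fin": False})
        f["first"] = min(f["first"], ts)
        f["last"] = max(f["last"], ts)
        f["payload"] += plen
        if "S" in flags and "." not in flags:  # [S] without ACK: this side initiated
            f["client"], f["server"] = src, dst
        if "F" in flags:
            f["fin"] = True
    hits = []
    for f in flows.values():
        duration = f["last"] - f["first"]
        if f["client"] and f["fin"] and f["payload"] == 0 and duration <= max_duration_us:
            hits.append({"client": f["client"], "server": f["server"], "duration_us": duration})
    return hits


if __name__ == "__main__":
    for hit in find_empty_connections(SAMPLE_LINES):
        print(f"{hit['client']} -> {hit['server']}: empty connection, "
              f"{hit['duration_us'] / 1000:.1f} ms")
```

On the constructed sample only the first flow is reported (about 40 ms, zero payload); the second carries 588 bytes and is ignored. To run it on live traffic, feed the output of `tcpdump -n -l 'tcp port 80'` through standard input instead of the embedded sample. Two caveats: a flow is only judged once its FIN has been seen, so this is after-the-fact detection rather than something that can stop the SYN, and the default tcpdump timestamp has no date, so flows spanning midnight would get a wrong duration. Turning a hit into a firewall action (the snortsam idea in the post) would be a separate step layered on top of this.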