Execute script when a specific TCP connection has been established
- 
 I want a script to run when a specific TCP connection (Client --> pfSense --> Suspicious Internet Host) has been established. Does anyone have an idea how this can be solved? ;) Blocking is not the solution I'm asking for. tcptrack, tcpdump, iptables, suggestions? TNX 
 S0NIC
- 
 How hacky can it be? 
- 
 Medium to high should be ok. 
- 
 Snort, no blocking and a custom alert? The following alerts me when there is an inbound or outbound SSH connection to or from my DMZ:
 alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"SFTP/SSH INBOUND"; flow:established,to_server; content:"SSH-"; sid:1000501; rev:1; classtype:not-suspicious;)
 alert tcp $HOME_NET any -> $EXTERNAL_NET $SSH_PORTS (msg:"SFTP/SSH OUTBOUND"; flow:established,to_server; content:"SSH-"; sid:1000502; rev:1; classtype:not-suspicious;)
 It won't run a script, but what do you want the script to do?
- 
 Really hacky: 
 https://forum.pfsense.org/index.php?topic=65092.msg354840#msg354840
 You should be able to change the tcpdump arguments for it to look for the frames you're interested in. 
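
One way to wire the tcpdump idea from the last reply to a script, as an added example that is not code from the thread or the linked post: it treats the SYN-ACK coming back from the watched host as the sign the connection was accepted and then calls a hook once per client socket. The host, port, interface, hook path and the function names are assumptions; the capture is assumed to run on the LAN-side interface so the client address is seen before NAT, and only IPv4 is handled.

```shell
#!/bin/sh
# Added example: run a hook when a watched TCP connection is accepted.
# All values below are placeholders (assumptions), override via environment.
WATCH_HOST="${WATCH_HOST:-203.0.113.10}"   # suspicious host (documentation range)
WATCH_PORT="${WATCH_PORT:-443}"
IFACE="${IFACE:-em1}"                      # LAN-side interface (assumed name)
HOOK="${HOOK:-/root/on_connect.sh}"        # hypothetical script to execute

# BPF filter: only SYN+ACK segments sent by the watched host and port.
bpf_filter() {
    printf 'src host %s and src port %s and tcp[tcpflags] & (tcp-syn|tcp-ack) == (tcp-syn|tcp-ack)' \
        "$WATCH_HOST" "$WATCH_PORT"
}

# Parse one line of `tcpdump -n -l -tt` output. Prints "client_ip client_port"
# and returns 0 for a SYN-ACK from the watched host, returns 1 otherwise.
parse_synack() {
    printf '%s\n' "$1" | awk -v h="$WATCH_HOST" -v p="$WATCH_PORT" '
        $2 == "IP" && $3 == (h "." p) && $6 == "Flags" && $7 == "[S.]," {
            dst = $5; sub(/:$/, "", dst)      # "192.168.1.50.51514:" -> no colon
            if (split(dst, a, ".") == 5) {    # four address octets plus the port
                printf "%s.%s.%s.%s %s\n", a[1], a[2], a[3], a[4], a[5]
                found = 1
            }
        }
        END { exit (found ? 0 : 1) }'
}

# Capture loop: needs root. Retransmitted SYN-ACKs for the same client
# socket are skipped so the hook fires once per connection attempt.
watch() {
    last=""
    tcpdump -n -l -tt -i "$IFACE" "$(bpf_filter)" 2>/dev/null |
    while IFS= read -r line; do
        conn=$(parse_synack "$line") || continue
        [ "$conn" = "$last" ] && continue
        last=$conn
        set -- $conn                           # $1 = client IP, $2 = client port
        "$HOOK" "$1" "$2" "$WATCH_HOST" "$WATCH_PORT" &
    done
}

# Start capturing only when invoked as: script.sh run
if [ "${1:-}" = "run" ]; then watch; fi
```

The hook receives the client IP, client port, watched host and watched port as its four arguments.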

