Educause Security Discussion mailing list archives

Local Security Policy Standards

From: John Culkin <culkinj3 () SCRANTON EDU>
Date: Tue, 2 Dec 2008 18:37:05 -0500

Hello:

Does anyone have some scripts which apply the Local Security Policysettings from the NSA or other respectable groups?


Thanks,

-- John C.

Russell Fulton wrote:

I would run tcpdump on the sensor with an appropriate filter to makesure the sensor is actually seeing the traffic you think it shouldbe. I've been had by that one a couple of times -- spanning not setup properly on routers etc.
R

On 3/12/2008, at 5:47 AM, Chris Green wrote:
Write the rules out using only your CIDR notation and you get:
(assuming you have SSH_PORTS defined)
alert tcp !137.165.0.0/16 any -> 137.165.224.0/24 22 (flow:stateless;flags:S,12; msg: “test”; sid: 1234125);
Where are you testing from? On campus?
From: The EDUCAUSE Security Constituent Group Listserv[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Peter Charbonneau
Sent: Tuesday, December 02, 2008 10:14 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] writing SNORT rules

Good morning
I have written 3 "quick and dirty" SNORT rules and am trying tofollow the write/test/write/test/write/test/write/test
Unfortunately even the first test isn't working. I never see thealert message for these rules in my alert log. Is there some otherdirective in the snort.conf file that could be precluding thesestateless "hits" from being processed in some way?
If you have any responses, we should probably take this off-line tokeep the list from being clogged, unless, of course, this is a"class" problem for all first time rule writers. I think it'ssomething stupid, but I just can't see it.
These are the simplest rules I could think of with the ongoingprocess of modifying them for my final needs. My ultimate goal is tobe able to grep the alert file for this LOCAL message and grab thetimestamps; I want come up with a way to sanity check the duration ofestablished ssh sessions to compare against host machine log files.
Here are the rules:

[root@netsniff emerging]# cat /usr/local/etc/rules/local.rules
# $Id: local.rules,v 1.13 2005/02/10 01:11:04 bmc Exp $
# ----------------
# LOCAL RULES
# ----------------
#
alert tcp $EXTERNAL_NET any -> $NETSYS_NET $SSH_PORTS(flow:stateless; flags:S,12; msg: "LOCAL Connection attempt -- NetSysasset on port 22"; sid: 2008001;)alert tcp $EXTERNAL_NET any -> $NETSYS_NET $SSH_PORTS(flow:stateless; flags:F,12; msg: "LOCAL Connection termination --NetSys asset on port 22"; sid: 2008002;)alert tcp $EXTERNAL_NET any -> $NETSYS_NET $SSH_PORTS(flow:stateless; flags:R,12; msg: "LOCAL Connection reset -- NetSysasset for port 22"; sid: 2008003;)
[root@netsniff emerging]#

The variables EXTERNAL_NET, NETSYS_NET, SSH_PORTS are all defined:

var HOME_NET 137.165.0.0/16
var NETSYS_NET 137.165.224.0/24
var EXTERNAL_NET !$HOME_NET


RULE_PATH is defined as var RULE_PATH /usr/local/etc/rules
Here is the portion of the snort.conf file that "includes" thelocal.rules file:
#
# Please read the specific include file for more information and
# README.alert_order for how rule ordering affects how alerts aretriggered.
#=========================================

include $RULE_PATH/local.rules
# include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
I have stopped and restarted snort with the same command line Ialways use:
snort -A full -i eth3 -N -K none -c /usr/local/etc/snort.conf -D

PeteC


Peter Charbonneau
Sr. Network and Systems Administrator
Williams College
(413) 597-3408 (office)
(413) 822-2922 (cell)


--
John J. Culkin                  Systems Administrator
John.Culkin () Scranton edu     The University of Scranton
Phone: (570) 941-7665

Current thread:

Local Security Policy Standards John Culkin (Dec 02)
- <Possible follow-ups>
- Re: Local Security Policy Standards Adam Carlson (Dec 02)