Snort mailing list archives
Re: Traffic anomaly detection
From: James Hoagland <jim () SiliconDefense com>
Date: Wed, 12 Feb 2003 08:41:36 -0800
At 10:12 AM +0100 2/12/03, Joerg Weber wrote:
Ladies and Gentlemen, we are currently using snort with quite some success (and fun, I might add). Now, I'm looking at SPADE and have no trouble finding traffic using unused IP addresses or dead ports, etc. What I'm trying to implement is the detection of 'unusual' traffic, generated by an unknown worm, a warez server, etc. I assume this is possible with SPADE, could someone confirm this?
Spade can detect scanning worms (known or unknown) and the initial accesses to a warez server (assuming it is not located on a regularly used server).
These are the types of detection that Spade can do at present:
+ closed-dport: This is the traditional Spade detector type. This detector type is looking for packets that are going to closed ports, or at least ports that are infrequently used. This can be used to find portscans because legitimate traffic tends to go to open ports.
+ dead-dest: This detector type looks for packets that are going to an IP address that is not in use. This can be used to find portscans because legitimate traffic tends to go to live IP addresses.
+ odd-dport: This detector type looks for sources that are using unusual destination ports. This might indicate a compromised host or host misuse because destination ports roughly correspond to applications and hosts tend to be habitual in application use.
+ odd-port-dest: This detector type looks for sources that make a connection to an unusual destination relative to what is normal for the destination port. Since this is only applied to cases where the destination is fairly predictable (e.g., as is often the case for port 110 (POP3) and port 53 (DNS) on client hosts), this might indicate a compromised host or host misuse.
+ odd-typecode: This detector type looks for packets with unusual ICMP type and code values. This may be interesting to know about even when it is not suspicious.
The strength of the first two is finding portscanning (including those done by worms such as Sapphire) and other access to unusual internal destinations (we've spotted trojan access with it before). The second two are mostly focused on finding indications of compromise or misuse on internal hosts. The last one is pretty quiet most of the time so you might forget about it, but it reliably finds unusual ICMP type/codes going across your network.
To find the warez server, you would enable a closed-dport detector without response waiting or with reverse waiting (in the configuration file included in the distribution, response waiting is enabled so you will only see reports of unaccepted connections). If you want to convert an existing detector, change the "wait" option to "0". (With recent Spade versions, the message will change from "Closed dest port used" to "Rare dest port used".) To add a new detector to do this, add something like:
preprocessor spade-detect: type=closed-dport tcpflags=synonly rewaitrpt wait=3
The "rewaitrpt" was introduced in Spade 030117.1, and with closed-dport and wait not zero will cause it to report on packets going to rarely used but open ports. Correspondingly, the message from this configuration is "Rare but open dest port used".
A side effect of disabling response waiting or using it in the reverse direction though is that you will tend to see passive FTP traffic reported on (since these involve connections to unusual destination ports), but you may be able to suppress reporting on this.
In addition, Spade is designed to have additional detection types added without too much trouble, so if you have any ideas...
If so, could someone share a config file and maybe some alert entry so I can parse my logs/db for similar entries?
I hope the above helped. Best regards, Jim
--
|* Jim Hoagland, Associate Researcher, Silicon Defense *|
|* --- Silicon Defense: The Cyberwar Defense Company --- *|
|* jim () SiliconDefense com, http://www.silicondefense.com/ *|
|* Voice: (530) 756-7317 Fax: (530) 756-7297 *|
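The detector types Jim lists all rest on one idea: a packet is reported when the feature it exhibits (destination IP/port pair, destination IP, or destination port for a given source) is rare relative to previously observed traffic. The following is an added illustration of that principle, written for this archive page; it is not Spade's code, and the smoothing constant, the 8-bit threshold and the traffic sample are assumptions chosen to make the three scores easy to compare. Response waiting (the "wait"/"rewaitrpt" options, which check whether a SYN was actually answered) is deliberately not modelled.

```python
"""Toy Spade-style rarity scorer (added example, not Spade's code).

Each detector computes an anomaly score of -log2 P(event), where P is a
smoothed frequency estimate built from packets seen so far.  Rare events
get high scores; an operator threshold decides what is reported.
"""
import math
from collections import Counter

class RarityScorer:
    def __init__(self, smoothing=0.5):
        # Smoothing reserves a little probability mass for never-seen
        # keys so that a brand-new destination scores high but finite.
        self.smoothing = smoothing
        self.dest_pairs = Counter()   # (dst_ip, dst_port) -> count  (closed-dport)
        self.dests = Counter()        # dst_ip -> count               (dead-dest)
        self.src_ports = {}           # src_ip -> Counter(dst_port)   (odd-dport)
        self.total = 0

    def observe(self, src_ip, dst_ip, dst_port):
        """Feed one TCP SYN (src, dst, dport) into the baseline."""
        self.dest_pairs[(dst_ip, dst_port)] += 1
        self.dests[dst_ip] += 1
        self.src_ports.setdefault(src_ip, Counter())[dst_port] += 1
        self.total += 1

    def _bits(self, counter, key, total):
        distinct = len(counter) + 1          # +1 bucket for "unseen"
        p = (counter[key] + self.smoothing) / (total + self.smoothing * distinct)
        return -math.log2(p)

    def closed_dport(self, dst_ip, dst_port):
        """Rarity of the (destination IP, destination port) pair."""
        return self._bits(self.dest_pairs, (dst_ip, dst_port), self.total)

    def dead_dest(self, dst_ip):
        """Rarity of the destination IP on its own."""
        return self._bits(self.dests, dst_ip, self.total)

    def odd_dport(self, src_ip, dst_port):
        """Rarity of this destination port for this particular source."""
        c = self.src_ports.get(src_ip, Counter())
        return self._bits(c, dst_port, sum(c.values()))


def flag_packets(scorer, packets, threshold=8.0):
    """Return (detector, packet) pairs whose score exceeds threshold bits."""
    alerts = []
    for src, dst, dport in packets:
        for name, score in (
            ("closed-dport", scorer.closed_dport(dst, dport)),
            ("dead-dest", scorer.dead_dest(dst)),
            ("odd-dport", scorer.odd_dport(src, dport)),
        ):
            if score > threshold:
                alerts.append((name, (src, dst, dport)))
    return alerts


# Constructed baseline: three clients browsing and resolving names,
# and only one of them (192.0.2.12) ever talking SMTP.
BASELINE = []
for _ in range(50):
    for client in ("192.0.2.10", "192.0.2.11", "192.0.2.12"):
        BASELINE.append((client, "10.0.0.5", 80))
        BASELINE.append((client, "10.0.0.5", 443))
        BASELINE.append((client, "10.0.0.7", 53))
    BASELINE.append(("192.0.2.12", "10.0.0.6", 25))

# Constructed packets to score: one normal, one to a rarely used port,
# one to an unused address, one client using a port it never used before.
CANDIDATES = [
    ("192.0.2.10", "10.0.0.5", 80),
    ("192.0.2.10", "10.0.0.5", 31337),
    ("192.0.2.10", "10.0.0.99", 80),
    ("192.0.2.10", "10.0.0.6", 25),
]


def build_scorer():
    scorer = RarityScorer()
    for pkt in BASELINE:
        scorer.observe(*pkt)
    return scorer


if __name__ == "__main__":
    s = build_scorer()
    for detector, pkt in flag_packets(s, CANDIDATES):
        print(f"{detector:13s} {pkt}")
```

With this baseline the normal packet scores under 2 bits on every detector, the unusual port and the unused address both score close to 10 bits, and the SMTP attempt from a client that never used port 25 scores about 8.3 bits on odd-dport while the same port from 192.0.2.12 scores about 2 bits. Real Spade keeps such probability tables continuously and decays old counts, which this toy omits.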