Snort mailing list archives

Re: Traffic anomaly detection


From: James Hoagland <jim () SiliconDefense com>
Date: Wed, 12 Feb 2003 08:41:36 -0800

At 10:12 AM +0100 2/12/03, Joerg Weber wrote:
Ladies and Gentlemen,

we are currently using snort with quite some success (and fun, I might
add). Now, I'm looking at SPADE and have no trouble finding traffic
using unused IP address or dead ports, etc.
What I'm trying to implement is the detection of 'unusual' traffic,
generated by an unknown worm, a warez server, etc.
I assume this is possible with SPADE, could someone confirm this?

Spade can detect scanning worms (known or unknown) and the initial accesses to a warez server (assuming it is not located on a regularly used server).

These are the types of detection that Spade can do at present:

+ closed-dport:  This is the traditional Spade detector type.  This detector
type is looking for packets that are going to closed ports, or at least
ports that are infrequently used.  This can be used to find portscans
because legitimate traffic tends to go to open ports.

+ dead-dest:  This detector type looks for packets that are going to an IP
address that is not in use.  This can be used to find portscans because
legitimate traffic tends to go to live IP addresses.

+ odd-dport:  This detector type looks for sources that are using unusual
destination ports.  This might indicate a compromised host or host misuse
because destination ports roughly correspond to applications and hosts tend
to be habitual in application use.

+ odd-port-dest:  This detector type looks for sources that make a
connection to an unusual destination relative to what is normal for the
destination port.  Since this is only applied to cases where the destination
is fairly predictable (e.g., as is often the case for port 110 (POP3) and
port 53 (DNS) on client hosts), this might indicate a compromised host or
host misuse.

+ odd-typecode:  This detector type looks for packets with unusual ICMP type
and code values.  This may be interesting to know about even when it is not
suspicious.

The strength of the first two are finding portscanning (including those done by worms such as Sapphire) and other access to unusual internal destinations (we've spotted trojan access with it before). The second two are mostly focused on finding indications of compromise or misuse on internal hosts. The last one is pretty quiet most of the time so you might forget about it, but it reliably finds unusual ICMP type/codes going across your network.

To find the warez server, you would enable a closed-dport detector without response waiting or with reverse waiting (in the configuration file included in the distribution, response waiting is enabled so you will only see reports of unaccepted connections). If you want to convert an existing detector, change the "wait" option to "0". (With recent Spade versions, the message will change from "Closed dest port used" to "Rare dest port used".) To add a new detector to do this, add something like:

preprocessor spade-detect: type=closed-dport tcpflags=synonly rewaitrpt wait=3

The "rewaitrpt" was introduced in Spade 030117.1, and with closed-dport and wait not zero will cause it to report on packets going to rarely used but open ports. Correspondingly, the message from this configuration is "Rare but open dest port used".

A side effect of disabling response waiting or using it in the reverse direction though is that you will tend to see passive FTP traffic reported on (since these involve connections to unusual destination ports), but you may be able to suppress reporting on this.

In addition, Spade is designed to have additional detection types added without too much trouble, so if you have any ideas...

If so, could someone share a config file and maybe some alert entry so I
can parse my logs/db for similar entries?

I hope the above helped.

Best regards,

  Jim
--
|*     Jim Hoagland, Associate Researcher, Silicon Defense     *|
|*    --- Silicon Defense: The Cyberwar Defense Company ---    *|
|*   jim () SiliconDefense com, http://www.silicondefense.com/    *|
|*  Voice: (530) 756-7317                 Fax: (530) 756-7297  *|
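The following is an added illustration, not part of Jim's message and not Spade's own code: a simplified model of the closed-dport and odd-dport rarity detectors he describes, scoring each SYN by -log2 of its observed relative frequency (Spade's real probability tables, decay and thresholds differ). It also mimics the three closed-dport reporting modes from the message (wait>0, wait=0, and rewaitrpt with wait>0) using the alert message texts quoted above. The traffic, thresholds, minimum-history value and the odd-dport message label are constructed for the example.

```python
"""Simplified rarity-based anomaly scoring in the spirit of Spade's
closed-dport and odd-dport detectors. Added example; not Spade's code."""
import math
from collections import Counter

# Constructed sample: (src, dst, dport, answered). answered=True stands in for
# a SYN/ACK coming back, i.e. the destination port is open.
SYNS = (
    [("10.0.0.5", "10.0.1.10", 80, True)] * 40     # habitual web browsing
    + [("10.0.0.5", "10.0.1.11", 110, True)] * 20  # POP3 to the mail server
    + [("10.0.0.6", "10.0.1.10", 80, True)] * 30
    + [("10.0.0.6", "10.0.1.12", 53, True)] * 25
    + [("10.0.0.7", "10.0.1.10", 80, True)] * 10
    + [("10.0.0.7", "10.0.1.11", 110, True)] * 10
    # a scanner probing closed ports (and one open one) on the web server
    + [("10.0.0.99", "10.0.1.10", p, False)
       for p in (21, 22, 23, 25, 135, 139, 445, 1433, 3306)]
    + [("10.0.0.99", "10.0.1.10", 8080, True)]
    # an otherwise habitual client reaching an unusual but open port
    + [("10.0.0.7", "10.0.1.10", 6667, True)]
)

# Message texts for the three closed-dport modes, as given in the message above.
MESSAGES = {
    "wait": "Closed dest port used",               # wait>0: only unanswered SYNs
    "nowait": "Rare dest port used",               # wait=0: every rare SYN
    "rewaitrpt": "Rare but open dest port used",   # rewaitrpt + wait>0: only answered
}


def surprise(count, total):
    """Anomaly score in bits: -log2 of the observed relative frequency."""
    return -math.log2(count / total)


def closed_dport_alerts(syns, mode="wait", threshold=6.0):
    """Report SYNs to (dst, dport) pairs that are rare in the traffic seen.
    mode selects which rare SYNs are reported, mirroring the wait options."""
    table = Counter((dst, dport) for _, dst, dport, _ in syns)
    total = len(syns)
    alerts = []
    for src, dst, dport, answered in syns:
        score = surprise(table[(dst, dport)], total)
        if score < threshold:
            continue
        if mode == "wait" and answered:
            continue      # response waiting: the port was open, so stay quiet
        if mode == "rewaitrpt" and not answered:
            continue      # reverse waiting: report only rare-but-open ports
        alerts.append((MESSAGES[mode], src, dst, dport, round(score, 2)))
    return alerts


def odd_dport_alerts(syns, threshold=4.0, min_history=20):
    """Report sources using a destination port unusual *for that source*.
    Sources with little history are skipped: a new host has no habit yet.
    The message label here is our own, not a Spade message."""
    per_src = Counter(src for src, *_ in syns)
    per_src_port = Counter((src, dport) for src, _, dport, _ in syns)
    alerts = []
    for src, dst, dport, _ in syns:
        if per_src[src] < min_history:
            continue
        score = surprise(per_src_port[(src, dport)], per_src[src])
        if score >= threshold:
            alerts.append(("Source using unusual dest port", src, dst, dport,
                           round(score, 2)))
    return alerts


if __name__ == "__main__":
    for mode in MESSAGES:
        print(f"--- closed-dport, mode={mode}")
        for alert in closed_dport_alerts(SYNS, mode):
            print(alert)
    print("--- odd-dport")
    for alert in odd_dport_alerts(SYNS):
        print(alert)
```

Running it shows the trade-off the message describes: with response waiting on, only the scanner's nine unanswered probes are reported; with wait=0 the warez-style connection to port 6667 and the open 8080 probe are reported as well (along with anything else rare, such as passive FTP data connections in real traffic); with rewaitrpt only those two rare-but-open ports are reported. The odd-dport pass flags port 6667 for 10.0.0.7 because that host has enough history to have a habit, while the scanner, with no history, is left to the closed-dport detector.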

