Snort mailing list archives
How's best to alert on Web connections that *don't* contain particular content?
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Wed, 26 Feb 2003 09:46:32 +1300
I'm wanting to get snort to alert whenever it sees our DMZ hosts connect outbound on services they're not meant to be using. Sounds like a good idea - should only trigger once a break-in has occurred. Anyway, one problem is our DMZ anti-virus SMTP servers with all their auto-updates. We have DMZes throughout the world, and so far I have discovered that our Trend InterScan VirusWall servers have connected to no less than 40 different networks (not hosts!) to get Trend pattern file updates from. Gah! There's no way I can put an exclude list in to tell snort to ignore port 80 connections to that many sites - and of course they could change from week to week.

Instead I decided to look at the content, and to alert only if a port 80 connection looks like it's a non-Trend request. i.e.

    alert tcp $DMZES_NETS any -> any 80 (msg:"DMZ host communicating to an \
    unsupported service";flow:to_server,established; content:"Host|3a|"; \
    regex:!"Host|3a|*trend";nocase;tag: session, 10,packets;\
    classtype:successful-admin;sid:1000001;rev:2;\
    reference: url,/secure/cvename.php?name=1000001;)

So what it's doing is looking for a "Host:" header - which implies it's a Web request, and then alerts IFF it doesn't contain "Host:*trend" - as all the Trend update servers contain that string in their DNS hostnames.

It seems to work, but I'm still getting the odd hit - the packet caught does contain "Host:*trend" - so I don't know why it's triggering. Is the regex code pretty solid? Any ideas?

Also, is there a way of alerting on non-HTTP traffic on port 80? The above rule would catch the likes of an outgoing CodeRed - but it wouldn't trigger on a successful hacker going back to his SSH server running on port 80. Can you do something like "flow:to_server,established;nouricontent"?

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
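The two checks the post asks about, written out as an added Python example that is not part of the original post: a Host-header allow-list test (anchored to a header line, so "trend" in a URL or body cannot satisfy it) and a request-line test that flags non-HTTP client data on port 80. All payloads and hostnames below are constructed; Snort would apply the same logic over the reassembled client-to-server stream rather than a single packet.

```python
import re
from typing import List, Optional

# Request line of an HTTP/1.x request: METHOD SP target SP HTTP/1.x CRLF.
# Anything else as the first client bytes on port 80 is not a Web request.
REQUEST_LINE = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|TRACE|CONNECT) \S+ HTTP/1\.[01]\r\n")
# Host header anchored at the start of a header line (MULTILINE), so a
# "Host:" string inside the request body or URL is not taken as the header.
HOST_HEADER = re.compile(rb"^Host:[ \t]*([^\r\n]+)\r?$",
                         re.IGNORECASE | re.MULTILINE)
# Allow-list pattern from the post: update-server names containing "trend".
ALLOWED_HOST = re.compile(rb"trend", re.IGNORECASE)


def host_header(payload: bytes) -> Optional[bytes]:
    """Return the Host header value from the header block, or None."""
    head = payload.split(b"\r\n\r\n", 1)[0]   # never search the body
    m = HOST_HEADER.search(head)
    return m.group(1).strip() if m else None


def classify_first_segment(payload: bytes) -> str:
    """Classify the first client->server segment of a port-80 flow."""
    if not REQUEST_LINE.match(payload):
        return "non-http"            # e.g. an SSH banner on port 80
    host = host_header(payload)
    if host is None:
        return "http-no-host"        # HTTP/1.0-style request, no Host header
    if ALLOWED_HOST.search(host):
        return "allowed"
    return "unsupported-web"         # the case the post's rule alerts on


def classify_flow(segments: List[bytes]) -> str:
    """Only the first segment carries the request line; checking later
    segments (e.g. a POST body) would misreport them as non-HTTP."""
    return classify_first_segment(segments[0]) if segments else "empty"


if __name__ == "__main__":
    # Constructed sample payloads, not real captures.
    samples = [
        b"GET /pattern/lpt.zip HTTP/1.1\r\nHost: update.trendmicro.example\r\n\r\n",
        b"GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: x\r\n\r\n",
        b"SSH-2.0-OpenSSH_3.5p1\r\n",
    ]
    for s in samples:
        print(classify_first_segment(s), s[:40])
```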