Snort mailing list archives

Re: How's best to alert on Web connections that *don't* contain particular content?


From: Martin Roesch <roesch () sourcefire com>
Date: Wed, 26 Feb 2003 21:26:37 -0500


Hi Jason,

The regex option doesn't work, it never has. For basic wildcarding, you can use the distance/within keywords.

Do you just want to look for outbound SYN packets from your DMZ? Seems like that might do a nice job of picking up a system that gets compromised. Additionally, if you only have a few server ports you can just write a set of pass rules to ignore traffic on the ports that you know will be used.

You can also do something like

alert tcp $DMZ ANY -> $EXTERNAL_NET 80 (\
    flow: to_server, established; \
    content: "Host|3a|"; \
    content: !"Host|3a|";  distance: 1; \
    content: !"trend"; distance: 1; nocase; \
    tag: session, 10, packets; \
    blah blah blah...

That might work for you...

     -Marty

On Tuesday, February 25, 2003, at 03:46 PM, Jason Haar wrote:

I'm wanting to get snort to alert whenever it sees our DMZ hosts connect outbound on services they're not meant to be using. Sounds like a good idea - should only trigger once a break-in has occurred.

Anyway, one problem is our DMZ anti-virus SMTP servers with all their
auto-updates. We have DMZes throughout the world, and so far I have
discovered that our Trend InterScan VirusWall servers have connected to no
less than 40 different networks (not hosts!) to get Trend pattern file
updates from. Gah! There's no way I can put an exclude list in to tell snort to ignore port 80 connections to that many sites - and of course they could
change from week to week.

Instead I decided to look at the content, and to alert only if a port 80
connection looks like it's a non-Trend request.

i.e.

alert tcp $DMZES_NETS any -> any 80 (msg:"DMZ host communicating to an \
unsupported service";flow:to_server,established; content:"Host|3a|"; \
regex:!"Host|3a|*trend";nocase;tag: session, 10,packets;\
classtype:successful-admin;sid:1000001;rev:2;\
reference: url,/secure/cvename.php?name=1000001;)

So what it's doing is looking for a "Host:" header - which implies it's a Web request, and then alerts IFF it doesn't contain "Host:*trend" - as all
the Trend update servers contain that string in their DNS hostnames.

It seems to work, but I'm still getting the odd hit - the packet caught does contain "Host:*trend" - so I don't know why it's triggering. Is the regex
code pretty solid?

Any ideas?

Also, is there a way of alerting on non-HTTP traffic on port 80? The above rule would catch the likes of an outgoing CodeRed - but it wouldn't trigger on a successful hacker going back to his SSH server running on port 80. Can
you do something like "flow:to_server,established;nouricontent"?

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


-- Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616
Sourcefire: Enterprise-class Intrusion detection built on Snort
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org

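Added example (editor's code, not from either poster): a small Python emulation of the content/distance/negation chain in Marty's rule, run over constructed packets, plus a first-line check for Jason's second question (non-HTTP traffic on port 80). The cursor semantics (a positive match moves the cursor to the end of its match; a negated check searches from cursor+distance to the end of the payload and leaves the cursor alone) and the hostnames are assumptions, not verified against Snort source.

```python
def parse_content(s):
    """Turn a Snort content string such as 'Host|3a|' into bytes (|hex| runs are hex)."""
    out = bytearray()
    for i, chunk in enumerate(s.split("|")):
        out += chunk.encode("latin-1") if i % 2 == 0 else bytes.fromhex(chunk)
    return bytes(out)

# Marty's rule body as (pattern, negated, distance, nocase) tuples.
MARTY_RULE = [
    ("Host|3a|", False, 0, False),   # a Host: header => this is a web request
    ("Host|3a|", True, 1, False),    # no second Host: after the first one
    ("trend", True, 1, True),        # and no "trend" anywhere after Host:
]

def rule_matches(payload, options):
    """Assumed Snort semantics: positive match advances the cursor to the end of
    the match; a negated check looks from cursor+distance to end of payload and
    succeeds only if the pattern is absent, without moving the cursor."""
    cursor = 0
    for pat, negated, distance, nocase in options:
        needle, hay = parse_content(pat), payload
        if nocase:
            needle, hay = needle.lower(), payload.lower()
        idx = hay.find(needle, cursor + distance)
        if negated:
            if idx != -1:
                return False
        else:
            if idx == -1:
                return False
            cursor = idx + len(needle)
    return True

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"DELETE ", b"TRACE ")

def looks_like_http(payload):
    """Jason's second question: does the client's first line look like an HTTP request?"""
    first_line = payload.split(b"\r\n", 1)[0]
    return first_line.startswith(HTTP_METHODS) and b" HTTP/" in first_line

def classify(payload):
    """Verdict for one client-to-server port-80 payload from the DMZ."""
    if not looks_like_http(payload):
        return "non-HTTP on port 80"          # e.g. SSH banner, not caught by Marty's rule
    if rule_matches(payload, MARTY_RULE):
        return "web request to non-Trend host"
    return "ignore"                            # Trend update traffic

# Constructed sample payloads (hostnames are made up).
TREND_REQ = b"GET /activeupdate/pattern.zip HTTP/1.0\r\nHost: au.trend.example\r\n\r\n"
OTHER_REQ = b"GET / HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
SSH_BANNER = b"SSH-2.0-OpenSSH_3.5p1\r\n"
```

Note that the negated "trend" check covers everything after the Host: header, so the string appearing in any later header or body, not only the hostname, also suppresses the alert.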




