Snort mailing list archives
A Working Logsurfer Example for Snort 2.0
From: Matt Howell <mhowell () cybarworks com>
Date: 23 May 2003 14:16:45 -0700
All... A few weeks ago, I posted a message asking if anyone had a set of logsurfer rules that worked with Snort 2.0 that was worth sharing. After failing to receive a response from anyone, I am posting the rules that I came up with in the hopes that it might be helpful for others. By no means are these officially endorsed by the Snort project or logsurfer, but instead it's just one example of what someone is actually using in production. I am fairly green to logsurfer / regex, so there may be better ways to handle some of these events. I tried to include somewhat logical comments, as well. If you find something that works better for you, please let me know because I would like to improve on this over time.

-Matt Howell
mhowell () cybarworks com

LINKS:
surfmailer script: http://www.obfuscation.org/emf/logsurfer/surfmailer
emf's snort / logsurfer example: http://www.obfuscation.org/emf/logsurfer/snort.txt

##################################
### Logsurfer Definitions: Snort 2.0.0
### author: Matt Howell (mhowell () cybarworks com)
### date: 05/23/03
###
#
## IGNORE STATEMENTS
#
# Ignore "Unreachable" ICMP messages
'ICMP Destination Unreachable' - - - 0 ignore
# Ignore End of Portscan Messages - Preference
'End of portscan' - - - 0 ignore
# Ignore "last message repeated" notifications
'last message repeated' - - - 0 ignore
# Ignore Lotus Domino SMTP specific exploit
'SMTP HELO overflow attempt' - - - 0 ignore
# Ignore requests for robots.txt
'robots.txt' - - - 0 ignore

## ICMP MESSAGES
#
# Capture ICMP messages and store them in a context.
# Send message if threshold is hit (time or messages)
'ICMP .* \[Priority: ([0-9])\]: \{ICMP\} ([0-9.]+) ->.*' - - - 0
  open "ICMP" - 10 60 7200 pipe "/usr/local/bin/surfmailer -r user\@domain.com -S \"ICMP Messages\""

## HTTP ATTACKS
#
# Capture WEB attacks / exploits into a context
'WEB-.* \[Priority: ([0-9])\]: \{.*\} ([0-9.]+):.*' - - - 0
  open "WEB" - 8 60 7200 pipe "/usr/local/bin/surfmailer -r user\@domain.com -S \"WEB Events\""

## PORTSCAN MESSAGES
#
# Send message on detection of new portscan
'spp_portscan: PORTSCAN DETECTED from (.*) \(.*' - - - 0
  pipe "/usr/local/bin/surfmailer -r user\@domain.com -S \"Portscan DETECT from $2\""
#
# Create context by IP for all portscan status messages
'spp_portscan: portscan status from ([0-9.]+):.*' - - - 0
  open "STATUS$2" - 10 60 7200 pipe "/usr/local/bin/surfmailer -r user\@domain.com -S \"Portscan Status from $2\""
#
# Send message on termination of portscan
# ** Disable IGNORE statement before uncommenting this rule
#'spp_portscan: End of portscan from ([0-9.]+):.*' - - - 0
#  pipe "/usr/local/bin/surfmailer -r user\@domain.com -S \"Portscan END from $2\""
#
# Generic Catch-all portscan message
# ** More for debug purposes... The rules above should catch all other portscan messages
'spp_portscan:.*' - - - 0
  pipe "/usr/local/bin/surfmailer -r user\@domain.com -S \"Portscan GENERIC Message\""
#
# Context for all messages of type "SCAN"
'SCAN .* \[Priority: ([0-9])\]: \{.*\} ([0-9.]+):.*' - - - 0
  open "SCAN$3" - 5 60 7200 pipe "/usr/local/bin/surfmailer -r user\@domain.com -S \"SCAN from $3\""
#
# Send message on any Portscan2 traffic (when enabled)
'portscan2.*' - - - 0
  pipe "/usr/local/bin/surfmailer -r user\@domain.com -S \"Portscan2 Event\""
#
# Report any traffic of type ATTACK RESPONSES
'ATTACK RESPONSES.*' - - - 0
  pipe "/usr/local/bin/surfmailer -r user\@domain.com -S \"Warning: ATTACK RESPONSE\""
#
# A Catch all rule for any events that come through marked Priority 1
'\[Priority: (1)\].*' - - - 0
  pipe "/usr/local/bin/surfmailer -r user\@domain.com -S \"Priority 1 Event\""
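The following is an added example, not part of Matt's post and not logsurfer itself: a small Python emulator of the rule semantics the config above depends on, run over constructed Snort 2.0 syslog lines (the "[gid:sid:rev] msg [Classification: ...] [Priority: n]: {proto} src -> dst" form the regexes are written against; the sample lines are made up, not real captures). It models first-match-wins rule order, `ignore`, `pipe`, and `open` contexts with a line limit, and logsurfer's `$0`/`$1`/`$2..` expansion; it does not model the context timeouts (60 / 7200) or the context's own match_regex, which real logsurfer also applies to every incoming line. Two things worth seeing in the output: the "Priority 1" catch-all only fires for lines that no earlier rule matched (the Priority 1 WEB-IIS line goes into the WEB context instead), and the ignore rules placed first keep the "ICMP Destination Unreachable" line out of the ICMP context it would otherwise match.

```python
import re

# (match_regex, action, context name template, line limit, surfmailer -S subject)
# Mirrors the post's rules in order; $n in templates follows logsurfer:
# $0 whole line, $1 matched text, $2.. parenthesised sub-expressions.
RULES = [
    (r'ICMP Destination Unreachable', 'ignore', None, 0, None),
    (r'End of portscan', 'ignore', None, 0, None),
    (r'last message repeated', 'ignore', None, 0, None),
    (r'SMTP HELO overflow attempt', 'ignore', None, 0, None),
    (r'robots.txt', 'ignore', None, 0, None),
    (r'ICMP .* \[Priority: ([0-9])\]: \{ICMP\} ([0-9.]+) ->.*', 'open', 'ICMP', 10, 'ICMP Messages'),
    (r'WEB-.* \[Priority: ([0-9])\]: \{.*\} ([0-9.]+):.*', 'open', 'WEB', 8, 'WEB Events'),
    (r'spp_portscan: PORTSCAN DETECTED from (.*) \(.*', 'pipe', None, 0, 'Portscan DETECT from $2'),
    (r'spp_portscan: portscan status from ([0-9.]+):.*', 'open', 'STATUS$2', 10, 'Portscan Status from $2'),
    (r'spp_portscan:.*', 'pipe', None, 0, 'Portscan GENERIC Message'),
    (r'SCAN .* \[Priority: ([0-9])\]: \{.*\} ([0-9.]+):.*', 'open', 'SCAN$3', 5, 'SCAN from $3'),
    (r'portscan2.*', 'pipe', None, 0, 'Portscan2 Event'),
    (r'ATTACK RESPONSES.*', 'pipe', None, 0, 'Warning: ATTACK RESPONSE'),
    (r'\[Priority: (1)\].*', 'pipe', None, 0, 'Priority 1 Event'),
]


def expand(template, m):
    """logsurfer-style $n expansion against a regex match object."""
    values = [m.string, m.group(0), *m.groups()]
    return re.sub(r'\$(\d)',
                  lambda d: (values[int(d.group(1))] or '') if int(d.group(1)) < len(values) else '',
                  template)


class Emulator:
    """Simplified logsurfer: ordered rules, first match wins, line-limited contexts."""

    def __init__(self, rules):
        self.rules = [(re.compile(rx), act, ctx, limit, subj) for rx, act, ctx, limit, subj in rules]
        self.contexts = {}   # expanded context name -> lines collected so far

    def feed(self, line):
        """Apply the rules to one line; return the (subject, lines) mails it triggers."""
        fired = []
        for rx, action, ctx_tpl, limit, subject in self.rules:
            m = rx.search(line)
            if m is None:
                continue
            if action == 'pipe':
                fired.append((expand(subject, m), [line]))
            elif action == 'open':
                name = expand(ctx_tpl, m)
                bucket = self.contexts.setdefault(name, [])
                bucket.append(line)
                if len(bucket) >= limit:          # limit hit: fire and close the context
                    fired.append((expand(subject, m), self.contexts.pop(name)))
            # 'ignore' does nothing; in all cases the first matching rule ends processing
            break
        return fired


def run(lines, rules=RULES):
    """Feed every line through the rules; return (mails fired, contexts still open)."""
    emu = Emulator(rules)
    mails = []
    for line in lines:
        mails.extend(emu.feed(line))
    return mails, emu.contexts


# Constructed sample syslog lines (assumed, not real captures), one attacker 192.0.2.10.
_PFX = 'May 23 14:10:%02d ids snort: '
SAMPLE_LINES = [_PFX % i + body for i, body in enumerate([
    '[1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 192.0.2.10 -> 198.51.100.5',
    '[1:402:4] ICMP Destination Unreachable (Port Unreachable) [Classification: Misc activity] [Priority: 3]: {ICMP} 198.51.100.5 -> 192.0.2.10',
    'spp_portscan: PORTSCAN DETECTED from 192.0.2.10 (THRESHOLD 4 connections exceeded in 0 seconds)',
    'spp_portscan: portscan status from 192.0.2.10: 5 connections across 1 hosts: TCP(5), UDP(0)',
    'spp_portscan: End of portscan from 192.0.2.10: TOTAL time(1s) hosts(1) TCP(5) UDP(0)',
    '[1:1256:7] WEB-IIS CodeRed v2 root.exe access [Classification: Web Application Attack] [Priority: 1]: {TCP} 192.0.2.10:3421 -> 198.51.100.80:80',
    '[1:498:3] ATTACK RESPONSES id check returned root [Classification: Potentially Bad Traffic] [Priority: 1]: {TCP} 198.51.100.80:80 -> 192.0.2.10:3421',
    '[1:1324:3] EXPLOIT ssh CRC32 overflow /bin/sh [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 192.0.2.10:40000 -> 198.51.100.5:22',
] + ['[1:628:1] SCAN nmap TCP [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.0.2.10:5200%d -> 198.51.100.5:22' % n
     for n in range(5)])]


if __name__ == '__main__':
    mails, still_open = run(SAMPLE_LINES)
    for subject, lines in mails:
        print('surfmailer -S %r  (%d line(s))' % (subject, len(lines)))
    for name, lines in still_open.items():
        print('context %r open with %d line(s), waiting for its limit or timeout' % (name, len(lines)))
```

Running it fires four mails (the portscan detect, the ATTACK RESPONSES warning, the Priority 1 catch-all for the ssh exploit line only, and "SCAN from 192.0.2.10" once the fifth SCAN line fills the per-IP context) and leaves the ICMP, STATUS192.0.2.10 and WEB contexts open with one line each; in real logsurfer those would be flushed by the 60 / 7200 timeouts the emulator does not model.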
Current thread:
- A Working Logsurfer Example for Snort 2.0 Matt Howell (May 23)
- Re: A Working Logsurfer Example for Snort 2.0 Edin Dizdarevic (May 23)