Snort mailing list archives

Previous By Date Next
Previous By Thread Next

A Working Logsurfer Example for Snort 2.0

From: Matt Howell <mhowell () cybarworks com>
Date: 23 May 2003 14:16:45 -0700
All...

A few weeks ago, I posted a message asking if anyone had a set of
logsurfer rules that worked with Snort 2.0 that was worth sharing. 
After failing to receive a response from anyone, I am posting the rules
that I came up with in the hopes that it might be helpful for others. 
By no means are these officially endorsed by the Snort project or
logsurfer, but instead its just one example of what someone is actually
using in production.  I am fairly green to logsurger / regex, so there
may be better ways to handle some of these events.  I tried to include
somewhat logical comments, as well.  If you find something that works
better for you, please let me know because I would like to improve on
this over time.

-Matt Howell
mhowell () cybarworks com

LINKS:
surfmailer script:
http://www.obfuscation.org/emf/logsurfer/surfmailer

emf's snort / logsurfer example:
http://www.obfuscation.org/emf/logsurfer/snort.txt

##################################

### Logsurfer Definitions:  Snort 2.0.0
### author:  Matt Howell (mhowell () cybarworks com)
### date:    05/23/03
###
#
## IGNORE STATEMENTS
#
# Ignore "Unreachable" ICMP messages
'ICMP Destination Unreachable' - - - 0 ignore
# Ignore End of Portscan Messages - Preference
'End of portscan' - - - 0 ignore
# Ignore "last message repeated" notifications
'last message repeated' - - - 0 ignore
# Ignore Lotus Domino SMTP specific exploit
'SMTP HELO overflow attempt' - - - 0 ignore
# Ignore requests for robots.txt
'robots.txt' - - - 0 ignore
## ICMP MESSAGES
#
# Capture ICMP messages and store them in a context.
# Send message if threshold is hit (time or messages)
'ICMP .* \[Priority: ([0-9])\]: \{ICMP\} ([0-9.]+) ->.*' - - - 0
        open "ICMP" - 10 60 7200
        pipe "/usr/local/bin/surfmailer -r user\@domain.com -S \"ICMP
Messages\""
## HTTP ATTACKS
#
# Capture WEB attacks / exploits into a context
'WEB-.* \[Priority: ([0-9])\]: \{.*\} ([0-9.]+):.*' - - - 0
        open "WEB" - 8 60 7200
        pipe "/usr/local/bin/surfmailer -r user\@domain.com -S \"WEB
Events\""
## PORTSCAN MESSAGES
#
# Send message on detection of new portscan
'spp_portscan: PORTSCAN DETECTED from (.*) \(.*' - - - 0
        pipe "/usr/local/bin/surfmailer -r user\@domain.com -S
\"Portscan DETECT from $2\""
#
# Create context by IP for all portscan status messages
'spp_portscan: portscan status from ([0-9.]+):.*' - - - 0
        open "STATUS$2" - 10 60 7200
        pipe "/usr/local/bin/surfmailer -r user\@domain.com -S
\"Portscan   Status from $2\""
#
# Send message on termination of portscan
# ** Disable IGNORE statement before uncommenting this rule
#'spp_portscan: End of portscan from ([0-9.]+):.*' - - - 0
#       pipe "/usr/local/bin/surfmailer -r user\@domain.com -S
\"Portscan END from $2\""
#
# Generic Catch-all portscan message
# ** More for debug purposes...  The rules above should catch all other
portscan messages
'spp_portscan:.*' - - - 0
        pipe "/usr/local/bin/surfmailer -r user\@domain.com -S
\"Portscan GENERIC Message\""
#
# Context for all messages of type "SCAN"
'SCAN .* \[Priority: ([0-9])\]: \{.*\} ([0-9.]+):.*' - - - 0
        open "SCAN$3" - 5 60 7200
        pipe "/usr/local/bin/surfmailer -r user\@domain.com -S \"SCAN
from $3\""
#
# Send message on any Portscan2 traffic (when enabled)
'portscan2.*' - - - 0
        pipe "/usr/local/bin/surfmailer -r user\@domain.com -S
\"Portscan2 Event\""
#
# Report any traffic of type ATTACK RESPONSES
'ATTACK RESPONSES.*' - - - 0
        pipe "/usr/local/bin/surfmailer -r user\@domain.com -S
\"Warning: ATTACK RESPONSE\""
#
# A Catch all rule for any events that come through marked Priority 1
'\[Priority: (1)\].*' - - - 0
        pipe "/usr/local/bin/surfmailer -r user\@domain.com -S
\"Priority 1 Event\""



-------------------------------------------------------
This SF.net email is sponsored by: ObjectStore.
If flattening out C++ or Java code to make your application fit in a
relational database is painful, don't do it! Check out ObjectStore.
Now part of Progress Software. http://www.objectstore.net/sourceforge
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: