Snort mailing list archives

RE: Who doesn't care about virus rules, and why?


From: "Williams Jon" <WilliamsJonathan () JohnDeere com>
Date: Thu, 6 Nov 2003 11:12:48 -0600

<grin> When I had to do this, we didn't have the snort version with thresholding options in it, so I did it the 
old-fashioned way.  I wrote a perl script that runs from cron every 5 minutes.  It keeps track of the number of lines 
seen so far and ignores everything but new entries in the tcpdump file.  It does the thresholding via in-memory hashes, 
and then generates an SMTP message if a source address crosses the threshold.  Since we've got multiple instances of 
snort running and one dedicated to monitoring this type of traffic, when I've got a new thing I'm looking for (i.e. 
CyberKit pings instead of TCP 135 connects), I add the rule to that instance and my X dests/Y time stuff just includes 
it.

I plan on playing with thresholding in the future, but so far, the job has kept me from playing :-(

Jon
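The "X destinations in Y seconds" check described in this thread, as an added example that is not Jon's Perl script nor anything shipped with Snort. It assumes a Snort alert_fast text log instead of the tcpdump file Jon mentions, keeps the "lines seen so far" offset and the per-source hash in memory rather than on disk, and uses constructed log lines with a hypothetical rule name and sid; the mail addresses are placeholders. The point Iain asks about is handled by keying the hash on source and counting distinct destinations, so a host that blasts one server with many packets does not trip the threshold while a host that touches many machines does (Snort's own `threshold`/`event_filter` with `track by_src` counts events, not distinct targets, so it cannot make that distinction by itself).

```python
"""Cron-style worm thresholding over a Snort alert_fast log (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from email.message import EmailMessage

# Snort 2.x alert_fast layout: timestamp, [**] sid/msg [**], ..., {PROTO} src:port -> dst:port.
# Ports are optional and ignored so counting is per host, not per flow.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\].*?\{\w+\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)


def parse_alert(line):
    """Return (timestamp, src_ip, dst_ip) for an alert_fast line, or None otherwise."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%m/%d-%H:%M:%S.%f")  # alert_fast carries no year
    return ts, m["src"], m["dst"]


class Tracker:
    """X-distinct-destinations-in-Y-seconds thresholding keyed on source address.

    A real cron job would persist lines_seen and the hash between runs; here
    they stay in memory so the example runs stand-alone.
    """

    def __init__(self, max_dests, window_seconds):
        self.max_dests = max_dests
        self.window = timedelta(seconds=window_seconds)
        self.lines_seen = 0             # how far into the file the previous run got
        self.seen = defaultdict(dict)   # src -> {dst: timestamp of last SYN}
        self.alerted = set()            # one mail per source, not one every 5 minutes

    def distinct_dests(self, src, now):
        """Destinations src hit inside the window ending at now; stale ones are pruned."""
        cutoff = now - self.window
        live = {d: t for d, t in self.seen[src].items() if t >= cutoff}
        self.seen[src] = live
        return set(live)

    def process(self, lines):
        """Consume only lines appended since the last run; return sources that newly cross X."""
        new_lines = lines[self.lines_seen:]
        self.lines_seen = len(lines)
        latest = None
        for line in new_lines:
            parsed = parse_alert(line)
            if parsed is None:
                continue                # junk in the log must not kill the cron job
            ts, src, dst = parsed
            self.seen[src][dst] = ts
            latest = ts if latest is None else max(latest, ts)
        fired = []
        if latest is None:
            return fired
        for src in list(self.seen):
            dests = self.distinct_dests(src, latest)
            if len(dests) >= self.max_dests and src not in self.alerted:
                self.alerted.add(src)
                fired.append((src, sorted(dests)))
        return fired


def build_alert(src, dests, max_dests, window_seconds):
    """Build the notification; smtplib.SMTP(host).send_message(msg) would deliver it."""
    msg = EmailMessage()
    msg["Subject"] = f"IDS: {src} sent TCP/135 SYNs to {len(dests)} hosts in {window_seconds}s"
    msg["From"] = "ids@example.com"             # hypothetical addresses
    msg["To"] = "desktop-support@example.com"
    msg.set_content(
        f"{src} contacted {len(dests)} distinct hosts on TCP 135 (threshold {max_dests}).\n"
        "Targets:\n" + "\n".join(f"  {d}" for d in dests) + "\n"
    )
    return msg


def _alert(second, src, sport, dst):
    # Constructed sample line; the rule name and sid 1000001 are hypothetical.
    return (f"11/06-10:00:{second:02d}.000000  [**] [1:1000001:1] LOCAL TCP 135 SYN outbound [**] "
            f"[Priority: 2] {{TCP}} {src}:{sport} -> {dst}:135")


# Constructed log: one host scanning 12 machines, one host hammering a single server.
SAMPLE_ALERTS = (
    [_alert(i, "10.1.2.3", 1024 + i, f"192.168.5.{10 + i}") for i in range(12)]
    + [_alert(i, "10.1.2.99", 2000 + i, "192.168.5.200") for i in range(15)]
    + ["not an alert line at all"]
)


def demo(max_dests=10, window_seconds=60):
    """Two simulated cron runs over the same growing file."""
    tracker = Tracker(max_dests, window_seconds)
    first_run = tracker.process(SAMPLE_ALERTS[:5])   # only 5 lines exist yet: nothing fires
    second_run = tracker.process(SAMPLE_ALERTS)      # reads from line 5 onward only
    return first_run, second_run, tracker


if __name__ == "__main__":
    _, fired, tracker = demo()
    for src, dests in fired:
        print(build_alert(src, dests, tracker.max_dests, 60))
```

Running it mails (well, prints) one message for 10.1.2.3 and nothing for 10.1.2.99, even though the latter produced more alert lines. The window pruning in `distinct_dests` is what keeps a slow, legitimate management host from accumulating into a false positive over a day.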

-----Original Message-----
From: Snortty [mailto:cwcwcwg () yahoo com]
Sent: Thursday, November 06, 2003 10:38 AM
To: Iain Hallam; Williams Jon
Cc: snort-sigs () lists sourceforge net; snort-users
Subject: Re: [Snort-users] Who doesn't care about virus rules, and why?


Yes, William,

Would you mind posting your rules to illustrate the point please?

One objective for our snort IDS to be installed on our network backbone is to be faster in responding to worm incidents like those that occurred recently, and it would help a great deal if your way really works.

Thanks in advance.
S.W.



--- Iain Hallam <ccidsh () swarfega plus com> wrote:
Williams Jon wrote:
What we've ended up doing is monitoring the default route path for our network and watching for either TCP SYNs that are going places they shouldn't or TCP RST packets generated either by the firewall or the odd host that is actually hit. With thresholding, we can generate fairly useful alerts in cases where, in Blaster's case, one source address sends out TCP port 135 SYN packets to more than X number of hosts in Y period of time. This is so reliable, in nearly every case we've used it on, that we are able to auto-generate email alerts that go to someone else to actually _deal_ with the problem rather than making the IDS staff track down and call each victim independently.

We're doing something similar with ICMP on our network, but how can you tell the difference between large numbers of hosts and large numbers of packets to a single host? Would you mind posting one of your rules to illustrate the point?

Thanks,

Iain.








_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

