Snort mailing list archives
Re: SUMMARY, CyberKit 2.2 Ping, its driven me Nuts..
From: Simon Smith <greybrimstone2004 () yahoo com>
Date: Wed, 31 Dec 2003 23:26:18 -0800 (PST)
Greetings, (I'm new to this list, so if this is old news just tell me to shut up.) I've actually found a product called anvil that seems to work very well with existing IDS solutions. Its sort of an IDS harness that uses your existing IDS engines such as snort, realsecure, etc..and enhances their capabilities. As for this pain in the ass Cyberkit alert, you can easily configure ALL of your sensors from a menu called configure priorities. It allows you to change the criticality of the alerts or to totally disable a rule.. The other thing about this product is that it is DAMN FAST. This morning when I got into the office I had 350697 alerts for the ms sql propogation attempt (and it only took 1 second to process the alerts for display). Then it took me all of 3 minutes to validate that the the attacks didn't affect my networks and clear them from my database. One of the features that I really like is that it supports segmented administration. For example, the network that I am responsible for has 6 seperate subnets. There are two administrators that work on my team, and each of them is responsible for 3 subnets. Anvil allowed me to create one isolated account for each administrator so that they could only see IDS and forensic information for their network, yet I can see the full view for both networks if I need to from my console. (the managment console is a web based system so thats kinda cool too) The guy that I talked to about getting my demo cd (yes I am running the demo) was mtohvisky () secnetops com. When I last talked to him he said that they were doing some sort of a try it for free and if you like it like it, buy it. (the trial period for me was 15 days which was a bit short, but I think I am going to buy it.) Anyway, I thought I'd share my feelings on this product. Its one of the first products that I've ever seen that solves MANY of the inherent issues and can actually identify real threats vs bogus threats VERY quickly and VERY accuratley. Hope some of you find this useful. ;) Regards, Jim Shaw ----- Original Message ----- From: "Jeff Kell" <jeff-kell () utc edu> To: "Brice B" <nesta () iceburg net> Cc: <chris.northrop () po state ct us>; <snort-users () lists sourceforge net> Sent: Wednesday, December 31, 2003 8:38 PM Subject: Re: [Snort-users] SUMMARY, CyberKit 2.2 Ping, its driven me Nuts..
Can anyone verify the [non]existance of a difference between the Cyberkit and Nachi pings? Not having Cyberkit myself, I can only address Nachi. The frame is 106 bytes on the wire, 92 bytes in the IP packet, and 64 bytes of 0xaa in the ICMP data payload. If Cyberkit is anything but 64 bytes of 0xaa payload, perhaps a new, Nachi-specific rule is called for.
Here's the rule I wrote, which I've posted to the list several times. It uses thresholding and triggers one alert per minute. If you get *any* alerts with this rule, I *guarantee* you it's a machine infected with Nachi or a new variant of Nachi. # This rule is for tracking Nachi infections alert icmp $HOME_NET any -> any any (msg: "ALERT!!! NACHI Infection!!"; content: "|aaaa aaaa aaaa aaaa aaaa aaaa aaaa aa aa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa|"; dsize:64; itype: 8; icode: 0; threshold: type both, track by_src, count 1000, seconds 60; classtype:trojan-activity; si d: 10000008; rev: 4;) The usual rules apply. This must be either all on one line or properly "escaped", so you'll have to fix it if you copy and paste. Note that this rule *only* triggers for internal infections, *not* for infected machines on $EXTERNAL_NET, so you need to edit it appropriately for what you are looking for on your network. I.e. change $HOME_NET to any if you want to catch *all* infections or $EXTERNAL_NET if you want to catch *incoming* infections. Paul Schmehl (pauls () utdallas edu) Adjunct Information Security Officer University of Texas at Dallas http://www.utdallas.edu/ir/ ------------------------------------------------------- This SF.net email is sponsored by: IBM Linux Tutorials. Become an expert in LINUX or just sharpen your skills. Sign up for IBM's Free Linux Tutorials. Learn everything from the bash shell to sys admin. Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users --------------------------------- Do you Yahoo!? Find out what made the Top Yahoo! Searches of 2003
Current thread:
- Re: SUMMARY, CyberKit 2.2 Ping, its driven me Nuts.. Brice B (Dec 31)
- Re: SUMMARY, CyberKit 2.2 Ping, its driven me Nuts.. Jeff Kell (Dec 31)
- Re: SUMMARY, CyberKit 2.2 Ping, its driven me Nuts.. Jeff Kell (Dec 31)
- Re: SUMMARY, CyberKit 2.2 Ping, its driven me Nuts.. Paul Schmehl (Dec 31)
- Re: SUMMARY, CyberKit 2.2 Ping, its driven me Nuts.. Jim Brown (Jan 03)
- Re: SUMMARY, CyberKit 2.2 Ping, its driven me Nuts.. Paul Schmehl (Jan 03)
- Re: SUMMARY, CyberKit 2.2 Ping, its driven me Nuts.. Jeff Kell (Dec 31)
- RE: SUMMARY, CyberKit 2.2 Ping, its driven me Nuts.. Chris N (Jan 02)
- <Possible follow-ups>
- Re: SUMMARY, CyberKit 2.2 Ping, its driven me Nuts.. Simon Smith (Dec 31)