Snort mailing list archives
RE: Adding outbound rules to snort ruleset
From: "Jerry Shenk" <jshenk () decommunications com>
Date: Wed, 9 Jun 2004 15:54:26 -0400
I had that same "problem" yesterday. Port 445 is blocked so I couldn't tell the difference between Sasser and Korgo - doesn't really matter, 350,000/hour connection attempts to public IP addresses seems....odd ;)

I'm running pigsentry on this network...that seems to do pretty good at alerting for newly discovered hits and hits that escalate dramatically over prior levels. I'm working on a minor modification to pigsentry so that it will include the last few alerts that match the subject in the e-mail message body.

    if ($opt_logto_mail) {
        $mail_recips = $opt_logto_mail;
        if (! -x $mailbin) {
            &fatal_error("Cannot execute '$mailbin' for sending email, use --mailbin={exe}");
        }
        $notify_hook = sub {
            my ($msg, $alert) = @_;
            (!$alert) && ($alert = "alert");
            $mailinfo = "UNCB PigSentry $alert: $msg";
            $use_syslog && syslog('notice', "$alert: $msg");
            ## Next line changed: pull the most recent full-format alert records
            ## matching this signature out of the snort alert file and pipe them
            ## straight into the mailer as the message body
            system("/bin/grep -A 4 \"$msg\" /var/log/snort/alert | tail -n 35 | $mailbin -s \"$mailinfo\" $mail_recips </dev/null 2>/dev/null");
            ## print ("[" . localtime() . "] $alert: $msg\n");
        };
    }

I haven't had a hit on pigsentry since I made the change so maybe it won't work...here's what I'm trying at the moment. I'm sure there's a cleaner way to do that. I'd also like to add a "first line" of the message that would essentially be the number of hits (grep -c "msg" /var/log/snort/alert) and something like "xx hits on this signature today". I'm not quite sure how to have both things in the message body without using temp files though.

-----Original Message-----
From: Williams Jon [mailto:WilliamsJonathan () JohnDeere com]
Sent: Wednesday, June 09, 2004 3:38 PM
To: Jerry Shenk; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Adding outbound rules to snort ruleset

I've done this, with pretty good success. Of course, it helps that some of the networks I monitor have clearly defined boundaries, but we've been able to pick up on pretty much any MS networking worm just by watching these 4 rules.

Add an external script that monitors (log files || snortdb) and looks for source addresses that connect to more than X destinations in Y period of time, and we've got an effective worm detector. Of course, the downside to this is that, due to the architecture of my network, snort only ever sees SYN packets, and never the payloads, so it's hard to tell the difference between CodeRed, CodeRedII, and Nimda (all three scan on TCP 135). On the other hand, though, our content-based sigs for those 3 worms hardly ever trigger, due to the ratio of active hosts to total address space. Only ever saw 1 or 2 Nimda-specific alerts, but we'd get 200k generic ones from a single host. A honeypot might help that, though, by giving the worms something to establish a TCP connection with. Maybe :-)

Jon

_____
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Jerry Shenk
Sent: Wednesday, June 09, 2004 1:40 PM
To: snort-users () lists sourceforge net
Cc: etienne.causse () pierre-fabre com
Subject: [Snort-users] Adding outbound rules to snort ruleset

Has there been any discussion about adding outbound NetBIOS rules to snort? Most of the rules in the "official" set of rules relate to traffic going from EXTERNAL_NET to HOME_NET. There are quite a few rules that relate to connecting to IRC servers, responses to attacks, etc. It wouldn't need to be very complicated since I never want ANY NetBIOS traffic going out AT ALL!

Here's a suggestion for a starting point:

    alert udp $HOME_NET any -> $EXTERNAL_NET 137 (msg:"NETBIOS connection outside LAN - udp 137"; classtype:bad-unknown;)
    alert tcp $HOME_NET any -> $EXTERNAL_NET 137 (msg:"NETBIOS connection outside LAN - tcp 137"; classtype:bad-unknown;)
    alert tcp $HOME_NET any -> $EXTERNAL_NET 139 (msg:"NETBIOS connection outside LAN - tcp 139"; classtype:bad-unknown;)
    alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"NETBIOS connection outside LAN - tcp 445"; classtype:bad-unknown;)

I suppose there's a bunch more that could be similar - SNMP, TFTP, perhaps 1723 (pptp), IRC (6666 & 6667) and of course the "worm du jour" but NetBIOS attacks are so common in these. This relates a bit to the comments by etienne.causse () pierre-fabre com about the virus.rules file.
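The two ideas in this thread, Jerry's "count line plus the last few matching alerts" mail body built without temp files, and Jon's "more than X destinations in Y seconds" worm heuristic over the snort log, fit in one small script. The following is an added example, not pigsentry's code and not written by anyone in the thread. It assumes the alerts are in Snort's one-line "fast" format (the sample lines below are constructed; the /var/log/snort/alert file quoted above is the multi-line full format, which is why the grep there needs -A 4), that the year is 2004 because fast format carries no year, and that the mailer is invoked as `mail -s` like `$mailbin` in the Perl above. The thresholds X=5 destinations and Y=60 seconds are illustrative defaults.

```python
import re
import subprocess
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log in Snort "fast" alert format, one record per line:
# one host fanning out to six public addresses on tcp/445 in five seconds,
# and another host making two unrelated udp/137 connections hours apart.
SAMPLE_ALERTS = """\
06/09-15:50:01.000001 [**] [1:1000004:1] NETBIOS connection outside LAN - tcp 445 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.10:1045 -> 203.0.113.5:445
06/09-15:50:02.000002 [**] [1:1000004:1] NETBIOS connection outside LAN - tcp 445 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.10:1046 -> 203.0.113.6:445
06/09-15:50:03.000003 [**] [1:1000004:1] NETBIOS connection outside LAN - tcp 445 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.10:1047 -> 203.0.113.7:445
06/09-15:50:04.000004 [**] [1:1000004:1] NETBIOS connection outside LAN - tcp 445 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.10:1048 -> 203.0.113.8:445
06/09-15:50:05.000005 [**] [1:1000004:1] NETBIOS connection outside LAN - tcp 445 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.10:1049 -> 203.0.113.9:445
06/09-15:50:06.000006 [**] [1:1000004:1] NETBIOS connection outside LAN - tcp 445 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.10:1050 -> 203.0.113.10:445
06/09-12:00:00.000001 [**] [1:1000001:1] NETBIOS connection outside LAN - udp 137 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.1.20:137 -> 198.51.100.7:137
06/09-15:00:00.000001 [**] [1:1000001:1] NETBIOS connection outside LAN - udp 137 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.1.20:137 -> 198.51.100.8:137
"""

# Fast-format line: timestamp, [gen:sid:rev], msg, optional classification and
# priority, protocol in braces, then src[:port] -> dst[:port].
LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) \[\*\*\] \[\d+:\d+:\d+\] "
    r"(?P<msg>.+?) \[\*\*\] .*?\{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?$"
)

LOG_YEAR = 2004  # assumption: fast format has no year, taken from the thread date


def parse_alerts(text):
    """Return one dict per parseable alert line; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%m/%d-%H:%M:%S.%f").replace(year=LOG_YEAR)
        alerts.append({"ts": ts, "msg": m["msg"], "proto": m["proto"],
                       "src": m["src"], "dst": m["dst"], "raw": line})
    return alerts


def signature_summary(alerts, msg, last_n=3):
    """The mail body Jerry describes: a hit-count first line followed by the
    last few alerts for that signature, assembled in memory (no temp file)."""
    hits = sorted((a for a in alerts if a["msg"] == msg), key=lambda a: a["ts"])
    lines = [f"{len(hits)} hits on this signature today"]
    lines.extend(a["raw"] for a in hits[-last_n:])
    return "\n".join(lines)


def find_scanners(alerts, max_dsts=5, window_seconds=60):
    """Jon's heuristic: a source that reaches more than max_dsts distinct
    destinations inside any window_seconds span is probably a scanning worm.
    Returns {src: peak distinct-destination count} for the sources that exceed it."""
    recent = defaultdict(deque)  # src -> (ts, dst) pairs still inside the window
    peak = defaultdict(int)
    for a in sorted(alerts, key=lambda a: a["ts"]):
        q = recent[a["src"]]
        q.append((a["ts"], a["dst"]))
        while (a["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()  # drop connections older than the window
        distinct = len({dst for _, dst in q})
        if distinct > peak[a["src"]]:
            peak[a["src"]] = distinct
    return {src: n for src, n in peak.items() if n > max_dsts}


def send_summary(subject, body, recipients, mailbin="/usr/bin/mail"):
    """Feed the body to the mailer's stdin as an argv list, so the alert text is
    never interpolated into a shell command line. Mailer path is an assumption."""
    return subprocess.run([mailbin, "-s", subject, *recipients],
                          input=body, text=True, check=False).returncode


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    print(signature_summary(alerts, "NETBIOS connection outside LAN - tcp 445"))
    for src, n in find_scanners(alerts).items():
        print(f"possible worm: {src} reached {n} distinct hosts inside 60s")
```

Because the body is handed to the mailer over stdin rather than spliced into a `system()` string, a signature message containing quotes or shell metacharacters cannot break the command, and the count line and the recent alerts travel together without a scratch file. In a deployment the log text would come from reading the alert file (or tailing it) instead of the constructed sample.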