Snort mailing list archives
Re: ET 2001581
From: Matt Olney <molney () sourcefire com>
Date: Sun, 7 Jun 2009 13:46:19 -0400
Well... I'm not certain of the intent of the rule. If it is looking for boxes inside your network scanning out, then you'd want:

alert tcp $HOME_NET any -> $EXTERNAL_NET 135

If you're looking for external boxes scanning in, you would want:

alert tcp $EXTERNAL_NET any -> $HOME_NET 135

If you're looking for internal boxes scanning on 135, a better bet is to have some darknet set aside and build a custom rule. For example, take an unused /24, say 10.10.10.0/24, and then assign it to the variable DARK_NET. Then I would use:

alert tcp $HOME_NET any -> $DARK_NET 135

Of course, you would also want to worry about the other NETBIOS protocols, 139 and 445 as a base. And finally, you might want to alert on ANY traffic destined to DARK_NET. It is unused, and any traffic that way is by default abnormal (probably).

But, either way, these rules are ET rules and not Sourcefire rules. I think Mr. Jonkman hangs around here, so he may have some things to say about them as well.

Matt Olney
Research Engineer, VRT

On Sun, Jun 7, 2009 at 12:16 PM, James Lay <jlay () slave-tothe-box net> wrote:
Maybe I'm just dumb, but shouldn't something like the below be set to ignore localnets?

alert tcp $HOME_NET any -> any 135 (msg:"ET SCAN Behavioral Unusual Port 135 traffic, Potential Scan or Infection"; flags:S,12; threshold: type both, track by_src, count 70, seconds 60; classtype:misc-activity; reference:url,doc.emergingthreats.net/2001581; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Netbios; sid:2001581; rev:13;)

emerging-sid-msg.map:2001581 || ET SCAN Behavioral Unusual Port 135 traffic, Potential Scan or Infection || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Netbios || url,doc.emergingthreats.net/2001581

Saw a lot of:

Jun 7 09:47:24 gateway snort[15113]: [1:2001581:13] ET SCAN Behavioral Unusual Port 135 traffic, Potential Scan or Infection [Classification: Misc activity] [Priority: 3]: {TCP} 10.0.1.10:2649 -> 10.0.16.62:135

Even though var HOME_NET is [10.0.0.0/8]

------------------------------------------------------------------------------
OpenSolaris 2009.06 is a cutting edge operating system for enterprises looking to deploy the next generation of Solaris that includes the latest innovations from Sun and the OpenSource community. Download a copy and enjoy capabilities such as Networking, Storage and Virtualization. Go to: http://p.sf.net/sfu/opensolaris-get
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
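Added example, not part of the thread and not Snort's or Emerging Threats' code: a small Python simulation of why the direction variables in ET 2001581 decide what it fires on, and of how "threshold: type both, track by_src, count 70, seconds 60" gates the alerts. HOME_NET is 10.0.0.0/8 as in James Lay's post, DARK_NET is the unused 10.10.10.0/24 Matt Olney suggests, the threshold model is a reading of Snort's documented "type both" semantics, and the flow records are constructed for illustration.

```python
"""Added example (not from the thread, not Snort's or ET's code): a small
simulation of how the source/destination variables in ET 2001581 and its
`threshold: type both, track by_src, count 70, seconds 60` decide what
fires.  HOME_NET is 10.0.0.0/8 as in James Lay's post, DARK_NET is the
unused 10.10.10.0/24 from Matt Olney's reply, and the flow records are
constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

HOME_NET = [ipaddress.ip_network("10.0.0.0/8")]
DARK_NET = [ipaddress.ip_network("10.10.10.0/24")]   # assumed unused /24
ANY = None                                            # Snort's "any"


def in_net(addr: str, nets) -> bool:
    """True if addr falls in any of nets; nets=ANY matches everything."""
    if nets is ANY:
        return True
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets)


def external(addr: str) -> bool:
    """$EXTERNAL_NET as conventionally defined: !$HOME_NET."""
    return not in_net(addr, HOME_NET)


@dataclass
class Rule:
    name: str
    src: object             # list of networks, ANY, or a predicate like `external`
    dst: object
    dport: int
    syn_only: bool = True   # models flags:S,12 (SYN set, reserved bits ignored)

    def matches(self, flow: dict) -> bool:
        def side_ok(spec, addr):
            return spec(addr) if callable(spec) else in_net(addr, spec)
        if flow["dport"] != self.dport:
            return False
        if self.syn_only and flow["flags"] != "S":
            return False
        return side_ok(self.src, flow["src"]) and side_ok(self.dst, flow["dst"])


class ThresholdBoth:
    """threshold: type both, track by_src, count N, seconds S.

    Alert once per source after N matching events inside an S-second
    window, then stay quiet for the rest of that window."""

    def __init__(self, count: int, seconds: int):
        self.count, self.seconds = count, seconds
        self.state: Dict[str, Tuple[int, int, bool]] = {}  # src -> (window_start, hits, alerted)

    def event(self, src: str, t: int) -> bool:
        start, hits, alerted = self.state.get(src, (t, 0, False))
        if t - start >= self.seconds:        # window expired: start a fresh one
            start, hits, alerted = t, 0, False
        hits += 1
        fire = hits >= self.count and not alerted
        self.state[src] = (start, hits, alerted or fire)
        return fire


def run(rule: Rule, flows: List[dict], count: int = 70, seconds: int = 60) -> List[Tuple[int, str]]:
    """Return (time, src) for each alert the rule would raise over flows."""
    th = ThresholdBoth(count, seconds)
    return [(f["t"], f["src"]) for f in flows
            if rule.matches(f) and th.event(f["src"], f["t"])]


def make_flows() -> List[dict]:
    """Constructed traffic: 10.0.1.10 SYN-scans 10.0.16.0/24 on tcp/135 at two
    probes per second (80 probes), then probes the darknet and one external host."""
    flows = [{"t": i // 2, "src": "10.0.1.10", "dst": f"10.0.16.{i + 1}",
              "dport": 135, "flags": "S"} for i in range(80)]
    flows.append({"t": 50, "src": "10.0.1.10", "dst": "10.10.10.5", "dport": 135, "flags": "S"})
    flows.append({"t": 55, "src": "10.0.1.10", "dst": "203.0.113.7", "dport": 135, "flags": "S"})
    return flows


# The rule as posted, and the three variants from the reply.
ORIGINAL = Rule("HOME_NET -> any 135", HOME_NET, ANY, 135)
OUTBOUND = Rule("HOME_NET -> EXTERNAL_NET 135", HOME_NET, external, 135)
INBOUND = Rule("EXTERNAL_NET -> HOME_NET 135", external, HOME_NET, 135)
DARKNET = Rule("HOME_NET -> DARK_NET 135", HOME_NET, DARK_NET, 135)

if __name__ == "__main__":
    flows = make_flows()
    for rule in (ORIGINAL, OUTBOUND, INBOUND):
        print(f"{rule.name:32} {run(rule, flows)}")
    # Any traffic to an unused range is abnormal, so no 70-in-60s threshold here.
    print(f"{DARKNET.name:32} {run(DARKNET, flows, count=1)}")
```

As posted, with "any" as the destination, the rule fires on the 70th internal 10.0.1.10 -> 10.0.16.x SYN (t=34) and then stays quiet for the rest of the 60-second window, which is exactly the local-to-local alert James saw. The $HOME_NET -> $EXTERNAL_NET variant never reaches the threshold on this traffic, and neither does the inbound one, so neither would have flagged the internal scanner; only the DARK_NET rule, run with count 1, catches it on the first probe of the unused range. One caveat worth checking against your own tuning: the count/seconds pair is a rate, not a volume, so the same 80 probes sent at one per second would never hit 70 within a 60-second window and would produce no alert at all.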
Current thread:
- ET 2001581 James Lay (Jun 07)
- Re: ET 2001581 Matt Olney (Jun 07)
- Re: ET 2001581 Matt Jonkman (Jun 08)
- Re: ET 2001581 Matt Olney (Jun 07)