Snort mailing list archives
Re: ET 2001581
From: Matt Jonkman <jonkman () jonkmans com>
Date: Mon, 08 Jun 2009 09:48:28 -0400
The intent originally was to catch any scanning, back in the day when the bots would just start sequentially at some class A. Might have been internal, might have been external. But overall, the threshold of 70 *new* connections in 60 seconds is what keeps it accurate. Nothing Windows does works that quickly! :)

I have seen false positives on servers pushing patches if they're scanning a net looking for boxes to hit, and scripted net discovery. But these are also within the intent of the rule.

So overall, the goal is to see internal and outbound port 135 scanning. Likely culprits are infections and internal scanning (which if the scanning isn't authorized it needs attention).

That help clear things up?

As for the darknet suggestion Matt, I wholeheartedly agree! But that's a local thing of course.

Does anyone see a change we should make to the rule under the original intent?

Matt

Matt Olney wrote:
Well...I'm not certain the intent of the rule. If it is looking for boxes inside your network scanning out, then you'd want:

alert tcp $HOME_NET any -> $EXTERNAL_NET 135

If you're looking for external boxes scanning in, you would want:

alert tcp $EXTERNAL_NET any -> $HOME_NET 135

If you're looking for internal boxes scanning on 135, a better bet is to have some darknet set aside and build a custom rule. For example, take an unused /24, say 10.10.10.0/24, and then assign it to the variable DARK_NET. Then I would use:

alert tcp $HOME_NET any -> $DARK_NET 135

Of course, you would also want to worry about the other NETBIOS protocols, 139 and 445 as a base. And finally, you might want to alert on ANY traffic destined to DARK_NET. It is unused, and any traffic that way is by default abnormal (probably).

But, either way, these rules are ET rules and not Sourcefire rules. I think Mr. Jonkman hangs around here, so he may have some things to say about them as well.

Matt Olney
Research Engineer, VRT

On Sun, Jun 7, 2009 at 12:16 PM, James Lay <jlay () slave-tothe-box net> wrote:

Maybe I'm just dumb, but shouldn't something like the below be set to ignore localnets?
alert tcp $HOME_NET any -> any 135 (msg:"ET SCAN Behavioral Unusual Port 135 traffic, Potential Scan or Infection"; flags:S,12; threshold: type both, track by_src, count 70, seconds 60; classtype:misc-activity; reference:url,doc.emergingthreats.net/2001581; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Netbios; sid:2001581; rev:13;)

emerging-sid-msg.map:
2001581 || ET SCAN Behavioral Unusual Port 135 traffic, Potential Scan or Infection || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Netbios || url,doc.emergingthreats.net/2001581

Saw a lot of:

Jun 7 09:47:24 gateway snort[15113]: [1:2001581:13] ET SCAN Behavioral Unusual Port 135 traffic, Potential Scan or Infection [Classification: Misc activity] [Priority: 3]: {TCP} 10.0.1.10:2649 -> 10.0.16.62:135

Even though var HOME_NET is [10.0.0.0/8]

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
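As an added illustration (not code from the thread, from Emerging Threats or from Sourcefire), the script below replays constructed SYN events through the header, flags and threshold semantics of the rule as posted, and through the $EXTERNAL_NET and $DARK_NET destinations Olney proposes. HOME_NET is the value from Lay's post; the 10.10.10.0/24 darknet and EXTERNAL_NET being !$HOME_NET are assumptions.

```python
"""Added example: replay constructed SYN events through the header, flags and
threshold logic of ET 2001581 and through the alternative destinations in the thread."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
HOME_NET = [ip_network("10.0.0.0/8")]      # value from James Lay's post
DARK_NET = [ip_network("10.10.10.0/24")]   # assumed unused /24, per Olney's suggestion

def in_nets(addr, nets):
    return any(ip_address(addr) in n for n in nets)

def dst_matches(dst, dst_spec):
    """Resolve the rule's destination field: 'any', '$EXTERNAL_NET' or '$DARK_NET'."""
    if dst_spec == "any":
        return True
    if dst_spec == "$EXTERNAL_NET":        # assumes EXTERNAL_NET is !$HOME_NET
        return not in_nets(dst, HOME_NET)
    if dst_spec == "$DARK_NET":
        return in_nets(dst, DARK_NET)
    raise ValueError(dst_spec)

def matching_syns(events, dst_spec):
    """SYNs to 135 that '$HOME_NET any -> <dst_spec> 135' with 'flags: S' would pass, by source."""
    per_src = defaultdict(list)
    for ts, src, dst, dport, syn in sorted(events):
        if syn and dport == 135 and in_nets(src, HOME_NET) and dst_matches(dst, dst_spec):
            per_src[src].append(ts)
    return per_src

def threshold_both(per_src, count=70, seconds=60):
    """threshold: type both, track by_src: one alert per source per window, fired
    only once that source has produced `count` matching SYNs inside the window."""
    alerts = defaultdict(list)
    for src, times in per_src.items():
        n, start = 0, None
        for ts in times:
            if start is None or ts - start >= seconds:   # open a new window
                start, n = ts, 0
            n += 1
            if n == count:                               # fires once per window
                alerts[src].append(ts)
    return dict(alerts)

# Constructed traffic: 10.0.1.10 sweeps 80 internal hosts on 135 in 40 s (the pattern
# behind Lay's log line), later touches 5 external hosts and 2 darknet hosts.
EVENTS = [(i * 0.5, "10.0.1.10", f"10.0.16.{i + 1}", 135, True) for i in range(80)]
EVENTS += [(100 + i, "10.0.1.10", f"203.0.113.{i + 1}", 135, True) for i in range(5)]
EVENTS += [(200 + i, "10.0.1.10", f"10.10.10.{i + 7}", 135, True) for i in range(2)]

def alerts_for(dst_spec):
    return threshold_both(matching_syns(EVENTS, dst_spec))
if __name__ == "__main__":
    for spec in ("any", "$EXTERNAL_NET", "$DARK_NET"):
        print(spec, len(matching_syns(EVENTS, spec)["10.0.1.10"]), "SYNs ->", alerts_for(spec))
```

With `-> any` the internal sweep fires once at the 70th SYN, with `-> $EXTERNAL_NET` it never fires, and with `-> $DARK_NET` only two packets match, which is why Olney's darknet rule should alert on every packet rather than carry this threshold.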
Current thread:
- ET 2001581 James Lay (Jun 07)
- Re: ET 2001581 Matt Olney (Jun 07)
- Re: ET 2001581 Matt Jonkman (Jun 08)
- Re: ET 2001581 Matt Olney (Jun 07)