Snort mailing list archives
Re: Trying to detect a ping sweep
From: "lists () packetmail net" <lists () packetmail net>
Date: Tue, 3 Apr 2012 17:35:33 -0500
On 04/03/12 16:30, Aaron Evers wrote:
Greetings, I am trying to configure snort 2.9.1.2 to detect a variety of network discovery traffic. I'd like to be able to detect a ping sweep in the following manner: a source address sends icmp echo requests to x number of unique destination addresses over x period of time. For example, a host that sends 10 pings to a single destination address over the course of 60 seconds does not generate an alert, but a host that sends 10 pings, each to a different destination address over the course of 60 seconds does generate an alert. Is this possible? I haven't been able to find a way with the online manual.
Hi Aaron,

While completely untested, perhaps leveraging threshold and flowbits would give you an acceptable solution. I'm doing something similar but using Perl and hashes across multiple SIDs to generate threshold analysis. Since you're wanting to constrain this to ICMP echo-request I might try:

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"CUSTOM_RULES NOALERT Incoming ICMP Echo Request"; itype:8; flowbits:set,custom.psweep; flowbits:noalert; threshold:type limit, track by_src, count 10, seconds 60; classtype:icmp-event; sid:x; rev:1;)

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"CUSTOM_RULES ALERT Incoming ICMP Echo Request Sweep to Multiple Hosts"; itype:8; flowbits:isset,custom.psweep; classtype:icmp-event; threshold:type limit, track by_dst, count 1, seconds 60; sid:x; rev:1;)

I'm not certain this is 100% correct but hopefully it gives you some ideas or at least points you in the right direction. Hopefully others may be able to assist.

Thanks,
Nathan
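The check Aaron asks for is "one source, at least N distinct destinations, inside a sliding window of T seconds"; Snort's threshold keyword counts rule hits per source or per destination, not distinct destinations per source. As an added example that is not part of this thread or of Snort, here is that exact check in Python over constructed echo-request records (timestamp, source, destination, ICMP type), so the logic can be read and tested on its own:

```python
from collections import defaultdict, deque

# Constructed sample records: (timestamp_seconds, src_ip, dst_ip, icmp_type).
# Not real traffic; built to exercise the cases discussed in the thread.
SAMPLE_EVENTS = []
# Host A: 10 echo requests to one destination within 60 s (not a sweep)
SAMPLE_EVENTS += [(t * 5, "10.0.0.5", "192.168.1.1", 8) for t in range(10)]
# Host B: 10 echo requests, each to a different destination, within 60 s (a sweep)
SAMPLE_EVENTS += [(100 + t * 5, "10.0.0.9", f"192.168.1.{t + 1}", 8) for t in range(10)]
# Host C: 10 distinct destinations, but spread over 180 s (outside a 60 s window)
SAMPLE_EVENTS += [(300 + t * 20, "10.0.0.7", f"192.168.2.{t + 1}", 8) for t in range(10)]
# Echo replies (type 0) must be ignored, whatever their volume
SAMPLE_EVENTS += [(400 + t, "192.168.1.1", "10.0.0.5", 0) for t in range(12)]
SAMPLE_EVENTS.sort()


def detect_ping_sweeps(events, count=10, seconds=60):
    """Return (timestamp, src, distinct_dsts) for every source that has sent
    ICMP echo requests to at least `count` distinct destinations inside a
    sliding window of `seconds`. Like 'threshold:type limit', at most one
    alert per source is raised per window once the condition holds."""
    recent = defaultdict(deque)   # src -> deque of (ts, dst) inside the window
    last_alert = {}               # src -> timestamp of the last alert raised
    alerts = []
    for ts, src, dst, itype in sorted(events):
        if itype != 8:            # only echo requests count toward a sweep
            continue
        window = recent[src]
        window.append((ts, dst))
        while window and window[0][0] < ts - seconds:   # expire old entries
            window.popleft()
        distinct = {d for _, d in window}
        if len(distinct) < count:
            continue
        last = last_alert.get(src)
        if last is None or ts - last >= seconds:
            last_alert[src] = ts
            alerts.append((ts, src, len(distinct)))
    return alerts


if __name__ == "__main__":
    for ts, src, n in detect_ping_sweeps(SAMPLE_EVENTS):
        print(f"t={ts}s sweep from {src}: {n} distinct destinations in 60 s")
```

With the defaults only host B fires; widening the window to 200 s makes host C fire as well, which shows why the window length matters as much as the count.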
Current thread:
- Trying to detect a ping sweep Aaron Evers (Apr 03)
- Re: Trying to detect a ping sweep lists () packetmail net (Apr 03)