Snort mailing list archives

RE: Curse of the cmd.exe


From: Andreas Östling <andreaso () it su se>
Date: Sat, 15 Jun 2002 16:45:36 +0200 (CEST)


Sam Evans wrote:

It seems pointless to me, to log 10,000 cmd.exe attempts from outside
hosts, when you don't know what the actual outcome was.. Sure,
you have to go to your webserver logs to find out the real result, but,
with all the Nimda / Codered still going on.. That makes for a very long day
of log searching.


There are a few excellent "attack response" rules among the official
Snort rules which you could focus on. (And as always, it's easy to write
your own.)

I'm not sure I agree that logging those 10,000 cmd.exe attempts is always
pointless though.
At least my experience is that when you catch a successful intrusion,
even those alerts (to/from the involved hosts) that you would normally
classify as false positives can be invaluable and give a better view of a
larger picture. Personally I prefer to have snort and other tools collect
as much possibly hostile activities as possible and then look for the
best/worst stuff myself by post-processing the logs using
SnortSnarf/ACID/grep etc.

I wrote a really ugly little perl script a while ago to help me combine
attacks with attack responses by parsing an alert file, just as a test to
see if it would be useful. It's really simple - if there is an alert from
a.a.a.a:x -> b.b.b.b:y and then an alert from b.b.b.b:y -> a.a.a.a:x there
is a darn good chance that they are related, so "generate an alert". You
can also define what is a bad answer (host vulnerable) or good answer
(host not vulnerable). This is obviously too simple to be really useful in
the real world but could be extended in many ways.

An example from a real-life alert file:
http://people.su.se/~andreaso/misc/istest.html

I never finished it and probably never will, but I still like the idea.
Has anyone made something similar? Or planning to?
Hopefully it will be much better than my attempt :)

Regards,
Andreas Östling
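The pairing idea described in the post above, written out as an added Python example (it is not Andreas's perl script and not part of the original message). It parses constructed alert lines in the style of Snort's "fast" alert output, pairs each a:x -> b:y alert with a later b:y -> a:x alert on the same flow, and judges the answer with two assumed rule-name prefix lists, BAD_ANSWERS and GOOD_ANSWERS, that you would adapt to your own rule set; the SIDs and rule names in the sample are illustrative only.

```python
import re
from collections import OrderedDict

# Constructed sample alerts in Snort "fast" alert style (SIDs/names illustrative).
SAMPLE_ALERTS = """\
06/15-16:40:01.000001  [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 10.1.1.7:3456 -> 192.0.2.10:80
06/15-16:40:01.000400  [**] [1:1292:5] ATTACK-RESPONSES http dir listing [**] [Priority: 1] {TCP} 192.0.2.10:80 -> 10.1.1.7:3456
06/15-16:41:10.000002  [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 10.1.1.8:4001 -> 192.0.2.11:80
06/15-16:41:10.000300  [**] [1:9999:1] WEB-MISC 404 not found [**] [Priority: 3] {TCP} 192.0.2.11:80 -> 10.1.1.8:4001
06/15-16:42:00.000003  [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 10.1.1.9:5000 -> 192.0.2.12:80
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Assumed rule-name prefixes: a "bad" answer means the target looks vulnerable,
# a "good" answer means it does not. Adapt these to the rules you actually run.
BAD_ANSWERS = ("ATTACK-RESPONSES",)
GOOD_ANSWERS = ("WEB-MISC 404",)

def parse_alert(line):
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(response_msg):
    if response_msg.startswith(BAD_ANSWERS):
        return "vulnerable"
    if response_msg.startswith(GOOD_ANSWERS):
        return "not vulnerable"
    return "unknown"

def correlate(lines):
    """Pair each alert a:x -> b:y with a later alert b:y -> a:x on the same flow."""
    pending = OrderedDict()   # flow 4-tuple -> first alert seen on it, awaiting an answer
    results = []
    for line in lines:
        a = parse_alert(line)
        if not a:
            continue  # not a fast-format alert line; skip it
        flow = (a["src"], a["sport"], a["dst"], a["dport"])
        reverse = (a["dst"], a["dport"], a["src"], a["sport"])
        attack = pending.pop(reverse, None)
        if attack is not None:   # this alert answers an earlier one on the reversed flow
            results.append({"attacker": attack["src"], "target": attack["dst"],
                            "attack": attack["msg"], "response": a["msg"],
                            "verdict": classify(a["msg"])})
        else:
            pending[flow] = a
    for attack in pending.values():   # attacks that never got an answering alert
        results.append({"attacker": attack["src"], "target": attack["dst"],
                        "attack": attack["msg"], "response": None,
                        "verdict": "no response alert"})
    return results
```

Unanswered attacks still come out with the verdict "no response alert", so the post-processing step can keep them for the larger picture rather than silently dropping them.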




