Snort mailing list archives
Traffic anomaly: Summary
From: Joerg Weber <j.weber () infos de>
Date: 17 Feb 2003 10:07:48 +0100
Hello everyone,

first I'd like to thank everyone who has helped me in the past week with my traffic anomaly detection problem. Here is the summary of my findings; if I'm incorrect in my conclusions, feel free to set me straight please ;)

1) Noticing 'strange' outbound traffic

Building up a list of servers and categorizing their normal traffic allows us to build rules which catch non-standard traffic, like web/ftp servers initiating outbound traffic. Rule example:

    alert tcp 192.168.1.2 any -> any any (msg:"Outbound connection from web server"; flags:S;)

2) Noticing worm-like traffic

There are several ways to do this. One is watching the reset packets generated by systems an infected host tries to contact (but failing for whatever reasons). Example nimda-like rule:

    alert tcp any 80 -> any any (msg:"rejected on HTTP"; flags:AR;)

One can also monitor ICMP packets generated in case there are connection attempts to closed ports. Spade will pick this up as well with the closed-dport directive.

3) Noticing traffic to previously unused ports

Spade will pick up a rogue server listening on some obscure port by its odd-dport and odd-port-dest preprocessors.

4) Noticing rogue warez servers on live systems

Not possible with snort/spade at the current time. A custom netflow parsing app is needed to find compromised systems handing out stuff on their legal port (http, ftp).

Again, thanks to everyone who helped me out :)

Cheers,
Joerg

--
----------------------------------
Joerg Weber
Network Security
InfoServe GmbH
Nell-Breuning-Allee 6
66115 Saarbruecken
T: 0681 - 88008 - 0
F: 0681 - 88008 - 33
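Points 1 and 2 of the summary above describe two checks: a known server sending a bare SYN outbound, and a host that draws RST/ACK or ICMP-unreachable replies from many distinct peers. The following Python, which is an added example and not part of the original post or of Snort/Spade, runs both checks over constructed packet records (the `SAMPLE_PACKETS` text, the `SERVERS` set and the `min_rejections` threshold are all assumptions made for the example).

```python
from collections import defaultdict

# Constructed sample packets (not from the post), one per line:
#   src sport dst dport flags   where flags is TCP letters (S, A, R) or ICMP-UNREACH
SAMPLE_PACKETS = """
192.168.1.2 80 10.0.0.9 51000 SA
192.168.1.2 40001 10.0.0.50 25 S
192.168.1.7 50001 10.0.0.11 80 S
10.0.0.11 80 192.168.1.7 50001 AR
192.168.1.7 50002 10.0.0.12 80 S
10.0.0.12 80 192.168.1.7 50002 AR
192.168.1.7 50003 10.0.0.13 80 S
10.0.0.13 - 192.168.1.7 - ICMP-UNREACH
192.168.1.7 50004 10.0.0.14 80 S
10.0.0.14 80 192.168.1.7 50004 AR
192.168.1.5 50010 10.0.0.11 80 S
10.0.0.11 80 192.168.1.5 50010 AR
"""

# Hosts known to be servers that should never initiate connections (constructed).
SERVERS = {"192.168.1.2"}


def parse_packets(text):
    """Split the whitespace-separated records into dicts."""
    pkts = []
    for line in text.strip().splitlines():
        src, sport, dst, dport, flags = line.split()
        pkts.append({"src": src, "sport": sport, "dst": dst, "dport": dport, "flags": flags})
    return pkts


def server_outbound_syns(pkts, servers):
    """Point 1: a known server sending a bare SYN (flags:S, not the SYN/ACK
    it sends when answering clients). Returns (server, peer, dport) tuples."""
    return [(p["src"], p["dst"], p["dport"])
            for p in pkts if p["src"] in servers and p["flags"] == "S"]


def worm_like_hosts(pkts, min_rejections=3):
    """Point 2: hosts whose connection attempts are rejected (RST/ACK reply or
    ICMP unreachable) by at least min_rejections distinct peers. The reply's
    dst is the host that did the probing, its src is the rejecting peer."""
    rejecting_peers = defaultdict(set)
    for p in pkts:
        if p["flags"] in ("AR", "ICMP-UNREACH"):
            rejecting_peers[p["dst"]].add(p["src"])
    return {host: len(peers) for host, peers in rejecting_peers.items()
            if len(peers) >= min_rejections}
```

A single rejected connection (192.168.1.5 in the sample) stays below the threshold, which is what keeps ordinary failed connections from tripping the worm check.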