Snort mailing list archives

Traffic anomaly: Summary


From: Joerg Weber <j.weber () infos de>
Date: 17 Feb 2003 10:07:48 +0100

Hello everyone,

first I'd like to thank everyone who has helped me in the past week with
my traffic anomaly detection problem.
Here is the summary of my findings; if I'm incorrect in my conclusions,
feel free to set me straight please ;)

1) Noticing 'strange' outbound traffic
Building up a list of servers and categorizing their normal traffic
allows us to build rules which catch non-standard traffic, like web/ftp
servers initiating outbound traffic. Rule example:
alert tcp 192.168.1.2 any -> any any (msg:"Outbound connection from web server"; flags:S;)

2) Noticing worm-like traffic
There are several ways to do this. One is watching the reset-packets
generated by systems an infected host tries to contact (but failing for
whatever reasons). Example nimda-like rule:
alert tcp any 80 -> any any (msg:"rejected on HTTP"; flags:AR;)
One can also monitor ICMP packets generated in case there are connection
attempts to closed ports.
Spade will pick this up as well with the closed-dport directive.

3) Noticing traffic to previously unused ports:
Spade will pick up a rogue server listening on some obscure port by its
odd-dport and odd-port-dest preprocessors.

4) Noticing rogue warez servers on live systems
Not possible with snort/spade at the current time. A custom netflow
parsing app is needed to find compromised systems handing out stuff on
their legal port (http, ftp).

Again, thanks to everyone who helped me out :)

Cheers,

Joerg

-- 
----------------------------------
Joerg Weber
Network Security
InfoServe GmbH
Nell-Breuning-Allee 6
66115 Saarbruecken
T: 0681 - 88008 - 0
F: 0681 - 88008 - 33
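The two checks from points 1 and 2 above, written out as a small offline pass over constructed connection records (an added example, not part of the original post and not Snort or Spade code; the server inventory, the record format and the RST threshold are assumptions):

```python
"""Offline prototype of rules 1 and 2 from the summary above.
Applies them to constructed 'src:sport > dst:dport FLAGS' records."""

# Constructed inventory of servers that should never initiate outbound TCP
# (addresses and roles are assumptions for this example).
SERVER_ROLES = {"192.168.1.2": "web", "192.168.1.3": "ftp"}
# Distinct hosts that must answer one source with RST/ACK before we alert;
# a per-packet rule like flags:AR fires on every single refused connect.
RST_THRESHOLD = 3

def parse(line):
    """Turn 'src:sport > dst:dport FLAGS' into a dict (constructed format)."""
    src, _, dst, flags = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"sip": sip, "sport": int(sport), "dip": dip,
            "dport": int(dport), "flags": set(flags)}

def outbound_from_servers(records):
    """Rule 1: a listed server sending a bare SYN (Snort flags:S) is
    initiating a connection, which web/ftp servers normally never do."""
    return [(r["sip"], r["dip"], r["dport"]) for r in records
            if r["sip"] in SERVER_ROLES and r["flags"] == {"S"}]

def rst_targets(records):
    """Rule 2: RST/ACK from port 80 (Snort flags:AR) goes back to the host
    that knocked; count distinct responders per knocking host."""
    responders = {}
    for r in records:
        if r["sport"] == 80 and r["flags"] == {"A", "R"}:
            responders.setdefault(r["dip"], set()).add(r["sip"])
    return {host: len(s) for host, s in responders.items()
            if len(s) >= RST_THRESHOLD}

# Constructed sample: a normal inbound web hit, the web server dialling out
# on 6667, one host refused by four neighbours, and one single refusal.
SAMPLE = """\
10.0.0.7:1033 > 192.168.1.2:80 S
192.168.1.2:80 > 10.0.0.7:1033 SA
192.168.1.2:4040 > 203.0.113.9:6667 S
10.0.0.20:2001 > 10.0.0.21:80 S
10.0.0.21:80 > 10.0.0.20:2001 AR
10.0.0.22:80 > 10.0.0.20:2002 AR
10.0.0.23:80 > 10.0.0.20:2003 AR
10.0.0.24:80 > 10.0.0.20:2004 AR
10.0.0.30:80 > 10.0.0.31:1500 AR
""".splitlines()
RECORDS = [parse(line) for line in SAMPLE]

if __name__ == "__main__":
    print("outbound from servers:", outbound_from_servers(RECORDS))
    print("hosts refused on HTTP by >= %d peers:" % RST_THRESHOLD, rst_targets(RECORDS))
```

The SYN/ACK reply from the web server is not flagged because the flag set must equal {S}, mirroring Snort's exact-match flags:S; the single refusal to 10.0.0.31 stays below the threshold.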


