Re: How's best to alert on Web connections that *don't* contain particular content?

["Kenneth G. Arnold" <bkarnold () cbu edu>]

You could write an alert to catch all port 80 connections but write a pass
rule that would be processed first that lets the Trendmicro traffic be
ignored.
Ken

On Wed, 26 Feb 2003, Jason Haar wrote:

> I'm wanting to get snort to alert whenever it sees our DMZ hosts connect
> outbound on services they're not meant to be using. Sounds like a good idea
> - should only trigger once a break in has occured.
>
> Anyway, one problem is our DMZ anti-virus SMTP servers with all their
> auto-updates. We have DMZes throughout the world, and so far I have
> discovered that our Trend InterScan VirusWall servers have connected to no
> less than 40 different networks (not hosts!) to get Trend pattern file
> updates from. Gah! There's no way I can put an exclude list in to tell snort
> to ignore port 80 connections to that many sites - and of course they could
> change from week to week.
>
> Instead I decided to look at the content, and to alert only if a port 80
> connection looks like it's a non-Trend request.
>
> i.e.
>
> alert tcp $DMZES_NETS any -> any 80 (msg:"DMZ host communicating to an \
> unsupported service";flow:to_server,established; content:"Host|3a|"; \
> regex:!"Host|3a|*trend";nocase;tag: session, 10,packets;\
> classtype:successful-admin;sid:1000001;rev:2;\
> reference: url,/secure/cvename.php?name=1000001;)
>
> So what it's doing is looking for a "Host:" header - which implies it's a
> Web request, and then alerts IFF it doesn't contain "Host:*trend" - as all
> the Trend update servers contain that string in their DNS hostnames.
>
> It seems to work, but I'm still getting the odd hit - the packet caught does
> contain "Host:*trend" - so I don't know why it's triggering. Is the regex
> code pretty solid?
>
> Any ideas?
>
> Also, is there a way of alerting on non-HTTP traffic on port 80? The above
> rule would catch the likes of an outgoing CodeRed - but it wouldn't trigger
> on a successful hacker going back to his SSH server running on port 80. Can
> you do something like "flow:to_server,established;nouricontent"?
>
> --
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>
>
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users