Snort mailing list archives
Adding outbound rules to snort ruleset
From: "Jerry Shenk" <jshenk () decommunications com>
Date: Wed, 9 Jun 2004 14:39:47 -0400
Has there been any discussion about adding outbound NetBIOS rules to snort? Most of the rules in the "official" set of rules relate to traffic going from EXTERNAL_NET to HOME_NET. There are quite a few rules that relate to connecting to IRC servers, responses to attacks, etc. It wouldn't need to be very complicated since I never want ANY NetBIOS traffic going out AT ALL! Here's a suggestion for a starting point:

# sid/rev added here (local range, >= 1000000) so each rule carries the identifier Snort expects; they were not in the original post
alert udp $HOME_NET any -> $EXTERNAL_NET 137 (msg:"NETBIOS connection outside LAN - udp 137"; classtype:bad-unknown; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 137 (msg:"NETBIOS connection outside LAN - tcp 137"; classtype:bad-unknown; sid:1000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 139 (msg:"NETBIOS connection outside LAN - tcp 139"; classtype:bad-unknown; sid:1000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"NETBIOS connection outside LAN - tcp 445"; classtype:bad-unknown; sid:1000004; rev:1;)

I suppose there's a bunch more that could be similar - SNMP, TFTP, perhaps 1723 (pptp), IRC (6666 & 6667) and of course the "worm du jour" but NetBIOS attacks are so common in these. This relates a bit to the comments by etienne.causse () pierre-fabre com about the virus.rules file.
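Added example, not part of the original post: a small evaluator for the header part of the outbound NetBIOS rules suggested above, run over a few constructed flow records. It shows why $EXTERNAL_NET must be defined as !$HOME_NET in snort.conf for these rules to be useful: LAN-internal SMB traffic stays silent and only flows leaving the LAN alert. The HOME_NET range, the sids and the flows are assumptions; real Snort evaluates far more (payload options, preprocessors) than this proto/address/port check.

```python
import ipaddress
from dataclasses import dataclass

# Assumed LAN range; in snort.conf this is var HOME_NET and EXTERNAL_NET is !$HOME_NET.
HOME_NET = [ipaddress.ip_network("192.168.1.0/24")]

@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

# (proto, destination port, msg, sid) taken from the rules in the post;
# sids are assumed values in the local range (>= 1000000).
OUTBOUND_RULES = [
    ("udp", 137, "NETBIOS connection outside LAN - udp 137", 1000001),
    ("tcp", 137, "NETBIOS connection outside LAN - tcp 137", 1000002),
    ("tcp", 139, "NETBIOS connection outside LAN - tcp 139", 1000003),
    ("tcp", 445, "NETBIOS connection outside LAN - tcp 445", 1000004),
]

def in_home_net(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in HOME_NET)

def matching_sids(flow: Flow) -> list[int]:
    """Return sids of rules whose header '$HOME_NET any -> $EXTERNAL_NET <port>'
    matches the flow, with $EXTERNAL_NET modelled as !$HOME_NET."""
    if not in_home_net(flow.src) or in_home_net(flow.dst):
        return []
    return [sid for proto, port, _msg, sid in OUTBOUND_RULES
            if proto == flow.proto and port == flow.dport]

# Constructed sample flows (203.0.113.0/24 is documentation space, not a real host).
SAMPLE_FLOWS = [
    Flow("tcp", "192.168.1.10", 3456, "192.168.1.20", 445),  # LAN file share: no alert
    Flow("tcp", "192.168.1.10", 3457, "203.0.113.5", 445),   # SMB leaving the LAN: alert
    Flow("udp", "192.168.1.11", 137, "203.0.113.9", 137),    # NetBIOS name query out: alert
    Flow("tcp", "203.0.113.5", 4444, "192.168.1.10", 139),   # inbound: covered by existing rules
]

def alerts(flows=SAMPLE_FLOWS) -> dict[str, list[int]]:
    return {f"{f.src}->{f.dst}:{f.dport}/{f.proto}": matching_sids(f) for f in flows}

if __name__ == "__main__":
    for key, sids in alerts().items():
        print(key, sids or "no alert")
```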