Snort mailing list archives
RE: Adding outbound rules to snort ruleset
From: "Williams Jon" <WilliamsJonathan () JohnDeere com>
Date: Wed, 9 Jun 2004 14:37:58 -0500
I've done this, with pretty good success. Of course, it helps that some of the networks I monitor have clearly defined boundaries, but we've been able to pick up on pretty much any MS networking worm just by watching these 4 rules. Add an external script that monitors (log files || snortdb) and looks for source addresses that connect to more than X destinations in Y period of time, and we've got an effective worm detector.

Of course, the downside to this is that, due to the architecture of my network, snort only ever sees SYN packets, and never the payloads, so it's hard to tell the difference between CodeRed, CodeRedII, and Nimda (all three scan on TCP 135). On the other hand, though, our content-based sigs for those 3 worms hardly ever trigger, due to the ratio of active hosts to total address space. Only ever saw 1 or 2 Nimda-specific alerts, but we'd get 200k generic ones from a single host. A honeypot might help that, though, by giving the worms something to establish a TCP connection with. Maybe :-)

Jon

_____
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Jerry Shenk
Sent: Wednesday, June 09, 2004 1:40 PM
To: snort-users () lists sourceforge net
Cc: etienne.causse () pierre-fabre com
Subject: [Snort-users] Adding outbound rules to snort ruleset

Has there been any discussion about adding outbound NetBIOS rules to snort? Most of the rules in the "official" set of rules relate to traffic going from EXTERNAL_NET to HOME_NET. There are quite a few rules that relate to connecting to IRC servers, responses to attacks, etc. It wouldn't need to be very complicated since I never want ANY NetBIOS traffic going out AT ALL!
Here's a suggestion for a starting point:

# Outbound NetBIOS/SMB from HOME_NET; sids from the local range (1000000+) so Snort loads the rules without complaint
alert udp $HOME_NET any -> $EXTERNAL_NET 137 (msg:"NETBIOS connection outside LAN - udp 137"; classtype:bad-unknown; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 137 (msg:"NETBIOS connection outside LAN - tcp 137"; classtype:bad-unknown; sid:1000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 139 (msg:"NETBIOS connection outside LAN - tcp 139"; classtype:bad-unknown; sid:1000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"NETBIOS connection outside LAN - tcp 445"; classtype:bad-unknown; sid:1000004; rev:1;)

I suppose there's a bunch more that could be similar - SNMP, TFTP, perhaps 1723 (pptp), IRC (6666 & 6667) and of course the "worm du jour" but NetBIOS attacks are so common in these. This relates a bit to the comments by etienne.causse () pierre-fabre com about the virus.rules file.
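The external fan-out detector Jon describes above (source addresses that hit more than X destinations within Y seconds, driven off the alerts the four outbound rules produce), as an added example that is not part of either post. It parses Snort "fast" alert lines, keeps a sliding per-source window of recent destinations, and reports any source whose distinct-destination count exceeds the threshold. The alert lines, IP addresses, thresholds and the sid numbers are constructed for the example; the year is assumed to be 2004 because the fast format carries none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Snort "fast" alert line, e.g.
# 06/09-14:37:58.123456  [**] [1:1000004:1] NETBIOS connection outside LAN - tcp 445 [**]
#   [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.1.2.3:1034 -> 203.0.113.7:445
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def parse_alert(line, year=2004):
    """Return (timestamp, src, dst, dport) for a fast-format alert line, or None.

    The fast format has no year field, so the caller supplies it (assumed 2004,
    the date of the thread).
    """
    m = ALERT_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return ts, m["src"], m["dst"], int(m["dport"])


def find_scanners(lines, max_dests=5, window_seconds=60):
    """Flag sources that reach more than max_dests distinct destinations
    within any window_seconds span.

    Returns {src: (distinct_dests, window_start, window_end)} with the widest
    fan-out seen for each flagged source.  Unparseable lines are skipped.
    Lines must be time-ordered per source (Snort writes them that way);
    different sources may be interleaved.
    """
    windows = defaultdict(deque)  # src -> deque of (ts, dst), oldest first
    hits = {}
    for line in lines:
        rec = parse_alert(line)
        if rec is None:
            continue
        ts, src, dst, _dport = rec
        q = windows[src]
        q.append((ts, dst))
        # Expire events older than the window; the event just appended keeps q non-empty.
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct > max_dests and distinct > hits.get(src, (0,))[0]:
            hits[src] = (distinct, q[0][0], ts)
    return hits


def fast_line(ts, src, sport, dst, dport, sid=1000004):
    """Build a constructed fast-format alert line for the sample log below."""
    return (f"{ts}  [**] [1:{sid}:1] NETBIOS connection outside LAN - tcp {dport} [**] "
            f"[Classification: Potentially Bad Traffic] [Priority: 2] "
            f"{{TCP}} {src}:{sport} -> {dst}:{dport}")


# Constructed sample log, grouped by source for readability:
#  - 10.1.2.3 reaches 8 distinct hosts on 445 in 14 seconds (worm-like fan-out)
#  - 10.1.5.9 talks to one off-site file server three times (legitimate, one destination)
#  - 10.1.7.7 reaches 6 hosts on 139 but only one every 3 minutes (slow, outside a 60 s window)
SAMPLE_ALERTS = (
    [fast_line(f"06/09-14:37:{s:02d}.000000", "10.1.2.3", 1030 + i, f"203.0.113.{i + 1}", 445)
     for i, s in enumerate(range(0, 16, 2))]
    + [fast_line(f"06/09-14:38:{s:02d}.000000", "10.1.5.9", 2000 + i, "198.51.100.20", 445)
       for i, s in enumerate((5, 25, 45))]
    + [fast_line(f"06/09-14:{40 + 3 * i:02d}:00.000000", "10.1.7.7", 3000 + i, f"192.0.2.{i + 1}", 139,
                 sid=1000003)
       for i in range(6)]
)


if __name__ == "__main__":
    for src, (n, start, end) in find_scanners(SAMPLE_ALERTS).items():
        print(f"{src}: {n} distinct destinations between {start:%H:%M:%S} and {end:%H:%M:%S}")
```

On the sample log only 10.1.2.3 is reported; widening the window to 20 minutes also catches the slow scanner 10.1.7.7, which is the X/Y trade-off Jon's "more than X destinations in Y period" leaves to the operator. Counting distinct destinations in the script rather than using the rules' own per-source event threshold matters for the file-server case: a threshold counts alerts, so a host that legitimately connects to the same external server repeatedly would trip it, while this script only fires on fan-out.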
Current thread:
- RE: Adding outbound rules to snort ruleset Williams Jon (Jun 09)
- RE: Adding outbound rules to snort ruleset Jerry Shenk (Jun 09)