Snort mailing list archives

RE: Adding outbound rules to snort ruleset


From: "Williams Jon" <WilliamsJonathan () JohnDeere com>
Date: Wed, 9 Jun 2004 14:37:58 -0500

I've done this, with pretty good success.  Of course, it helps that some
of the networks I monitor have clearly defined boundaries, but we've been
able to pick up on pretty much any MS networking worm just by watching
these 4 rules.  Add an external script that monitors (log files ||
snortdb) and looks for source addresses that connect to more than X
destinations in Y period of time, and we've got an effective worm
detector.
 
Of course, the downside to this is that, due to the architecture of my
network, snort only ever sees SYN packets, and never the payloads, so
it's hard to tell the difference between CodeRed, CodeRedII, and Nimda
(all three scan on TCP 135).  On the other hand, though, our
content-based sigs for those 3 worms hardly ever trigger, due to the
ratio of active hosts to total address space.  Only ever saw 1 or 2
Nimda-specific alerts, but we'd get 200k generic ones from a single
host.  A honeypot might help that, though, by giving the worms something
to establish a TCP connection with.  Maybe :-)

Jon 
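The "external script" Jon describes above, as an added example that is not part of the thread: it reads Snort alert_fast-style lines (the sample lines are constructed, as are the hypothetical addresses), keeps a per-source sliding window of Y seconds, and flags any source that hits more than X distinct destinations inside that window. The thresholds X and Y are the max_dests and window_seconds parameters.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed alert_fast lines (not real logs): 10.1.2.3 fans out fast,
# 10.1.2.9 talks to one host repeatedly, 10.1.2.50 fans out slowly.
SAMPLE_ALERTS = """\
06/09-13:40:01.000001  [**] [1:1000004:1] NETBIOS connection outside LAN - tcp 445 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.1.2.3:1035 -> 203.0.113.10:445
06/09-13:40:02.000001  [**] [1:1000003:1] NETBIOS connection outside LAN - tcp 139 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.1.2.9:1040 -> 203.0.113.30:139
06/09-13:40:03.000001  [**] [1:1000004:1] NETBIOS connection outside LAN - tcp 445 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.1.2.3:1036 -> 203.0.113.11:445
06/09-13:40:04.000001  [**] [1:1000003:1] NETBIOS connection outside LAN - tcp 139 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.1.2.9:1041 -> 203.0.113.30:139
06/09-13:40:06.000001  [**] [1:1000004:1] NETBIOS connection outside LAN - tcp 445 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.1.2.3:1037 -> 203.0.113.12:445
06/09-13:40:08.000001  [**] [1:1000003:1] NETBIOS connection outside LAN - tcp 139 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.1.2.9:1042 -> 203.0.113.30:139
06/09-13:40:09.000001  [**] [1:1000004:1] NETBIOS connection outside LAN - tcp 445 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.1.2.3:1038 -> 203.0.113.13:445
06/09-13:41:00.000001  [**] [1:1000001:1] NETBIOS connection outside LAN - udp 137 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.1.2.50:137 -> 203.0.113.20:137
06/09-13:41:50.000001  [**] [1:1000001:1] NETBIOS connection outside LAN - udp 137 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.1.2.50:137 -> 203.0.113.21:137
06/09-13:42:40.000001  [**] [1:1000001:1] NETBIOS connection outside LAN - udp 137 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.1.2.50:137 -> 203.0.113.22:137
06/09-13:43:30.000001  [**] [1:1000001:1] NETBIOS connection outside LAN - udp 137 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.1.2.50:137 -> 203.0.113.23:137
"""

# timestamp ... {proto} src:port -> dst:port  (alert_fast layout)
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\].*?\{(?:TCP|UDP)\}\s+"
    r"(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+$")

def parse_alert(line):
    """Return (timestamp, src_ip, dst_ip) or None for lines we cannot parse."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%m/%d-%H:%M:%S.%f")  # year left at default
    return ts, m["src"], m["dst"]

def find_scanners(lines, max_dests=3, window_seconds=60):
    """Map src -> time it first exceeded max_dests distinct destinations
    within any window_seconds span. Lines are assumed chronological per source."""
    recent = defaultdict(deque)   # src -> deque[(ts, dst)], oldest first
    flagged = {}
    for line in lines:
        parsed = parse_alert(line)
        if parsed is None:
            continue                # skip preprocessor chatter, blank lines, etc.
        ts, src, dst = parsed
        window = recent[src]
        window.append((ts, dst))
        while (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()        # age out hits older than Y seconds
        if src not in flagged and len({d for _, d in window}) > max_dests:
            flagged[src] = ts
    return flagged
```

Tune max_dests and window_seconds to the normal fan-out of the monitored segment; the slow scanner in the sample is deliberately below threshold to show that the window, not the lifetime total, is what counts.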

  _____  

From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Jerry
Shenk
Sent: Wednesday, June 09, 2004 1:40 PM
To: snort-users () lists sourceforge net
Cc: etienne.causse () pierre-fabre com
Subject: [Snort-users] Adding outbound rules to snort ruleset


Has there been any discussion about adding outbound NetBIOS rules to
snort?  Most of the rules in the "official" set of rules relate to
traffic going from EXTERNAL_NET to HOME_NET.  There are quite a few
rules that relate to connecting to IRC servers, responses to attacks,
etc.  It wouldn't need to be very complicated since I never want ANY
NetBIOS traffic going out AT ALL!  Here's a suggestion for a starting
point:
 
# Each rule on one line; sid/rev added in the local (1000000+) range so Snort loads them without complaint
alert udp $HOME_NET any -> $EXTERNAL_NET 137 (msg:"NETBIOS connection outside LAN - udp 137"; classtype:bad-unknown; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 137 (msg:"NETBIOS connection outside LAN - tcp 137"; classtype:bad-unknown; sid:1000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 139 (msg:"NETBIOS connection outside LAN - tcp 139"; classtype:bad-unknown; sid:1000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"NETBIOS connection outside LAN - tcp 445"; classtype:bad-unknown; sid:1000004; rev:1;)
 
I suppose there's a bunch more that could be similar - SNMP, TFTP,
perhaps 1723 (pptp), IRC (6666 & 6667) and of course the "worm du jour"
but NetBIOS attacks are so common in these.
 
This relates a bit to the comments by etienne.causse () pierre-fabre com
about the virus.rules file.
