Snort mailing list archives

RE: Adding outbound rules to snort ruleset


From: "Jerry Shenk" <jshenk () decommunications com>
Date: Wed, 9 Jun 2004 15:54:26 -0400

I had that same "problem" yesterday.  Port 445 is blocked so I couldn't
tell the difference between sasser and korgo - doesn't really matter,
350,000/hour connection attempts to public IP addresses seems....odd ;)
 
I'm running pigsentry on this network...that seems to do pretty good at
alerting for newly discovered hits and hits that escalate dramatically
over prior levels.  I'm working on a minor modification to pigsentry so
that it will include the last few alerts that match the subject in the
e-mail message body.  
 
if ($opt_logto_mail) {
    $mail_recips = $opt_logto_mail;
    if (! -x $mailbin) {
        &fatal_error("Cannot execute '$mailbin' for sending email, use --mailbin={exe}");
    }
    $notify_hook = sub {
        my ($msg, $alert) = @_;
        (!$alert) && ($alert = "alert");
        $mailinfo = "UNCB PigSentry $alert: $msg";
        $use_syslog && syslog('notice', "$alert: $msg");
        # Pull the last few records matching this signature out of the Snort
        # alert file and mail them.  Note that $msg and $mailinfo are
        # interpolated into a shell command line, so quoting characters in
        # an alert message will break (or alter) the pipeline.
## Next line changed
        system("/bin/grep -A 4 \"$msg\" /var/log/snort/alert | tail -n 35 | $mailbin -s \"$mailinfo\" $mail_recips </dev/null 2>/dev/null");
##
        print ("[" . localtime() . "] $alert: $msg\n");
    };
}

 
I haven't had a hit on pigsentry since I made the change so maybe it
won't work...here's what I'm trying at the moment.  I'm sure there's a
cleaner way to do that.  I'd also like to add a "first line" of the
message that would essentially be the number of hits (grep -c \"msg\"
/var/log/snort/alert) and something like "xx hits on this signature
today".  I'm not quite sure how to have both things in the message body
without using temp files though.

-----Original Message-----
From: Williams Jon [mailto:WilliamsJonathan () JohnDeere com] 
Sent: Wednesday, June 09, 2004 3:38 PM
To: Jerry Shenk; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Adding outbound rules to snort ruleset


I've done this, with pretty good success.  Of course, it helps that some
of the networks I monitor have clearly defined boundaries, but we've been
able to pick up on pretty much any MS networking worm just by watching
these 4 rules.  Add an external script that monitors (log files ||
snortdb) and looks for source addresses that connect to more than X
destinations in Y period of time, and we've got an effective worm
detector. 
 
Of course, the downside to this is that, due to the architecture of my
network, snort only ever sees SYN packets, and never the payloads, so
it's hard to tell the difference between CodeRed, CodeRedII, and Nimda
(all three scan on TCP 135).  On the other hand, though, our
content-based sigs for those 3 worms hardly ever trigger, due to the
ratio of active hosts to total address space.  Only ever saw 1 or 2
Nimda-specific alerts, but we'd get 200k generic ones from a single
host.  A honeypot might help that, though, by giving the worms something
to establish a TCP connection with.  Maybe :-)

Jon 

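As an added illustration of the two pieces of tooling discussed in this thread (the external script that flags a source address connecting to more than X destinations in Y seconds, and the pigsentry change that wants a hit count plus the last few matching alerts in one mail body without temp files), here is a small Python script. It is not pigsentry's code, not from the list, and uses Python rather than pigsentry's Perl. The alert records are a constructed sample rendered in Snort's full alert format (trimmed to the three lines the parser reads), the sid 1000001 is a placeholder, and the year 2004 is assumed because full-format timestamps carry none; the function names are my own.

```python
"""In-memory checks over a Snort 'full' alert file (no temp files):
1. fan-out: sources hitting more than max_dests distinct destinations
   within window_seconds (the external worm-detector script);
2. a mail body with "N hits" first, then the last few matching records."""
import re
import subprocess
from collections import defaultdict
from datetime import datetime

# Constructed sample of /var/log/snort/alert.  192.168.1.10 fans out to
# five hosts on 445 within seven seconds; 192.168.1.20 talks to one host.
_SAMPLE = [  # (src, sport, dst, dport, timestamp, port tag in msg)
    ("192.168.1.10", 1025, "203.0.113.1", 445, "06/09-15:54:01.000100", "tcp 445"),
    ("192.168.1.10", 1026, "203.0.113.2", 445, "06/09-15:54:02.000200", "tcp 445"),
    ("192.168.1.20", 2001, "198.51.100.7", 139, "06/09-15:54:03.000300", "tcp 139"),
    ("192.168.1.10", 1027, "203.0.113.3", 445, "06/09-15:54:04.000400", "tcp 445"),
    ("192.168.1.10", 1028, "203.0.113.4", 445, "06/09-15:54:05.000500", "tcp 445"),
    ("192.168.1.20", 2002, "198.51.100.7", 139, "06/09-15:54:06.000600", "tcp 139"),
    ("192.168.1.10", 1029, "203.0.113.5", 445, "06/09-15:54:07.000700", "tcp 445"),
    ("192.168.1.10", 1030, "203.0.113.1", 445, "06/09-15:55:30.000800", "tcp 445"),
]

def _render(src, sport, dst, dport, ts, tag):
    # sid 1000001 is a placeholder local sid; the thread's rules carry none.
    return (f"[**] [1:1000001:1] NETBIOS connection outside LAN - {tag} [**]\n"
            f"[Classification: Potentially Bad Traffic] [Priority: 2]\n"
            f"{ts} {src}:{sport} -> {dst}:{dport}\n")

SAMPLE_ALERT_LOG = "\n".join(_render(*r) for r in _SAMPLE)

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
IPLINE_RE = re.compile(
    r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) ([\d.]+)(?::(\d+))? -> ([\d.]+)(?::(\d+))?$")

def parse_alerts(text, year=2004):
    """Split the file on blank lines; take msg, timestamp, src and dst from
    each record and keep the raw text for the mail body.  The full-format
    timestamp has no year, so one is assumed."""
    alerts = []
    for block in text.strip().split("\n\n"):
        hdr = ip = None
        for line in block.splitlines():
            hdr = hdr or HEADER_RE.match(line)
            ip = ip or IPLINE_RE.match(line)
        if not (hdr and ip):
            continue  # unrecognised record: skip it rather than abort
        ts = datetime.strptime(f"{year}/{ip.group(1)}", "%Y/%m/%d-%H:%M:%S.%f")
        alerts.append({"ts": ts, "msg": hdr.group(4), "src": ip.group(2),
                       "dst": ip.group(4), "dport": ip.group(5), "raw": block})
    return alerts

def fanout_sources(alerts, max_dests, window_seconds):
    """Sliding window per source over its time-sorted alerts; returns
    {src: peak distinct destinations} for sources exceeding max_dests."""
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a["src"]].append((a["ts"], a["dst"]))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        peak = 0
        for i, (start, _) in enumerate(events):
            in_window = {d for t, d in events[i:]
                         if (t - start).total_seconds() <= window_seconds}
            peak = max(peak, len(in_window))
        if peak > max_dests:
            flagged[src] = peak
    return flagged

def build_notification(alerts, msg, last_n=3):
    """Hit count on the first line, then the last_n matching records; this
    replaces the grep/tail pipeline and needs no temp file."""
    hits = [a for a in alerts if msg in a["msg"]]
    body = f"{len(hits)} hits on this signature today: {msg}\n\n"
    body += "\n\n".join(a["raw"] for a in hits[-last_n:])
    return len(hits), body

def send_mail(mailbin, subject, recipients, body):
    """Hand the body to the mailer on stdin with an argv list, so the alert
    text never passes through a shell (unlike a system() pipeline)."""
    subprocess.run([mailbin, "-s", subject, *recipients], input=body,
                   text=True, check=True)

if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERT_LOG)
    print("fan-out sources:", fanout_sources(alerts, max_dests=4, window_seconds=60))
    count, body = build_notification(alerts, "tcp 445")
    print(body)
```

With the sample, `fanout_sources(alerts, 4, 60)` flags only 192.168.1.10 (peak of 5 distinct destinations inside a 60-second window; its later repeat connection falls outside every window), and `build_notification(alerts, "tcp 445")` reports 6 hits followed by the last three records. Passing the body through `subprocess.run(..., input=body)` with an argument list sidesteps both the temp-file question and the quoting hazard of interpolating the alert message into a shell command.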
  _____  

From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Jerry
Shenk
Sent: Wednesday, June 09, 2004 1:40 PM
To: snort-users () lists sourceforge net
Cc: etienne.causse () pierre-fabre com
Subject: [Snort-users] Adding outbound rules to snort ruleset


Has there been any discussion about adding outbound NetBIOS rules to
snort?  Most of the rules in the "official" set of rules relate to
traffic going from EXTERNAL_NET to HOME_NET.  There are quite a few
rules that relate to connecting to IRC servers, responses to attacks,
etc.  It wouldn't need to be very complicated since I never want ANY
NetBIOS traffic going out AT ALL!  Here's a suggestion for a starting
point:
 
alert udp $HOME_NET any -> $EXTERNAL_NET 137 (msg:"NETBIOS connection
outside LAN - udp 137"; classtype:bad-unknown;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 137 (msg:"NETBIOS connection
outside LAN - tcp 137"; classtype:bad-unknown;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 139 (msg:"NETBIOS connection
outside LAN - tcp 139"; classtype:bad-unknown;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"NETBIOS connection
outside LAN - tcp 445"; classtype:bad-unknown;)
 
I suppose there's a bunch more that could be similar - SNMP, TFTP,
perhaps 1723 (pptp), IRC (6666 & 6667) and of course the "worm du jour"
but NetBIOS attacks are so common in these. 
 
This relates a bit to the comments by
etienne.causse () pierre-fabre com
about the virus.rules file.
