Snort mailing list archives

Question about merging alerts


From: Jason Haar <Jason.Haar () trimble co nz>
Date: Thu, 27 Jan 2005 22:07:10 +1300

[This is probably more a question regarding how far we can make Snort's rules bend over backwards - but I'm sure we can make them do more than they should ;-)]

The "SMB repeated logon failure" alerts look for multiple occurrences of the SMB equivalent of "access denied" packets sent to the same destination. This works well enough - but you get no indication of which account is being denied access to - just that it was. (actually, why is that? I would have thought the stream4 preprocessor would tend to clump the stream together enough to see the login attempt - but all my TCP SMB events are 39 bytes in length, and only contain the "access denied" - no reference to the data flowing to the server that triggered it in the first place)

I was wondering if the flowbits option could be used to create (say) "flowbits:set,smblogin" on packets that contain SMB authentication attempts, and that *somehow* (that's the hard bit) be logged if the normal "SMB repeated logon failure" alerts then occur afterwards (obviously they'd need "flowbits:isset,smblogin") - perhaps like tagged events? That way you could get one event that contained both directions of traffic (i.e. see the username/password pair being sent, as well as the "access denied" coming back)

I guess my question is how can we track several (even just two) data streams and make them generate one event that contains all components - maybe a "flowbits:merge,smblogin"? Does that even make sense to do so?

I know I could tag - but for something like this I'd end up with 10-100K entries a day (we monitor WAN links - so LOTS of SMB) - and would still have to cross-reference the alert back to the appropriate tag. Too big - not an option.

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
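
The flowbits pairing sketched above, written out as a pair of Snort 2.x rules. This is an added example, not rules from the original post or from the stock Snort ruleset. It assumes the usual $HOME_NET/$EXTERNAL_NET variables, that SMB rides over TCP 139 or 445 with a 4-byte NetBIOS/direct-host length header in front of the "|FF|SMB" signature, that the Session Setup AndX command byte is 0x73, and that the 4-byte NT status immediately after the command byte is little-endian, so NT_STATUS_LOGON_FAILURE (0xC000006D) appears on the wire as "|6D 00 00 C0|". The flowbit name "smb.sesssetup" and the SIDs in the 1000000+ local range are arbitrary choices.

```snort
# Rule 1 (request side): mark the flow when a client sends SMB_COM_SESSION_SETUP_ANDX (0x73).
# flowbits:noalert means this rule only sets state and never generates an alert of its own.
# offset:4 skips the 4-byte NetBIOS session / direct-host header; depth:5 pins the match to the SMB header.
alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"LOCAL SMB Session Setup AndX request seen (state only)"; flow:to_server,established; content:"|FF|SMB|73|"; offset:4; depth:5; flowbits:set,smb.sesssetup; flowbits:noalert; classtype:not-suspicious; sid:1000001; rev:1;)

# Rule 2 (response side): fire only if the server answers a tracked Session Setup with NT_STATUS_LOGON_FAILURE.
# The status field follows the command byte, so a 9-byte content at offset 4 covers signature + command + status.
# flowbits:isset ties the alert to the request above; unset clears the bit so each failure needs a fresh request.
# threshold suppresses the alert until 5 failures land on the same client within 60 s, mirroring "repeated logon failure".
alert tcp $HOME_NET [139,445] -> $EXTERNAL_NET any (msg:"LOCAL SMB logon failure following tracked Session Setup"; flow:to_client,established; content:"|FF|SMB|73 6D 00 00 C0|"; offset:4; depth:9; flowbits:isset,smb.sesssetup; flowbits:unset,smb.sesssetup; threshold:type threshold, track by_dst, count 5, seconds 60; classtype:unsuccessful-user; sid:1000002; rev:1;)
```

One caveat worth checking before relying on this: flowbits gate whether the second rule fires, but the alert it produces still carries only the packet that matched it (the server's response), exactly as the post describes, and the tag option only records packets after the alert, so neither mechanism recovers the earlier request. The only way with these options to see the username is to let rule 1 alert as well (drop flowbits:noalert) and join the two alerts on their flow tuple afterwards, which is the cross-referencing cost the post is trying to avoid.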


