Snort mailing list archives

Re: Snort as an anomalous behavior IDS


From: Paul Schmehl <pschmehl_lists () tx rr com>
Date: Fri, 02 Apr 2010 16:25:10 -0500

You might be better off using the HTTP_PORTS variable.

pass tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Ignoring outbound HTTP"; sid:10000001;)

BTW, most trojans nowadays communicate on port 80, so you'll miss any trojan 
infections that do that.  (Don't know if that's a problem for you or not.)

--On Friday, April 02, 2010 15:27:09 -0400 Joel Esler <joel.esler () me com> wrote:

Correct.

J

On Apr 2, 2010, at 3:21 PM, Willst Mail wrote:

Jason,
Sounds like you did what I want to do.  Let's say outbound HTTP is
fine but anything else is bad, would your ruleset look something like:

pass tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Allowing outbound HTTP"; sid:1000001;)
alert tcp any any -> any any (msg:"Bad traffic!"; sid:1000002;)

And from this (contrived and simplified) ruleset, outbound over port
80 is allowed to silently pass and everything else will generate an
alert?


------------------------------

Message: 3
Date: Sat, 03 Apr 2010 00:09:47 +1300
From: Jason Haar <Jason.Haar () trimble co nz>
Subject: Re: [Snort-users] Snort as an anomalous behavior IDS
To: snort-users () lists sourceforge net
Message-ID: <4BB5D07B.7020701 () trimble co nz>
Content-Type: text/plain; charset=ISO-8859-1

On 04/01/2010 11:32 AM, Willst Mail wrote:
Is it as simple as having a
ruleset with the good rules, and a final rule that matches (any any ->
any any)?

We use snort to monitor DMZes that way. Unlike real networks, DMZes are
meant to contain hosts that have specific roles, and don't have users
logged in running Skype/etc., i.e. their traffic flows are predictable. In
particular, they shouldn't initiate outbound connections beyond the
expected AV updates, Windows/YUM updates/etc.

Then we created pass rules that allow such things, and trigger alerts
on the rest. On our network, DMZ alerts are really quiet for ages - and
then some SysAdmin will forget where they are and go and read their
Gmail or something - and we get an alert - soon followed by a "sorry!
it's me!" - that proves it's working :-)

However, FTP is your enemy - no easy way to write "pass" rules for FTP.
I've got HTTP "pass" rules to allow connections to hosts containing
"uricontent:/repos/", or whitelist particular User-Agents - but you
can't say "allow curl to ftp files"

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Joel Esler
http://blog.joelesler.net







-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson


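An added example, written here and not posted by anyone in this thread: a small Python model of the allow-then-alert approach the thread discusses. It parses the two rule shapes posted above with a simplified header grammar, resolves $HOME_NET, $EXTERNAL_NET and $HTTP_PORTS to constructed values (Snort's own HTTP_PORTS portvar is much longer), tries pass rules before alert rules (the ordering the posters take for granted; check the rule application order configured in your own Snort build), and runs constructed sample flows through both the port-80 rule and the $HTTP_PORTS variant. The last sample flow stands in for Paul's caveat: a trojan talking on port 80 matches the pass rule exactly like a browser does.

```python
"""Toy model of the pass-then-alert Snort rule sets discussed in this thread.

Added example, not Snort code: it implements only the rule header features
the thread uses (pass/alert, tcp, $HOME_NET, $EXTERNAL_NET, $HTTP_PORTS,
literal ports and 'any').
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed variable values for the example. EXTERNAL_NET follows the
# usual "!$HOME_NET" convention; HTTP_PORTS is a deliberately short subset.
HOME_NET = [ipaddress.ip_network("10.0.0.0/8")]
HTTP_PORTS = {80, 8080, 8000}

RULE_RE = re.compile(
    r"^(?P<action>pass|alert)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
    r"\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str
    sid: str


def parse_rule(text: str) -> Rule:
    """Parse one single-line rule of the shape used in the thread."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule syntax: " + text)
    opts = {}
    for opt in m["opts"].split(";"):
        if ":" in opt:
            key, value = opt.split(":", 1)
            opts[key.strip()] = value.strip().strip('"')
    return Rule(m["action"], m["proto"], m["src"], m["sport"], m["dst"],
                m["dport"], opts.get("msg", ""), opts.get("sid", ""))


def addr_matches(spec: str, ip: ipaddress.IPv4Address) -> bool:
    if spec == "any":
        return True
    in_home = any(ip in net for net in HOME_NET)
    if spec == "$HOME_NET":
        return in_home
    if spec == "$EXTERNAL_NET":
        return not in_home
    return ip in ipaddress.ip_network(spec, strict=False)


def port_matches(spec: str, port: int) -> bool:
    if spec == "any":
        return True
    if spec == "$HTTP_PORTS":
        return port in HTTP_PORTS
    return port == int(spec)


def evaluate(rules, flow) -> Optional[Rule]:
    """Return the first rule matching a (proto, src, sport, dst, dport) flow.

    Pass rules are tried before alert rules, which is what the thread relies
    on; confirm the rule application order your own Snort build is using.
    """
    proto, src, sport, dst, dport = flow
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action in ("pass", "alert"):
        for rule in rules:
            if rule.action != action or rule.proto != proto:
                continue
            if (addr_matches(rule.src, src_ip) and port_matches(rule.sport, sport)
                    and addr_matches(rule.dst, dst_ip) and port_matches(rule.dport, dport)):
                return rule
    return None


# The two rule sets from the thread, each followed by the catch-all alert.
CATCH_ALL = 'alert tcp any any -> any any (msg:"Bad traffic!"; sid:1000002;)'
PORT80_RULES = [parse_rule(r) for r in (
    'pass tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Allowing outbound HTTP"; sid:1000001;)',
    CATCH_ALL)]
HTTP_PORTS_RULES = [parse_rule(r) for r in (
    'pass tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Ignoring outbound HTTP"; sid:10000001;)',
    CATCH_ALL)]

# Constructed sample flows: (proto, src, sport, dst, dport), using documentation
# address ranges. The last flow stands in for a trojan beaconing over port 80.
SAMPLE_FLOWS = {
    "browser to web": ("tcp", "10.1.2.3", 51000, "198.51.100.10", 80),
    "proxy on 8080": ("tcp", "10.1.2.3", 51001, "198.51.100.10", 8080),
    "outbound IRC": ("tcp", "10.1.2.3", 51002, "198.51.100.20", 6667),
    "outbound FTP": ("tcp", "10.1.2.3", 51003, "198.51.100.30", 21),
    "inbound to port 80": ("tcp", "198.51.100.40", 40000, "10.1.2.3", 80),
    "trojan over port 80": ("tcp", "10.1.2.3", 51004, "203.0.113.5", 80),
}


def classify(rules, flows=SAMPLE_FLOWS) -> dict:
    """Map each flow name to 'pass', 'alert' or 'none' (no rule matched)."""
    result = {}
    for name, flow in flows.items():
        rule = evaluate(rules, flow)
        result[name] = rule.action if rule else "none"
    return result


if __name__ == "__main__":
    for label, rules in (("port 80 only", PORT80_RULES), ("$HTTP_PORTS", HTTP_PORTS_RULES)):
        print(label)
        for name, verdict in classify(rules).items():
            print(f"  {name:22s} {verdict}")
```

Running it shows the two differences the thread is about: the 8080 flow alerts under the literal port-80 rule but passes under $HTTP_PORTS, and the port-80 beacon passes under both, which is why Paul suggests deciding up front whether that blind spot is acceptable.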

