Snort mailing list archives

Re: Snort + HTSQL dashboard application


From: Jim Hranicky <jfh () ufl edu>
Date: Thu, 5 May 2011 23:02:57 -0400

On Thu, 5 May 2011 17:50:33 -0600
Dan Ferris <dferris () prometheusresearch com> wrote:

> Here's another HTSQL example.
>
> This will make a quick (and probably mostly unuseful in this form)
> blacklist of all source IPs that have created high severity events. In
> this case the firewall would be ipfw on FreeBSD, but you could of course
> easily do the same thing with iptables.

This is pretty cool. I've actually written a similar tool for the
command line, qids.

Examples:

    # event summary
    % qids --sig-list=badguy1,badguy2
    sig                  | count    | ip_src        | ip_dst         | first seen          | last seen
    ---------------------|----------|---------------|----------------|---------------------|--------------------
    TROJAN BadGuy1 Sig   | 22       | 10.XX.XX.XX   | 212.XX.XX.XX   | 2011-05-05 08:25:37 | 2011-05-05 14:31:24
    TROJAN BadGuy1 Sig   | 1        | 10.XX.XX.XX   | 63.XX.XX.XX    | 2011-05-05 17:13:39 | 2011-05-05 17:13:39
    TROJAN BadGuy1 Sig   | 1        | 10.XX.XX.XX   | 95.XX.XX.XX    | 2011-05-05 17:21:02 | 2011-05-05 17:21:02
    TROJAN BadGuy1 Sig   | 44       | 10.XX.XX.XX   | 89.XX.XX.XX    | 2011-05-05 08:35:52 | 2011-05-05 17:51:28
    TROJAN BadGuy2 Sig   | 13       | 10.XX.XX.XX   | 202.XX.XX.XX   | 2011-05-04 15:11:46 | 2011-05-05 16:08:14
    TROJAN BadGuy2 Sig   | 7        | 10.XX.XX.XX   | 202.XX.XX.XX   | 2011-05-03 08:07:00 | 2011-05-05 16:22:18

    # show actual events
    % qids --sig-list=badguy1,badguy2 --show-events=4
    ++++++++++++++++++++++++ 10.XX.XX.XX ++++++++++++++++++++++++++
    ==================================================================
    TROJAN BadGuy1 Sig   | 70       | 10.XX.XX.XX  | 62.122.75.138  | 2011-05-01 19:35:27 | 2011-05-02 06:26:53
    ==================================================================
    TROJAN BadGuy1 Sig
    10.XX.XX.XX  | 62.XX.XX.XX    | 49340    | 80       | tcp      | 2011-05-01 19:35:27 | sensor1:eth0.2
    TROJAN BadGuy1 Sig
    10.XX.XX.XX  | 62.XX.XX.XX    | 50384    | 80       | tcp      | 2011-05-01 19:58:26 | sensor2:eth0.1
    [...]

    # show events and payloads
    % qids --sig-list=badguy1,badguy2 --show-events=4 --show-payload
    ++++++++++++++++++++++++ 10.XX.XX.XX ++++++++++++++++++++++++++
    ==================================================================
    TROJAN BadGuy1 Sig   | 4        | 10.XX.XX.XX  | 62.122.75.136  | 2011-05-02 15:42:30 | 2011-05-02 16:31:08
    ==================================================================
    -----------------------------------------------------------------------
    TROJAN BadGuy1 Sig
    10.XX.XX.XX  | 62.XX.XX.XX    | 52901    | 80       | tcp      | 2011-05-02 15:42:30 | sensor2:eth0.1
    -----------------------------------------------------------------------
    GET /blahdeblahdeblah HTTP/1.0
    Accept-Language: en-us
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; InfoPath.2)
    Host: badguy.dom.ain
    Cache-Control: no-cache
    [...]

    # --all-sigs-per-ip really useful though slow, exclude stuff we don't want
    % qids --sig-list=badguy1 --all-sigs-per-ip --exclude-sig-list=sipvicious,p2p
    sig                                     | count    | ip_src        | ip_dst         | first seen          | last seen
    ----------------------------------------|----------|---------------|----------------|---------------------|--------------------
    MALVERTIZING Malicious ad site          | 2        | 10.XX.XX.11   | 45.XX.XX.XX    | 2011-05-05 08:25:37 | 2011-05-05 14:31:24
    EXPLOIT Bad guy exploit                 | 4        | 10.XX.XX.11   | 91.XX.XX.XX    | 2011-05-05 08:25:37 | 2011-05-05 14:31:24
    SUSPICIOUS jar download from bad domain | 7        | 10.XX.XX.11   | 195.XX.XX.XX   | 2011-05-05 08:25:37 | 2011-05-05 14:31:24
    TROJAN BadGuy1 Sig                      | 20       | 10.XX.XX.11   | 91.XX.XX.XX    | 2011-05-05 08:25:37 | 2011-05-05 14:31:24

Using the last one with --show-events=X --show-payload would show the payload
for all the events listed.

The full argument list is below. It's not all implemented and not quite done,
but the parts that work do so really well. I haven't released it yet, would
this be something folks are interested in? Ultimately like HTSQL it's just
a wrapper around SQL itself, but some folks may find it useful.

--
Jim Hranicky
IT Security Engineer
Office of Information Security and Compliance
University of Florida

Usage: ./nqids [options]

Options

    --help                                   (-h) : Print help
    --verbose                                (-v) : Run verbosely

Event finding flags

    --ip-list ARG                            (  ) : Limit to ip1,ip2,...,ipN (CIDR ips ok)
    --sig-list ARG                           (-s) : List of sig pats ('Gozi', ...)
    --sig-and-list ARG                       (  ) : List of sig pats contained in one sig (--sig-and-list=bot,cnc)
    --sid-list ARG                           (-s) : List of SIDS
    --payload-list ARG                       (  ) : Payload contains any patterns (p1,p2,..,pN)
    --payload-and-list ARG                   (  ) : Payload contains all patterns (p1,p2,..,pN)
    --port-list ARG                          (  ) : Sigs containing ports (p1,p2,...,pN)
    --raw-payload-list ARG                   (  ) : Raw payload contains any patterns (p1,p2,..,pN)
    --src-port-list ARG                      (  ) : Sigs containing src ports (p1,p2,...,pN)
    --dst-port-list ARG                      (  ) : Sigs containing dst ports (p1,p2,...,pN)

Event finding tweaks

    --all-sigs-per-ip                        (-A) : Show all sigs for ips in initial query
    --targeted-sigs-per-ip ARG               (-T) : Look for certain sigs for ips in initial query
    --binary-payload                         (  ) : Search for packets with a binary payload
    --date-range ARG                         (  ) : Date range (date1,date2)
    --exclude-ip-list ARG                    (  ) : Exclude sigs for ip1,ip2,...,ipN
    --exclude-ip-src-list ARG                (  ) : Exclude sigs for ip1,ip2,...,ipN in ip_src
    --exclude-ip-dst-list ARG                (  ) : Exclude sigs for ip1,ip2,...,ipN in ip_dst
    --exclude-payload-filter ARG             (  ) : Exclude events matching a regexp (r1,r2,..,rN)
    --exclude-payload-list ARG               (  ) : Exclude payload patterns (p1,p2,..,pN)
    --exclude-port-list ARG                  (  ) : Exclude events containing ports (p1,p2,...,pN)
    --exclude-raw-payload-list ARG           (  ) : Raw payload doesn't contain patterns (p1,p2,..,pN)
    --exclude-sig-list ARG                   (  ) : Exclude sigs containing patterns (p1,p2,...,pN)
    --exclude-tagged-packets                 (  ) : Exclude tagged packets
    --force-local ARG                        (  ) : Set 'local' ip to 'src' or 'dst' both are local
    --home-net-src                           (  ) : Return results where ip_src is in the HOME_NET
    --home-net-dst                           (  ) : Return results where ip_dst is in the HOME_NET
    --include-payload-filter ARG             (  ) : Keep only events matching a regexp (r1,r2,..,rN)
    --interval ARG                           (-i) : Looks for events within the past N hours
    --minterval ARG                          (-m) : Looks for events within the past N minutes
    --keep-original-sigs                     (  ) : Search for the original sigs when using --all-sigs-per-ip (excluded by default)
    --min-event-count ARG                    (  ) : Show events with a count >= N
    --non-local                              (  ) : Ensure that src/dst addresses of events returned are not both local

Display Options

    --desc-list-order                        (  ) : List events in descending order (default ascending)
    --order-by ARG                           (  ) : Select column for sorting summary queries (def: max_ts)
    --show-events ARG                        (-e) : Show NUM events per src/dst in a list (0 for unlimited). Does not set max num of events total
    --show-payload                           (-p) : Show payloads associated with events from --show-events
    --sig-length ARG                         (-l) : Sig length (default 60 chars) (def: 60)

Misc

    --db-name ARG                            (-d) : Database name
    --db-host ARG                            (  ) : Database host (def: foo.server.com)
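To make the "just a wrapper around SQL" point concrete, the following is an added illustration (it is not the qids code from the post, nor HTSQL) of the two query shapes the examples above show: the per-(sig, src, dst) summary with count / first seen / last seen, and the per-event listing behind --show-events. The tables are a reduced subset of the classic Snort database schema (event, signature, iphdr, tcphdr, sensor), assumed here; Snort stores IPv4 addresses as unsigned 32-bit integers, hence the ip2int/int2ip helpers. All alert rows are constructed, and every user-supplied signature pattern is bound as a query parameter rather than spliced into the SQL string.

```python
"""qids-style event summary over a Snort alert database (added example)."""
import socket
import sqlite3
import struct

# Assumed subset of the classic Snort DB schema; column names follow it.
SCHEMA = """
CREATE TABLE sensor    (sid INTEGER PRIMARY KEY, hostname TEXT, interface TEXT);
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT,
                        sig_priority INTEGER, sig_sid INTEGER);
CREATE TABLE event     (sid INTEGER, cid INTEGER, signature INTEGER,
                        timestamp TEXT, PRIMARY KEY (sid, cid));
CREATE TABLE iphdr     (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER,
                        ip_proto INTEGER, PRIMARY KEY (sid, cid));
CREATE TABLE tcphdr    (sid INTEGER, cid INTEGER, tcp_sport INTEGER,
                        tcp_dport INTEGER, PRIMARY KEY (sid, cid));
"""


def ip2int(dotted):
    """Dotted quad -> unsigned 32-bit int, the way Snort's iphdr stores it."""
    return struct.unpack("!I", socket.inet_aton(dotted))[0]


def int2ip(n):
    return socket.inet_ntoa(struct.pack("!I", n))


# Constructed sample data: signature ids, names and addresses are made up.
SENSORS = [(1, "sensor1", "eth0.2"), (2, "sensor2", "eth0.1")]
SIGNATURES = [(1, "TROJAN BadGuy1 Sig", 1, 2000001),
              (2, "TROJAN BadGuy2 Sig", 1, 2000002),
              (3, "SCAN sipvicious probe", 3, 2000003)]
EVENTS = [  # (sid, cid, sig_id, timestamp, src, dst, sport, dport)
    (1, 1, 1, "2011-05-05 08:25:37", "10.0.0.5", "212.0.0.9", 49340, 80),
    (1, 2, 1, "2011-05-05 14:31:24", "10.0.0.5", "212.0.0.9", 50384, 80),
    (2, 1, 1, "2011-05-05 17:13:39", "10.0.0.5", "63.0.0.7", 50100, 80),
    (2, 2, 2, "2011-05-04 15:11:46", "10.0.0.8", "202.0.0.3", 40000, 443),
    (2, 3, 3, "2011-05-05 12:00:00", "198.51.100.4", "10.0.0.8", 5060, 5060),
]


def load_sample_db():
    """Build an in-memory database shaped like the schema subset above."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO sensor VALUES (?,?,?)", SENSORS)
    con.executemany("INSERT INTO signature VALUES (?,?,?,?)", SIGNATURES)
    for sid, cid, sig, ts, src, dst, sport, dport in EVENTS:
        con.execute("INSERT INTO event VALUES (?,?,?,?)", (sid, cid, sig, ts))
        con.execute("INSERT INTO iphdr VALUES (?,?,?,?,?)",
                    (sid, cid, ip2int(src), ip2int(dst), 6))
        con.execute("INSERT INTO tcphdr VALUES (?,?,?,?)", (sid, cid, sport, dport))
    con.commit()
    return con


def event_summary(con, sig_list, exclude_sig_list=(), min_event_count=1):
    """Rough equivalent of
    qids --sig-list=... --exclude-sig-list=... --min-event-count=N:
    one row per (signature, ip_src, ip_dst) with count, first and last seen.
    Patterns are bound as parameters, so "' OR 1=1 --" is just text to match."""
    if not sig_list:
        raise ValueError("at least one signature pattern is required")
    include = " OR ".join("s.sig_name LIKE ?" for _ in sig_list)
    exclude = "".join(" AND s.sig_name NOT LIKE ?" for _ in exclude_sig_list)
    sql = f"""
        SELECT s.sig_name, COUNT(*) AS cnt, i.ip_src, i.ip_dst,
               MIN(e.timestamp) AS first_seen, MAX(e.timestamp) AS last_seen
        FROM event e
        JOIN signature s ON s.sig_id = e.signature
        JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
        WHERE ({include}){exclude}
        GROUP BY s.sig_name, i.ip_src, i.ip_dst
        HAVING COUNT(*) >= ?
        ORDER BY last_seen"""
    params = ([f"%{p}%" for p in sig_list]
              + [f"%{p}%" for p in exclude_sig_list] + [min_event_count])
    return [(name, cnt, int2ip(src), int2ip(dst), first, last)
            for name, cnt, src, dst, first, last in con.execute(sql, params)]


def event_detail(con, sig_name, ip_src, ip_dst, limit=4):
    """Rough equivalent of --show-events=N for one summary row: the individual
    events with ports, protocol, timestamp and sensor:interface.
    limit=0 means unlimited, as in the qids flag (SQLite reads LIMIT -1 that way)."""
    sql = """
        SELECT s.sig_name, i.ip_src, i.ip_dst, t.tcp_sport, t.tcp_dport,
               i.ip_proto, e.timestamp, n.hostname || ':' || n.interface
        FROM event e
        JOIN signature s ON s.sig_id = e.signature
        JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
        LEFT JOIN tcphdr t ON t.sid = e.sid AND t.cid = e.cid
        JOIN sensor n ON n.sid = e.sid
        WHERE s.sig_name = ? AND i.ip_src = ? AND i.ip_dst = ?
        ORDER BY e.timestamp LIMIT ?"""
    params = (sig_name, ip2int(ip_src), ip2int(ip_dst), limit if limit > 0 else -1)
    return [(name, int2ip(src), int2ip(dst), sport, dport, proto, ts, sensor)
            for name, src, dst, sport, dport, proto, ts, sensor
            in con.execute(sql, params)]


if __name__ == "__main__":
    db = load_sample_db()
    for row in event_summary(db, ["badguy1", "badguy2"], ["sipvicious"]):
        print(" | ".join(str(c) for c in row))
```

Two portability notes if this is pointed at a real Snort database instead of the in-memory sample: the case-insensitive matching of "badguy1" against "TROJAN BadGuy1 Sig" relies on SQLite's (and MySQL's default) LIKE behaviour, whereas PostgreSQL needs ILIKE; and `||` string concatenation is CONCAT() in MySQL. A pattern that itself contains `%` or `_` is still a LIKE wildcard even when bound as a parameter, so escape those if users may supply them.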
