Snort mailing list archives
Re: Snort + HTSQL dashboard application
From: Jim Hranicky <jfh () ufl edu>
Date: Thu, 5 May 2011 23:02:57 -0400
On Thu, 5 May 2011 17:50:33 -0600 Dan Ferris <dferris () prometheusresearch com> wrote:
Here's another HTSQL example. This will make a quick (and probably mostly unuseful in this form) blacklist of all source IPs that have created high severity events. In this case the firewall would be ipfw on FreeBSD, but you could of course easily do the same thing with iptables.
This is pretty cool. I've actually written a similar tool for the command line, qids. Examples:

# event summary
% qids --sig-list=badguy1,badguy2

sig                  | count    | ip_src        | ip_dst         | first seen          | last seen
---------------------|----------|---------------|----------------|---------------------|--------------------
TROJAN BadGuy1 Sig   | 22       | 10.XX.XX.XX   | 212.XX.XX.XX   | 2011-05-05 08:25:37 | 2011-05-05 14:31:24
TROJAN BadGuy1 Sig   | 1        | 10.XX.XX.XX   | 63.XX.XX.XX    | 2011-05-05 17:13:39 | 2011-05-05 17:13:39
TROJAN BadGuy1 Sig   | 1        | 10.XX.XX.XX   | 95.XX.XX.XX    | 2011-05-05 17:21:02 | 2011-05-05 17:21:02
TROJAN BadGuy1 Sig   | 44       | 10.XX.XX.XX   | 89.XX.XX.XX    | 2011-05-05 08:35:52 | 2011-05-05 17:51:28
TROJAN BadGuy2 Sig   | 13       | 10.XX.XX.XX   | 202.XX.XX.XX   | 2011-05-04 15:11:46 | 2011-05-05 16:08:14
TROJAN BadGuy2 Sig   | 7        | 10.XX.XX.XX   | 202.XX.XX.XX   | 2011-05-03 08:07:00 | 2011-05-05 16:22:18

# show actual events
% qids --sig-list=badguy1,badguy2 --show-events=4

++++++++++++++++++++++++ 10.XX.XX.XX ++++++++++++++++++++++++++
==================================================================
TROJAN BadGuy1 Sig | 70 | 10.XX.XX.XX | 62.122.75.138 | 2011-05-01 19:35:27 | 2011-05-02 06:26:53
==================================================================
TROJAN BadGuy1 Sig 10.XX.XX.XX | 62.XX.XX.XX | 49340 | 80 | tcp | 2011-05-01 19:35:27 | sensor1:eth0.2
TROJAN BadGuy1 Sig 10.XX.XX.XX | 62.XX.XX.XX | 50384 | 80 | tcp | 2011-05-01 19:58:26 | sensor2:eth0.1
[...]

# show events and payloads
% qids --sig-list=badguy1,badguy2 --show-events=4 --show-payload

++++++++++++++++++++++++ 10.XX.XX.XX ++++++++++++++++++++++++++
==================================================================
TROJAN BadGuy1 Sig | 4 | 10.XX.XX.XX | 62.122.75.136 | 2011-05-02 15:42:30 | 2011-05-02 16:31:08
==================================================================
-----------------------------------------------------------------------
TROJAN BadGuy1 Sig 10.XX.XX.XX | 62.XX.XX.XX | 52901 | 80 | tcp | 2011-05-02 15:42:30 | sensor2:eth0.1
-----------------------------------------------------------------------
GET /blahdeblahdeblah HTTP/1.0
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; InfoPath.2)
Host: badguy.dom.ain
Cache-Control: no-cache
[...]

# --all-sigs-per-ip really useful though slow, exclude stuff we don't want
% qids --sig-list=badguy1 --all-sigs-per-ip --exclude-sig-list=sipvicious,p2p

sig                                     | count    | ip_src        | ip_dst         | first seen          | last seen
----------------------------------------|----------|---------------|----------------|---------------------|--------------------
MALVERTIZING Malicious ad site          | 2        | 10.XX.XX.11   | 45.XX.XX.XX    | 2011-05-05 08:25:37 | 2011-05-05 14:31:24
EXPLOIT Bad guy exploit                 | 4        | 10.XX.XX.11   | 91.XX.XX.XX    | 2011-05-05 08:25:37 | 2011-05-05 14:31:24
SUSPICIOUS jar download from bad domain | 7        | 10.XX.XX.11   | 195.XX.XX.XX   | 2011-05-05 08:25:37 | 2011-05-05 14:31:24
TROJAN BadGuy1 Sig                      | 20       | 10.XX.XX.11   | 91.XX.XX.XX    | 2011-05-05 08:25:37 | 2011-05-05 14:31:24

Using the last one with --show-events=X --show-payload would show the payload for all the events listed.

The full argument list is below. It's not all implemented and not quite done, but the parts that work do so really well. I haven't released it yet, would this be something folks be interested in?

Ultimately, like HTSQL, it's just a wrapper around SQL itself, but some folks may find it useful.

--
Jim Hranicky
IT Security Engineer
Office of Information Security and Compliance
University of Florida

Usage: ./nqids [options]

Options
  --help (-h)                          : Print help
  --verbose (-v)                       : Run verbosely

Event finding flags
  --ip-list ARG ( )                    : Limit to ip1,ip2,...,ipN (CIDR ips ok)
  --sig-list ARG (-s)                  : List of sig pats ('Gozi', ...)
  --sig-and-list ARG ( )               : List of sig pats contained in one sig (--sig-and-list=bot,cnc)
  --sid-list ARG (-s)                  : List of SIDS
  --payload-list ARG ( )               : Payload contains any patterns (p1,p2,..,pN)
  --payload-and-list ARG ( )           : Payload contains all patterns (p1,p2,..,pN)
  --port-list ARG ( )                  : Sigs containing ports (p1,p2,...,pN)
  --raw-payload-list ARG ( )           : Raw payload contains any patterns (p1,p2,..,pN)
  --src-port-list ARG ( )              : Sigs containing src ports (p1,p2,...,pN)
  --dst-port-list ARG ( )              : Sigs containing dst ports (p1,p2,...,pN)

Event finding tweaks
  --all-sigs-per-ip (-A)               : Show all sigs for ips in initial query
  --targeted-sigs-per-ip ARG (-T)      : Look for certain sigs for ips in initial query
  --binary-payload ( )                 : Search for packets with a binary payload
  --date-range ARG ( )                 : Date range (date1,date2)
  --exclude-ip-list ARG ( )            : Exclude sigs for ip1,ip2,...,ipN
  --exclude-ip-src-list ARG ( )        : Exclude sigs for ip1,ip2,...,ipN in ip_src
  --exclude-ip-dst-list ARG ( )        : Exclude sigs for ip1,ip2,...,ipN in ip_dst
  --exclude-payload-filter ARG ( )     : Exclude events matching a regexp (r1,r2,..,rN)
  --exclude-payload-list ARG ( )       : Exclude payload patterns (p1,p2,..,pN)
  --exclude-port-list ARG ( )          : Exclude events containing ports (p1,p2,...,pN)
  --exclude-raw-payload-list ARG ( )   : Raw payload doesn't contain patterns (p1,p2,..,pN)
  --exclude-sig-list ARG ( )           : Exclude sigs containing patterns (p1,p2,...,pN)
  --exclude-tagged-packets ( )         : Exclude tagged packets
  --force-local ARG ( )                : Set 'local' ip to 'src' or 'dst' both are local
  --home-net-src ( )                   : Return results where ip_src is in the HOME_NET
  --home-net-dst ( )                   : Return results where ip_dst is in the HOME_NET
  --include-payload-filter ARG ( )     : Keep only events matching a regexp (r1,r2,..,rN)
  --interval ARG (-i)                  : Looks for events within the past N hours
  --minterval ARG (-m)                 : Looks for events within the past N minutes
  --keep-original-sigs ( )             : Search for the original sigs when using --all_sigs_per_ip (excluded by default)
  --min-event-count ARG ( )            : Show events with a count >= N
  --non-local ( )                      : Ensure that src/dst addresses of events returned are not both local

Display Options
  --desc-list-order ( )                : List events in descending order (default ascending)
  --order-by ARG ( )                   : Select column for sorting summary queries (def: max_ts)
  --show-events ARG (-e)               : Show NUM events per src/dst in a list (0 for unlimited). Does not set max num of events total
  --show-payload (-p)                  : Show payloads associated with events from --show-events
  --sig-length ARG (-l)                : Sig length (default 60 chars) (def: 60)

Misc
  --db-name ARG (-d)                   : Database name
  --db-host ARG ( )                    : Database name (def: foo.server.com)
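As an added example (not part of Jim Hranicky's post and not the qids code, which he had not released), the following Python re-creates the two query modes the post describes, the per-signature event summary and --all-sigs-per-ip combined with --exclude-sig-list and --min-event-count, over a small Snort-style schema constructed inline. The table and column names are modelled on the classic Snort database layout but simplified (addresses stored as text, only three tables); the signatures, timestamps and addresses are made up. It shows the point the post makes, that such a tool is a thin wrapper turning comma-separated flag values into parameterized SQL, and it keeps every flag value a bound parameter rather than splicing it into the query text.

```python
# Added example, not code from the Snort-users post or from qids.
import sqlite3

# Simplified schema modelled on the classic Snort database layout
# (event -> signature, iphdr keyed by sensor id + event id). Constructed for
# this example; the real schema stores addresses as integers and has more tables.
SCHEMA = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT, sig_priority INTEGER);
CREATE TABLE event     (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
                        PRIMARY KEY (sid, cid));
CREATE TABLE iphdr     (sid INTEGER, cid INTEGER, ip_src TEXT, ip_dst TEXT,
                        PRIMARY KEY (sid, cid));
"""

# Constructed sample data: signature names and addresses are made up.
SIGNATURES = [
    (1, "TROJAN BadGuy1 Sig", 1),
    (2, "TROJAN BadGuy2 Sig", 1),
    (3, "SCAN sipvicious probe", 3),
    (4, "EXPLOIT Bad guy exploit", 1),
]
EVENTS = [  # (sid, cid, signature, timestamp, ip_src, ip_dst)
    (1, 1, 1, "2011-05-05 08:25:37", "10.0.0.11", "212.0.2.10"),
    (1, 2, 1, "2011-05-05 14:31:24", "10.0.0.11", "212.0.2.10"),
    (1, 3, 2, "2011-05-04 15:11:46", "10.0.0.12", "202.0.2.20"),
    (1, 4, 3, "2011-05-05 09:00:00", "10.0.0.11", "198.51.100.5"),
    (2, 1, 4, "2011-05-05 10:12:00", "10.0.0.11", "91.0.2.30"),
    (2, 2, 1, "2011-05-05 17:13:39", "10.0.0.13", "63.0.2.40"),
]


def build_db():
    """Create an in-memory database holding the constructed sample events."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO signature VALUES (?, ?, ?)", SIGNATURES)
    for sid, cid, sig, ts, src, dst in EVENTS:
        conn.execute("INSERT INTO event VALUES (?, ?, ?, ?)", (sid, cid, sig, ts))
        conn.execute("INSERT INTO iphdr VALUES (?, ?, ?, ?)", (sid, cid, src, dst))
    return conn


def _like_clause(column, patterns, negate=False):
    """Turn a list of substring patterns (the --sig-list style) into a
    '(col LIKE ? OR ...)' clause. Patterns are bound parameters, never
    interpolated into the SQL text, so user-supplied flag values stay data.
    SQLite's LIKE is case-insensitive for ASCII, so 'badguy1' matches 'BadGuy1'."""
    if not patterns:
        return None, []
    ors = " OR ".join(f"{column} LIKE ?" for _ in patterns)
    return (f"NOT ({ors})" if negate else f"({ors})"), [f"%{p}%" for p in patterns]


def event_summary(conn, sig_list=(), exclude_sig_list=(), ip_list=(), min_event_count=1):
    """Equivalent of `qids --sig-list=... --exclude-sig-list=... --min-event-count=N`:
    one row per (signature, ip_src, ip_dst) with count, first seen and last seen,
    ascending by last seen (the post's default max_ts ordering)."""
    where, params = [], []
    for pats, negate in ((sig_list, False), (exclude_sig_list, True)):
        clause, bound = _like_clause("s.sig_name", pats, negate)
        if clause:
            where.append(clause)
            params.extend(bound)
    if ip_list:  # --ip-list: the host may appear on either side of the event
        marks = ", ".join("?" for _ in ip_list)
        where.append(f"(i.ip_src IN ({marks}) OR i.ip_dst IN ({marks}))")
        params.extend(list(ip_list) * 2)
    sql = (
        "SELECT s.sig_name, COUNT(*) AS cnt, i.ip_src, i.ip_dst, "
        "MIN(e.timestamp) AS first_seen, MAX(e.timestamp) AS last_seen "
        "FROM event e "
        "JOIN signature s ON s.sig_id = e.signature "
        "JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid "
        + (f"WHERE {' AND '.join(where)} " if where else "")
        + "GROUP BY s.sig_name, i.ip_src, i.ip_dst "
        "HAVING COUNT(*) >= ? "
        "ORDER BY last_seen"
    )
    params.append(min_event_count)
    return conn.execute(sql, params).fetchall()


def all_sigs_per_ip(conn, sig_list, exclude_sig_list=(), keep_original_sigs=False):
    """Equivalent of `--all-sigs-per-ip`: take the ip_src hosts from the initial
    query, then list every signature those hosts appear in. As in the post's usage
    text, the original signatures are excluded unless --keep-original-sigs."""
    hosts = sorted({row[2] for row in event_summary(conn, sig_list)})
    if not hosts:
        return []
    excludes = list(exclude_sig_list)
    if not keep_original_sigs:
        excludes.extend(sig_list)
    return event_summary(conn, ip_list=hosts, exclude_sig_list=excludes)


if __name__ == "__main__":
    db = build_db()
    for row in event_summary(db, sig_list=["badguy1", "badguy2"]):
        print(" | ".join(str(c) for c in row))
    print("--- all sigs per ip, excluding sipvicious ---")
    for row in all_sigs_per_ip(db, ["badguy1"], exclude_sig_list=["sipvicious"]):
        print(" | ".join(str(c) for c in row))
```

The second query mode reuses the first: the initial summary supplies the set of local hosts, and a second summary restricted to those hosts with the original patterns moved into the exclusion list gives the "everything else these hosts tripped" view that the post calls useful but slow (on a real database, that second query is the expensive one, since it is no longer narrowed by signature).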