Snort mailing list archives

Re: Trying to detect a ping sweep


From: "lists () packetmail net" <lists () packetmail net>
Date: Tue, 3 Apr 2012 17:35:33 -0500

On 04/03/12 16:30, Aaron Evers wrote:
> Greetings,
>
> I am trying to configure snort 2.9.1.2 to detect a variety of network
> discovery traffic.  I'd like to be able to detect a ping sweep in the
> following manner:  a source address sends icmp echo requests to x number of
> unique destination addresses over x period of time.
>
> For example, a host that sends 10 pings to a single destination address
> over the course of 60 seconds does not generate an alert, but a host that
> sends 10 pings, each to a different destination address over the course of
> 60 seconds does generate an alert.  Is this possible?  I haven't been able
> to find a way with the online manual.

Hi Aaron, while completely untested, perhaps leveraging threshold and flowbits
would give you an acceptable solution.  I'm doing something similar but using
Perl and hashes across multiple SIDs to generate threshold analysis.  Since
you're wanting to constrain this to ICMP echo-request I might try:

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"CUSTOM_RULES NOALERT
Incoming ICMP Echo Request"; itype:8; flowbits:set,custom.psweep;
flowbits:noalert; threshold:type limit, track by_src, count 10, seconds 60;
classtype:icmp-event; sid:x; rev:1;)

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"CUSTOM_RULES ALERT Incoming
ICMP Echo Request Sweep to Multiple Hosts"; itype:8;
flowbits:isset,custom.psweep; classtype:icmp-event; threshold:type limit, track
by_dst, count 1, seconds 60; sid:x; rev:1;)

I'm not certain this is 100% correct but hopefully it gives you some ideas or at
least points you in the right direction.  Hopefully others may be able to assist.

Thanks,
Nathan
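The condition Aaron describes (one source, N distinct destinations inside a time window) is a per-source count of unique destinations, which is not what `threshold ... track by_src` measures on its own: that counts matching packets from a source regardless of whether the destinations differ. As an added illustration that is not part of this thread or of Snort, the following stateful detector implements the described logic over a constructed list of ICMP events (timestamp, src, dst, ICMP type). Names, thresholds and the sample addresses are assumptions chosen for the example; it also rate-limits alerts per source the way `threshold:type limit` does.

```python
"""Stateful ping-sweep detector (added example, not Snort code).

Alert when one source sends ICMP echo requests to at least
`min_unique_dsts` distinct destinations inside a sliding window of
`window_seconds`. Events are (timestamp_seconds, src, dst, icmp_type).
"""
from collections import defaultdict, deque

ECHO_REQUEST = 8  # ICMP type 8, the same packets Snort's itype:8 matches


class PingSweepDetector:
    def __init__(self, min_unique_dsts=10, window_seconds=60):
        self.min_unique_dsts = min_unique_dsts
        self.window = window_seconds
        # src -> deque of (timestamp, dst) for echo requests still in the window
        self._recent = defaultdict(deque)
        # src -> timestamp of the last alert, to emit at most one per window
        self._last_alert = {}

    def observe(self, ts, src, dst, icmp_type):
        """Feed one ICMP packet; return an alert dict or None."""
        if icmp_type != ECHO_REQUEST:
            return None  # echo replies and other ICMP types are ignored
        recent = self._recent[src]
        recent.append((ts, dst))
        # Drop entries that fell out of the sliding window
        cutoff = ts - self.window
        while recent and recent[0][0] < cutoff:
            recent.popleft()
        unique_dsts = {d for _, d in recent}
        if len(unique_dsts) < self.min_unique_dsts:
            return None
        last = self._last_alert.get(src)
        if last is not None and ts - last < self.window:
            return None  # already alerted for this source in this window
        self._last_alert[src] = ts
        return {"ts": ts, "src": src, "unique_dsts": len(unique_dsts)}


def run(events, **kwargs):
    """Replay a time-ordered event list and collect the alerts raised."""
    detector = PingSweepDetector(**kwargs)
    alerts = []
    for ts, src, dst, icmp_type in events:
        alert = detector.observe(ts, src, dst, icmp_type)
        if alert is not None:
            alerts.append(alert)
    return alerts


def sample_events():
    """Constructed sample traffic covering the cases from the question."""
    events = []
    # Case 1: 10 echo requests to ONE host within 60 s -> must not alert
    for i in range(10):
        events.append((1000.0 + i * 5, "198.51.100.10", "192.0.2.50", ECHO_REQUEST))
    # Case 2: 10 echo requests to 10 DIFFERENT hosts within 60 s -> alert on the 10th
    for i in range(10):
        events.append((1000.0 + i * 5, "198.51.100.20", f"192.0.2.{100 + i}", ECHO_REQUEST))
    # Case 3: 10 different hosts but spread over 270 s -> never 10 inside one 60 s window
    for i in range(10):
        events.append((2000.0 + i * 30, "198.51.100.30", f"192.0.2.{200 + i}", ECHO_REQUEST))
    # An echo reply (type 0) going the other way is not counted
    events.append((1000.0, "192.0.2.50", "198.51.100.10", 0))
    events.sort(key=lambda e: e[0])
    return events


if __name__ == "__main__":
    for alert in run(sample_events()):
        print(f"PING SWEEP: {alert['src']} hit {alert['unique_dsts']} hosts at t={alert['ts']}")
```

With the defaults (10 destinations, 60 s) only the second source alerts, and only once; widening the window to 300 s also catches the slow sweep in case 3, which shows why the window length matters as much as the count.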


_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
