Snort mailing list archives

Rule to match all non-HTTP traffic


From: "Stephen Teti" <steti () monmouth com>
Date: Mon, 18 Nov 2013 08:51:29 -0500

Hello,

I'm having some trouble figuring out how to write two separate rules - one to match HTTP or HTTPS traffic (based solely 
on source port number) and another rule to match everything else.  The purpose of these rules is to act as a very 
simple warning of a possible DoS attack, based only on the number of packets per second directed at a particular IP 
address.  I initially had a single rule that would fire an alert if it observed more than 50,000 packets over 5 seconds 
directed to a single IP address:

alert ip !$HOME_NET -> $HOME_NET any (msg:"PossibleDoS"; flow: stateless; detection_filter: track by_dst, count 50000, seconds 5; sid:1000001;rev:1;)
event_filter gen_id 1, sig_id 1000001, type limit, track by_dst, count 1, seconds 60

This worked well for my purposes, but requirements have changed and I need to have different limits for HTTP traffic vs 
other traffic.  My rule config now looks like this (/etc/snort/rules/local.rules):

# TCP, not HTTP or HTTPS
alert tcp !$HOME_NET [!80,!443] -> $HOME_NET any (msg:"PossibleTcpDoS"; flow: stateless; detection_filter: track by_dst, count 50000, seconds 5; sid:1000001;rev:1;)
event_filter gen_id 1, sig_id 1000001, type limit, track by_dst, count 1, seconds 60

# HTTP or HTTPS
alert tcp !$HOME_NET [80,443] -> $HOME_NET any (msg:"PossibleHttpDoS"; flow: stateless; detection_filter: track by_dst, count 100000, seconds 5; sid:1000002;rev:1;)
event_filter gen_id 1, sig_id 1000002, type limit, track by_dst, count 1, seconds 60

# UDP
alert udp !$HOME_NET any -> $HOME_NET any (msg:"PossibleUdpDoS"; detection_filter: track by_dst, count 50000, seconds 5; sid:1000003;rev:1;)
event_filter gen_id 1, sig_id 1000003, type limit, track by_dst, count 1, seconds 60

# Other IP
alert ip !$HOME_NET [!80,!443] -> $HOME_NET any (msg:"PossibleIpDoS"; flow: stateless; detection_filter: track by_dst, count 50000, seconds 5; sid:1000004;rev:1;)
event_filter gen_id 1, sig_id 1000004, type limit, track by_dst, count 1, seconds 60

This doesn't seem to do what I'm intending though - I received an alert this morning for the "PossibleIpDoS" rule that 
was triggered by HTTP traffic.  It appears that the traffic passed the first 3 rules but tripped the alert on the 
fourth rule.  Here is the output from my alert log (IP addresses changed to protect the innocent):

11/18-07:03:40.426861  [**] [1:1000004:1] PossibleIpDoS [**] [Priority: 0] {TCP} 198.51.100.1:80 -> 192.0.2.1:21502

My snort version and snort.conf is included below.  Any help would be appreciated.

Thanks,
Steve Teti
steti () monmouth com

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.0.3 IPv6 GRE (Build 98) 
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2010 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using PCRE version: 6.6 06-Feb-2006
           Using ZLIB version: 1.2.3

snort.conf:

ipvar HOME_NET [64.19.128.0/18,207.232.64.0/20,209.191.0.0/18]
ipvar EXTERNAL_NET any
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
config disable_decode_alerts
config disable_tcpopt_experimental_alerts
config disable_tcpopt_obsolete_alerts
config disable_tcpopt_ttcp_alerts
config disable_tcpopt_alerts
config disable_ipopt_alerts
config checksum_mode: all
config pcre_match_limit: 3500
config pcre_match_limit_recursion: 1500
config detection: search-method ac-split search-optimize max-pattern-len 20
config event_queue: max_queue 8 log 3 order_events content_length
dynamicpreprocessor directory /usr/lib/snort-2.9.0.3_dynamicpreprocessor
dynamicengine /usr/lib/snort-2.9.0.3_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/lib/snort-2.9.0.3_dynamicrules
output alert_syslog: LOG_AUTH LOG_ALERT
include classification.config
include reference.config
include $RULE_PATH/local.rules
include threshold.conf

classification.config:

config classification: not-suspicious,Not Suspicious Traffic,3
config classification: unknown,Unknown Traffic,3
config classification: bad-unknown,Potentially Bad Traffic, 2
config classification: attempted-recon,Attempted Information Leak,2
config classification: successful-recon-limited,Information Leak,2
config classification: successful-recon-largescale,Large Scale Information Leak,2
config classification: attempted-dos,Attempted Denial of Service,2
config classification: successful-dos,Denial of Service,2
config classification: attempted-user,Attempted User Privilege Gain,1
config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1
config classification: successful-user,Successful User Privilege Gain,1
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: successful-admin,Successful Administrator Privilege Gain,1
config classification: rpc-portmap-decode,Decode of an RPC Query,2
config classification: shellcode-detect,Executable code was detected,1
config classification: string-detect,A suspicious string was detected,3
config classification: suspicious-filename-detect,A suspicious filename was detected,2
config classification: suspicious-login,An attempted login using a suspicious username was detected,2
config classification: system-call-detect,A system call was detected,2
config classification: tcp-connection,A TCP connection was detected,4
config classification: trojan-activity,A Network Trojan was detected, 1
config classification: unusual-client-port-connection,A client was using an unusual port,2
config classification: network-scan,Detection of a Network Scan,3
config classification: denial-of-service,Detection of a Denial of Service Attack,2
config classification: non-standard-protocol,Detection of a non-standard protocol or event,2
config classification: protocol-command-decode,Generic Protocol Command Decode,3
config classification: web-application-activity,access to a potentially vulnerable web application,2
config classification: web-application-attack,Web Application Attack,1
config classification: misc-activity,Misc activity,3
config classification: misc-attack,Misc Attack,2
config classification: icmp-event,Generic ICMP event,3
config classification: inappropriate-content,Inappropriate Content was Detected,1
config classification: policy-violation,Potential Corporate Privacy Violation,1
config classification: default-login-attempt,Attempt to login by a default username and password,2
config classification: sdf,Senstive Data,2

reference.config:

config reference: bugtraq   http://www.securityfocus.com/bid/ 
config reference: cve       http://cve.mitre.org/cgi-bin/cvename.cgi?name=
config reference: arachNIDS http://www.whitehats.com/info/IDS
config reference: osvdb     http://osvdb.org/show/osvdb/
config reference: McAfee    http://vil.nai.com/vil/content/v_
config reference: nessus    http://cgi.nessus.org/plugins/dump.php3?id=
config reference: url       http://

local.rules: included above in body of mail

threshold.conf: empty file

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
