Snort mailing list archives

Re: Specific rule for bandwidth


From: Gabriel Corre <gabriel.corre () fr clara net>
Date: Wed, 16 Sep 2015 12:48:42 +0000

Well, I did not succeed in creating this type of rule, so I used the Performance Monitor to perform a post-analysis of the 
bandwidth per IP.
Here is what I use in my "snort.conf":
preprocessor perfmonitor: time 30 pktcnt 1000 flow-ip-file flow-ip-file.csv

Here is a Perl script to organize the CSV file properly (comments are in French, sorry =D):
#!/usr/bin/perl
use strict;
use warnings;
use Text::CSV;

################## Variable declarations ##################
# Output column names, in the same order as the columns of the
# perfmonitor flow-ip-file: IP pair, TCP, UDP, other IP, sessions.
my @header = (
    "IP A",
    "IP B",
    # TCP
    "TCP pkt A->B",
    "TCP Bytes traffic A->B",
    "TCP pkt B->A",
    "TCP Bytes traffic B->A",
    # UDP
    "UDP pkt A->B",
    "UDP Bytes traffic A->B",
    "UDP pkt B->A",
    "UDP Bytes traffic B->A",
    # Other
    "OTHER IP pkt A->B",
    "OTHER IP Bytes traffic A->B",
    "OTHER IP pkt B->A",
    "OTHER IP Bytes traffic B->A",
    # Sessions
    "TCP sessions established",
    "TCP sessions closed",
    "UDP sessions created",
);

################## Open the file handles ##################
open(my $FILESOURCE, "<", "flow-ip-file.csv")
    or die("cannot open flow-ip-file.csv: $!");
open(my $FILEFORMAT, ">", "Analyze_ip_snort.csv")
    or die("cannot open Analyze_ip_snort.csv: $!");

# Reader: the perfmonitor file is comma separated
my $csv = Text::CSV->new({
    binary    => 1, # allow special characters
    auto_diag => 1, # report problems immediately
});

# Writer: semicolon separated, every field quoted
my $out = Text::CSV->new({
    binary       => 1,
    auto_diag    => 1,
    sep_char     => ';',
    always_quote => 1,
    eol          => "\n",
});

################## Write the new file ##################
$csv->getline($FILESOURCE);     # first line is static, skip it
$out->print($FILEFORMAT, \@header);

while (my $row = $csv->getline($FILESOURCE)) {
    # columns 0..16 of the source map one-to-one onto @header
    $out->print($FILEFORMAT, [ @{$row}[0 .. $#header] ]);
}
close($FILESOURCE);
close($FILEFORMAT);

In case it is not working, use "perl -d" to debug ;)

Cheers,

Gabriel C. 
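The Perl script above only relabels the columns. As an added example (not code from the original post), the following Python script does the post-analysis the message describes: it reads the same flow-ip-file, sums the TCP, UDP and other-IP byte counters per IP in each dump, and lists the IPs whose average rate over the perfmonitor interval (`time 30`) exceeds a limit, which is the "certain amount of data in a specific time interval" check asked about earlier in the thread. Two assumptions are made: every dump begins with a `timestamp,entry_count` line (the script above skips one such line), and each dump holds only that interval's counters. The sample file, IPs and byte counts are constructed for the example.

```python
"""Per-IP bandwidth from a Snort perfmonitor flow-ip-file (added example)."""
import csv
import io
from collections import defaultdict

# Field positions in a flow line, in the order the Perl script labels them:
# 0 IP A, 1 IP B, 2-5 TCP pkt/bytes A->B and B->A, 6-9 UDP, 10-13 other IP,
# 14-16 TCP sessions established/closed and UDP sessions created.
FLOW_FIELDS = 17
BYTES_A_TO_B = (3, 7, 11)
BYTES_B_TO_A = (5, 9, 13)

# Constructed sample: two dumps 30 s apart. ASSUMPTION: every dump starts with
# a "timestamp,entry_count" line and the counters hold only that interval.
SAMPLE = """\
1442400000,2
10.0.0.5,203.0.113.10,1200,96000,31000,45000000,0,0,0,0,0,0,0,0,3,2,0
10.0.0.7,198.51.100.20,40,2400,40,3200,10,1500,10,1800,0,0,0,0,1,1,2
1442400030,1
10.0.0.5,203.0.113.10,20,1600,20,1800,0,0,0,0,0,0,0,0,0,1,0
"""


def parse_dumps(text):
    """Split the file into [(timestamp, [flow rows]), ...], checking that each
    dump carries exactly the number of 17-field rows its header announces."""
    rows = [r for r in csv.reader(io.StringIO(text)) if r]
    dumps, i = [], 0
    while i < len(rows):
        if len(rows[i]) != 2:
            raise ValueError(f"expected a 'timestamp,count' header at row {i}")
        ts, count = int(rows[i][0]), int(rows[i][1])
        flows = rows[i + 1:i + 1 + count]
        if len(flows) != count or any(len(f) != FLOW_FIELDS for f in flows):
            raise ValueError(f"truncated or malformed dump at timestamp {ts}")
        dumps.append((ts, flows))
        i += 1 + count
    return dumps


def bytes_per_ip(flows):
    """Sum TCP+UDP+other bytes sent and received by each IP in one dump."""
    sent, received = defaultdict(int), defaultdict(int)
    for f in flows:
        ip_a, ip_b = f[0], f[1]
        a_to_b = sum(int(f[i]) for i in BYTES_A_TO_B)
        b_to_a = sum(int(f[i]) for i in BYTES_B_TO_A)
        sent[ip_a] += a_to_b
        received[ip_b] += a_to_b
        sent[ip_b] += b_to_a
        received[ip_a] += b_to_a
    return dict(sent), dict(received)


def over_threshold(dumps, interval_s, limit_bytes_per_s):
    """List (timestamp, ip, direction, bytes) for each IP whose average rate in
    a dump exceeds the limit; interval_s is perfmonitor's 'time' value."""
    hits = []
    for ts, flows in dumps:
        sent, received = bytes_per_ip(flows)
        for direction, table in (("sent", sent), ("received", received)):
            for ip, nbytes in sorted(table.items()):
                if nbytes / interval_s > limit_bytes_per_s:
                    hits.append((ts, ip, direction, nbytes))
    return hits


if __name__ == "__main__":
    for ts, ip, direction, nbytes in over_threshold(parse_dumps(SAMPLE), 30, 1_000_000):
        print(f"{ts} {ip} {direction} {nbytes} bytes in 30 s "
              f"({nbytes / 30 / 1e6:.2f} MB/s)")
```

Run it against a real flow-ip-file by replacing SAMPLE with the file contents; on the constructed sample, with a limit of 1 MB/s, only the 45 MB transfer from 203.0.113.10 to 10.0.0.5 in the first interval is reported (once as sent, once as received). The header check matters because a dump written while Snort was stopped can be cut short, and silently misreading the next `timestamp,count` line as a flow row would corrupt the totals.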

-----Original Message-----
From: Gabriel Corre
Sent: Tuesday, 15 September 2015 17:31
To: Davis McPherson (davmcphe) <davmcphe () cisco com>; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Specific rule for bandwidth

To be more precise, is it possible to fire an alert when a certain amount of data is transferred in a specific time 
interval?

-----Original Message-----
From: Gabriel Corre [mailto:gabriel.corre () fr clara net]
Sent: Tuesday, 15 September 2015 17:14
To: Davis McPherson (davmcphe) <davmcphe () cisco com>; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Specific rule for bandwidth

Ok, then it also means I cannot control data transfer in real time with stream_size, right?
Do you know if there is another way?

-----Original Message-----
From: Davis McPherson (davmcphe) [mailto:davmcphe () cisco com]
Sent: Tuesday, 15 September 2015 16:47
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Specific rule for bandwidth


The stream size option is evaluated on packets when a rule is evaluated. The current stream size is computed by 
subtracting the current 'next seq' from the ISN (or vice-versa to handle wrapping). The value is computed for the 
server and client directions and then comparison is done for the directions specified by the rule against the threshold 
value in the rule using the comparison operator defined by the rule. There is no reset if the rule is triggered, so 
the stream size is a count of the number of bytes observed on the stream.

-davis mcpherson


-------- Forwarded Message --------
Subject:        [Snort-users] Specific rule for bandwidth
Date:   Tue, 15 Sep 2015 07:24:11 +0000
From:   Gabriel Corre <gabriel.corre () fr clara net>
To:     snort-users () lists sourceforge net


Hello,

I would like to use "stream_size" as a bandwidth controller. Thus I created this rule to test its functionality:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"WARNING! Session bandwidth > 8 bytes"; stream_size:both,>,8; sid:1000000001;)

I would like to know if "stream_size" is reset when the alert is triggered or if it still counts the 
number of bytes observed.

The doc says: "The stream size keyword allows a rule to match traffic according to the number of bytes observed, as 
determined by the TCP sequence numbers." It doesn't pinpoint this aspect and I'm not sure about my bandwidth test.

Regards,

--

Gabriel Corré
Security & Network Engineering Student, Ops - Core Infrastructure
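The `stream_size:both,>,8` rule in this original question and Davis McPherson's explanation of how the option is evaluated, modelled in Python as an added example (this is not Snort's code): each direction's size is the distance from its ISN to its current next sequence number, both directions are compared against the threshold with the rule's operator, and nothing is reset on a match. The model makes two simplifications that are assumptions of the example, not statements from the thread: wrap-around is handled with arithmetic modulo 2^32 (the effect Davis describes, not necessarily Snort's exact code path), and only payload bytes advance the counter, so the sequence number consumed by SYN/FIN is ignored. The ISNs and the packet sequence are constructed; the client ISN is placed 16 bytes below the wrap point so the replay crosses it.

```python
"""Model of how Snort's stream_size option is evaluated (added example, not Snort code)."""
import operator

SEQ_MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap

# Comparison operators accepted by stream_size:<direction>,<operator>,<number>
OPS = {
    "<": operator.lt, ">": operator.gt, "=": operator.eq,
    "!=": operator.ne, "<=": operator.le, ">=": operator.ge,
}

# Constructed ISNs: the client ISN sits 16 bytes below the wrap point.
CLIENT_ISN = 0xFFFFFFF0
SERVER_ISN = 1000

# Constructed packet sequence: (sender, payload bytes).
SAMPLE_PACKETS = [("client", 5), ("server", 20), ("client", 10),
                  ("server", 1), ("client", 100)]


def stream_bytes(isn, next_seq):
    """Bytes observed in one direction: next expected sequence number minus
    the ISN, taken modulo 2^32 so a wrapped counter still counts upward."""
    return (next_seq - isn) % SEQ_MOD


class TcpStreamModel:
    """Tracks the ISN and next sequence number of each direction.
    Simplification (assumption): only payload bytes advance the counter;
    the sequence number consumed by SYN/FIN is ignored."""

    def __init__(self, client_isn, server_isn):
        self.isn = {"client": client_isn, "server": server_isn}
        self.next_seq = dict(self.isn)

    def send(self, sender, payload_len):
        self.next_seq[sender] = (self.next_seq[sender] + payload_len) % SEQ_MOD

    def sizes(self):
        """(client_size, server_size) as the option computes them."""
        return (stream_bytes(self.isn["client"], self.next_seq["client"]),
                stream_bytes(self.isn["server"], self.next_seq["server"]))


def stream_size_match(direction, op, threshold, client_size, server_size):
    """Compare the direction(s) named by the rule against the threshold."""
    cmp = OPS[op]
    client_ok = cmp(client_size, threshold)
    server_ok = cmp(server_size, threshold)
    if direction == "client":
        return client_ok
    if direction == "server":
        return server_ok
    if direction == "both":
        return client_ok and server_ok
    if direction == "either":
        return client_ok or server_ok
    raise ValueError(f"unknown direction {direction!r}")


def replay(packets, direction="both", op=">", threshold=8,
           client_isn=CLIENT_ISN, server_isn=SERVER_ISN):
    """Evaluate the rule on every packet of a stream and return one bool per
    packet. Nothing is reset on a match, so once the threshold is crossed the
    rule matches on every later packet too."""
    stream = TcpStreamModel(client_isn, server_isn)
    results = []
    for sender, payload_len in packets:
        stream.send(sender, payload_len)
        results.append(stream_size_match(direction, op, threshold, *stream.sizes()))
    return results


if __name__ == "__main__":
    stream = TcpStreamModel(CLIENT_ISN, SERVER_ISN)
    for (sender, n), hit in zip(SAMPLE_PACKETS, replay(SAMPLE_PACKETS)):
        stream.send(sender, n)
        c, s = stream.sizes()
        print(f"{sender:6} +{n:3} bytes -> client={c:3} server={s:3} "
              f"next_seq={stream.next_seq[sender]:#010x} match={hit}")
```

On the constructed stream the rule is false for the first two packets (the client side is still at 5 bytes) and true for every packet from the third onward, including the last one, where the client's next sequence number has wrapped to 0x63 while its size is correctly reported as 115. That is the behaviour the reply describes: stream_size is a running total for the life of the stream, not a per-interval amount, which is why it cannot act as a bandwidth-per-interval trigger on its own.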




------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
