Re: Zombie detection rules

[Paul Li <paul () scybersecurity com>]

Me agrees it's a firewall job, just tried to see if a NIST coul do anything
about it, since seems to me lots of cases could be simply (extremely)
larger traffic than usual. But agree SIEM would also be a better option.

Thanks,
Paul


On Thursday, February 16, 2017, Luke Ager <luke.ager () me com> wrote:

> I'll second this. It would be easier to use network devices as log sources
> such as Netflow and connection logs to determine patterns.
> Clearly good egress filtering is a priority and then base lining of
> permitted ports.
>
> If you have specific hosts in mind and the scope is small you could
> consider an endpoint agent also which includes network monitoring.
> LogRyhthms end point agent will support this.
>
> Failing that, arbour who are known for DDOS protection offer a product
> which uses snort but also integrates with their ddos threat intel. They
> have some techniques to detect zombies but it's based on their
> intelligence.
>
>
>
> Sent from my iPhone
>
> On 16 Feb 2017, at 09:00, Alberto Colosi <alcol () hotmail com
> <javascript:_e(%7B%7D,'cvml','alcol () hotmail com');>> wrote:
>
> Hi another approach ............. are not firewalls ?
>
>
> I can't believe all is open , zombie is a wide kind of possible activity
> and is not so easy as can be imagined.
>
>
> firewalls and uncommon authorized port usage for example during the night
> but not only .............. . All other kind of traffic will be dropped by
> firewalls and this kind of log is important too.
>
>
> a SIEM can perform this kind of check in automatic if not you'll have to
> create some scripts to inspect log files.
>
>
>
> Alberto Colosi
>
> IT Security & NetWork
>
>
>
>
> ------------------------------
> *From:* Paul Li <paul () scybersecurity com
> <javascript:_e(%7B%7D,'cvml','paul () scybersecurity com');>>
> *Sent:* Thursday, February 16, 2017 5:32 AM
> *To:* snort-users () lists sourceforge net
> <javascript:_e(%7B%7D,'cvml','snort-users () lists sourceforge net');>
> *Subject:* [Snort-users] Zombie detection rules
>
> Is there any snort rule for zombies detection: to detect if the devices
> snort is monitoring are used as zombies. Or some rules that can detect
> large outgress traffic from a monitored device would also work.
>
> Thanks,
> Paul
>
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> <javascript:_e(%7B%7D,'cvml','Snort-users () lists sourceforge net');>
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!