Snort mailing list archives
Re: Zombie detection rules
From: Paul Li <paul () scybersecurity com>
Date: Thu, 16 Feb 2017 09:42:26 -0500
I agree it's a firewall job; I just tried to see if a NIDS could do anything about it, since it seems to me lots of cases could simply be (extremely) larger traffic than usual. But I agree a SIEM would also be a better option.

Thanks,
Paul

On Thursday, February 16, 2017, Luke Ager <luke.ager () me com> wrote:
I'll second this. It would be easier to use network devices as log sources, such as NetFlow and connection logs, to determine patterns. Clearly good egress filtering is a priority, and then baselining of permitted ports. If you have specific hosts in mind and the scope is small, you could consider an endpoint agent also which includes network monitoring. LogRhythm's endpoint agent will support this. Failing that, Arbor, who are known for DDoS protection, offer a product which uses Snort but also integrates with their DDoS threat intel. They have some techniques to detect zombies, but it's based on their intelligence.

Sent from my iPhone

On 16 Feb 2017, at 09:00, Alberto Colosi <alcol () hotmail com> wrote:

Hi, another approach ... are there not firewalls? I can't believe all is open. Zombie is a wide kind of possible activity and is not so easy as can be imagined. Firewalls and uncommon authorized port usage, for example during the night, but not only ... All other kinds of traffic will be dropped by firewalls, and this kind of log is important too. A SIEM can perform this kind of check automatically; if not, you'll have to create some scripts to inspect log files.

Alberto Colosi
IT Security & NetWork

From: Paul Li <paul () scybersecurity com>
Sent: Thursday, February 16, 2017 5:32 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Zombie detection rules

Is there any Snort rule for zombie detection: to detect if the devices Snort is monitoring are used as zombies? Or some rules that can detect large egress traffic from a monitored device would also work.
Thanks,
Paul

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
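Alberto's suggestion of scripting the check over log files, and Luke's baselining of permitted ports, as an added example that is not from this thread: it reads constructed connection-log lines in an assumed CSV shape (timestamp, source host, destination port, bytes out), builds a per-host baseline of ports and hourly egress from earlier days, then flags night-time use of a port the host never used and any hour of egress more than three standard deviations above the host's mean. CONN_LOG, SINCE and the log format are assumptions; a real deployment would feed NetFlow or firewall connection logs in their own format.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed connection-log lines (assumed format): timestamp,src_host,dst_port,bytes_out
CONN_LOG = """\
2017-02-13T09:00:00,10.0.0.5,443,1100
2017-02-13T10:00:00,10.0.0.5,443,950
2017-02-14T09:00:00,10.0.0.5,443,1000
2017-02-13T09:00:00,10.0.0.7,443,800
2017-02-14T09:00:00,10.0.0.7,443,820
2017-02-15T14:00:00,10.0.0.5,443,450000
2017-02-15T02:00:00,10.0.0.7,6667,300
2017-02-15T09:00:00,10.0.0.7,443,810
"""
SINCE = datetime(2017, 2, 15)  # rows before this build the baseline, rows from it on are checked
def parse(log):
    """One (datetime, host, port, bytes) tuple per log line."""
    return [(datetime.fromisoformat(t), s, int(p), int(b))
            for t, s, p, b in (line.split(",") for line in log.strip().splitlines())]

def build_baseline(rows, before):
    """Per host: the set of destination ports seen and the hourly egress totals before `before`."""
    ports, hourly = defaultdict(set), defaultdict(lambda: defaultdict(int))
    for ts, src, dport, nbytes in rows:
        if ts < before:
            ports[src].add(dport)
            hourly[src][ts.replace(minute=0, second=0)] += nbytes
    return {h: (ports[h], list(hourly[h].values())) for h in ports}

def detect(rows, baseline, since, sigma=3.0, night=range(0, 6)):
    """Flag night-time use of a port the host never used, and hourly egress far above its mean."""
    alerts, hourly = [], defaultdict(lambda: defaultdict(int))
    for ts, src, dport, nbytes in rows:
        if ts < since:
            continue
        hourly[src][ts.replace(minute=0, second=0)] += nbytes
        if ts.hour in night and dport not in baseline.get(src, (set(), []))[0]:
            alerts.append((src, "port %d used at %02d:00, not in baseline" % (dport, ts.hour)))
    for src, buckets in hourly.items():
        hist = baseline.get(src, (set(), []))[1]
        if len(hist) < 2:
            continue  # too little history to derive a limit; such hosts need a separate rule
        limit = mean(hist) + sigma * pstdev(hist)
        alerts += [(src, "egress %d bytes at %s exceeds limit %.0f" % (b, h.isoformat(), limit))
                   for h, b in buckets.items() if b > limit]
    return alerts
def run_example():
    rows = parse(CONN_LOG)
    return detect(rows, build_baseline(rows, SINCE), SINCE)
```

On the constructed data this reports two hosts: 10.0.0.7 for IRC-style port 6667 at 02:00, and 10.0.0.5 for the 450000-byte hour, while the normal daytime rows stay silent.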