Snort mailing list archives
Re: Now how to launch my scan
From: "Mark W. Jeanmougin via Snort-users" <snort-users () lists snort org>
Date: Thu, 31 May 2018 08:46:44 -0400
Hey Dorian, I'm guessing that you're posting on an English language email list but that English is not your primary language. I'll try to be extra clear. :)

I created my scanner in bro, not snort. This topic may not be appropriate for this mailing list, but I'll post anyway. Every security professional uses the best tool for the job. I hope to inspire collaboration and encourage everyone to improve their situation. After I talk about how I did my work in bro, I'll talk about how snort could do something similar.

I have Security Onion running snort, bro, and all the rest. It is watching the link between my user network and the dhcp server in the data center. bro logs every dhcp packet. In the dhcp requests, it logs source MAC address, hostname, and other fields. In the dhcp responses from the server, it logs the IP address of the dhcp server, and other fields. I let Security Onion run for a few days building up logs. Then, I analyzed the logs looking for bad dhcp servers.

I created a text file containing the IP addresses of my legitimate dhcp servers. Then, I created a script to parse the bro logs looking for responses from dhcp servers that were not on the whitelist. I configured cron to run the script hourly. This is a high fidelity alert.

Next, I created a text file containing the regular expressions that describe the hostname naming standard for our machines. I created a script to parse the bro logs looking for requests to dhcp servers that were not on the whitelist. I configured cron to run the script hourly. This is a high fidelity alert.

I also created a text file whitelist containing all the user workstation names. I created a script to parse the bro logs looking for requests to dhcp servers that were not on the whitelist. I configured cron to run the script hourly. This is a low fidelity alert.

My next step is to parse the conn log looking for activity from IPs that don't have an associated dhcp request. We had a penetration test where they guessed an IP address in the local network since they knew we were watching for dhcp activity.

In snort, I'd define a variable containing all of my dhcp servers. I'd call it DHCP_SERVERS. Then, create an alert looking for dhcp responses where the source ip was !$DHCP_SERVERS.

Good luck, Dorian. I don't consider these techniques "introductory level". In my humble opinion, these are advanced ideas.

Back to my day job,
Mark Jeanmougin

On Wed, May 30, 2018 at 1:11 PM Dorian ROSSE <dorianbrice () hotmail fr> wrote:
Dear IT Community, You went to leave my computer and I succeeded in doing a full update / upgrade of my server, also how to launch the scan which deployed, Mark? Thank you in advance to take this ticket again, Regards. Dorian ROSSE. _______________________________________________ Snort-users mailing list Snort-users () lists snort org Go to this URL to change user options or unsubscribe: https://lists.snort.org/mailman/listinfo/snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news! Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
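As an added illustration of the two bro-log checks Mark describes above (this is example code, not Mark's scripts): parse a Zeek/Bro dhcp.log by its `#fields` header, flag replies from servers not on the allow-list, and flag hostnames that break a naming standard. The column names (client_addr, server_addr, mac, host_name) are assumed to follow the newer Zeek dhcp.log layout; the sample log, allow-list and regex are constructed.

```python
import re

# Constructed sample dhcp.log (tab-separated, with Zeek's #fields header).
# Record 2 is an OFFER from a server that is not on the allow-list; record 3
# is a DISCOVER (no server yet) from a host that breaks the naming standard.
SAMPLE_DHCP_LOG = """#separator \\x09
#fields\tts\tuid\tclient_addr\tserver_addr\tmac\thost_name\tmsg_types
1527700000.1\tC1\t10.1.2.50\t10.0.0.5\taa:bb:cc:00:00:01\tWS-0001\tDISCOVER,OFFER,REQUEST,ACK
1527700010.2\tC2\t10.1.2.51\t10.1.2.200\taa:bb:cc:00:00:02\tWS-0002\tDISCOVER,OFFER
1527700020.3\tC3\t10.1.2.52\t-\taa:bb:cc:00:00:03\tprinter-lobby\tDISCOVER
"""

# Allow-list and naming standard are constructed placeholders; in practice they
# come from the text files Mark mentions.
ALLOWED_DHCP_SERVERS = {"10.0.0.5"}
HOSTNAME_STANDARD = re.compile(r"^WS-\d{4}$")


def parse_zeek_log(text):
    """Return one dict per record, keyed by the column names in the #fields line."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]          # drop the "#fields" token itself
        elif line.startswith("#") or not line.strip():
            continue                               # other metadata lines and blanks
        elif fields is None:
            raise ValueError("record appeared before the #fields header")
        else:
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def rogue_dhcp_servers(records, allowed):
    """High-fidelity alert: any reply whose server address is not allow-listed.
    Zeek writes '-' for an unset field, so DISCOVER-only records are skipped."""
    return [(r["ts"], r["server_addr"], r["client_addr"], r["mac"])
            for r in records
            if r.get("server_addr", "-") != "-" and r["server_addr"] not in allowed]


def nonstandard_hostnames(records, pattern):
    """Lower-fidelity alert: requests whose hostname does not match the naming standard."""
    return [(r["ts"], r["mac"], r["host_name"])
            for r in records
            if r.get("host_name", "-") != "-" and not pattern.match(r["host_name"])]
```

To run it hourly from cron as Mark does, feed `parse_zeek_log` the contents of the current dhcp.log and print or forward whatever the two functions return.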