I'm learning to write snort rules. Wow, some are really straight forward, and some are "out there."
It occurred to me that Snort is really busy -- after going through some of the thousands of signatures. (yes, I know, don't run the ones you don't have to.)
Is anyone aware of efforts to setup a rule-set that will monitor traffic that your network is *supposed* to be doing -- and flag on anything that it sees out of the ordinary? Kinda like a “reverse application” of the filtering scheme. It seems to me, that rather than looking for the possible thousands of signatures, hoping you have one to detect the event, it might be easier to ignore the allowed traffic and flag on any unusual stuff -- like the dude trying to run the SSH shell through port 80, or IRC on an “un-authorized” port.
How would you go about writing such a rule that says "this SSH traffic on this box is OK, flag all others" ?
This may be a good way to help detect covert channels – or a good way to fill your logs with a billion false-positives…
Just a thought...
July 2nd, 2007, 11:11 PM
create a variable in your snort.conf for you ssh boxes
var SSH_SERVERS [10.10.1.1/32,10.10.1.2/32,10.10.1.84/32]
create a rule, local.rules is a good place.
alert tcp any any -> !$SSH_SERVERS 22 (msg:"Some crazy SSH traffic on non-SSH server";)
You could get fancy and check the content to make sure it is true SSH traffic and not just something hitting port 22. But there is a quick and lazy way to do what you want.