-
June 26th, 2007, 08:54 PM
#1
writing Snort rules
I'm learning to write snort rules. Wow, some are really straightforward, and some are "out there."
It occurred to me that Snort is really busy -- after going through some of the thousands of signatures. (Yes, I know, don't run the ones you don't have to.)
Is anyone aware of efforts to set up a rule-set that will monitor traffic that your network is *supposed* to be doing -- and flag on anything that it sees out of the ordinary? Kinda like a "reverse application" of the filtering scheme. It seems to me that, rather than looking for the possible thousands of signatures, hoping you have one to detect the event, it might be easier to ignore the allowed traffic and flag on any unusual stuff -- like the dude trying to run the SSH shell through port 80, or IRC on an "unauthorized" port.
How would you go about writing such a rule that says "this SSH traffic on this box is OK, flag all others" ?
This may be a good way to help detect covert channels – or a good way to fill your logs with a billion false-positives…
Just a thought...
-
July 2nd, 2007, 10:11 PM
#2
Create a variable in your snort.conf for your SSH boxes:
Code:
var SSH_SERVERS [10.10.1.1/32,10.10.1.2/32,10.10.1.84/32]
Create a rule; local.rules is a good place:
Code:
alert tcp any any -> !$SSH_SERVERS 22 (msg:"Some crazy SSH traffic on non-SSH server"; sid:1000001; rev:1;)
You could get fancy and check the content to make sure it is true SSH traffic and not just something hitting port 22. But there is a quick and lazy way to do what you want.
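Putting the question in #1 and the reply in #2 together, here is an added example (not code from this thread) of what the "fancy" version of that local.rules fragment could look like in Snort 2.x syntax. It assumes the SSH_SERVERS list from the reply, a hypothetical HOME_NET of 10.10.1.0/24, and local sids in the 1000000+ range; the content match on the "SSH-" version string is what keeps a plain port scan or an unrelated service on port 22 from firing the rule.

```snort
# --- snort.conf (or a file included from it) ---
# ipvar is the Snort 2.8+ form; the plain "var" from the reply above also works.
ipvar HOME_NET 10.10.1.0/24
ipvar SSH_SERVERS [10.10.1.1/32,10.10.1.2/32,10.10.1.84/32]

# --- local.rules ---

# Rule 1: the reply's idea, tightened. An SSH client banner ("SSH-2.0-...")
# arriving on port 22 of an internal host that is NOT an approved SSH server.
# flow:established means a bare SYN scan of port 22 never matches;
# depth:4 restricts the content check to the first four payload bytes.
alert tcp any any -> !$SSH_SERVERS 22 (msg:"POLICY SSH client banner to unapproved SSH server"; flow:to_server,established; content:"SSH-"; depth:4; classtype:policy-violation; sid:1000001; rev:2;)

# Rule 2: the unapproved host is actually answering as an SSH server
# (server banner going back to the client). Catches a box running sshd
# that is not on the SSH_SERVERS list.
alert tcp !$SSH_SERVERS 22 -> any any (msg:"POLICY SSH server banner from unapproved SSH server"; flow:to_client,established; content:"SSH-"; depth:4; classtype:policy-violation; sid:1000002; rev:1;)

# Rule 3: the case from the original question - SSH handshake on a port
# other than 22 to any internal host (e.g. sshd listening on 80 or 443).
alert tcp any any -> $HOME_NET !22 (msg:"POLICY SSH client banner on non-standard port"; flow:to_server,established; content:"SSH-"; depth:4; classtype:policy-violation; sid:1000003; rev:1;)
```

A quick check is `snort -T -c snort.conf` to validate the config and rules without sniffing, then send a normal `ssh` session to one of the listed servers (no alert) and to a host that is not listed (rule 1 and, if sshd answers, rule 2). Tuning the SSH_SERVERS list is what keeps this from becoming the "billion false-positives" scenario: every legitimate SSH endpoint you forget to list shows up as an alert.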
-
July 12th, 2007, 07:34 PM
#3
thanks
Cool. Thanks. Didn't think of a big ol' NOT...
will try it out.