[Snort-devel] New feature wanted: Locate the bad guy?

Martin Olsson elof at ...969...
Mon Jun 23 04:02:13 EDT 2003

On Sun, 22 Jun 2003 guano at ...2048... wrote:
> I read your posting in snort-devel.
> You might want to take a look at my snort detection engine "uninvited".
> I believe it will handle your requirement for directions:
> alert tcp any any -> any any (uninvited; msg:"Attack"; content:"cmd.exe";)
> alert tcp any any -> any any (uninvited; msg:"Response"; content:"\WINNT\system32";)
> This assumes that the "cmd.exe" source should NEVER come from your firewall.
> If you initiate the attack, then it will not trigger an alert.
> But if someone else triggers the attack, then it will trigger the alert.

Sorry, this was not what I was asking for.
I want ACID to report the most common attackers and the most common
targets. This is not the same thing as listing the most common source
addresses and destination addresses. This is due to the fact that some of
the snort rules match on _responses_ rather than the requests. The source
IP of response packets is not the attacker's IP, it's the target
machine replying back to the attacker. Hence, this source IP should not be
put in the same list as the source IPs of all the attack requests.

In order for ACID, SnortCenter and other reporting tools to create a
correct list of sources and targets, you need to label each rule with some
information regarding whether it's a query or response.

In my original posting I labeled the rules based on where an attacker was
supposed to be:
S = The source address is the bad guy (he wants to run cmd.exe)
D = The destination address is the bad guy (the source address is replying
    with a DOS-prompt)
A = Any of the two (for rules with the direction <>, and for rules that
    just log packets with no particular options)

One could exchange this with labels indicating the type of the packet:
Q = This is a query
R = This is a response
A = Any of the two

This is exactly the same thing as above, only the word "bad guy" or
"attacker" has been removed. This might be preferable.

Once again:
The reason why I want to log this label in the alert is for the operator
to immediately understand in what direction the packet was going when
captured. Also when making reports, you need this label in order to
categorize the alerts correctly.

Hmmm, only one reply to my posting... Am I really the only one who thinks
this is a nice idea? There must be hundreds of reports built every day
with misleading information and statistics.


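What the S/D/A label proposed above buys a reporting tool, as an added
example (not part of the original post, and not code from Snort, ACID or
SnortCenter). It assumes a hypothetical rule option "dir:S|D|A" standing in
for the label, parses it out of constructed sample rules, and then ranks
attackers and targets from constructed sample alerts two ways: the naive
source/destination count that reporting tools do today, and the
label-aware count the post asks for.

```python
import re
from collections import Counter

# Constructed sample rules. The "dir:" option (S = source is the attacker,
# D = destination is the attacker, A = either) is hypothetical: Snort has no
# such keyword; it stands in for the label proposed in the post.
# Note the doubled backslashes: a literal "\" in a Snort content: must be escaped.
SAMPLE_RULES = r"""
alert tcp any any -> any 80 (msg:"WEB-IIS cmd.exe access"; content:"cmd.exe"; dir:S; sid:1002;)
alert tcp any 80 -> any any (msg:"ATTACK-RESPONSES NT prompt"; content:"\\WINNT\\system32"; dir:D; sid:1003;)
alert ip any any <> any any (msg:"Packet logged, direction unknown"; dir:A; sid:1004;)
"""

DIR_RE = re.compile(r'\bdir:([SDA])\s*;')
SID_RE = re.compile(r'\bsid:(\d+)\s*;')


def parse_rule_labels(rules_text):
    """Return {sid: label} for every rule; rules without dir: default to 'A'."""
    labels = {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        sid = SID_RE.search(line)
        if not sid:
            continue
        label = DIR_RE.search(line)
        labels[int(sid.group(1))] = label.group(1) if label else 'A'
    return labels


# Constructed sample alerts as (sid, src_ip, dst_ip): two intruders probe two
# web servers, which answer with a DOS prompt; one packet of unknown direction.
SAMPLE_ALERTS = [
    (1002, "203.0.113.5", "192.0.2.10"),    # request: attacker -> server
    (1003, "192.0.2.10", "203.0.113.5"),    # response: server -> attacker
    (1002, "203.0.113.5", "192.0.2.11"),
    (1003, "192.0.2.11", "203.0.113.5"),
    (1002, "198.51.100.7", "192.0.2.10"),
    (1004, "192.0.2.12", "198.51.100.9"),
]


def naive_counts(alerts):
    """What a report gets by counting raw source and destination addresses."""
    sources = Counter(src for _, src, _ in alerts)
    destinations = Counter(dst for _, _, dst in alerts)
    return sources, destinations


def labelled_counts(alerts, labels):
    """Attacker/target counts using the per-rule direction label.

    S: src is the attacker, dst the target.
    D: dst is the attacker, src the target (the rule matched a response).
    A: direction unknown; both ends go to a separate 'undetermined' list
       rather than polluting either ranking.
    """
    attackers, targets, undetermined = Counter(), Counter(), Counter()
    for sid, src, dst in alerts:
        label = labels.get(sid, 'A')
        if label == 'S':
            attackers[src] += 1
            targets[dst] += 1
        elif label == 'D':
            attackers[dst] += 1
            targets[src] += 1
        else:
            undetermined[src] += 1
            undetermined[dst] += 1
    return attackers, targets, undetermined


if __name__ == "__main__":
    labels = parse_rule_labels(SAMPLE_RULES)
    sources, destinations = naive_counts(SAMPLE_ALERTS)
    attackers, targets, undetermined = labelled_counts(SAMPLE_ALERTS, labels)
    print("naive top sources:     ", sources.most_common(3))
    print("naive top destinations:", destinations.most_common(3))
    print("top attackers:         ", attackers.most_common(3))
    print("top targets:           ", targets.most_common(3))
    print("undetermined:          ", undetermined.most_common(3))
```

On the sample data the naive report lists the web servers among the top
"sources" and the intruder 203.0.113.5 among the top "destinations", because
the ATTACK-RESPONSES alerts have the addresses the wrong way round; the
label-aware count credits all four of those alerts to 203.0.113.5 as the
attacker and keeps the servers only in the target list.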