[Snort-sigs] Sig for counting packets?

bthaler at ...572... bthaler at ...572...
Fri Aug 9 06:28:05 EDT 2002

Now that I'm reading the user's manual a little more in-depth :), can't this (or something close) be done with the "tag" keyword?

For instance, something like

alert tcp $SMTP 25 -> $EXTERNAL_NET any (msg:"*** SMTP 550 (Spam Attempt) ***"; content:"550 unknown user"; tag: host, 100, packets;

If I'm understanding this correctly, it would be up to me to figure out what the next 100 "tagged" packets mean, right?  Now if
someone just got hold of a bad email address, in a perfect world there most likely would not be another 100 packets from this host.
On the other hand, if someone was brute-forcing the SMTP server as described earlier, there would almost certainly be another 100
packets to log, and probably a lot more.

Am I totally off-base here or what?  Please forgive me, for I know nothing (almost) of writing rules.


Brad T.

----- Original Message -----
From: "Chris Green" <cmg at ...435...>
To: <bthaler at ...572...>
Cc: <snort-sigs at lists.sourceforge.net>
Sent: Friday, August 09, 2002 8:51 AM
Subject: Re: [Snort-sigs] Sig for counting packets?

> <bthaler at ...572...> writes:
> > Is it possible to create a rule that will only alert when it receives
> > x packets from the specified host?
> That's not what you're really asking.  The underlying support for
> alerting on 10 packets recieved from HOST x is there.  You want alert
> thresholds.
> > My problem is this: I have a rule, that will naturally generate false
> > positives.  The distinction between a false positive and a true
> > positive is the number of packets received, not the content of any
> > specific packet.
> >
> > To clarify, the rule alerts on the string "550 unknown user" outbound
> > from $SMTP.  The rule is in place to detect attempts to spam our
> > users.  A single host receiving a single "550 unknown user" from $SMTP
> > wouldn't be a problem.  Most likely, someone just had a bad email
> > address.  But a brute-force type of attack, designed to find valid
> > email addresses on the server would generate many "550 unknown user"
> > messages, all being sent to the same host.
> Steve Halligan did something like this once. The underlying support
> needed for this is an Entity structure in snort with references to
> what has gone off and who has this entity talked to.
> If anyone has great Many->Many datastructure references, I'm all ears
> :)
> --
> Chris Green <cmg at ...435...>
> Warning: time of day goes back, taking countermeasures.
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs

More information about the Snort-sigs mailing list