[Snort-sigs] Sig for counting packets?
bthaler at ...572...
Fri Aug 9 06:28:05 EDT 2002
Now that I'm reading the user's manual a little more in-depth :), can't this (or something close) be done with the "tag" keyword?
For instance, something like
alert tcp $SMTP 25 -> $EXTERNAL_NET any (msg:"*** SMTP 550 (Spam Attempt) ***"; content:"550 unknown user"; tag: host, 100, packets;)
If I'm understanding this correctly, it would be up to me to figure out what the next 100 "tagged" packets mean, right? Now if
someone just got hold of a bad email address, in a perfect world there most likely would not be another 100 packets from this host.
On the other hand, if someone was brute-forcing the SMTP server as described earlier, there would almost certainly be another 100
packets to log, and probably a lot more.
Am I totally off-base here or what? Please forgive me, for I know nothing (almost) of writing rules.
----- Original Message -----
From: "Chris Green" <cmg at ...435...>
To: <bthaler at ...572...>
Cc: <snort-sigs at lists.sourceforge.net>
Sent: Friday, August 09, 2002 8:51 AM
Subject: Re: [Snort-sigs] Sig for counting packets?
> <bthaler at ...572...> writes:
> > Is it possible to create a rule that will only alert when it receives
> > x packets from the specified host?
> That's not what you're really asking. The underlying support for
> alerting on 10 packets received from HOST x is there. You want alert
> > My problem is this: I have a rule, that will naturally generate false
> > positives. The distinction between a false positive and a true
> > positive is the number of packets received, not the content of any
> > specific packet.
> > To clarify, the rule alerts on the string "550 unknown user" outbound
> > from $SMTP. The rule is in place to detect attempts to spam our
> > users. A single host receiving a single "550 unknown user" from $SMTP
> > wouldn't be a problem. Most likely, someone just had a bad email
> > address. But a brute-force type of attack, designed to find valid
> > email addresses on the server would generate many "550 unknown user"
> > messages, all being sent to the same host.
> Steve Halligan did something like this once. The underlying support
> needed for this is an Entity structure in snort with references to
> what has gone off and who has this entity talked to.
> If anyone has great Many->Many datastructure references, I'm all ears
> Chris Green <cmg at ...435...>
> Warning: time of day goes back, taking countermeasures.
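The per-host counting the thread asks for, written here as an added stand-alone example (not Snort code and not from either poster): a sliding-window counter that only alerts once the same destination host has collected a threshold of "550 unknown user" responses, so a single bad address stays quiet while an address-harvesting run trips the alert. The events are constructed sample records, not captured traffic.

```python
"""Count-based alerting for '550 unknown user' responses, per destination host."""
from collections import defaultdict, deque

# Constructed sample events (not Snort output): (epoch seconds, dst host, payload).
# 203.0.113.7 gets twelve 550s in six seconds; 198.51.100.9 gets a single one.
SAMPLE_EVENTS = (
    [(1000.0 + i * 0.5, "203.0.113.7", "550 unknown user") for i in range(12)]
    + [(1003.0, "198.51.100.9", "550 unknown user")]   # one bad address: benign
    + [(1004.0, "203.0.113.7", "250 OK")]               # unrelated reply, not counted
)


class HostCounter:
    """Alert once a destination host has received `threshold` matching
    responses within the last `window` seconds (sliding window)."""

    def __init__(self, pattern, threshold, window):
        self.pattern, self.threshold, self.window = pattern, threshold, window
        self.hits = defaultdict(deque)   # dst host -> timestamps of matches
        self.alerted = set()             # hosts already reported, to avoid repeats

    def feed(self, ts, dst, payload):
        """Record one outbound SMTP reply; return True if it triggers an alert."""
        if self.pattern not in payload:
            return False
        q = self.hits[dst]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop matches older than the window
            q.popleft()
        if len(q) >= self.threshold and dst not in self.alerted:
            self.alerted.add(dst)
            return True
        return False


def run(events, threshold=10, window=60):
    """Feed events in order; return the hosts that crossed the threshold."""
    counter = HostCounter("550 unknown user", threshold, window)
    return [dst for ts, dst, payload in events if counter.feed(ts, dst, payload)]


if __name__ == "__main__":
    print(run(SAMPLE_EVENTS))  # ['203.0.113.7']
```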