[Snort-sigs] rules for physical intruders

adam_peterson at ...2065... adam_peterson at ...2065...
Thu Dec 11 15:36:25 EST 2003


i've come up with some rules to detect dhcp requests from machines that 
are not named using our naming standard and are therefore probably not 
machines we want on our network.  i've also come up with a rule to pick up 
ms active directory requests (ldap) for domains that are not ours as this 
is one of the first things a win2k+ machine does when it gets an ip.

my question is, has anyone else created simliar rules in hopes of catching 
consultants/visitors who decide it's okay to connect their machine to the 
network, contrary to corporate policy?  i'm struggling to come up with 
more than what i have, which is:

this rule detects LDAP traffic with "DC=" in it, which I think only MS 
uses, but that doesn't contain "splwg" so it would see any Active 
Directory requests to domains other than splwg.com:

alert tcp any 389 -> $HOME_NET any (msg:"Unauthorized LDAP\
Traffic!";content:"|44 43 3d|"; content:!"|73 70 6c 77 67|"; \
sid:1000000; classtype:SPL-policy-violation;)

this rule detects DHCP traffic to machines requesting and getting IP's 
that do not have "spl" in their name.  this covers machinename.splwg.com and spl-loc-w111, both of which could be valid machine names.

alert udp !$DHCP_SERVERS 68 -> any 67 (msg:"Unauthorized DHCP Traffic!";\
content:"|63 82 53 63 35 01|";content:!"|73 70 6c 77 67|"; \
content:!"|53 50 4C|"; sid:1000000; classtype:SPL-policy-violation;)

note that I'm not trying to create rules to catch someone who is trying to 
hide - i'll leave that up to the real rule creators - just someone 
breaking our policies by connecting an unauthorized machine.  any 
help/advice is greatly appreciated!

Adam Peterson | Senior WAN Engineer | SPL WorldGroup | 
adam_peterson at ...2065...
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20031211/87d45530/attachment.html>


More information about the Snort-sigs mailing list