[Snort-sigs] TCP sweeps

Matt Jonkman matt at ...2436...
Mon Dec 13 06:52:01 EST 2004


We just recently had a similar discussion on the Bleedingsnort site.

http://www.bleedingsnort.com/forum/viewtopic.php?forum=3&showtopic=363


We decided in local testing these rules would be of significant value, 
but they're not something we can have turned on in a default ruleset. It 
would have to be left to each local admin to make the decision which 
rules are good for their net, and more specifically what sensors they'd 
be able to run which on.

I will make us the rules for this, but they'll be disabled by default in
the bleeding rules. You'll have to specifically decide locally where 
they should go. I'll have this posted in just a few minutes. The rules 
going up are:

alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"BLEEDING-EDGE
Behavioral Unusual Port 445 traffic, Potential Scan or Infection"; 
threshold: type limit, track by_src, count 50 , seconds 60; sid:2001569; 
rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 139 (msg:"BLEEDING-EDGE
Behavioral Unusual Port 139 traffic, Potential Scan or Infection"; 
threshold: type limit, track by_src, count 50 , seconds 60; sid:2001579; 
rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 137 (msg:"BLEEDING-EDGE
Behavioral Unusual Port 137 traffic, Potential Scan or Infection"; 
threshold: type limit, track by_src, count 50 , seconds 60; sid:2001580; 
rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 135 (msg:"BLEEDING-EDGE
Behavioral Unusual Port 135 traffic, Potential Scan or Infection"; 
threshold: type limit, track by_src, count 50 , seconds 60; sid:2001581; 
rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1434 (msg:"BLEEDING-EDGE
Behavioral Unusual Port 1434 traffic, Potential Scan or Infection"; 
threshold: type limit, track by_src, count 50 , seconds 60; sid:2001582;
rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1433 (msg:"BLEEDING-EDGE
Behavioral Unusual Port 1433 traffic, Potential Scan or Infection"; 
threshold: type limit, track by_src, count 50 , seconds 60; sid:2001583;
rev:1;)

Any suggestions on other ports to watch in this manner?

50 connections in 1 minute, that reasonable to cut out falses but still
see an infection?

Matt


> -----Original Message-----
> From: snort-sigs-admin at lists.sourceforge.net 
> [mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of eltra1n
> Sent: Thursday, December 09, 2004 5:27 PM
> To: snort-sigs at lists.sourceforge.net
> Subject: [Snort-sigs] TCP sweeps
> 
> I had a user log on to my remote access VPN, the users machine was
> doing TCP-sweeps on port 445 and I think it may have been infected
> with MS Blaster. Does anyone have a suggestion on how I can detect
> this type of traffic with Snort. I am thinking of writing a sig that
> looks for port 445 traffic and setting a very high threshold, it would
> be nice to to re-invent the wheel though. Thanks in advance.
> 
> -- 
> Lawerence A. Wichman
> 2719 W Thomas Apt 2
> Chicago, Il 60622
> 773-807-7606
> 
> 
> -------------------------------------------------------
> SF email is sponsored by - The IT Product Guide
> Read honest & candid reviews on hundreds of IT Products from 
> real users.
> Discover which products truly live up to the hype. Start reading now. 
> http://productguide.itmanagersjournal.com/
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: winmail.dat
Type: application/ms-tnef
Size: 3442 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20041213/3868b887/attachment.bin>


More information about the Snort-sigs mailing list