[Snort-sigs] TCP sweeps

Hazel, Scott A. Scott.Hazel at ...2928...
Mon Dec 13 07:06:02 EST 2004


We have dealt with similar issues here using Dragon.  I know the platform is
different but we applied the same approach. I called them spike alerts and
started closer to 500 in 60 seconds.  For segments containing MS DC's,
setting it as low as 50 still gave us a high FP rate.  Seems like non-DC
segments would be fine at 50/min. 

Scott Hazel
Security Operations Center
Unisys
scott.hazel at ...2928...


-----Original Message-----
From: snort-sigs-admin at lists.sourceforge.net
[mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of Matt Jonkman
Sent: Monday, December 13, 2004 9:51 AM
To: 'eltra1n'; snort-sigs at lists.sourceforge.net
Subject: RE: [Snort-sigs] TCP sweeps

We just recently had a similar discussion on the Bleedingsnort site.

http://www.bleedingsnort.com/forum/viewtopic.php?forum=3&showtopic=363


We decided in local testing these rules would be of significant value, but
they're not something we can have turned on in a default ruleset. It would
have to be left to each local admin to make the decision which rules are
good for their net, and more specifically what sensors they'd be able to run
which on.

I will make us the rules for this, but they'll be disabled by default in the
bleeding rules. You'll have to specifically decide locally where they should
go. I'll have this posted in just a few minutes. The rules going up are:

alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"BLEEDING-EDGE Behavioral
Unusual Port 445 traffic, Potential Scan or Infection";
threshold: type limit, track by_src, count 50 , seconds 60; sid:2001569;
rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 139 (msg:"BLEEDING-EDGE Behavioral
Unusual Port 139 traffic, Potential Scan or Infection";
threshold: type limit, track by_src, count 50 , seconds 60; sid:2001579;
rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 137 (msg:"BLEEDING-EDGE Behavioral
Unusual Port 137 traffic, Potential Scan or Infection";
threshold: type limit, track by_src, count 50 , seconds 60; sid:2001580;
rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 135 (msg:"BLEEDING-EDGE Behavioral
Unusual Port 135 traffic, Potential Scan or Infection";
threshold: type limit, track by_src, count 50 , seconds 60; sid:2001581;
rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1434 (msg:"BLEEDING-EDGE Behavioral
Unusual Port 1434 traffic, Potential Scan or Infection";
threshold: type limit, track by_src, count 50 , seconds 60; sid:2001582;
rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1433 (msg:"BLEEDING-EDGE Behavioral
Unusual Port 1433 traffic, Potential Scan or Infection";
threshold: type limit, track by_src, count 50 , seconds 60; sid:2001583;
rev:1;)

Any suggestions on other ports to watch in this manner?

50 connections in 1 minute, that reasonable to cut out falses but still see
an infection?

Matt


> -----Original Message-----
> From: snort-sigs-admin at lists.sourceforge.net
> [mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of eltra1n
> Sent: Thursday, December 09, 2004 5:27 PM
> To: snort-sigs at lists.sourceforge.net
> Subject: [Snort-sigs] TCP sweeps
> 
> I had a user log on to my remote access VPN, the users machine was 
> doing TCP-sweeps on port 445 and I think it may have been infected 
> with MS Blaster. Does anyone have a suggestion on how I can detect 
> this type of traffic with Snort. I am thinking of writing a sig that 
> looks for port 445 traffic and setting a very high threshold, it would 
> be nice to to re-invent the wheel though. Thanks in advance.
> 
> --
> Lawerence A. Wichman
> 2719 W Thomas Apt 2
> Chicago, Il 60622
> 773-807-7606
> 
> 
> -------------------------------------------------------
> SF email is sponsored by - The IT Product Guide Read honest & candid 
> reviews on hundreds of IT Products from real users.
> Discover which products truly live up to the hype. Start reading now. 
> http://productguide.itmanagersjournal.com/
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 6457 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20041213/a3809fae/attachment.bin>


More information about the Snort-sigs mailing list