[Snort-sigs] TCP sweeps
frank at ...1978...
Mon Dec 13 07:47:05 EST 2004
On Mon, 2004-12-13 at 09:04, Hazel, Scott A. wrote:
> We have dealt with similar issues here using Dragon. I know the platform is
> different but we applied the same approach. I called them spike alerts and
> started closer to 500 in 60 seconds.
An alternative approach would be to use a dark-net, or a dark-segment as
I like to call it. Take an unused IP range and monitor that with an IDS.
If the IDS isn't sitting on a gateway link to that net, use LaBrea to
attract packets for those IPs to the IDS. Then use the rules Michael
Boman re-posted recently to detect access to unused IP address space:
var UNUSED [x.x.x.x,y.y.y.y] # List your unused IPs here
# sid/rev added so each rule is uniquely identifiable; the sid values are
# placeholders from the local rule range (1000000 and up), pick your own.
alert tcp any any -> $UNUSED any (msg:"TCP Port Scan"; sid:1000001; rev:1;)
alert udp any any -> $UNUSED any (msg:"UDP Port Scan"; sid:1000002; rev:1;)
alert icmp any any -> $UNUSED any (msg:"ICMP Scan"; sid:1000003; rev:1;)
The advantage of this approach is that you can trigger on the first
packet (make sure you exclude broadcast/multicast packets as well as
DHCP/bootp discovery/response packets and stuff like that). Especially
if you react with systems like Snortsam, being able to do that on the
first packet is important.
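An added example, not part of Frank's message or the Snort rules he quotes: the dark-segment check with the broadcast/multicast/DHCP exclusions, written in Python over constructed packet records, next to the count-based spike detector Scott describes, so you can see when each one fires. The unused ranges (RFC 5737 documentation space), the packet fields and the sample traffic are assumptions made for this example.

```python
import ipaddress
from collections import defaultdict, deque

# Hypothetical stand-ins for $UNUSED: RFC 5737 documentation ranges, constructed for this example.
UNUSED = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("203.0.113.0/24")]
DHCP_PORTS = {67, 68}  # bootp/DHCP server and client ports

def is_excluded(pkt):
    """Noise the post says to filter out: broadcast, multicast and DHCP/bootp traffic."""
    dst = ipaddress.ip_address(pkt["dst"])
    if dst.is_multicast or str(dst) == "255.255.255.255":
        return True
    if any(dst == net.broadcast_address for net in UNUSED):
        return True
    return pkt["proto"] == "udp" and bool({pkt["sport"], pkt["dport"]} & DHCP_PORTS)

def darknet_alerts(packets):
    """Dark-segment rule: alert on the very first packet to unused address space."""
    alerts = []
    for pkt in packets:
        dst = ipaddress.ip_address(pkt["dst"])
        if any(dst in net for net in UNUSED) and not is_excluded(pkt):
            alerts.append((pkt["ts"], pkt["src"], pkt["dst"], pkt["proto"].upper() + " Scan"))
    return alerts

def spike_alerts(packets, threshold=500, window=60):
    """Count-based alternative from the thread: N packets from one source within `window` seconds."""
    recent, alerted = defaultdict(deque), set()
    for pkt in sorted(packets, key=lambda p: p["ts"]):
        q = recent[pkt["src"]]
        q.append(pkt["ts"])
        while pkt["ts"] - q[0] > window:  # drop timestamps that fell out of the sliding window
            q.popleft()
        if len(q) >= threshold:
            alerted.add(pkt["src"])
    return sorted(alerted)

def packet(ts, src, dst, proto, sport=0, dport=0):
    return {"ts": ts, "src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport}

# Constructed sample traffic: one probe into unused space plus typical LAN noise.
SAMPLE = [
    packet(0.0, "198.51.100.7", "192.0.2.10", "tcp", 40000, 22),  # scanner: should alert
    packet(1.0, "10.0.0.5", "255.255.255.255", "udp", 68, 67),    # DHCP discover: excluded
    packet(2.0, "10.0.0.1", "224.0.0.251", "udp", 5353, 5353),    # mDNS multicast: excluded
    packet(3.0, "10.0.0.9", "192.0.2.255", "icmp"),               # subnet broadcast: excluded
]
```

On SAMPLE the dark-segment check raises one TCP alert on the first probe, while the spike detector stays silent until a source has sent the full 500 packets inside its window.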