[Snort-sigs] TCP sweeps

Frank Knobbe frank at ...1978...
Mon Dec 13 07:47:05 EST 2004

On Mon, 2004-12-13 at 09:04, Hazel, Scott A. wrote:
> We have dealt with similar issues here using Dragon.  I know the platform is
> different but we applied the same approach. I called them spike alerts and
> started closer to 500 in 60 seconds. 

An alternative approach would be to use a dark-net, or a dark-segment as
I like to call it. Take an unused IP range and monitor that with an IDS.
If the IDS isn't sitting on a gateway link to that net, use LaBrea to
attract packets for those IPs to the IDS. Then use the rules Michael
Boman re-posted recently to detect access to unused IP address space:

var UNUSED [x.x.x.x,y.y.y.y]  # List your unused IPs here
alert tcp any any -> $UNUSED any (msg:"TCP Port Scan";)
alert udp any any -> $UNUSED any (msg:"UDP Port Scan";)
alert icmp any any -> $UNUSED any (msg:"ICMP Scan";)

The advantage of this approach is that you can trigger on the first
packet (make sure you exclude broadcast/multicast packets as well as
DHCP/bootp discovery/response packets and stuff like that). Especially
if you react with systems like Snortsam, being able to do that on the
first packet is important.


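The detection logic the post describes, as an added example that is not Frank Knobbe's code or part of the original thread: it models the three Snort rules above together with the broadcast/multicast/DHCP exclusions the post recommends, and runs them over a constructed packet log to show which sources would be flagged on their first packet. Assumptions: the unused ranges are 192.0.2.0/24 and 198.51.100.0/24 (RFC 5737 documentation space standing in for x.x.x.x,y.y.y.y), packets are (proto, src, sport, dst, dport) tuples, and the sample packets are made up.

```python
"""Dark-segment first-packet detector (added example, not the post's own code).

Mirrors the three Snort rules from the post (alert on any tcp/udp/icmp packet
to $UNUSED) and adds the exclusions the post calls for: limited and directed
broadcast, multicast, and DHCP/bootp traffic.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Hypothetical unused ranges, standing in for x.x.x.x,y.y.y.y in the post.
UNUSED = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]
MULTICAST = ipaddress.ip_network("224.0.0.0/4")
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")
DHCP_PORTS = {67, 68}  # bootp server / client

# Same messages as the three Snort rules in the post.
MSG_BY_PROTO = {"tcp": "TCP Port Scan", "udp": "UDP Port Scan", "icmp": "ICMP Scan"}

Packet = Tuple[str, str, int, str, int]  # (proto, src, sport, dst, dport)


def is_excluded(proto: str, sport: int, dst: ipaddress.IPv4Address, dport: int) -> bool:
    """Traffic that legitimately hits unused space and must not raise an alert."""
    if dst == LIMITED_BROADCAST or dst in MULTICAST:
        return True
    # Directed broadcast of any monitored range (e.g. 192.0.2.255).
    if any(dst == net.broadcast_address for net in UNUSED):
        return True
    # DHCP/bootp discovery and responses travel on udp/67 and udp/68.
    if proto == "udp" and (sport in DHCP_PORTS or dport in DHCP_PORTS):
        return True
    return False


def classify(pkt: Packet) -> Optional[str]:
    """Return the alert message for one packet, or None if it should not fire."""
    proto, _src, sport, dst, dport = pkt
    d = ipaddress.ip_address(dst)
    if is_excluded(proto, sport, d, dport):
        return None
    if not any(d in net for net in UNUSED):
        return None  # destination is in use, not our business here
    return MSG_BY_PROTO.get(proto)


def run(packets: List[Packet]) -> Tuple[List[Tuple[int, str, str]], Dict[str, int]]:
    """Evaluate a packet log.

    Returns every alert as (packet index, src, msg) and, separately, the index of
    the FIRST alerting packet per source: that is the packet an active response
    system such as Snortsam would act on, so it is the one that matters.
    """
    alerts: List[Tuple[int, str, str]] = []
    first_hit: Dict[str, int] = {}
    for i, pkt in enumerate(packets):
        msg = classify(pkt)
        if msg is None:
            continue
        alerts.append((i, pkt[1], msg))
        first_hit.setdefault(pkt[1], i)
    return alerts, first_hit


# Constructed sample traffic: a DHCP exchange, multicast, broadcast and a few
# probes against the unused ranges. None of this is captured data.
SAMPLE_PACKETS: List[Packet] = [
    ("udp", "0.0.0.0", 68, "255.255.255.255", 67),      # DHCP discover, excluded
    ("udp", "192.0.2.1", 67, "255.255.255.255", 68),    # DHCP offer, excluded
    ("icmp", "10.0.0.5", 0, "224.0.0.1", 0),            # multicast, excluded
    ("tcp", "10.0.0.5", 43211, "192.0.2.10", 445),      # first probe from 10.0.0.5
    ("tcp", "10.0.0.5", 43212, "192.0.2.11", 445),      # second probe, same source
    ("udp", "10.0.0.7", 5000, "198.51.100.3", 161),     # UDP probe from 10.0.0.7
    ("icmp", "10.0.0.7", 0, "192.0.2.255", 0),          # directed broadcast, excluded
    ("tcp", "10.0.0.9", 1234, "10.0.0.1", 80),          # destination in use, ignored
    ("icmp", "172.16.0.2", 0, "192.0.2.77", 0),         # ICMP sweep from 172.16.0.2
]

if __name__ == "__main__":
    alerts, first_hit = run(SAMPLE_PACKETS)
    for idx, src, msg in alerts:
        print(f"pkt {idx}: {msg} from {src}")
    print("first packet per source:", first_hit)
```

The exclusion list is the part to keep an eye on: a directed broadcast to a monitored range or a DHCP offer bouncing off the segment looks exactly like a probe to the bare rules, and with an active response behind the sensor a false positive on the first packet blocks a legitimate host.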