[Snort-sigs] TCP sweeps

Matt Jonkman mjonkman at ...2436...
Tue Dec 14 05:58:01 EST 2004


We just recently had a similar discussion on the Bleedingsnort site.

http://www.bleedingsnort.com/forum/viewtopic.php?forum=3&showtopic=363 


We decided in local testing these rules would be of significant value, but
they're not something we can have turned on in a default ruleset. It would
have to be left to each local admin to make the decision which rules are
good for their net, and more specifically what sensors they'd be able to run
which on.

I will make us the rules for this, but they'll be disabled by default in the
bleeding rules. You'll have to specifically decide locally where they should
go. I'll have this posted in just a few minutes. The rules going up are:

alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"BLEEDING-EDGE Behavioral
Unusual Port 445 traffic, Potential Scan or Infection"; thresho
ld: type limit, track by_src, count 50 , seconds 60; sid:2001569; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 139 (msg:"BLEEDING-EDGE Behavioral
Unusual Port 139 traffic, Potential Scan or Infection"; thresho
ld: type limit, track by_src, count 50 , seconds 60; sid:2001579; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 137 (msg:"BLEEDING-EDGE Behavioral
Unusual Port 137 traffic, Potential Scan or Infection"; thresho
ld: type limit, track by_src, count 50 , seconds 60; sid:2001580; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 135 (msg:"BLEEDING-EDGE Behavioral
Unusual Port 135 traffic, Potential Scan or Infection"; thresho
ld: type limit, track by_src, count 50 , seconds 60; sid:2001581; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1434 (msg:"BLEEDING-EDGE Behavioral
Unusual Port 1434 traffic, Potential Scan or Infection"; thres
hold: type limit, track by_src, count 50 , seconds 60; sid:2001582; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1433 (msg:"BLEEDING-EDGE Behavioral
Unusual Port 1433 traffic, Potential Scan or Infection"; thres
hold: type limit, track by_src, count 50 , seconds 60; sid:2001583; rev:1;)

Any suggestions on other ports to watch in this manner?

50 connections in 1 minute, that reasonable to cut out falses but still see
an infection?

Matt


> -----Original Message-----
> From: snort-sigs-admin at lists.sourceforge.net 
> [mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of eltra1n
> Sent: Thursday, December 09, 2004 5:27 PM
> To: snort-sigs at lists.sourceforge.net
> Subject: [Snort-sigs] TCP sweeps
> 
> I had a user log on to my remote access VPN, the users machine was
> doing TCP-sweeps on port 445 and I think it may have been infected
> with MS Blaster. Does anyone have a suggestion on how I can detect
> this type of traffic with Snort. I am thinking of writing a sig that
> looks for port 445 traffic and setting a very high threshold, it would
> be nice to to re-invent the wheel though. Thanks in advance.
> 
> -- 
> Lawerence A. Wichman
> 2719 W Thomas Apt 2
> Chicago, Il 60622
> 773-807-7606
> 
> 
> -------------------------------------------------------
> SF email is sponsored by - The IT Product Guide
> Read honest & candid reviews on hundreds of IT Products from 
> real users.
> Discover which products truly live up to the hype. Start reading now. 
> http://productguide.itmanagersjournal.com/
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> 





More information about the Snort-sigs mailing list