[Snort-sigs] crappy rule for icmp floods

James Riden j.riden at ...1766...
Fri May 7 20:18:13 EDT 2004


"Lazar, Sean" <Sean_Lazar at ...2413...> writes:

>    This rule is somewhat crappy but it does detect some of the network
>    scanning viruses like sasser. Is there a way to use thresholding in a
>    rule and also have it try to match other rules as well? Or does that
>    go against snort philosophy...
>    alert icmp any any -> any any (msg:"20 ICMP in 1 second!!!";threshold:
>    type both , track by_src, count 20 , seconds 1;)

Sasser.D may have an ICMP payload to check for; I haven't seen it here
yet.  There's a good Welchia sig which works as you suggest, but there
was some payload to match as well.

When one of our named processes on a DNS server falls over, it tends to
generate >100 ICMP port unreachables per second, so you may get some
false positives if you just go by rate.

I find the best way to check for Sasser, Welchia, Blaster etc. is to
pipe 10-minute segments of portscan.log through a perl script a little
like this - e.g. for Blaster swap '135' for '445'. I mean, the
portscan preprocessor has done most of the hard work for you.

#!/usr/local/bin/perl
use strict;
use warnings;

my %att;        # attempts to the target port, per source IP
my %reported;   # sources already flagged, so each IP is reported once

while (my $line = <STDIN>) {
    chomp $line;
    next if $line =~ /^\s*$/;

    # needed because of "May  3" instead of "May 03" in portscan.log
    $line =~ s/  / /g;

    my ($mnth, $dt, $time, $src, $ar, $dst, $etc) = split(m/ /, $line);
    next unless defined $dst;          # not a "src:port -> dst:port" record

    my ($ip, $port)   = split(m/:/, $src);
    my ($dstip, $dstp) = split(m/:/, $dst);
    next unless defined $dstp && $dstp =~ /^\d+$/;

    if ($dstp == 445)                  # swap '135' for '445' for Blaster
    {
        $att{$ip}++;

        if ($att{$ip} > 100 && !$reported{$ip}++) {
          print "Suspected Sasser at $ip\n";
        }
    }
}

cheers,
 Jamie
-- 
James Riden / j.riden at ...1766... / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
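The same portscan.log post-processing idea, as an added example that is not part of the original post and is written in Python rather than the Perl above. It assumes the old spp_portscan line format ("Mon DD HH:MM:SS src:sport -> dst:dport flags"), uses constructed sample lines rather than real traffic, and counts distinct destination hosts per source instead of raw attempts, which is what separates a worm sweeping a subnet from one noisy client retrying a single server.

```python
import re
from collections import defaultdict

# Constructed sample lines in spp_portscan's log format (not real traffic).
# 192.0.2.10 sweeps three hosts on 445; 192.0.2.77 retries one host three times.
SAMPLE_LOG = """\
May  3 10:00:01 192.0.2.10:1042 -> 198.51.100.1:445 SYN ******S*
May  3 10:00:01 192.0.2.10:1043 -> 198.51.100.2:445 SYN ******S*
May  3 10:00:02 192.0.2.10:1044 -> 198.51.100.3:445 SYN ******S*
May  3 10:00:02 192.0.2.77:3001 -> 198.51.100.9:445 SYN ******S*
May  3 10:00:02 192.0.2.77:3002 -> 198.51.100.9:445 SYN ******S*
May  3 10:00:03 192.0.2.77:3003 -> 198.51.100.9:445 SYN ******S*
May  3 10:00:03 192.0.2.10:1045 -> 198.51.100.4:80 SYN ******S*
"""

# \s+ absorbs the double space in "May  3", so no pre-substitution is needed.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_line(line):
    """Return a dict of fields for a scan record, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def suspected_scanners(log_text, port, min_hosts):
    """Map source IP -> number of distinct destination hosts it touched on
    `port`, keeping only sources that reached at least `min_hosts` hosts.
    Use port 445 for Sasser-style sweeps, 135 for Blaster."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] != port:
            continue
        targets[rec["src"]].add(rec["dst"])
    return {src: len(hosts) for src, hosts in targets.items()
            if len(hosts) >= min_hosts}


if __name__ == "__main__":
    for src, n in suspected_scanners(SAMPLE_LOG, 445, 3).items():
        print(f"Suspected Sasser at {src} ({n} distinct hosts on 445)")
```

Feed a real 10-minute slice of portscan.log through it with `suspected_scanners(open("portscan.log").read(), 445, 100)` to reproduce the threshold used in the Perl version.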