[Snort-sigs] Effective rule for bots

Matt Jonkman matt at ...2436...
Tue Apr 19 10:16:05 EDT 2005


We've got some similar up on bleeding snort in the scan category:

alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"BLEEDING-EDGE Behavioral Unusual Port 445 traffic, Potential Scan or Infection"; flags:S,12; threshold: type both, track by_src, count 200, seconds 60; classtype:misc-activity; sid:2001569; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 139 (msg:"BLEEDING-EDGE Behavioral Unusual Port 139 traffic, Potential Scan or Infection"; flags:S,12; threshold: type both, track by_src, count 200, seconds 60; classtype:misc-activity; sid:2001579; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 137 (msg:"BLEEDING-EDGE Behavioral Unusual Port 137 traffic, Potential Scan or Infection"; flags:S,12; threshold: type both, track by_src, count 200, seconds 60; classtype:misc-activity; sid:2001580; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 135 (msg:"BLEEDING-EDGE Behavioral Unusual Port 135 traffic, Potential Scan or Infection"; flags:S,12; threshold: type both, track by_src, count 200, seconds 60; classtype:misc-activity; sid:2001581; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1434 (msg:"BLEEDING-EDGE Behavioral Unusual Port 1434 traffic, Potential Scan or Infection"; flags:S,12; threshold: type both, track by_src, count 200, seconds 60; classtype:misc-activity; sid:2001582; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1433 (msg:"BLEEDING-EDGE Behavioral Unusual Port 1433 traffic, Potential Scan or Infection"; flags:S,12; threshold: type both, track by_src, count 200, seconds 60; classtype:misc-activity; sid:2001583; rev:8;)

We're going 200 in 60 seconds, which has proven not to false. Is your 
decision to go 500 based on some falses you had at a lower threshold?

Matt

Paul Schmehl wrote:
> I've been using this rule for a few weeks and it's working quite well to 
> catch boxes infected with SDBot and other backdoors.  Thought I'd share it.
> 
> alert tcp $HOME_NET any -> any 445 (msg:"ALERT!!! Excessive Port 445 traffic!!!"; flags:S; threshold: type both, track by_src, count 500, seconds 60; classtype:trojan-activity; sid:10000006; rev:2;)
> 
> Paul Schmehl (pauls at ...1311...)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu
> 
> 

-- 
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
my.infotex.com
www.offsitefilter.com
www.bleedingsnort.com
--------------------------------------------
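Both rules in this thread rely on the same mechanism: count SYNs per source to one port and alert once per 60-second window when the count is reached, the only difference being 200 versus 500. The following is an added example (not code from this thread, Bleeding Snort, or Snort itself) that simulates that `threshold: type both, track by_src` logic over constructed SYN records, so the two counts can be compared on the same traffic. The window semantics are an approximation of Snort's thresholding (reset the per-source window after `seconds`, alert on the `count`-th event, stay silent until the window expires); the hosts, timestamps and flag strings are constructed sample data.

```python
"""Simulate Snort's ``threshold: type both, track by_src`` on SYN events.

Added example, not Snort's own implementation: the window handling below is
an assumption about ``type both`` semantics (one alert per ``seconds``-long
window once ``count`` events from the same source have been seen).
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class _SrcState:
    window_start: float = -1.0   # -1 means no window open yet
    count: int = 0
    alerted: bool = False


class ThresholdBoth:
    """``type both, track by_src, count N, seconds S`` approximation."""

    def __init__(self, count: int, seconds: int):
        self.count_limit = count
        self.seconds = seconds
        self._state: Dict[str, _SrcState] = defaultdict(_SrcState)

    def observe(self, src: str, ts: float) -> bool:
        """Feed one matching event; return True when an alert should fire."""
        st = self._state[src]
        # Open a fresh window on the first event or once the old one expired.
        if st.window_start < 0 or ts - st.window_start >= self.seconds:
            st.window_start, st.count, st.alerted = ts, 0, False
        st.count += 1
        if st.count >= self.count_limit and not st.alerted:
            st.alerted = True            # silent for the rest of this window
            return True
        return False


def constructed_events() -> List[Tuple[float, str, int, str]]:
    """Constructed sample traffic: (timestamp, src, dst_port, tcp_flags)."""
    events = []
    # Noisy host (constructed): 500 SYNs to 445 spread over 100 seconds.
    for i in range(500):
        events.append((i / 5, "10.0.0.7", 445, "S"))
    # Ordinary client (constructed): 40 SYNs to 445 in one minute.
    for i in range(40):
        events.append((i * 1.5, "10.0.0.20", 445, "S"))
    # Established sessions (constructed): ACK-only segments, not SYNs.
    for i in range(500):
        events.append((i / 10, "10.0.0.30", 445, "A"))
    events.sort(key=lambda e: e[0])
    return events


def run_rule(events, count: int, seconds: int, port: int = 445) -> Dict[str, int]:
    """Alerts per source for a rule shaped like
    ``alert tcp $HOME_NET any -> $EXTERNAL_NET <port> (flags:S; threshold:
    type both, track by_src, count <count>, seconds <seconds>;)``.
    Only SYN-only segments to <port> are counted, mirroring ``flags:S``."""
    thr = ThresholdBoth(count, seconds)
    alerts: Dict[str, int] = defaultdict(int)
    for ts, src, dport, flags in events:
        if dport != port or flags != "S":
            continue
        if thr.observe(src, ts):
            alerts[src] += 1
    return dict(alerts)


if __name__ == "__main__":
    ev = constructed_events()
    for limit in (200, 500):
        print(f"count {limit}, seconds 60 ->", run_rule(ev, limit, 60))
```

On this constructed traffic the 200-in-60 rule fires twice for 10.0.0.7 (once per window, since `type both` re-arms when the window expires) and never for the ordinary client, while the 500-in-60 rule stays silent for every host: the noisy host peaks at 300 SYNs per window. That is the trade-off the thread is discussing, and replaying real SYN records from your own segment through `run_rule` with both counts is a quick way to see which threshold fits before changing the deployed rule.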

