[Snort-sigs] RE: Snort-sigs digest, Vol 1 #1648 - 3 msgs help

Oshry Romach oromach at ...3211...
Tue Mar 14 22:36:02 EST 2006


Hi, I'd like to unsubscribe...
Thanks.
-----Original Message-----
From: snort-sigs-admin at lists.sourceforge.net
[mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of
snort-sigs-request at lists.sourceforge.net
Sent: Wednesday, March 15, 2006 6:10 AM
To: snort-sigs at lists.sourceforge.net
Subject: Snort-sigs digest, Vol 1 #1648 - 3 msgs

Send Snort-sigs mailing list submissions to
	snort-sigs at lists.sourceforge.net

To subscribe or unsubscribe via the World Wide Web, visit
	https://lists.sourceforge.net/lists/listinfo/snort-sigs
or, via email, send a message with subject or body 'help' to
	snort-sigs-request at lists.sourceforge.net

You can reach the person managing the list at
	snort-sigs-admin at lists.sourceforge.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-sigs digest..."


Today's Topics:

   1. Re: Bleedingsnort.com Daily Update (Brian Caswell)
   2. Re: Bleedingsnort.com Daily Update (Matt Jonkman)
   3. Re: Alert rules (Lorine Ruotolo)

--__--__--

Message: 1
Cc: snort-sigs at lists.sourceforge.net
From: Brian Caswell <bmc at ...95...>
Subject: Re: [Snort-sigs] Bleedingsnort.com Daily Update
Date: Mon, 13 Mar 2006 23:51:41 -0500
To: bleeding at ...2727...

On Mar 5, 2006, at 8:00 PM, bleeding at ...2727... wrote:
>  2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source (bleeding-dshield.rules)
>  2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING (bleeding-dshield-BLOCK.rules)

So, I don't see much discussion about these rules.  Heck, I don't  
think I've seen any.  What is the point in these rules?

Snort can do many things, in fact, if I care to update a plugin I  
wrote many many many years ago, it can even make coffee... but why  
make Snort a firewall?  Wouldn't it be much faster to have the  
firewall do this work, not Snort?

Brian


--__--__--

Message: 2
Date: Tue, 14 Mar 2006 08:25:12 -0500
From: Matt Jonkman <mjonkman at ...2436...>
To: Brian Caswell <bmc at ...95...>
CC:  bleeding at ...2727...,  snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] Bleedingsnort.com Daily Update

Brian Caswell wrote:
> 
> So, I don't see much discussion about these rules.  Heck, I don't think
> I've seen any.  What is the point in these rules?

To drop inbound attacks from dshield listed hosts, and to detect
outbound traffic to them. (outbound has turned out to be more
interesting actually)

> 
> Snort can do many things, in fact, if I care to update a plugin I wrote
> many many many years ago, it can even make coffee... but why make Snort
> a firewall?  Wouldn't it be much faster to have the firewall do this
> work, not Snort?

Mostly because these update very often, hourly if you like. We already
have an automated way to push sigs to many places, we don't have an
automated way to push firewall rules to many devices on a daily/hourly
basis.

In our case, we don't review all firewall logs in realtime, and wouldn't
necessarily notice these log entries among the noise.

So it's a very easy way to get this pushed, and to easily see hits on it
through existing channels.

Matt

--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
my.infotex.com
www.offsitefilter.com
www.bleedingsnort.com
--------------------------------------------




:wq
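
Matt's point above is that the dshield list is distributed as signatures because the signature push channel already exists and hits surface through the same alert consoles. The following is an added example, not the bleedingsnort.com generator and not code posted anywhere in the thread, showing one way such rules are built: it parses a constructed sample in the tab-separated column layout the DShield block list is assumed to use (start, end, netmask, attacks, name, country, email), collapses the entries into a Snort IP list, and emits the inbound drop rule and the outbound alert rule Matt describes. The sid numbers, messages and addresses are invented, and the malformed last line of the sample shows that bad feed entries are skipped rather than turned into a broken rule.

```python
"""Build Snort rules from a DShield-style block list.

Added example: not the bleedingsnort.com generator and not code posted in
the thread. Assumptions: the feed is tab-separated with the columns
start, end, netmask, attacks, name, country, email (a constructed sample
is embedded below); sids, messages and addresses are invented.
"""
import ipaddress

# Constructed sample in the assumed block.txt column layout; the last line
# is deliberately malformed to show that bad entries never reach a rule.
SAMPLE_BLOCKLIST = """\
# DShield.org Recommended Block List (constructed sample)
# start\tend\tnetmask\tattacks\tname\tcountry\temail
192.0.2.0\t192.0.2.255\t24\t1234\tEXAMPLE-NET-1\tXX\tabuse@example.net
198.51.100.0\t198.51.100.255\t24\t987\tEXAMPLE-NET-2\tXX\tabuse@example.org
203.0.113.0\t203.0.113.255\t24\t55\tEXAMPLE-NET-3\tXX\tabuse@example.com
not an ip\tgarbage\tline
"""


def parse_blocklist(text):
    """Return the listed networks as ip_network objects, sorted and de-duplicated.
    Comment lines, short lines and unparsable addresses are skipped."""
    nets = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 3:
            continue
        try:
            # start address + netmask column -> network (strict=False masks host bits)
            nets.add(ipaddress.ip_network(f"{fields[0]}/{fields[2]}", strict=False))
        except ValueError:
            continue  # malformed entry: skip it rather than emit a broken rule
    return sorted(nets, key=lambda n: (n.version, int(n.network_address), n.prefixlen))


def snort_ip_list(nets):
    """Format networks as a Snort IP list: [192.0.2.0/24,198.51.100.0/24]."""
    return "[" + ",".join(str(n) for n in nets) + "]"


def build_rules(nets, inbound_sid, outbound_sid, rev=1):
    """Return (drop_rule, alert_rule): drop inbound traffic from listed hosts
    (inline mode) and alert on outbound traffic to them, as the thread describes."""
    iplist = snort_ip_list(nets)
    drop = (f"drop ip {iplist} any -> $HOME_NET any "
            f'(msg:"EXAMPLE DROP Dshield Block Listed Source"; '
            f"classtype:misc-attack; sid:{inbound_sid}; rev:{rev};)")
    alert = (f"alert ip $HOME_NET any -> {iplist} any "
             f'(msg:"EXAMPLE Outbound to Dshield Block Listed Host"; '
             f"classtype:misc-attack; sid:{outbound_sid}; rev:{rev};)")
    return drop, alert


if __name__ == "__main__":
    for rule in build_rules(parse_blocklist(SAMPLE_BLOCKLIST), 9000001, 9000002):
        print(rule)
```

Regenerating the two rules with a fixed sid and a bumped rev on every feed refresh is what lets the existing signature update mechanism carry the list, while the outbound alert rule keeps the list useful even on sensors that are not running inline.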


--__--__--

Message: 3
From: "Lorine Ruotolo" <lori.ruotolo at ...12...>
To: sornatale at ...12...
Cc: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] Alert rules
Date: Tue, 14 Mar 2006 10:41:30 -0600

By CREATE a connection, are you referring to a SYN packet? (The first
packet in a TCP handshake)

I think you may wish to look up the "flags" option in rule writing.
flags: S;




>From: Jason <security at ...704...>
>To: FRANK SORNATALE <sornatale at ...12...>
>CC: snort-sigs at lists.sourceforge.net
>Subject: Re: [Snort-sigs] Alert rules
>Date: Mon, 13 Mar 2006 12:24:16 -0500
>
>Hi Frank,
>
>As always the devil is in the details. I've put some questions inline to
>hopefully help you along the way.
>
>FRANK SORNATALE wrote:
> > I worked on these rules and I was wondering if you could let me know
> > what I could be missing.
> >
> > 3. Create an alert for any outgoing packets that list the CUPS protocol.
> >
> > Alert tcp any any -> any 514 (msg:"someone is printing"; classtype:
> > bad_unknown; sid: 20099997; rev:1;)
>
>This detects traffic ( tcp ) to port 514. Not sure syslog has anything
>to do with CUPS. Does CUPS use tcp? Does it use 514? Is CUPS even its
>own thing? Do you need to identify the protocol as the task suggests?
>
> >
> > 4. Create an alert for any packet that attempts to CREATE an ssh
> > connection.
> >
> > Alert tcp any any -> any 22 (msg:"someone using ssh";
> > classtype:bad_unkown; sid: 20099996; rev:1;)
>
>This will detect connects to port 22 but that does not mean there is an
>attempt to create an SSH session. How specific should these rules be to
>the stated task?
>
> >
> > 5. Create an alert for any packet whose contents contain the word "bard"
> > (not case sensitive).
> >
> > Alert tcp any any -> $HOME_NET any (msg:"Someone used the word bard in
> > an email or other communications"; content: "bard"; nocase;
> > flow:from_server,established; classtype:bad_unknown; sid:20099995;
> > rev:1;)
>
>This will attack bard in tcp traffic headed to any system in HOME_NET.
>Is that any packet? Can bard exist in UDP? Can bard exist without
>creating a three way handshake?
>
> >
> > 6. Create an alert for any incoming packets on port 53 whose contents
> > contains 'ucf.edu'.
> >
> > alert tcp any 53 -> $HOME_NET (msg:"Someone using ucf.edu";
> > content:"ucf.edu" flow:from_server,established; sid:20099995; rev:1;
>
>This rule would catch packets _sourced_ from port 53. Shouldn't that be
>destination port 53? Can ucf.edu exist in non tcp traffic?
>
>You are making progress. Keep it up.
>
>
> >
> >
> >> From: Hugo van der Kooij <hvdkooij at ...481...>
> >> Reply-To: snort-sigs mailinglist <snort-sigs at lists.sourceforge.net>
> >> To: snort-sigs mailinglist <snort-sigs at lists.sourceforge.net>
> >> Subject: Re: [Snort-sigs] Alert rules
> >> Date: Sun, 12 Mar 2006 21:24:47 +0100 (CET)
> >>
> >> On Fri, 10 Mar 2006, Brian Caswell wrote:
> >>
> >> > Please do not write these rules for Frank.  Frank is trying to get
> >> > you to do his homework for him.  When he asked me for help earlier, I
> >> > pointed him at the manual.  He needs to learn, not cheat.
> >>
> >> Somehow the neat list of 10 did trigger some bells. Then there were some
> >> rules that did not make any sense for a real life network to finish it
> >> off.
> >>
> >> Hugo.
> >>
> >> --
> >>     I hate duplicates. Just reply to the relevant mailinglist.
> >>     hvdkooij at ...481...        http://hvdkooij.xs4all.nl/
> >>         Don't meddle in the affairs of magicians,
> >>         for they are subtle and quick to anger.
> >>
> >>
> >> -------------------------------------------------------
> >> This SF.Net email is sponsored by xPML, a groundbreaking scripting language
> >> that extends applications into web and mobile media. Attend the live webcast
> >> and join the prime developer group breaking into this new coding territory!
> >> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
> >> _______________________________________________
> >> Snort-sigs mailing list
> >> Snort-sigs at lists.sourceforge.net
> >> https://lists.sourceforge.net/lists/listinfo/snort-sigs

_________________________________________________________________
FREE pop-up blocking with the new MSN Toolbar - get it now! 
http://toolbar.msn.click-url.com/go/onm00200415ave/direct/01/
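
Jason's review above is mostly about rule mechanics: the header shape, an option that is not closed with a semicolon, an uppercase action, a misspelled classtype, and the flags option Lorine points at. The following structural linter is an added example, not Snort's own rule parser and not code from anyone in the thread; it runs those mechanical checks over rule text and reports what it finds. The action, protocol and classtype sets are an assumed subset of Snort's built-in values, and the sample rules are two of the rules quoted in the thread exactly as posted plus one constructed rule (invented sid and message) that passes.

```python
"""Structural linter for Snort rule text.

Added example: not Snort's rule parser and not code posted in the thread.
ACTIONS, PROTOCOLS and CLASSTYPES are an assumed subset of Snort's
built-in values; RULE_SSH and RULE_DNS are quoted from the thread,
RULE_OK is constructed (invented sid and message).
"""
import re

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
CLASSTYPES = {"bad-unknown", "misc-attack", "attempted-recon", "policy-violation"}
FLAG_CHARS = set("FSRPAUCE012+*!")  # TCP flag letters and modifiers Snort accepts
HEADER_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)$")
QUOTED_RE = re.compile(r'^!?\s*"(?:[^"\\]|\\.)*"$')  # one quoted string, optional '!'


def split_options(body):
    """Split 'key:value; key; ...' into [(key, value)], ignoring ';' inside
    quotes. Returns (options, leftover); a non-empty leftover is text after
    the last ';', i.e. an option that was never terminated."""
    opts, cur, quoted, i = [], "", False, 0
    while i < len(body):
        ch = body[i]
        if quoted and ch == "\\" and i + 1 < len(body):  # keep escaped char as-is
            cur += body[i:i + 2]
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            key, _, value = cur.strip().partition(":")
            opts.append((key.strip(), value.strip()))
            cur = ""
        else:
            cur += ch
        i += 1
    return opts, cur.strip()


def lint_rule(rule):
    """Return a list of findings for one rule; an empty list means it passed."""
    findings = []
    head, paren, body = rule.strip().partition("(")
    if not paren:
        return ["no '(' found: rule options must be enclosed in ( ... )"]
    body = body.rstrip()
    if body.endswith(")"):
        body = body[:-1]
    else:
        findings.append("missing closing ')' after the options")
    hm = HEADER_RE.match(head.strip())
    if not hm:
        findings.append("header must be 'action proto src sport -> dst dport' "
                        f"(got {len(head.split())} tokens)")
    else:
        action, proto = hm.group(1), hm.group(2)
        if action not in ACTIONS:
            findings.append(f"unknown action {action!r} (actions are lowercase)")
        if proto not in PROTOCOLS:
            findings.append(f"unknown protocol {proto!r}")
    opts, leftover = split_options(body)
    if leftover:
        findings.append(f"option not terminated with ';': {leftover!r}")
    keys = [k for k, _ in opts]
    for required in ("msg", "sid"):
        if required not in keys:
            findings.append(f"missing required option {required!r}")
    for key, value in opts:
        if key == "content" and not QUOTED_RE.match(value):
            findings.append("content value must be a single quoted string, got "
                            f"{value!r} (missing ';' before the next option?)")
        elif key == "classtype" and value not in CLASSTYPES:
            findings.append(f"unknown classtype {value!r}")
        elif key == "sid" and not value.isdigit():
            findings.append(f"sid must be numeric, got {value!r}")
        elif key == "flags" and not set(value.split(",")[0]) <= FLAG_CHARS:
            findings.append(f"flags value {value!r} contains letters Snort does not define")
    return findings


# Two rules quoted from the thread as posted, and one constructed clean rule.
RULE_SSH = ('Alert tcp any any -> any 22 (msg:"someone using ssh"; '
            'classtype:bad_unkown; sid: 20099996; rev:1;)')
RULE_DNS = ('alert tcp any 53 -> $HOME_NET (msg:"Someone using ucf.edu"; '
            'content:"ucf.edu" flow:from_server,established; sid:20099995; rev:1;')
RULE_OK = ('alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"EXAMPLE POLICY IRC '
           'connection attempt"; flags:S; classtype:policy-violation; sid:9000003; rev:1;)')

if __name__ == "__main__":
    for name, rule in (("ssh", RULE_SSH), ("dns", RULE_DNS), ("ok", RULE_OK)):
        print(name, lint_rule(rule) or ["clean"])
```

The linter only answers the syntactic half of Jason's questions; whether port 53 belongs in the source or destination slot, or whether the protocol should be tcp at all, is a matter of intent that no parser can settle, which is why those questions are put back to the rule's author.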




--__--__--

_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs


End of Snort-sigs Digest