[Snort-sigs] deny default outbound (was Reverse shell)

Castle, Shane scastle at ...3555...
Mon Mar 25 12:44:25 EDT 2013

Yes, I've successfully blocked port 25/tcp and 53/(udp|tcp) outbound from any but established and known servers, and limited outbound HTTP for protected servers, but we've a long way to go yet.

Funny how some workstation suddenly using DNS or SMTP directly to the outside is such a red flag...;)

Shane Castle
Data Security Mgr, Boulder County IT

-----Original Message-----
From: bent at ...1429... [mailto:bent at ...1429...] On Behalf Of Bennett Todd
Sent: Monday, March 25, 2013 10:14
To: Castle, Shane
Cc: Jamie Riden; snort-sigs at lists.sourceforge.net; Aisling Brennan
Subject: Re: deny default outbound (was Reverse shell)

I've enjoyed some limited success by tying opened outbound protocols with hardened internal clients.

Few apps seem to legitimately need to do their own DNS, a dnscache as part of the firewall plant seems to go over well.

Not too many more need to do their own SMTP, a postfix or qmail seems to please.

HTTP is a dumping ground for wickedness, but if you can pick a web browser that doesn't have a lethally bad security record, and allow only it to pass directly, and route all others through a proxy, the complaints will highlight apps that are abusing the protocol to bypass security.

The folks I've met with legitimate need to ssh outbound seem to be more technically savvy, and a proxy-enabled ssh client plus tight logging seems to be an adequate compromise.

For other problems, like multimedia chatting, I offer a client installed on a server in the DMZ, with ssh or vnc access from the inside.
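The egress policy both messages describe (default deny outbound; DNS only from the firewall's resolver, SMTP only from the mail relay, direct HTTP only from a hardened browser host with everything else through a proxy) can be checked against connection logs to surface exactly the "workstation suddenly talking DNS or SMTP to the outside" red flag. The following is an added example and is not code from either poster; the addresses (10.0.0.0/8 as the internal range, 10.0.0.53 as the dnscache, 10.0.0.25 as the relay, 10.0.0.80 as the proxy, 10.1.1.10 as the hardened browser host) and the four-field log format are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Assumed network layout (constructed for this example).
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
DNS_CACHE = ipaddress.ip_address("10.0.0.53")       # resolver on the firewall plant
MAIL_RELAYS = {ipaddress.ip_address("10.0.0.25")}   # postfix/qmail relay
WEB_PROXY = ipaddress.ip_address("10.0.0.80")       # outbound HTTP proxy
BROWSER_HOSTS = {ipaddress.ip_address("10.1.1.10")} # hardened clients allowed direct HTTP(S)


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse a constructed log line of the form '<src> <dst> <proto> <dport>'."""
    src, dst, proto, dport = line.split()
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst), proto.lower(), int(dport))


def egress_verdict(flow: Flow) -> tuple[str, str]:
    """Apply the default-deny egress policy; returns (verdict, reason)."""
    if flow.src not in INTERNAL or flow.dst in INTERNAL:
        return ("allow", "not an internal-to-external flow")
    if flow.dport == 53 and flow.proto in ("udp", "tcp"):
        if flow.src == DNS_CACHE:
            return ("allow", "DNS from the firewall resolver")
        return ("deny", "direct outbound DNS from a non-resolver host")
    if flow.dport == 25 and flow.proto == "tcp":
        if flow.src in MAIL_RELAYS:
            return ("allow", "SMTP from the mail relay")
        return ("deny", "direct outbound SMTP from a non-relay host")
    if flow.dport in (80, 443) and flow.proto == "tcp":
        if flow.src == WEB_PROXY or flow.src in BROWSER_HOSTS:
            return ("allow", "HTTP(S) from the proxy or a hardened browser host")
        return ("deny", "direct HTTP(S) bypassing the proxy")
    return ("deny", "default deny outbound")


def triage(lines: list[str]) -> list[tuple[str, Flow, str]]:
    """Return (severity, flow, reason) for every denied flow.

    Direct DNS/SMTP from a workstation is the high-severity red flag the
    thread describes; other denials are reported as medium.
    """
    findings = []
    for line in lines:
        flow = parse_flow(line)
        verdict, reason = egress_verdict(flow)
        if verdict != "deny":
            continue
        severity = "high" if flow.dport in (25, 53) else "medium"
        findings.append((severity, flow, reason))
    return findings


def nft_ruleset() -> str:
    """Render the same policy as an nftables forward-chain ruleset (assumed layout)."""
    relays = ", ".join(str(r) for r in sorted(MAIL_RELAYS))
    browsers = ", ".join(str(b) for b in sorted(BROWSER_HOSTS | {WEB_PROXY}))
    return "\n".join([
        "table inet egress {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        f"    ip saddr {INTERNAL} ip daddr {INTERNAL} accept",
        f"    ip saddr {DNS_CACHE} meta l4proto {{ tcp, udp }} th dport 53 accept",
        f"    ip saddr {{ {relays} }} tcp dport 25 accept",
        f"    ip saddr {{ {browsers} }} tcp dport {{ 80, 443 }} accept",
        "    log prefix \"egress-deny: \" drop",
        "  }",
        "}",
    ])


# Constructed sample flows: one legitimate and one violating flow per protocol.
SAMPLE_LOG = [
    "10.0.0.53 198.51.100.1 udp 53",   # resolver doing DNS: allowed
    "10.2.3.4 198.51.100.1 udp 53",    # workstation doing DNS directly: red flag
    "10.0.0.25 203.0.113.5 tcp 25",    # relay sending mail: allowed
    "10.2.3.4 203.0.113.5 tcp 25",     # workstation sending mail directly: red flag
    "10.1.1.10 203.0.113.9 tcp 443",   # hardened browser host: allowed
    "10.0.0.80 203.0.113.9 tcp 443",   # proxy: allowed
    "10.2.3.4 203.0.113.9 tcp 80",     # workstation bypassing proxy: denied
    "10.2.3.4 203.0.113.7 tcp 22",     # unapproved outbound ssh: default deny
]

if __name__ == "__main__":
    for severity, flow, reason in triage(SAMPLE_LOG):
        print(f"[{severity}] {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}: {reason}")
    print(nft_ruleset())
```

The evaluator and the rendered ruleset encode the same decisions, so the triage output over firewall logs doubles as a check that the deployed rules match the intended policy; the `log ... drop` line in the generated ruleset is what produces the denied-flow records that `triage` would be run over.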
