[Snort-sigs] Rule to match all non-HTTP traffic

Stephen Teti steti at ...3862...
Mon Nov 18 08:51:29 EST 2013


Hello,

I'm having some trouble figuring out how to write two separate rules - one to match HTTP or HTTPS traffic (based solely on source port number) and another rule to match everything else.  The purpose of these rules is to act as a very simple warning of a possible DoS attack, based only on the number of packets per second directed at a particular IP address.  I initially had a single rule that would fire an alert if it observed more than 50,000 packets over 5 seconds directed to a single IP address:

alert ip !$HOME_NET -> $HOME_NET any (msg:"PossibleDoS"; flow: stateless; detection_filter: track by_dst, count 50000, seconds 5; sid:1000001;rev:1;)
event_filter gen_id 1, sig_id 1000001, type limit, track by_dst, count 1, seconds 60

This worked well for my purposes, but requirements have changed and I need to have different limits for HTTP traffic vs other traffic.  My rule config now looks like this (/etc/snort/rules/local.rules):

# TCP, not HTTP or HTTPS
alert tcp !$HOME_NET [!80,!443] -> $HOME_NET any (msg:"PossibleTcpDoS"; flow: stateless; detection_filter: track by_dst, count 50000, seconds 5; sid:1000001;rev:1;)
event_filter gen_id 1, sig_id 1000001, type limit, track by_dst, count 1, seconds 60

# HTTP or HTTPS
alert tcp !$HOME_NET [80,443] -> $HOME_NET any (msg:"PossibleHttpDoS"; flow: stateless; detection_filter: track by_dst, count 100000, seconds 5; sid:1000002;rev:1;)
event_filter gen_id 1, sig_id 1000002, type limit, track by_dst, count 1, seconds 60

# UDP
alert udp !$HOME_NET any -> $HOME_NET any (msg:"PossibleUdpDoS"; detection_filter: track by_dst, count 50000, seconds 5; sid:1000003;rev:1;)
event_filter gen_id 1, sig_id 1000003, type limit, track by_dst, count 1, seconds 60

# Other IP
alert ip !$HOME_NET [!80,!443] -> $HOME_NET any (msg:"PossibleIpDoS"; flow: stateless; detection_filter: track by_dst, count 50000, seconds 5; sid:1000004;rev:1;)
event_filter gen_id 1, sig_id 1000004, type limit, track by_dst, count 1, seconds 60

This doesn't seem to do what I'm intending though - I received an alert this morning for the "PossibleIpDoS" rule that was triggered by HTTP traffic.  It appears that the traffic passed the first 3 rules but tripped the alert on the fourth rule.  Here is the output from my alert log (IP addresses changed to protect the innocent):

11/18-07:03:40.426861  [**] [1:1000004:1] PossibleIpDoS [**] [Priority: 0] {TCP} 198.51.100.1:80 -> 192.0.2.1:21502

My snort version and snort.conf are included below.  Any help would be appreciated.

Thanks,
Steve Teti
steti at ...3862...

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.0.3 IPv6 GRE (Build 98) 
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2010 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using PCRE version: 6.6 06-Feb-2006
           Using ZLIB version: 1.2.3

snort.conf:

ipvar HOME_NET [64.19.128.0/18,207.232.64.0/20,209.191.0.0/18]
ipvar EXTERNAL_NET any
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
config disable_decode_alerts
config disable_tcpopt_experimental_alerts
config disable_tcpopt_obsolete_alerts
config disable_tcpopt_ttcp_alerts
config disable_tcpopt_alerts
config disable_ipopt_alerts
config checksum_mode: all
config pcre_match_limit: 3500
config pcre_match_limit_recursion: 1500
config detection: search-method ac-split search-optimize max-pattern-len 20
config event_queue: max_queue 8 log 3 order_events content_length
dynamicpreprocessor directory /usr/lib/snort-2.9.0.3_dynamicpreprocessor
dynamicengine /usr/lib/snort-2.9.0.3_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/lib/snort-2.9.0.3_dynamicrules
output alert_syslog: LOG_AUTH LOG_ALERT
include classification.config
include reference.config
include $RULE_PATH/local.rules
include threshold.conf

classification.config:

config classification: not-suspicious,Not Suspicious Traffic,3
config classification: unknown,Unknown Traffic,3
config classification: bad-unknown,Potentially Bad Traffic, 2
config classification: attempted-recon,Attempted Information Leak,2
config classification: successful-recon-limited,Information Leak,2
config classification: successful-recon-largescale,Large Scale Information Leak,2
config classification: attempted-dos,Attempted Denial of Service,2
config classification: successful-dos,Denial of Service,2
config classification: attempted-user,Attempted User Privilege Gain,1
config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1
config classification: successful-user,Successful User Privilege Gain,1
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: successful-admin,Successful Administrator Privilege Gain,1
config classification: rpc-portmap-decode,Decode of an RPC Query,2
config classification: shellcode-detect,Executable code was detected,1
config classification: string-detect,A suspicious string was detected,3
config classification: suspicious-filename-detect,A suspicious filename was detected,2
config classification: suspicious-login,An attempted login using a suspicious username was detected,2
config classification: system-call-detect,A system call was detected,2
config classification: tcp-connection,A TCP connection was detected,4
config classification: trojan-activity,A Network Trojan was detected, 1
config classification: unusual-client-port-connection,A client was using an unusual port,2
config classification: network-scan,Detection of a Network Scan,3
config classification: denial-of-service,Detection of a Denial of Service Attack,2
config classification: non-standard-protocol,Detection of a non-standard protocol or event,2
config classification: protocol-command-decode,Generic Protocol Command Decode,3
config classification: web-application-activity,access to a potentially vulnerable web application,2
config classification: web-application-attack,Web Application Attack,1
config classification: misc-activity,Misc activity,3
config classification: misc-attack,Misc Attack,2
config classification: icmp-event,Generic ICMP event,3
config classification: inappropriate-content,Inappropriate Content was Detected,1
config classification: policy-violation,Potential Corporate Privacy Violation,1
config classification: default-login-attempt,Attempt to login by a default username and password,2
config classification: sdf,Senstive Data,2

reference.config:

config reference: bugtraq   http://www.securityfocus.com/bid/ 
config reference: cve       http://cve.mitre.org/cgi-bin/cvename.cgi?name=
config reference: arachNIDS http://www.whitehats.com/info/IDS
config reference: osvdb	    http://osvdb.org/show/osvdb/
config reference: McAfee    http://vil.nai.com/vil/content/v_
config reference: nessus    http://cgi.nessus.org/plugins/dump.php3?id=
config reference: url       http://

local.rules: included above in body of mail

threshold.conf: empty file
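Added example (not part of the post and not Snort code): a small Python model of the two-bucket rate check the posted rules are meant to perform, with the detection_filter / event_filter counting and the HTTP-vs-other split done in plain code. It assumes, consistently with the alert quoted above, that a list of two negated ports behaves as a union (port 80 matches "!443"), whereas negating the whole list excludes both; the packets and the scaled-down thresholds are constructed.

```python
from collections import defaultdict

HTTP_PORTS = {80, 443}

def port_class(src_port):
    """Bucket a source port the way the two intended rules split traffic."""
    return "http" if src_port in HTTP_PORTS else "other"

# Assumption, consistent with the alert quoted in the post: a list of negated
# ports such as [!80,!443] acts as a union, so port 80 still matches because it
# is "not 443"; negating the whole list, ![80,443], is what excludes both.
def matches_union_of_negations(src_port, excluded):
    return any(src_port != p for p in excluded)

def matches_negated_list(src_port, excluded):
    return src_port not in excluded

class DosCounter:
    """Simplified model of 'detection_filter: track by_dst, count N, seconds S'
    followed by 'event_filter type limit, track by_dst, count 1, seconds 60'."""
    def __init__(self, count, seconds, limit_seconds=60):
        self.count, self.seconds, self.limit_seconds = count, seconds, limit_seconds
        self.window = defaultdict(list)   # dst -> timestamps inside the window
        self.last_alert = {}              # dst -> time of the last logged alert

    def observe(self, dst, ts):
        """Feed one packet to the counter; return True if an alert is logged."""
        recent = [t for t in self.window[dst] if ts - t < self.seconds]
        recent.append(ts)
        self.window[dst] = recent
        if len(recent) < self.count:
            return False            # detection_filter threshold not reached
        if ts - self.last_alert.get(dst, float("-inf")) < self.limit_seconds:
            return False            # event_filter: already alerted this minute
        self.last_alert[dst] = ts
        return True

def run(packets, http_count=100000, other_count=50000, seconds=5):
    """Replay (ts, src_port, dst) tuples through both buckets; return alerts."""
    counters = {"http": DosCounter(http_count, seconds),
                "other": DosCounter(other_count, seconds)}
    alerts = []
    for ts, src_port, dst in sorted(packets):
        bucket = port_class(src_port)
        if counters[bucket].observe(dst, ts):
            alerts.append((ts, bucket, dst))
    return alerts

# Constructed sample: six packets from port 80 and three from port 53 to one
# host within a second; run it with thresholds scaled down to 5 and 3 packets.
SAMPLE = [(t, 80, "192.0.2.1") for t in (0.0, 0.1, 0.2, 0.3, 0.4, 0.5)] + \
         [(t, 53, "192.0.2.1") for t in (0.0, 0.2, 0.4)]
```

With the real thresholds the sample produces no alert; with `run(SAMPLE, http_count=5, other_count=3)` each bucket alerts exactly once at 0.4 s, and the second HTTP packet past the threshold is suppressed by the one-per-minute limit.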
