[Snort-users] New user's comments, additions, and filters

Clifford, Shawn A shawn.a.clifford at ...178...
Tue Apr 17 13:37:26 EDT 2001


Hi all,

I'm new to snort, and I wasn't sure which list was appropriate for these
comments, so I'm sending to both.

I'd like to say that I'm impressed with the ease of use and flexibility of
snort, and hope to use it distributed across hundreds of nodes in my
network.

My first comment is about the 'rservices.rules' file.  It seems to me that
the use of 'rlogin' and 'rsh' is backwards in these rules, as "shell" is on
port 514, and "login" is on port 513.  While it is true that an rsh/remsh
with no command argument becomes an rlogin, I don't think that is the intent
of these rules.

Here is a filter rule that I've added to 'rservices.rules' to catch a
"probe" that is caught and logged by inetd on HP-UX and Solaris (but not
SunOS?), but I want to see it in my IDS log.  A variation of the attached
rsh.pl script will trigger this rule (hint: set the local port >= 1024).
The rsh.pl script is a rewrite of the rsh source code.

alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 514 (msg:"RSERVICES rsh from
unprivileged port"; flags: A+)

We use a variation of this to detect if machines are "alive", particularly
from machines that don't have the "count" option to ping (eg. HP-UX).

Because I'm planning on using snort on many of the machines within our
network (inside the firewall) for host-based detection, I had to modify
'rpc.rules' to bring down the false-positives from our NIS servers.  This
replaces the "portmap request ypserv" rule, where $NIS_SERVERS is defined in
snort.conf.

alert tcp $EXTERNAL_NET any -> !$NIS_SERVERS,$HOME_NET 111 (msg:"RPC portmap
request ypserv"; \
	content:"|01 86 A4 0 00|";offfset:40:depth:8:
reference:arachnids,12;)

Last, I've added the following rules to 'local.rules' to log sessions when
someone su's to root over a telnet or rlogin connection:

alert tcp any any <> $HOME_NET 23 (session:printable; msg:"LOCAL su to root
via telnet"; content-list:"su-to-root";)
alert tcp any any <> $HOME_NET 513 (session:printable; msg:"LOCAL su to root
via rlogin"; content-list:"su-to-root";)

Which requires the file, "su-to-root":
---- su-to-root ----
su|0d|
Password
# 
---- su-to-root ----

I also added port 513 to the "preprocessor stream:" directive in my
snort.conf, but I'm not sure if that is necessary.


Cheers!
-- Shawn

 <<rsh.pl>> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rsh.pl
Type: application/octet-stream
Size: 3876 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20010417/3ad62563/attachment.obj>


More information about the Snort-users mailing list