[Snort-users] Curse of the cmd.exe

Andreas Östling andreaso at ...236...
Sat Jun 15 07:46:03 EDT 2002


Sam Evans wrote:

> It seems pointless to me, to log 10,000 cmd.exe attempts from outside
> hosts, when you don't know what the actual outcome was. Sure,
> you have to go to your webserver logs to find out the real result, but,
> with all the Nimda / Codered still going on, that makes for a very long day
> of log searching.


There are a few excellent "attack response" rules among the official
Snort rules which you could focus on. (And as always, it's easy to write
your own.)

I'm not sure I agree that logging those 10,000 cmd.exe attempts is always
pointless, though.
At least my experience is that when you catch a successful intrusion,
even those alerts (to/from the involved hosts) that you would normally
classify as false positives can be invaluable and give a better view of a
larger picture. Personally I prefer to have snort and other tools collect
as much possibly hostile activity as possible and then look for the
best/worst stuff myself by post-processing the logs using
SnortSnarf/ACID/grep etc.

I wrote a really ugly little perl script a while ago to help me combine
attacks with attack responses by parsing an alert file, just as a test to
see if it would be useful. It's really simple - if there is an alert from
a.a.a.a:x -> b.b.b.b:y and then an alert from b.b.b.b:y -> a.a.a.a:x there
is a darn good chance that they are related, so "generate an alert". You
can also define what is a bad answer (host vulnerable) or good answer
(host not vulnerable). This is obviously too simple to be really useful in
the real world but could be extended in many ways.

An example from a real-life alert file:
http://people.su.se/~andreaso/misc/istest.html

I never finished it and probably never will, but I still like the idea.
Has anyone made something similar? Or planning to?
Hopefully it will be much better than my attempt :)

Regards,
Andreas Östling
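The request/response pairing Andreas describes above, written out as an added example (this is not his perl script, which is not reproduced on this page): it parses Snort "fast" alert lines, pairs each alert with the most recent earlier alert on the reversed 5-tuple, and labels the response using two hypothetical verdict tables of message substrings ("bad answer" = host vulnerable, "good answer" = host not vulnerable). The sample alert lines are constructed for the example and the rule messages and sids in them are illustrative, not taken from the page.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Snort "fast" alert line layout that the constructed samples below follow:
#   MM/DD-HH:MM:SS.uuuuuu  [**] [gid:sid:rev] MSG [**] ... {PROTO} SRC:SPORT -> DST:DPORT
ALERT_RE = re.compile(
    r'^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[(?P<sig>[\d:]+)\]\s+'
    r'(?P<msg>.+?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+'
    r'(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$'
)

# Constructed sample alert file: three cmd.exe probes, two of which got an
# answer that Snort alerted on; the third got no reply alert at all.
SAMPLE_ALERTS = """\
06/15-07:40:01.000001  [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.1.1.1:3456 -> 192.168.1.10:80
06/15-07:40:01.000500  [**] [1:1292:2] ATTACK-RESPONSES directory listing [**] [Classification: Successful Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.1.10:80 -> 10.1.1.1:3456
06/15-07:40:02.000001  [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.2.2.2:4000 -> 192.168.1.11:80
06/15-07:40:02.000700  [**] [1:9000001:1] LOCAL http 404 reply [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.1.11:80 -> 10.2.2.2:4000
06/15-07:40:03.000001  [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.3.3.3:5000 -> 192.168.1.12:80
"""

# Hypothetical verdict tables: substrings of a response alert's message.
BAD_ANSWERS = ("directory listing", "volume serial number")   # command ran: host vulnerable
GOOD_ANSWERS = ("404", "403", "not found")                     # request refused: host not vulnerable


@dataclass
class Alert:
    ts: str
    sig: str
    msg: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    @property
    def flow(self):
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    @property
    def reverse_flow(self):
        # The same connection seen from the other side (b:y -> a:x).
        return (self.proto, self.dst, self.dport, self.src, self.sport)


def parse_alert(line):
    """Return an Alert for one fast-format line, or None if it does not parse."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    return Alert(m['ts'], m['sig'], m['msg'], m['proto'],
                 m['src'], int(m['sport']), m['dst'], int(m['dport']))


def classify_response(msg):
    """Map a response alert message to a verdict via the hypothetical tables."""
    low = msg.lower()
    if any(p in low for p in BAD_ANSWERS):
        return "vulnerable"
    if any(p in low for p in GOOD_ANSWERS):
        return "not vulnerable"
    return "unknown"


def correlate(lines):
    """Pair each alert with the latest earlier alert on the reversed 5-tuple.

    Returns a list of (request_alert, response_alert, verdict) tuples in file order.
    """
    seen = defaultdict(list)   # flow 5-tuple -> alerts already seen in that direction
    pairs = []
    for line in lines:
        a = parse_alert(line.strip())
        if a is None:
            continue
        earlier = seen.get(a.reverse_flow)
        if earlier:
            pairs.append((earlier[-1], a, classify_response(a.msg)))
        seen[a.flow].append(a)
    return pairs


def report(pairs):
    """One line per correlated pair, in the spirit of 'generate an alert'."""
    return ["%s %s:%d -> %s:%d  [%s] answered by [%s]  => %s"
            % (req.ts, req.src, req.sport, req.dst, req.dport, req.msg, resp.msg, verdict)
            for req, resp, verdict in pairs]


if __name__ == "__main__":
    for line in report(correlate(SAMPLE_ALERTS.splitlines())):
        print(line)
```

Only the two probes that drew a reply alert are reported; the third stays in the raw alert file, which is exactly the "keep everything, post-process later" point made above. A real run would also want a time window on the pairing, since ephemeral ports get reused.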