[Snort-users] Thoughts on Snort-flex rule?

Rich Adamson radamson at ...2127...
Sun Jan 26 08:56:45 EST 2003


Three questions:

1. Is there a way to configure snort (e.g., rules or other options) to track
portscans, web application attacks, etc., from a single source IP address,
and flex-respond to "all" future activity from that source for the next
five minutes (or some other preconfigured time frame), regardless of the
next target IP from that source?

I fully understand the difficulty of tuning snort rules to trigger on
specific events; however, we've all seen alerts such as:
0x0030: 43 80 04 2B 00 00 48 45 41 44 20 2F 73 61 6D 70  C..+..HEAD /samp
0x0040: 6C 65 73 2F 2E 2E 25 63 31 25 39 63 2E 2E 2F 2E  les/..%c1%9c../.
0x0050: 2E 25 63 31 25 39 63 2E 2E 2F 2E 2E 25 63 31 25  .%c1%9c../..%c1%
0x0060: 39 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65  9c../winnt/syste
0x0070: 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64  m32/cmd.exe?/c+d
0x0080: 69 72 3F 2F 63 2B 64 69 72 2B 63 3A 5C 20 48 54  ir?/c+dir+c:\ HT
followed by (or preceded by) the same set of activities over and over
again.

2. Are there any other inexpensive hardware/software solutions (besides
commercial firewalls, in-line linux-type boxes, etc.) that would act as a
gateway of sorts, which snort could control to essentially create the
reactive function noted in #1, above?

I'm quite familiar with the delay issues of reacting to such events, and
the risk associated with not stopping the initial scans, etc.

3. Has anyone tried to create a tcl/snmp/other mechanism to dynamically
modify a Cisco router access control list to accomplish the above?

Rich
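One way to model the reactive window asked about in question 1, and to render the result as router ACL statements for question 3, as an added example that is not code from the post or from the Snort project: it assumes alerts arrive in Snort's "fast" alert format, that timestamps are replayed in order, and that some enforcement point outside Snort (a firewall rule or a Cisco ACL) consumes the decisions it produces. All alert lines and addresses in it are constructed.

```python
"""Reactive per-source blocking driven by Snort alerts.

Added example, not code from the mailing-list post or the Snort project.
Assumes Snort "fast" alert lines as input; enforcement (firewall rule,
router ACL) is assumed to happen elsewhere.  All data below is constructed.
"""
import re
from datetime import datetime, timedelta

# Snort "fast" alert line: timestamp, [gid:sid:rev], message, optional
# classification/priority, {protocol}, src[:port] -> dst[:port].
FAST_ALERT = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[(?P<sig>[\d:]+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\d+(?:\.\d+){3})(?::\d+)?\s+->\s+(?P<dst>\d+(?:\.\d+){3})(?::\d+)?$"
)


def parse_fast_alert(line, year=2003):
    """Return (timestamp, source IP, dest IP, message) or None for non-alert lines.
    Fast alerts carry no year, so the caller supplies it."""
    m = FAST_ALERT.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return ts, m["src"], m["dst"], m["msg"]


class ReactiveBlocklist:
    """Sources under a time-limited block.  Any alert from a source blocks ALL
    of its traffic, whatever the next target, until the window lapses; a
    further alert inside the window extends it.  Timestamps must be fed in
    non-decreasing order (lazy expiry relies on that)."""

    def __init__(self, window=timedelta(minutes=5)):
        self.window = window
        self.expires = {}  # source IP -> datetime when the block lapses

    def record_alert(self, src, ts):
        self.expires[src] = ts + self.window
        return self.expires[src]

    def is_blocked(self, src, ts):
        exp = self.expires.get(src)
        if exp is None:
            return False
        if ts >= exp:
            del self.expires[src]  # window lapsed: drop the entry
            return False
        return True

    def acl_lines(self, ts, acl_number=101):
        """Render active blocks as Cisco IOS extended-ACL deny statements;
        pushing them to a router is outside this example."""
        active = sorted(s for s, e in self.expires.items() if ts < e)
        return [f"access-list {acl_number} deny ip host {s} any" for s in active]


def build_blocklist(alert_lines, window=timedelta(minutes=5), year=2003):
    """Replay alert lines into a blocklist; non-alert lines are ignored."""
    bl = ReactiveBlocklist(window)
    for line in alert_lines:
        parsed = parse_fast_alert(line, year)
        if parsed is not None:
            ts, src, _dst, _msg = parsed
            bl.record_alert(src, ts)
    return bl


# Constructed sample alerts (not real traffic); the third line is noise.
SAMPLE_ALERTS = [
    "01/26-08:56:45.000001  [**] [122:1:0] (portscan) TCP Portscan [**] "
    "[Priority: 3] {PROTO:255} 10.0.0.5 -> 192.168.1.10",
    "01/26-08:57:10.500000  [**] [1:1002:5] WEB-IIS cmd.exe access [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} "
    "10.0.0.5:4321 -> 192.168.1.10:80",
    "*** not an alert line ***",
    "01/26-08:58:30.000000  [**] [122:1:0] (portscan) TCP Portscan [**] "
    "[Priority: 3] {PROTO:255} 192.0.2.77 -> 192.168.1.20",
]


def demo():
    """Answer 'would a packet from this source, to ANY destination, be dropped
    at this time?' for a few moments; returned as a dict for checking."""
    bl = build_blocklist(SAMPLE_ALERTS)
    t = lambda s: datetime.strptime(s, "%Y-%m-%d %H:%M:%S")
    return {
        "acl_at_0859": bl.acl_lines(t("2003-01-26 08:59:00")),
        # 10.0.0.5 alerted at 08:56:45 and 08:57:10 -> blocked until 09:02:10
        "scanner_new_target_inside_window": bl.is_blocked("10.0.0.5", t("2003-01-26 08:59:00")),
        "scanner_after_window": bl.is_blocked("10.0.0.5", t("2003-01-26 09:02:30")),
        "quiet_host": bl.is_blocked("172.16.3.9", t("2003-01-26 08:59:00")),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The decision is keyed on the source only, so the second probe against a different target inside the window is dropped without any further rule match; the trade-off, as noted in the post, is that the triggering packets themselves have already gone through, and any alert that fires on spoofed or shared addresses will block that address for the whole window.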
