[Snort-users] A Working Logsurfer Example for Snort 2.0

Matt Howell mhowell at ...9084...
Fri May 23 14:17:06 EDT 2003


All...

A few weeks ago, I posted a message asking if anyone had a set of
logsurfer rules that worked with Snort 2.0 that was worth sharing. 
After failing to receive a response from anyone, I am posting the rules
that I came up with in the hopes that it might be helpful for others. 
By no means are these officially endorsed by the Snort project or
logsurfer, but instead its just one example of what someone is actually
using in production.  I am fairly green to logsurger / regex, so there
may be better ways to handle some of these events.  I tried to include
somewhat logical comments, as well.  If you find something that works
better for you, please let me know because I would like to improve on
this over time.

-Matt Howell
mhowell at ...9084...

LINKS:
surfmailer script:
http://www.obfuscation.org/emf/logsurfer/surfmailer

emf's snort / logsurfer example:
http://www.obfuscation.org/emf/logsurfer/snort.txt

##################################

### Logsurfer Definitions:  Snort 2.0.0
### author:  Matt Howell (mhowell at ...9084...)
### date:    05/23/03
###
#
## IGNORE STATEMENTS
#
# Ignore "Unreachable" ICMP messages
'ICMP Destination Unreachable' - - - 0 ignore
# Ignore End of Portscan Messages - Preference
'End of portscan' - - - 0 ignore
# Ignore "last message repeated" notifications
'last message repeated' - - - 0 ignore
# Ignore Lotus Domino SMTP specific exploit
'SMTP HELO overflow attempt' - - - 0 ignore
# Ignore requests for robots.txt
'robots.txt' - - - 0 ignore
## ICMP MESSAGES
#
# Capture ICMP messages and store them in a context.
# Send message if threshold is hit (time or messages)
'ICMP .* \[Priority: ([0-9])\]: \{ICMP\} ([0-9.]+) ->.*' - - - 0
        open "ICMP" - 10 60 7200
        pipe "/usr/local/bin/surfmailer -r user\@domain.com -S \"ICMP
Messages\""
## HTTP ATTACKS
#
# Capture WEB attacks / exploits into a context
'WEB-.* \[Priority: ([0-9])\]: \{.*\} ([0-9.]+):.*' - - - 0
        open "WEB" - 8 60 7200
        pipe "/usr/local/bin/surfmailer -r user\@domain.com -S \"WEB
Events\""
## PORTSCAN MESSAGES
#
# Send message on detection of new portscan
'spp_portscan: PORTSCAN DETECTED from (.*) \(.*' - - - 0
        pipe "/usr/local/bin/surfmailer -r user\@domain.com -S
\"Portscan DETECT from $2\""
#
# Create context by IP for all portscan status messages
'spp_portscan: portscan status from ([0-9.]+):.*' - - - 0
        open "STATUS$2" - 10 60 7200
        pipe "/usr/local/bin/surfmailer -r user\@domain.com -S
\"Portscan   Status from $2\""
#
# Send message on termination of portscan
# ** Disable IGNORE statement before uncommenting this rule
#'spp_portscan: End of portscan from ([0-9.]+):.*' - - - 0
#       pipe "/usr/local/bin/surfmailer -r user\@domain.com -S
\"Portscan END from $2\""
#
# Generic Catch-all portscan message
# ** More for debug purposes...  The rules above should catch all other
portscan messages
'spp_portscan:.*' - - - 0
        pipe "/usr/local/bin/surfmailer -r user\@domain.com -S
\"Portscan GENERIC Message\""
#
# Context for all messages of type "SCAN"
'SCAN .* \[Priority: ([0-9])\]: \{.*\} ([0-9.]+):.*' - - - 0
        open "SCAN$3" - 5 60 7200
        pipe "/usr/local/bin/surfmailer -r user\@domain.com -S \"SCAN
from $3\""
#
# Send message on any Portscan2 traffic (when enabled)
'portscan2.*' - - - 0
        pipe "/usr/local/bin/surfmailer -r user\@domain.com -S
\"Portscan2 Event\""
#
# Report any traffic of type ATTACK RESPONSES
'ATTACK RESPONSES.*' - - - 0
        pipe "/usr/local/bin/surfmailer -r user\@domain.com -S
\"Warning: ATTACK RESPONSE\""
#
# A Catch all rule for any events that come through marked Priority 1
'\[Priority: (1)\].*' - - - 0
        pipe "/usr/local/bin/surfmailer -r user\@domain.com -S
\"Priority 1 Event\""





More information about the Snort-users mailing list