[Snort-users] RE: Network Behaviour Anomoly Detection

Martin Roesch roesch at ...1935...
Tue Jul 13 11:56:06 EDT 2004

You just need to enable with the "keepstats" keyword to the stream4  
module.  Keepstats has three different output modes, human readable  
(default), machine readable (CSV) and binary (unified).

preprocessor stream4: keepstats

preprocessor stream4: keepstats machine

preprocessor stream4: keepstats binary

The binary format can be read by barnyard (file "snort-unified.stats")   
which would work great for a post-processed anomaly detector if you  
wanted near real-time performance.  The other two formats are written  
to a file called session.log and are in text format.

Does that help?


On Jun 30, 2004, at 2:00 PM, hugh_fraser at ...2804... wrote:

> Does Spade to some of this? These seem like very good requests,
> especially in light of some of the recent RPC-based worms whose most
> easily-recognized signature is host scanning activity. We have a
> switched network. It's difficult to distinguish legitimate traffic from
> worm traffic at the receiving end, but it's easy to recognize a host
> that's creating connections to a large number of hosts in a short  
> period
> of time. Even better, if snort can be told to learn what normal
> behaviour is for a node, it could alert to changes in that behaviour
> without creating the onerous job of manually configuring thresholds.
> If spp_flow or stream4 can do this already, I had trouble identifying
> that from the docs. Could someone provide some config examples?
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of pieter
> claassen
> Sent: Saturday, June 26, 2004 9:03 AM
> To: Martin Roesch
> Cc: Michael Cunningham; 'Jon Baer'; focus-ids at ...35...; snort
> users
> Subject: Re: [Snort-users] RE: Network Behaviour Anomoly Detection
> As a first cut I can think of the following anomalous events that might
> be interesting:
> 1. Changes in spread of connections from source/to destination to
> services over a specific time period. (i.e. there are new requests  
> which
> makes your environment look differently from what it was) 2. Changes in
> volume from source/to destination going to services over a specific  
> time
> period. (i.e. resource abuse or successful compromise)
> How would the logic be implemented? Can this be done through the
> existing rule syntax?
> sample rules:
> alert tcp any any -> $WEBSERVERS any (msg:"Somebody is probing our
> servers" ; anomaly:"ports > 20/min" )
>  - A match would indicate a quantitative increase in connections to  
> more
> than 20/min to a webserver
> alert tcp any any -> $WEBSERVERS any (msg:"Sudden increase in
> consumption"; anomaly:"volume > 20%/min" )
>  - A match would indicate a qualitative increase in volume of traffic
> being requested from a service
> alert tcp any any <> any any (msg:"Client is making a whole lot of new
> connections and getting loads of data back"; anomaly:"volume_per_con >
> 20%/min AND ports > 20%/min" )
> - A match would indicate that a client is originating new connections
> and getting data back
> Isn't the first option just the portscan preprocessor in a different
> from?
> Is there another way to "program" the preprocessor in this case?
> Pieter
> On Thu, 2004-06-24 at 20:25, Martin Roesch wrote:
>> Hi Mike,
>>> Anyone interested in starting up an opensource project to build
>>> something
>>> like this?
>> FYI, Snort's stream4 module (and the new spp_flow) module is capable
>> of
>> logging the stats you mention for any flow that is observed,
>> specifically start/stop time, src/dst IPs and ports, number of packets
>> and number of bytes transferred, as well as IDS event stats and any
>> other flags you care to hang off of them.  For example, along with the
>> flow record you could record the number of IDS events that fired for a
>> given flow as well as any anomalies that were detected on that flow
>> (e.g. fragmentation/tcp protocol anomalies, etc).
>> Snort's got 50% of what you want already, you could implement the
>> anomaly detection as a preprocessor if you were so inclined...
> ----------------------------------------------------------------------- 
> -
> ---
> ----------------------------------------------------------------------- 
> -
> ---
> -------------------------------------------------------
> This SF.Net email sponsored by Black Hat Briefings & Training.
> Attend Black Hat Briefings & Training, Las Vegas July 24-29 -
> digital self defense, top technical experts, no vendor pitches,
> unmatched networking opportunities. Visit www.blackhat.com
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch at ...1935... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org

More information about the Snort-users mailing list