[Snort-users] Snort as an anomalous behavior IDS

Joel Esler joel.esler at ...14399...
Fri Apr 2 15:27:09 EDT 2010


Correct.

J

On Apr 2, 2010, at 3:21 PM, Willst Mail wrote:

> Jason,
> Sounds like you did what I want to do.  Let's say outbound HTTP is
> fine but anything else is bad, would your ruleset look something like:
> 
> pass tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Allowing outbound HTTP"; sid:1000001;)
> alert tcp any any -> any any (msg:"Bad traffic!"; sid:1000002;)
> 
> And from this (contrived and simplified) ruleset, outbound over port
> 80 is allowed to silently pass and everything else will generate an
> alert?
> 
> 
>> ------------------------------
>> 
>> Message: 3
>> Date: Sat, 03 Apr 2010 00:09:47 +1300
>> From: Jason Haar <Jason.Haar at ...294...>
>> Subject: Re: [Snort-users] Snort as an anomalous behavior IDS
>> To: snort-users at lists.sourceforge.net
>> Message-ID: <4BB5D07B.7020701 at ...294...>
>> Content-Type: text/plain; charset=ISO-8859-1
>> 
>> On 04/01/2010 11:32 AM, Willst Mail wrote:
>>> Is it as simple having a
>>> ruleset with the good rules, and a final rule that matches (any any ->
>>> any any)?
>>> 
>> We use snort to monitor DMZes that way. Unlike real networks, DMZes are
>> meant to contain hosts that have specific roles, and don't have users
>> logged in running Skype/etc., i.e. their traffic flows are predictable. In
>> particular, they shouldn't initiate outbound connections beyond the
>> expected AV updates, Windows/YUM updates/etc.
>> 
>> Then we created pass rules that allow such things, and trigger alerts
>> on the rest. On our network, DMZ alerts are really quiet for ages - and
>> then some SysAdmin will forget where they are and go and read their
>> Gmail or something - and we get an alert - soon followed by a "sorry!
>> it's me!" - that proves it's working :-)
>> 
>> However, FTP is your enemy - no easy way to write "pass" rules for FTP.
>> I've got HTTP "pass" rules to allow connections to hosts containing
>> "uricontent:/repos/", or whitelist particular User-Agents - but you
>> can't say "allow curl to ftp files".
>> 
>> --
>> Cheers
>> 
>> Jason Haar
>> Information Security Manager, Trimble Navigation Ltd.
>> Phone: +64 3 9635 377 Fax: +64 3 9635 417
>> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>> 

--
Joel Esler
http://blog.joelesler.net
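A small Python simulator, added here as an example and not code from either poster or from Snort, showing what the pass-then-alert ruleset quoted in the thread does to a few constructed flows. It assumes $HOME_NET is 10.0.0.0/8 (a lab value) and that pass rules are evaluated before alert rules; in Snort that depends on the configured rule order, and the `order` argument shows what happens when alert rules are tried first.

```python
import ipaddress
import re
HOME_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed lab value for $HOME_NET
RULE_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)$')

def parse_rule(text):
    m = RULE_RE.match(text.strip())  # header fields plus the option block
    if not m:
        raise ValueError(f"unparseable rule: {text}")
    action, proto, src, sport, dst, dport, opts = m.groups()
    msg = re.search(r'msg:"([^"]*)"', opts).group(1)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "msg": msg}

def addr_match(spec, ip):
    ip = ipaddress.ip_address(ip)
    if spec == "any":
        return True
    if spec == "$HOME_NET":
        return ip in HOME_NET
    if spec == "$EXTERNAL_NET":  # everything not in HOME_NET, as in a typical snort.conf
        return ip not in HOME_NET
    return ip in ipaddress.ip_network(spec)

def port_match(spec, port):
    return spec == "any" or int(spec) == port

def rule_match(rule, flow):
    proto, sip, sport, dip, dport = flow  # one-directional 5-tuple, like a Snort header
    return (rule["proto"] in ("ip", proto) and addr_match(rule["src"], sip)
            and port_match(rule["sport"], sport) and addr_match(rule["dst"], dip)
            and port_match(rule["dport"], dport))

def evaluate(rules, flow, order=("pass", "alert")):
    """First match wins; action groups are tried in `order` (pass before alert by default)."""
    for action in order:
        for rule in rules:
            if rule["action"] == action and rule_match(rule, flow):
                return action, rule["msg"]
    return "none", ""

RULESET = [parse_rule(r) for r in (
    'pass tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Allowing outbound HTTP"; sid:1000001;)',
    'alert tcp any any -> any any (msg:"Bad traffic!"; sid:1000002;)',
)]

# constructed flows: (proto, src ip, src port, dst ip, dst port)
OUTBOUND_HTTP = ("tcp", "10.1.2.3", 40000, "198.51.100.7", 80)
OUTBOUND_FTP = ("tcp", "10.1.2.3", 40001, "198.51.100.7", 21)
```

Outbound port 80 is silently passed, outbound FTP and inbound port 80 (the pass rule is one-directional) both hit the catch-all alert, and with alert-before-pass ordering even the whitelisted HTTP flow alerts.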