[Snort-users] Snort as an anomalous behavior IDS

Paul Schmehl pschmehl_lists at ...14358...
Fri Apr 2 17:25:10 EDT 2010


You might be better off using the HTTP_PORTS variable.

pass tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Ignoring outbound HTTP"; sid:10000001;)

BTW, most trojans nowadays communicate on port 80, so you'll miss any trojan 
infections that do that.  (Don't know if that's a problem for you or not.)

--On Friday, April 02, 2010 15:27:09 -0400 Joel Esler <joel.esler at ...14399...> wrote:

> Correct.
>
> J
>
> On Apr 2, 2010, at 3:21 PM, Willst Mail wrote:
>
>> Jason,
>> Sounds like you did what I want to do.  Let's say outbound HTTP is
>> fine but anything else is bad, would your ruleset look something like:
>>
>> pass tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Allowing outbound HTTP"; sid:1000001;)
>> alert tcp any any -> any any (msg:"Bad traffic!"; sid:1000002;)
>>
>> And from this (contrived and simplified) ruleset, outbound over port
>> 80 is allowed to silently pass and everything else will generate an
>> alert?
>>
>>
>>> ------------------------------
>>>
>>> Message: 3
>>> Date: Sat, 03 Apr 2010 00:09:47 +1300
>>> From: Jason Haar <Jason.Haar at ...294...>
>>> Subject: Re: [Snort-users] Snort as an anomalous behavior IDS
>>> To: snort-users at lists.sourceforge.net
>>> Message-ID: <4BB5D07B.7020701 at ...294...>
>>> Content-Type: text/plain; charset=ISO-8859-1
>>>
>>> On 04/01/2010 11:32 AM, Willst Mail wrote:
>>>> Is it as simple having a
>>>> ruleset with the good rules, and a final rule that matches (any any ->
>>>> any any)?
>>>>
>>> We use snort to monitor DMZes that way. Unlike real networks, DMZes are
>>> meant to contain hosts that have specific roles, and don't have users
>>> logged in running Skype/etc. i.e their traffic flows are predictable. In
>>> particular, they shouldn't initiate outbound connections beyond the
>>> expected AV updates, Windows/YUM updates/etc.
>>>
>>> Then we created pass rules that  allow such things, and trigger alerts
>>> on the rest. On our network, DMZ alerts are really quiet for ages - and
>>> then some SysAdmin will forget where they are and go and read their
>>> Gmail or something - and we get an alert - soon followed by a "sorry!
>>> it's me!" - that proves it's working :-)
>>>
>>> However, FTP is your enemy - no easy way to write "pass" rules for FTP.
>>> I've got HTTP "pass" rules to allow connections to hosts containing
>>> "uricontent:/repos/", or whitelist particular User-Agents - but you
>>> can't say "allow curl to ftp files"
>>>
>>> --
>>> Cheers
>>>
>>> Jason Haar
>>> Information Security Manager, Trimble Navigation Ltd.
>>> Phone: +64 3 9635 377 Fax: +64 3 9635 417
>>> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>>>
>>
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> --
> Joel Esler
> http://blog.joelesler.net
>
>
>
>



-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
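Added example (written for this archive page, not code from anyone in the thread): a minimal DMZ rule set in Snort 2.x syntax that does what Jason and Willst describe, i.e. pass rules for the expected outbound flows and a catch-all alert for everything else, with Paul's $HTTP_PORTS suggestion and his port-80 caveat taken into account. Every address, port, server name, User-Agent string and sid below is an assumption for illustration; change them to match your DMZ.

```snort
# Added example, not from the thread. Snort 2.x syntax; all values are assumed.
ipvar HOME_NET [192.0.2.0/24]                    # the DMZ being watched (assumed)
ipvar EXTERNAL_NET !$HOME_NET
ipvar DNS_SERVERS [192.0.2.53]                   # assumed resolver for the DMZ
ipvar UPDATE_SERVERS [203.0.113.10,203.0.113.11] # assumed AV / WSUS / YUM mirrors
portvar HTTP_PORTS [80,8080]                     # keep identical to the http_inspect ports

# Make pass rules win regardless of the default order this Snort version ships
# with (same effect as the -o command-line switch).
config order: pass alert log activation

# --- Expected outbound flows from DMZ hosts --------------------------------
pass udp $HOME_NET any -> $DNS_SERVERS 53 \
    (msg:"DMZ pass DNS"; sid:10000001; rev:1;)
pass udp $HOME_NET any -> $EXTERNAL_NET 123 \
    (msg:"DMZ pass NTP"; sid:10000002; rev:1;)

# Updates: whitelist by destination, not by port alone, so a trojan talking to
# an arbitrary host on port 80 is NOT passed (Paul's caveat). flowbits:set marks
# the session so later packets of it (pure ACKs, more requests) skip the catch-all.
pass tcp $HOME_NET any -> $UPDATE_SERVERS $HTTP_PORTS \
    (msg:"DMZ pass update mirrors"; flow:to_server,established; \
     flowbits:set,dmz.allowed; sid:10000003; rev:1;)

# Repo fetches from anywhere, but only for the /repos/ path and a known client
# (Jason's uricontent / User-Agent approach; "urlgrabber" is assumed to be yum's UA).
pass tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS \
    (msg:"DMZ pass yum repo fetch"; flow:to_server,established; \
     uricontent:"/repos/"; content:"User-Agent|3A| urlgrabber"; http_header; nocase; \
     flowbits:set,dmz.allowed; sid:10000004; rev:1;)

# --- Everything else leaving the DMZ is anomalous ---------------------------
# Match the first payload packet of the session (flow:established) rather than
# flags:S: the content-based pass rules above cannot match a bare SYN, so a
# SYN-triggered catch-all would fire before they ever got a chance.
alert tcp $HOME_NET any -> $EXTERNAL_NET any \
    (msg:"DMZ unexpected outbound TCP"; flow:to_server,established; \
     flowbits:isnotset,dmz.allowed; sid:10000010; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET any \
    (msg:"DMZ unexpected outbound UDP"; sid:10000011; rev:1;)
alert icmp $HOME_NET any -> $EXTERNAL_NET any \
    (msg:"DMZ unexpected outbound ICMP"; sid:10000012; rev:1;)

# One event per offending host per minute instead of one per packet.
event_filter gen_id 1, sig_id 10000010, type limit, track by_src, count 1, seconds 60
event_filter gen_id 1, sig_id 10000011, type limit, track by_src, count 1, seconds 60
```

Two things to check when you deploy something like this: a blanket `pass tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS` is exactly the rule that lets port-80 trojan traffic through, which is why the pass rules above are constrained by destination or by URI and User-Agent instead; and because the TCP catch-all waits for an established session, a host that only sends SYNs to ports nobody answers will not alert, so add a separate `flags:S` rule for ports that no pass rule could ever allow if that matters to you. FTP data channels remain the gap Jason describes; these rules do nothing for them.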




