[Snort-users] Zombie detection rules

Luke Ager luke.ager at ...14399...
Thu Feb 16 04:17:04 EST 2017


I'll second this. It would be easier to use network devices as log sources such as Netflow and connection logs to determine patterns. 
Clearly good egress filtering is a priority and then base lining of permitted ports. 

If you have specific hosts in mind and the scope is small you could consider an endpoint agent also which includes network monitoring. LogRyhthms end point agent will support this. 

Failing that, arbour who are known for DDOS protection offer a product which uses snort but also integrates with their ddos threat intel. They have some techniques to detect zombies but it's based on their intelligence. 



Sent from my iPhone

> On 16 Feb 2017, at 09:00, Alberto Colosi <alcol at ...125...> wrote:
> 
> Hi another approach ............. are not firewalls ?
> 
> 
> I can't believe all is open , zombie is a wide kind of possible activity and is not so easy as can be imagined.
> 
> 
> firewalls and uncommon authorized port usage for example during the night but not only .............. . All other kind of traffic will be dropped by firewalls and this kind of log is important too.
> 
> 
> a SIEM can perform this kind of check in automatic if not you'll have to create some scripts to inspect log files.
> 
> 
> 
> Alberto Colosi
> 
> IT Security & NetWork
> 
> 
> 
> 
>  
> From: Paul Li <paul at ...17768...>
> Sent: Thursday, February 16, 2017 5:32 AM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Zombie detection rules
>  
> Is there any snort rule for zombies detection: to detect if the devices snort is monitoring are used as zombies. Or some rules that can detect large outgress traffic from a monitored device would also work.
> 
> Thanks,
> Paul
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> 
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20170216/bf3c60c1/attachment.html>


More information about the Snort-users mailing list