[Snort-users] Now how to launch my scan

Mark W. Jeanmougin markjx at gmail.com
Thu May 31 08:46:44 EDT 2018


Hey Dorian,

I'm guessing that you're posting on an English language email list but that
English is not your primary language. I'll try to be extra clear. :)

I created my scanner in bro, not snort. This topic may not be appropriate
for this mailing list, but I'll post anyway. Every security professional
uses the best tool for the job. I hope to inspire collaboration and
encourage everyone to improve their situation. After I talk about how I did
my work in bro, I'll talk about how snort could do something similar.

I have Security Onion running snort, bro, and all the rest. It is watching
the link between my user network and the dhcp server in the data center.

bro logs every dhcp packet. In the dhcp requests, it logs source MAC
address, hostname, and other fields. In the dhcp responses from the server,
it logs the IP address of the dhcp server, and other fields.

It let Security Onion run for a few days building up logs. Then, I analyzed
the logs looking for bad dhcp servers. I created a text file containing the
IP addresses of my legitimate dhcp servers. Then, I created a script to
parse the bro logs looking for responses from dhcp servers that were not on
the whitelist. I configured cron to run the script hourly. This is a high
fidelity alert.

Next, I created a textfile containing the regular expressions that describe
the hostname naming standard for our machines. I created a script to parse
the bro logs looking for requests to dhcp servers that were not on the
whitelist. I configured cron to run the script hourly. This is a high
fidelity alert.

I also created a textfile whitelist containing all the user workstation
names.  I created a script to parse the bro logs looking for requests to
dhcp servers that were not on the whitelist. I configured cron to run the
script hourly. This is a low fidelity alert.

My next step is to parse the conn log looking for activity from IP's that
don't have an associated dhcp request. We had a penetration test where they
guessed an IP address in the local network since they knew we were watching
for dhcp activity.

In snort, I'd define a variable containing all of my dhcp servers. I'd call
it DHCP_SERVERS. Then, create an alert looking for dhcp responses where the
source ip was !$DHCP_SERVERS.

Good luck, Dorian. I don't consider these techniques "introductory level".
In my humble opinion, these are advanced ideas.

Back to my day job,

Mark Jeanmougin



On Wed, May 30, 2018 at 1:11 PM Dorian ROSSE <dorianbrice at hotmail.fr> wrote:

> Dear IT Community,
>
>
> You went to leave my computer and I successfulled to do a fully update /
> upgrade of my server also how to launch the scan which deplyoed’s Mark ?
>
> Thank you in advance to take this ticket again,
>
> Regards.
>
>
> Dorian ROSSE.
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.snort.org
> Go to this URL to change user options or unsubscribe:
> https://lists.snort.org/mailman/listinfo/snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
> Please follow these rules:
> https://snort.org/faq/what-is-the-mailing-list-etiquette
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20180531/6a129a27/attachment.html>


More information about the Snort-users mailing list