Home page logo
/

educause logo Educause Security Discussion mailing list archives

Re: Local Security Policy Standards
From: Adam Carlson <ajcarlson () BERKELEY EDU>
Date: Tue, 2 Dec 2008 16:15:10 -0800

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

John,
        If you are looking for a command line tool that will apply security
policies and can be scripted, then I would suggest you look at secedit.
 It's been a few years since I've used it, but I'm pretty sure I applied
the NSA security templates with it in one of my previous positions:

Here is a manual page about it:

http://technet.microsoft.com/en-us/library/bb490997.aspx

There is also an example script using secedit from Microsoft on the page
below, scroll down to the section that is titled "Automated Scripts":

http://technet.microsoft.com/en-us/library/cc163078.aspx

Here is a page that talks about general usage:

http://www.appdeploy.com/tips/detail.asp?id=23

And here is a forum post about using it in a scripted environment to
overwrite existing policies:

http://www.eggheadcafe.com/forumarchives/windowsserverscripting/Jul2005/post23155047.asp

Hope that helps,

- -Adam

John Culkin wrote:
Hello:

Does anyone have some scripts which apply the Local Security Policy
settings from the NSA or other respectable groups?

Thanks,

-- John C.

Russell Fulton wrote:
I would run tcpdump on the sensor with an appropriate filter to make
sure the sensor is actually seeing the traffic you think it should
be.  I've been had by that one a couple of times -- spanning not set
up properly on routers etc.

R

On 3/12/2008, at 5:47 AM, Chris Green wrote:

Write the rules out using only your CIDR notation and you get:
(assuming you have SSH_PORTS defined)

alert tcp !137.165.0.0/16 any -> 137.165.224.0/24 22 (flow:stateless;
flags:S,12; msg: “test”; sid: 1234125);

Where are you testing from? On campus?

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Peter Charbonneau
Sent: Tuesday, December 02, 2008 10:14 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] writing SNORT rules

Good morning

I have written 3 "quick and dirty" SNORT rules and am trying to
follow the write/test/write/test/write/test/write/test

Unfortunately even the first test isn't working.  I never see the
alert message for these rules in my alert log.  Is there some other
directive in the snort.conf file that could be precluding these
stateless "hits" from being processed in some way?

If you have any responses, we should probably take this off-line to
keep the list from being clogged, unless, of course, this is a
"class" problem for all first time rule writers.  I think it's
something stupid, but I just can't see it.


These are the simplest rules I could think of with the ongoing
process of modifying them for my final needs.  My ultimate goal is to
be able to grep the alert file for this LOCAL message and grab the
timestamps; I want come up with a way to sanity check the duration of
established ssh sessions to compare against host machine log files.

Here are the rules:

[root () netsniff emerging]# cat /usr/local/etc/rules/local.rules
# $Id: local.rules,v 1.13 2005/02/10 01:11:04 bmc Exp $
# ----------------
# LOCAL RULES
# ----------------
#
alert tcp $EXTERNAL_NET any -> $NETSYS_NET $SSH_PORTS
(flow:stateless; flags:S,12; msg: "LOCAL Connection attempt -- NetSys
asset on port 22"; sid: 2008001;)
alert tcp $EXTERNAL_NET any -> $NETSYS_NET $SSH_PORTS
(flow:stateless; flags:F,12; msg: "LOCAL Connection termination --
NetSys asset on port 22"; sid: 2008002;)
alert tcp $EXTERNAL_NET any -> $NETSYS_NET $SSH_PORTS
(flow:stateless; flags:R,12; msg: "LOCAL Connection reset -- NetSys
asset for port 22"; sid: 2008003;)
[root () netsniff emerging]#

The variables EXTERNAL_NET, NETSYS_NET, SSH_PORTS are all defined:

var HOME_NET 137.165.0.0/16
var NETSYS_NET 137.165.224.0/24
var EXTERNAL_NET !$HOME_NET


RULE_PATH is defined as var RULE_PATH /usr/local/etc/rules


Here is the portion of the snort.conf file that "includes" the
local.rules file:

#
# Please read the specific include file for more information and
# README.alert_order for how rule ordering affects how alerts are
triggered.
#=========================================

include $RULE_PATH/local.rules
# include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules


I have stopped and restarted snort with the same command line I
always use:

snort -A full -i eth3 -N -K none -c /usr/local/etc/snort.conf -D

PeteC


Peter Charbonneau
Sr. Network and Systems Administrator
Williams College
(413) 597-3408 (office)
(413) 822-2922 (cell)








- --
Adam Carlson
Chief Security Officer
Information Technology
Residential and Student Service Programs
Tel: 510-643-0631
Mobile: 510-220-2477
Email: ajcarlson () berkeley edu

"Most of the things worth doing in the world had been declared
impossible before they were done." ~Louis D. Brandeis

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkk1z44ACgkQT0QSLt7kiaC+fQCfW4xDizIBvkZUrO/Jl3tsrFXP
95sAnjG4jKz6xuZdccfy9+p79NQAM76o
=mDr8
-----END PGP SIGNATURE-----

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]