Snort mailing list archives
Re: Newbie: Bot Detection Rule
From: George Yobst <george () lincc lib or us>
Date: Thu, 21 Jun 2001 12:22:00 -0700 (PDT)
Hi Craig,

Sorry about the appalling lack of info. I'm running it on a FreeBSD 4.3 Stable with IPFilter as the FW.

My question comes down to this: The rule(s) I can create, but how do I actually test them to make sure they work? I'm not up to creating fake bots. I don't want to get one and unleash it on my network. Is there a way to create packets with that port number that I can use to run thru Snort? Something that will trigger the alert to make sure it works?

I don't care about Gibson, the man. I do care about his research, and its potentials. I want to be prepared for this kind of attack and I don't want my organization's computers to be used by the Bots.

-George

On Thu, 21 Jun 2001, Craig Woods wrote:

> Hi George,
>
> Because you did not say much about your setup, i.e. OS type, networked or stand alone server, or just a workstation using ppp, I thought I would toss in some added info. Hopefully you have filtered any ports you have listening on an internet interface. Snort, like any IDS, will report an attempted or a successful intrusion. Just make sure you are running some kind of firewall protection that prevents such intrusions.
>
> Notwithstanding Gibson's perceived reputation (the point here is not about Steve Gibson's personality but it is about the principle of what a DDOS attack is all about), his account of the attack is worthy of being read and understood. A DDOS attack is "real", and should be considered in any attempts to secure your machine.
>
> Just my two cents,
> Craig Woods
> UNIX SA
>
> George Yobst wrote:
>>
>> Hi all,
>> I was just reading this article about how Gibson Research was knocked off the net ( http://grc.com/dos/grcdos.htm ). Near the end of the article was a section on detecting these bots. As a new snort user, I can probably RTM and create some rules that create an alert for ports 6667 and 113, but how do I test it?
>>
>> -George

---------------------------------------------------------------------------
George Yobst, Library Technology Specialist          phone: 503.723.4890
Library Information Network of Clackamas County      fax:   503.794.8238
16239 SE McLoughlin Blvd, Suite 208                  web:   http://www.lincc.lib.or.us
Oak Grove, OR 97267-4654                             email: george () lincc lib or us
"...it is impossible for anyone to begin to learn
what he thinks he already knows." - Epictetus

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
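The usual way to exercise a port rule without touching a live bot is to craft the packet yourself, save it to a pcap, and replay the file through Snort with `-r`. The script below is an added example written for this archive page; it is not code from the thread or from the Snort project. It builds an Ethernet/IPv4/TCP SYN to each of the two ports the thread mentions (6667 and 113) with valid IP and TCP checksums, writes a classic libpcap file, and decodes the frame back so you can confirm the destination port before replaying. All addresses, MACs and the rule text in the comments are constructed for the example; the `sid` value is hypothetical, and `snort.conf` stands for whatever configuration file loads your rule.

```python
# Added example: craft test packets for a Snort port rule and save them as a pcap.
# Assumes a rule along these lines in the loaded rules file (hypothetical sid):
#   alert tcp any any -> any 6667 (msg:"Bot test: TCP/6667"; sid:1000001;)
# Replay the file through Snort with:  snort -r ircbot_test.pcap -c snort.conf
import socket
import struct
import time

# Constructed addresses and MACs (documentation range); nothing here is a real host.
SRC_IP, DST_IP = "192.0.2.10", "192.0.2.20"
SRC_MAC = bytes.fromhex("020000000001")
DST_MAC = bytes.fromhex("020000000002")
BOT_PORTS = (6667, 113)  # the two ports the thread wants rules for


def _checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_syn(src_ip, dst_ip, sport, dport, seq=0x1000):
    """Ethernet/IPv4/TCP SYN frame (54 bytes) with valid IP and TCP checksums."""
    # TCP header: sport, dport, seq, ack, data offset 5 words, flags SYN, window, csum 0, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 8192, 0, 0)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, 6, len(tcp)))
    tcp = tcp[:16] + struct.pack("!H", _checksum(pseudo + tcp)) + tcp[18:]
    # IPv4 header: ver/ihl, tos, total length, id, flags/frag, ttl, proto TCP, csum 0, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    return DST_MAC + SRC_MAC + b"\x08\x00" + ip + tcp


def decode(frame: bytes) -> dict:
    """Pull the fields a port rule cares about back out of a frame."""
    ip, tcp = frame[14:34], frame[34:54]
    return {
        "src_ip": socket.inet_ntoa(ip[12:16]),
        "dst_ip": socket.inet_ntoa(ip[16:20]),
        "sport": struct.unpack("!H", tcp[0:2])[0],
        "dport": struct.unpack("!H", tcp[2:4])[0],
        "syn": bool(tcp[13] & 0x02),
    }


def checksums_valid(frame: bytes) -> bool:
    """Both checksums verify: the sum over a header that includes its checksum is zero."""
    ip, tcp = frame[14:34], frame[34:]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return _checksum(ip) == 0 and _checksum(pseudo + tcp) == 0


def would_match_port_rule(frame: bytes) -> bool:
    """Cheap pre-check before replaying: does the destination port hit a rule port?"""
    return decode(frame)["dport"] in BOT_PORTS


def pcap_bytes(frames, snaplen=65535) -> bytes:
    """Classic libpcap file: 24-byte global header plus a 16-byte record header per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)  # linktype 1 = Ethernet
    ts = int(time.time())
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, i, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    frames = [build_tcp_syn(SRC_IP, DST_IP, 40000 + i, port)
              for i, port in enumerate(BOT_PORTS)]
    with open("ircbot_test.pcap", "wb") as fh:
        fh.write(pcap_bytes(frames))
    for f in frames:
        print(decode(f), "hits rule port:", would_match_port_rule(f))
```

Replaying a file with `snort -r` lets you confirm the rule fires on a SYN alone; if your rule also uses `flow:established` or content matches, extend the generator with the rest of the handshake and a payload, because a bare SYN will not satisfy those options.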
Current thread:
- Newbie: Bot Detection Rule George Yobst (Jun 21)
- Re: Newbie: Bot Detection Rule Craig Woods (Jun 21)
- Re: Newbie: Bot Detection Rule George Yobst (Jun 21)
- Re: Newbie: Bot Detection Rule Chris Green (Jun 21)
- Re: Newbie: Bot Detection Rule George Yobst (Jun 21)
- Re: Newbie: Bot Detection Rule Brian Caswell (Jun 21)
- Re: Newbie: Bot Detection Rule Vitaly Osipov (Jun 22)
- Re: Newbie: Bot Detection Rule Craig Woods (Jun 21)
