Snort mailing list archives

RE: Traffic anomaly detection


From: Erek Adams <erek () snort org>
Date: Thu, 13 Feb 2003 09:27:38 -0500 (EST)

On Wed, 12 Feb 2003, Williams Jon wrote:

[...excellent points snipped...]

      alert tcp any 80 -> any any (msg:"rejected on HTTP";flags:AR;)

Another thing to consider is what your machines are and what they _should_
do--This ties into exactly what Jon states below.  So...

If you have a Web server, you know that it should never initiate a
connection, only respond to them.

        alert tcp $HTTP_SERVER any -> any any (msg:"outbound connection from a Web server!!";flags:S;)

That will help with something like that.  You can also use the same rule
for Telnet, FTP, SSH, etc.

[...more excellent points snipped...]

YMMV.  I'm finding more "offenders", so to speak, with my custom written
anomaly rules than I do with the stuff I download from snort.org.  Most of
that comes from the fact that I've spent probably 100 hours over the course
of the past year or so working with people here to understand what my
network really looks like, what it really _should_ look like, and then
_carefully_ crafting rules that alert on things that I know shouldn't be
there.  This is definitely *NOT* a quick fix, since every rule I turn on
usually uncovers another digital body that adds another six month project to
my list, but if you're serious about understanding your network, it's a good
exercise.

I can't stress to people about the importance of doing this.  You need to
get a _real_ network map, not just a "I think this is connected to that."
You need to see what's on _each_ and _every_ subnet.  Drop a sniffer onto
each one, and snarf traffic for a day.  Lather, Rinse, Repeat.  No, this
isn't a quick or simple process, but it is a _VERY_ crucial part of a
Snort install--IMHO, anyway.  :)  This should be everyone's first step of
getting _any_ type of IDS running.

Then you are able to tune your rules, removing things you don't need and/or
want.  Changing rules to fit your site.  Adding ones that you need.
Then if you want, build your "Holy Moly Batman!" rules.  They become
_very_ handy at times.  In one case, they helped track down someone's
un-WEP'ed AP they had brought in from home.

Thanks for all the good thoughts and points!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
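An added example, not part of the original post or of Snort itself, of turning a network map into the kind of "should never initiate" rules discussed above: it emits one Snort 2 rule per inventoried server and checks constructed packet summaries against the same policy. The server addresses, roles, sid range and packet records are assumptions made up for illustration.

```python
"""Generate 'this host should never initiate' Snort rules from an inventory
and evaluate packet summaries against the same policy.  Added example; the
inventory, sids and packets below are constructed, not from a real network."""

# Constructed inventory (TEST-NET addresses): server IP -> role it provides.
# Each of these hosts should only answer connections, never open them.
SERVERS = {"192.0.2.10": "Web", "192.0.2.21": "FTP"}


def outbound_rule(ip: str, role: str, sid: int) -> str:
    """One Snort 2 rule that fires on a bare SYN sent *by* the server.

    flags:S matches only when SYN is the sole flag set, so a SYN/ACK reply
    to a client does not trigger it.  Local rules use sid >= 1000000."""
    return (f'alert tcp {ip} any -> any any '
            f'(msg:"outbound connection from a {role} server"; '
            f'flags:S; sid:{sid}; rev:1;)')


def build_rules(servers: dict, first_sid: int = 1000000) -> list:
    """Deterministic rule set, one sid per server (sorted by address)."""
    return [outbound_rule(ip, role, first_sid + i)
            for i, (ip, role) in enumerate(sorted(servers.items()))]


# Constructed packet summaries: (src, sport, dst, dport, tcp_flags)
PACKETS = [
    ("198.51.100.7", 51234, "192.0.2.10", 80, "S"),     # client -> web: normal
    ("192.0.2.10", 80, "198.51.100.7", 51234, "SA"),    # web SYN/ACK reply: normal
    ("192.0.2.10", 44000, "203.0.113.5", 6667, "S"),    # web server initiates: alert
    ("192.0.2.21", 21, "198.51.100.9", 40000, "AR"),    # FTP reset, not a SYN
]


def violations(packets: list, servers: dict) -> list:
    """Return (src, dst, dport, role) for every packet the generated rules
    would match: a pure SYN whose source is an inventoried server."""
    return [(src, dst, dport, servers[src])
            for src, _, dst, dport, flags in packets
            if flags == "S" and src in servers]


if __name__ == "__main__":
    for rule in build_rules(SERVERS):
        print(rule)
    for hit in violations(PACKETS, SERVERS):
        print("would alert:", hit)
```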

