Security Incidents mailing list archives

RE: slowing down the spread of worms


From: Rob Keown <Keown () MACDIRECT COM>
Date: Sun, 30 Sep 2001 19:57:44 -0400

While this thread is a little off-topic, here is an interesting idea. We
have a Labrea machine on a few of our Class C's with available addresses.
I'm curious what others might think or any "proof-of-concept" out there.

http://archives.neohapsis.com/archives/firewalls/2001-q3/1091.html

Rob Keown

-----Original Message-----
From: Nathan W. Labadie [mailto:ab0781 () wayne edu]
Sent: Sunday, September 30, 2001 5:33 PM
To: incidents () securityfocus com
Subject: slowing down the spread of worms


Is anyone else using the "flexible response" feature of snort to slow 
down the spread of recent worms? I've been testing it and so far it 
appears to be extremely effective. More information here:

http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.3.22

I'm currently running snort against a mirror of all the traffic for two 
class b subnets (academic environment). Ever since the release of 
codered, attempting to keep up with the number of IIS-related alerts is 
impossible. There simply aren't the resources to parse through 100,000+ 
alerts at the end of the day. An unpatched IIS machine placed on the 
network would usually become infected with either nimda or codered 
within 6-12 hours. Using "flexible response" seems to be a feasible way 
to slow things down a bit.

Here are a few of the rules from snort.conf:
---snip---
var RESP_TCP resp:rst_all
var RESP_UDP resp:icmp_all

pass tcp $EXTERNAL_NET any -> $INSIDE 80 ($RESP_TCP; msg:"WEB-IIS cmd.exe access (FlexRsp)"; flags: A+; content:"cmd.exe"; nocase; classtype:attempted-user; sid:1002; rev:1;)
pass tcp $EXTERNAL_NET any -> $INSIDE 80 ($RESP_TCP; msg:"WEB-IIS CodeRed v2 root.exe access (FlexRsp)"; flags: A+; uricontent:"scripts/root.exe?"; nocase; classtype: attempted-admin; sid: 1256; rev: 1;)
---snip---

Now you might be wondering why I'd use "pass" for these rules. As I 
mentioned above, there simply aren't the resources to go through all of 
the alerts at the end of the day. When "pass" is used, snort still 
executes $RESP_TCP each time it sees a request for root.exe or 
command.exe, it just doesn't generate an alert.

Before using flexresp (connection _is_ established):

[root@scanner root]# wget http://XXX.XXX.XXX.XXX/cmd.exe
--17:23:20--  http://XXX.XXX.XXX.XXX/cmd.exe
           => `cmd.exe'
Connecting to XXX.XXX.XXX.XXX:80... connected!
HTTP request sent, awaiting response... 404 Not Found
17:23:20 ERROR 404: Not Found.

After enabling flexresp:

--17:26:02--  http://XXX.XXX.XXX.XXX/cmd.exe
  (try: 2) => `cmd.exe'
Connecting to XXX.XXX.XXX.XXX:80... connected!
HTTP request sent, awaiting response...
Read error (Connection reset by peer) in headers.

Essentially, snort is able to (silently) terminate all incoming 
requests for cmd.exe and root.exe.

Hope this helps,
Nate

-- 
Nathan W. Labadie       | ab0781 () wayne edu   
Sr. Security Specialist | 313/577.2126
Wayne State University  | 313/577.5626 fax
C&IT Security Office: http://security.wayne.edu
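As an added illustration (not part of either post, and not Snort's own parser), the following Python script models the rules Nate quoted: it expands the `var` definitions, parses each rule's header and options, and evaluates a few constructed HTTP requests to show which rule would fire, which response option it carries after `$RESP_TCP` expansion, and that a `pass` rule yields no alert. The sample requests, the hostname `example.test` and the `evaluate` helper are assumptions made for the example; the behaviour that a `pass` rule still fires `resp` is modelled exactly as the post describes it.

```python
"""Toy model of the Snort flexible-response rules quoted in the post: expand
`var` definitions, parse each rule's header and options, and evaluate
constructed HTTP requests to see which rule (and which response) would fire.
Added illustration only; it is not Snort's parser and the requests are constructed."""
import re
from dataclasses import dataclass
from typing import Optional

# The rules from the post, one per line.
SNORT_CONF = """\
var RESP_TCP resp:rst_all
var RESP_UDP resp:icmp_all

pass tcp $EXTERNAL_NET any -> $INSIDE 80 ($RESP_TCP; msg:"WEB-IIS cmd.exe access (FlexRsp)"; flags: A+; content:"cmd.exe"; nocase; classtype:attempted-user; sid:1002; rev:1;)
pass tcp $EXTERNAL_NET any -> $INSIDE 80 ($RESP_TCP; msg:"WEB-IIS CodeRed v2 root.exe access (FlexRsp)"; flags: A+; uricontent:"scripts/root.exe?"; nocase; classtype: attempted-admin; sid: 1256; rev: 1;)
"""

HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$')


@dataclass
class Rule:
    action: str                 # "pass" here: no alert, but resp still fires (per the post)
    proto: str
    dst_port: str
    sid: str
    msg: str
    resp: Optional[str]         # e.g. "rst_all" after $RESP_TCP expansion
    content: Optional[str]      # search anywhere in the payload
    uricontent: Optional[str]   # search limited to the request URI
    nocase: bool


def parse_conf(text: str):
    """Expand `var` definitions and parse rule lines; returns a list of Rule."""
    variables, rules = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('var '):
            _, name, value = line.split(None, 2)
            variables[name] = value
            continue
        for name, value in variables.items():   # substitute $RESP_TCP etc.
            line = line.replace('$' + name, value)
        m = HEADER_RE.match(line)
        if not m:
            raise ValueError(f'unparsable rule: {line!r}')
        opts, flags = {}, set()
        for opt in m['opts'].split(';'):
            opt = opt.strip()
            if not opt:
                continue
            if ':' in opt:                       # key:value option (spaces tolerated)
                key, val = opt.split(':', 1)
                opts[key.strip()] = val.strip().strip('"')
            else:                                # bare modifier such as nocase
                flags.add(opt)
        rules.append(Rule(m['action'], m['proto'], m['dport'], opts.get('sid', ''),
                          opts.get('msg', ''), opts.get('resp'), opts.get('content'),
                          opts.get('uricontent'), 'nocase' in flags))
    return rules


def request_uri(payload: str) -> str:
    """URI from the request line ('GET /path HTTP/1.0')."""
    parts = payload.split('\r\n', 1)[0].split(' ')
    return parts[1] if len(parts) >= 2 else ''


def rule_matches(rule: Rule, payload: str, dst_port: int = 80) -> bool:
    if rule.proto != 'tcp' or rule.dst_port not in ('any', str(dst_port)):
        return False
    fold = (lambda s: s.lower()) if rule.nocase else (lambda s: s)
    if rule.content is not None and fold(rule.content) not in fold(payload):
        return False
    if rule.uricontent is not None and fold(rule.uricontent) not in fold(request_uri(payload)):
        return False
    return True


def evaluate(payload: str, rules) -> Optional[dict]:
    """First matching rule as {sid, alert, resp}; alert is False for 'pass'
    rules, modelling the post's point that they reset without logging."""
    for r in rules:
        if rule_matches(r, payload):
            return {'sid': r.sid, 'alert': r.action == 'alert', 'resp': r.resp}
    return None


# Constructed sample requests (not captured traffic); 'cmd' mirrors the wget in the post.
SAMPLES = {
    'cmd':    'GET /cmd.exe HTTP/1.0\r\nHost: example.test\r\n\r\n',
    'root':   'GET /scripts/root.exe?sample HTTP/1.0\r\nHost: example.test\r\n\r\n',
    'benign': 'GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n',
}

RULES = parse_conf(SNORT_CONF)

if __name__ == '__main__':
    for name, req in SAMPLES.items():
        print(name, evaluate(req, RULES))
```

Running it shows the `cmd` request hitting sid 1002 and the `root` request hitting sid 1256, each carrying `rst_all` with `alert` set to False, while the benign request matches nothing; that is the trade-off the post makes with `pass`: the reset is sent, but nothing reaches the alert log for later review.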


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
