Snort mailing list archives
Re: How's best to alert on Web connections that *don't* contain particular content?
From: Martin Roesch <roesch () sourcefire com>
Date: Wed, 26 Feb 2003 21:26:37 -0500
Hi Jason,

The regex option doesn't work, it never has. For basic wildcarding, you can use the distance/within keywords.
Do you just want to look for outbound SYN packets from your DMZ? Seems like that might do a nice job of picking up a system that gets compromised. Additionally, if you only have a few server ports you can just write a set of pass rules to ignore traffic on the ports that you know will be used.
You can also do something like

alert tcp $DMZ ANY -> $EXTERNAL_NET 80 (\
  flow: to_server, established; \
  content: "Host|3a|"; \
  content: !"Host|3a|"; distance: 1; \
  content: !"trend"; distance: 1; nocase; \
  tag: session, 10, packets; \
  blah blah blah...

That might work for you...

-Marty

On Tuesday, February 25, 2003, at 03:46 PM, Jason Haar wrote:
I'm wanting to get snort to alert whenever it sees our DMZ hosts connect outbound on services they're not meant to be using. Sounds like a good idea - should only trigger once a break in has occurred.

Anyway, one problem is our DMZ anti-virus SMTP servers with all their auto-updates. We have DMZes throughout the world, and so far I have discovered that our Trend InterScan VirusWall servers have connected to no less than 40 different networks (not hosts!) to get Trend pattern file updates from. Gah! There's no way I can put an exclude list in to tell snort to ignore port 80 connections to that many sites - and of course they could change from week to week.

Instead I decided to look at the content, and to alert only if a port 80 connection looks like it's a non-Trend request. i.e.

alert tcp $DMZES_NETS any -> any 80 (msg:"DMZ host communicating to an \
unsupported service";flow:to_server,established; content:"Host|3a|"; \
regex:!"Host|3a|*trend";nocase;tag: session, 10,packets;\
classtype:successful-admin;sid:1000001;rev:2;\
reference: url,/secure/cvename.php?name=1000001;)

So what it's doing is looking for a "Host:" header - which implies it's a Web request, and then alerts IFF it doesn't contain "Host:*trend" - as all the Trend update servers contain that string in their DNS hostnames.

It seems to work, but I'm still getting the odd hit - the packet caught does contain "Host:*trend" - so I don't know why it's triggering. Is the regex code pretty solid? Any ideas?

Also, is there a way of alerting on non-HTTP traffic on port 80? The above rule would catch the likes of an outgoing CodeRed - but it wouldn't trigger on a successful hacker going back to his SSH server running on port 80. Can you do something like "flow:to_server,established;nouricontent"?

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

-------------------------------------------------------
This sf.net email is sponsored by: ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616
Sourcefire: Enterprise-class Intrusion detection built on Snort
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
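The negated, relative content matching that Marty's rule relies on, as an added example that is not part of the thread: a small Python emulator of the content/distance/nocase semantics (the semantics are assumed as stated in the comments, this is not Snort's engine), run over constructed HTTP payloads. It also shows why a stream with no "Host:" header, such as SSH on port 80, never fires the rule, which is Jason's second question.

```python
# Added example, not from the thread. Assumed semantics, modelled on Snort's
# content/distance/nocase keywords: a positive match moves the cursor to the
# end of the match; 'distance: N' starts the next search N bytes past the
# cursor; a negated content (!) fails the rule if its pattern IS found from
# there to the end of the payload, and does not move the cursor.

# (pattern, negated, distance, nocase): Marty's three content options.
MARTY_RULE = [
    (b"Host:", False, None, False),  # content: "Host|3a|"
    (b"Host:", True, 1, False),      # content: !"Host|3a|"; distance: 1
    (b"trend", True, 1, True),       # content: !"trend"; distance: 1; nocase
]


def matches(payload: bytes, rule) -> bool:
    """Return True when every content option in `rule` is satisfied."""
    cursor = 0
    for pattern, negated, distance, nocase in rule:
        # Absolute search from offset 0 unless the option is relative.
        start = 0 if distance is None else cursor + distance
        hay, needle = (payload.lower(), pattern.lower()) if nocase else (payload, pattern)
        idx = hay.find(needle, start)
        if negated:
            if idx != -1:
                return False  # forbidden pattern present after the cursor
            continue          # a negated match leaves the cursor unchanged
        if idx == -1:
            return False
        cursor = idx + len(pattern)
    return True


# Constructed payloads standing in for the client-to-server stream content.
TREND_UPDATE = b"GET /pattern/lpt.zip HTTP/1.1\r\nHost: update.trendmicro.example\r\n\r\n"
NON_TREND = b"GET /cgi-bin/x HTTP/1.1\r\nHost: www.example.net\r\n\r\n"
TREND_IN_URI = b"GET /trend/ HTTP/1.1\r\nHost: www.example.net\r\n\r\n"
SSH_BANNER = b"SSH-2.0-OpenSSH_3.5p1\r\n"  # non-HTTP traffic on port 80

SAMPLES = [
    ("trend-update", TREND_UPDATE),
    ("non-trend", NON_TREND),
    ("trend-in-uri", TREND_IN_URI),
    ("ssh-on-80", SSH_BANNER),
]

if __name__ == "__main__":
    for name, payload in SAMPLES:
        print(f"{name:13s} alert={matches(payload, MARTY_RULE)}")
```

Only the two non-Trend HTTP requests alert; "trend" in the URI does not suppress the alert because the search is relative to the end of "Host:", and the SSH banner is silently passed, so a second rule is needed for non-HTTP traffic on port 80.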
Current thread:
- How's best to alert on Web connections that *don't* contain particular content? Jason Haar (Feb 25)
- Re: How's best to alert on Web connections that *don't* contain particular content? Kenneth G. Arnold (Feb 25)
- Re: How's best to alert on Web connections that *don't* contain particular content? Jason Haar (Feb 25)
- Re: How's best to alert on Web connections that *don't* contain particular content? Phil Wood (Feb 25)
- Re: How's best to alert on Web connections that *don't* contain particular content? Frank Knobbe (Feb 26)
- Re: How's best to alert on Web connections that *don't* contain particular content? Jason Haar (Feb 25)
- Re: How's best to alert on Web connections that *don't* contain particular content? Brian (Feb 26)
- Re: How's best to alert on Web connections that *don't* contain particular content? Martin Roesch (Feb 26)
- <Possible follow-ups>
- RE: How's best to alert on Web connections that *don't* contain particular content? Schmehl, Paul L (Feb 25)
- Re: How's best to alert on Web connections that *don't* contain particular content? Kenneth G. Arnold (Feb 25)