Snort mailing list archives
Thoughts on Snort-flex rule?
From: Rich Adamson <radamson () routers com>
Date: Sun, 26 Jan 2003 09:09:01 -0600
Three questions:

1. Is there a way to configure snort (e.g., rules or other options) to track portscans, web application attacks, etc., from a single source IP address, and flex-respond to "all" future activity from that source for the next five minutes (or some other preconfigured time frame) regardless of the next target IP from that source?

   I fully understand the difficulty of tuning snort rules to trigger on specific events; however, we've all seen alerts such as:

   0x0030: 43 80 04 2B 00 00 48 45 41 44 20 2F 73 61 6D 70  C..+..HEAD /samp
   0x0040: 6C 65 73 2F 2E 2E 25 63 31 25 39 63 2E 2E 2F 2E  les/..%c1%9c../.
   0x0050: 2E 25 63 31 25 39 63 2E 2E 2F 2E 2E 25 63 31 25  .%c1%9c../..%c1%
   0x0060: 39 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65  9c../winnt/syste
   0x0070: 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64  m32/cmd.exe?/c+d
   0x0080: 69 72 3F 2F 63 2B 64 69 72 2B 63 3A 5C 20 48 54  ir?/c+dir+c:\ HT

   followed by (or preceded by) the same set of activities over and over again.

2. Are there any other inexpensive hardware/software solutions (besides commercial firewalls, in-line linux-type boxes, etc.) that would act as a gateway of sorts, that snort could control to essentially create the reactive function noted in #1, above? I'm quite familiar with the delay issues of reacting to such events, and the risk associated with not stopping the initial scans, etc.

3. Has anyone tried to create a tcl/snmp/other mechanism to dynamically modify a Cisco router access control list to accomplish the above?

Rich
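The reactive behaviour asked for in questions 1 and 3 (remember a hostile source, hold it for a fixed window no matter which target it hits next, and turn the current list into a router ACL) can be prototyped outside Snort by consuming its alert_fast output. The script below is an added example written for this archive page; it is not code from the original thread, from Snort, or from Cisco. It assumes Snort 2.x alert_fast line layout, a constructed set of sample alert lines, and a hypothetical block policy (priority 1 or 2 alerts arm a five-minute hold). Pushing the generated ACL to the router (tcl, SNMP, expect over telnet) is deliberately left out; the script only renders the IOS configuration lines.

```python
"""Added example (not from the thread, not Snort's own code): keep a per-source
block list fed by Snort alert_fast lines, hold each source for a fixed window
regardless of which target it hits next, and render the live list as a Cisco
IOS named extended ACL that a separate push mechanism can apply."""
import re
from datetime import datetime

# Snort 2.x alert_fast layout (one alert per line). Ports are optional so
# ICMP alerts parse too; the [Classification] and [Priority] tags may be absent.
ALERT_RE = re.compile(
    r"^(?P<date>\d\d/\d\d)-(?P<time>\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<prio>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# alert_fast omits the year; assume the thread's year (assumption for the example).
EPOCH = datetime(2003, 1, 1)


def to_ts(date, time):
    """'MM/DD' + 'HH:MM:SS' -> seconds since EPOCH."""
    dt = datetime.strptime(f"{date} {time}", "%m/%d %H:%M:%S").replace(year=EPOCH.year)
    return (dt - EPOCH).total_seconds()


def parse_alert(line):
    """Return a dict for a well-formed alert line, None for anything else."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    return {
        "ts": to_ts(m["date"], m["time"]),
        "sid": int(m["sid"]),
        "msg": m["msg"],
        "priority": int(m["prio"]) if m["prio"] else None,  # None = not stated by Snort
        "src": m["src"],
        "dst": m["dst"],
    }


class BlockList:
    """Per-source holds keyed only on the attacker's IP; the target IP is ignored on purpose."""

    def __init__(self, hold_seconds=300, block_priority=2):
        self.hold = hold_seconds
        # Snort priority 1 is the most severe; block at this number or lower (hypothetical policy).
        self.block_priority = block_priority
        self.expires = {}   # src ip -> time at which the hold lapses
        self.reasons = {}   # src ip -> message of the alert that last (re)armed the hold

    def observe(self, alert):
        """Arm or extend the hold for the alert's source. Returns True if the source is held."""
        prio = alert["priority"]
        if prio is None or prio > self.block_priority:
            return False
        src = alert["src"]
        # A fresh alert never shortens an existing hold; it only pushes the expiry out.
        self.expires[src] = max(self.expires.get(src, 0), alert["ts"] + self.hold)
        self.reasons[src] = alert["msg"]
        return True

    def blocked(self, now):
        return sorted(ip for ip, exp in self.expires.items() if exp > now)

    def expire(self, now):
        """Drop lapsed holds; returns the IPs released."""
        lapsed = [ip for ip, exp in self.expires.items() if exp <= now]
        for ip in lapsed:
            del self.expires[ip]
            self.reasons.pop(ip, None)
        return sorted(lapsed)

    def acl_lines(self, now, name="SNORT-BLOCK"):
        """Render the live list as an IOS named extended ACL (caller replaces the old one)."""
        lines = [f"ip access-list extended {name}"]
        for ip in self.blocked(now):
            lines.append(f" remark {self.reasons[ip][:100]}")
            lines.append(f" deny ip host {ip} any")
        # Always close with an explicit permit so an empty list never becomes "deny everything".
        lines.append(" permit ip any any")
        return lines


def replay(lines, hold_seconds=300, block_priority=2):
    """Feed alert lines through a BlockList; non-alert lines are skipped."""
    bl = BlockList(hold_seconds, block_priority)
    for line in lines:
        alert = parse_alert(line)
        if alert:
            bl.observe(alert)
    return bl


# Constructed sample alert_fast lines (not real captures): one source hitting two
# different targets, a second source with a priority-2 alert, a priority-3 ping, and junk.
SAMPLE_ALERTS = [
    "01/26-09:00:00.123456  [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:3412 -> 192.168.1.10:80",
    "01/26-09:01:00.000001  [**] [1:2003:2] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 172.16.4.4:1040 -> 192.168.1.30:1434",
    "01/26-09:02:30.654321  [**] [1:1945:1] WEB-IIS unicode directory traversal attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:3500 -> 192.168.1.20:80",
    "01/26-09:03:00.000000  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 3] {ICMP} 10.9.9.9 -> 192.168.1.5",
    "snort: *** Caught Int-Signal (not an alert line, must be ignored)",
]

if __name__ == "__main__":
    bl = replay(SAMPLE_ALERTS)
    for clock in ("09:04:00", "09:06:30", "09:08:00"):
        now = to_ts("01/26", clock)
        print(clock, "held:", bl.blocked(now))
    print("\n".join(bl.acl_lines(to_ts("01/26", "09:06:30"))))
```

Run against the constructed lines, 10.0.0.5 is held from its first alert at 09:00:00 and its second alert (against a different target) pushes the hold out to 09:07:30; 172.16.4.4 lapses at 09:06:00; the priority-3 NMAP ping never arms a hold. The ACL is regenerated in full each time rather than patched line by line, so the push side only ever has to replace one named ACL, and the trailing permit keeps an interface that references it from blackholing everything when the list is empty.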
Current thread:
- Thoughts on Snort-flex rule? Rich Adamson (Jan 26)
- Re: Thoughts on Snort-flex rule? Erek Adams (Jan 26)
- SNMP - SNORT Mike Koponick (Jan 26)
- RH 8.0 & SNMP Mike Koponick (Jan 26)
- Rule help Gordon Cunningham (Jan 27)
- Re: Rule help Erick Mechler (Jan 27)
- RE: Rule help Gordon Cunningham (Jan 27)
- Re: Rule help Erek Adams (Jan 27)