Snort mailing list archives
Rule to match all non-HTTP traffic
From: "Stephen Teti" <steti () monmouth com>
Date: Mon, 18 Nov 2013 08:51:29 -0500
Hello,

I'm having some trouble figuring out how to write two separate rules - one to match HTTP or HTTPS traffic (based solely on source port number) and another rule to match everything else. The purpose of these rules is to act as a very simple warning of a possible DoS attack, based only on the number of packets per second directed at a particular IP address.

I initially had a single rule that would fire an alert if it observed more than 50,000 packets over 5 seconds directed to a single IP address:

alert ip !$HOME_NET -> $HOME_NET any (msg:"PossibleDoS"; flow: stateless; detection_filter: track by_dst, count 50000, seconds 5; sid:1000001;rev:1;)
event_filter gen_id 1, sig_id 1000001, type limit, track by_dst, count 1, seconds 60

This worked well for my purposes, but requirements have changed and I need to have different limits for HTTP traffic vs other traffic. My rule config now looks like this (/etc/snort/rules/local.rules):

# TCP, not HTTP or HTTPS
alert tcp !$HOME_NET [!80,!443] -> $HOME_NET any (msg:"PossibleTcpDoS"; flow: stateless; detection_filter: track by_dst, count 50000, seconds 5; sid:1000001;rev:1;)
event_filter gen_id 1, sig_id 1000001, type limit, track by_dst, count 1, seconds 60

# HTTP or HTTPS
alert tcp !$HOME_NET [80,443] -> $HOME_NET any (msg:"PossibleHttpDoS"; flow: stateless; detection_filter: track by_dst, count 100000, seconds 5; sid:1000002;rev:1;)
event_filter gen_id 1, sig_id 1000002, type limit, track by_dst, count 1, seconds 60

# UDP
alert udp !$HOME_NET any -> $HOME_NET any (msg:"PossibleUdpDoS"; detection_filter: track by_dst, count 50000, seconds 5; sid:1000003;rev:1;)
event_filter gen_id 1, sig_id 1000003, type limit, track by_dst, count 1, seconds 60

# Other IP
alert ip !$HOME_NET [!80,!443] -> $HOME_NET any (msg:"PossibleIpDoS"; flow: stateless; detection_filter: track by_dst, count 50000, seconds 5; sid:1000004;rev:1;)
event_filter gen_id 1, sig_id 1000004, type limit, track by_dst, count 1, seconds 60

This doesn't seem to do what I'm intending though - I received an alert this morning for the "PossibleIpDoS" rule that was triggered by HTTP traffic. It appears that the traffic passed the first 3 rules but tripped the alert on the fourth rule. Here is the output from my alert log (IP addresses changed to protect the innocent):

11/18-07:03:40.426861 [**] [1:1000004:1] PossibleIpDoS [**] [Priority: 0] {TCP} 198.51.100.1:80 -> 192.0.2.1:21502

My snort version and snort.conf are included below. Any help would be appreciated.

Thanks,
Steve Teti
steti () monmouth com

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.0.3 IPv6 GRE (Build 98)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2010 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using PCRE version: 6.6 06-Feb-2006
           Using ZLIB version: 1.2.3

snort.conf:

ipvar HOME_NET [64.19.128.0/18,207.232.64.0/20,209.191.0.0/18]
ipvar EXTERNAL_NET any
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules
config disable_decode_alerts
config disable_tcpopt_experimental_alerts
config disable_tcpopt_obsolete_alerts
config disable_tcpopt_ttcp_alerts
config disable_tcpopt_alerts
config disable_ipopt_alerts
config checksum_mode: all
config pcre_match_limit: 3500
config pcre_match_limit_recursion: 1500
config detection: search-method ac-split search-optimize max-pattern-len 20
config event_queue: max_queue 8 log 3 order_events content_length
dynamicpreprocessor directory /usr/lib/snort-2.9.0.3_dynamicpreprocessor
dynamicengine /usr/lib/snort-2.9.0.3_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/lib/snort-2.9.0.3_dynamicrules
output alert_syslog: LOG_AUTH LOG_ALERT
include classification.config
include reference.config
include $RULE_PATH/local.rules
include threshold.conf

classification.config:

config classification: not-suspicious,Not Suspicious Traffic,3
config classification: unknown,Unknown Traffic,3
config classification: bad-unknown,Potentially Bad Traffic, 2
config classification: attempted-recon,Attempted Information Leak,2
config classification: successful-recon-limited,Information Leak,2
config classification: successful-recon-largescale,Large Scale Information Leak,2
config classification: attempted-dos,Attempted Denial of Service,2
config classification: successful-dos,Denial of Service,2
config classification: attempted-user,Attempted User Privilege Gain,1
config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1
config classification: successful-user,Successful User Privilege Gain,1
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: successful-admin,Successful Administrator Privilege Gain,1
config classification: rpc-portmap-decode,Decode of an RPC Query,2
config classification: shellcode-detect,Executable code was detected,1
config classification: string-detect,A suspicious string was detected,3
config classification: suspicious-filename-detect,A suspicious filename was detected,2
config classification: suspicious-login,An attempted login using a suspicious username was detected,2
config classification: system-call-detect,A system call was detected,2
config classification: tcp-connection,A TCP connection was detected,4
config classification: trojan-activity,A Network Trojan was detected, 1
config classification: unusual-client-port-connection,A client was using an unusual port,2
config classification: network-scan,Detection of a Network Scan,3
config classification: denial-of-service,Detection of a Denial of Service Attack,2
config classification: non-standard-protocol,Detection of a non-standard protocol or event,2
config classification: protocol-command-decode,Generic Protocol Command Decode,3
config classification: web-application-activity,access to a potentially vulnerable web application,2
config classification: web-application-attack,Web Application Attack,1
config classification: misc-activity,Misc activity,3
config classification: misc-attack,Misc Attack,2
config classification: icmp-event,Generic ICMP event,3
config classification: inappropriate-content,Inappropriate Content was Detected,1
config classification: policy-violation,Potential Corporate Privacy Violation,1
config classification: default-login-attempt,Attempt to login by a default username and password,2
config classification: sdf,Senstive Data,2

reference.config:

config reference: bugtraq http://www.securityfocus.com/bid/
config reference: cve http://cve.mitre.org/cgi-bin/cvename.cgi?name=
config reference: arachNIDS http://www.whitehats.com/info/IDS
config reference: osvdb http://osvdb.org/show/osvdb/
config reference: McAfee http://vil.nai.com/vil/content/v_
config reference: nessus http://cgi.nessus.org/plugins/dump.php3?id=
config reference: url http://

local.rules: included above in body of mail

threshold.conf: empty file

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
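The post's four rules each carry their own detection_filter count (50,000 or 100,000 packets per 5 seconds, track by_dst) followed by an event_filter of type limit. Those counters are independent per rule and per destination, so whichever matching rule has the lower count trips first; the alert in the post is sid 1000004 firing on port-80 traffic while sid 1000002 (count 100,000) stays silent. The following script is an added toy model of that threshold arithmetic, written for this archive page; it is not Snort code and not the poster's. It deliberately does not model how Snort parses the port list [!80,!443], which is the open question in the post: instead, whether rule 1000004's header excludes ports 80 and 443 is a parameter, so both readings can be compared against the same constructed burst. The packet records and the reading of detection_filter as "more than count packets within seconds" (the post's own wording) are assumptions.

```python
from collections import defaultdict, deque

# Constructed toy model of Snort's per-rule detection_filter
# (track by_dst, count N, seconds S) followed by an event_filter of
# type limit (count 1, seconds 60), as configured in the post.
# Not Snort's code; port-list parsing of "[!80,!443]" is NOT modelled.

WINDOW_SECONDS = 5   # detection_filter "seconds 5" from the post
LIMIT_SECONDS = 60   # event_filter "seconds 60" from the post


def not_web_port(port):
    """Source port is neither 80 nor 443 (the intent behind [!80,!443])."""
    return port not in (80, 443)


def any_port(port):
    """Header matches regardless of port (assumed alternative reading)."""
    return True


def build_rules(ip_rule_excludes_web_ports):
    """Rule headers reduced to a protocol set and a source-port predicate,
    plus the detection_filter count for each sid taken from the post."""
    return [
        {"sid": 1000001, "proto": {"tcp"}, "sport": not_web_port, "count": 50000},
        {"sid": 1000002, "proto": {"tcp"}, "sport": lambda p: p in (80, 443),
         "count": 100000},
        {"sid": 1000003, "proto": {"udp"}, "sport": any_port, "count": 50000},
        # "alert ip" matches every IP protocol; whether its port list narrows
        # the match is the open question, so it is left as a parameter here.
        {"sid": 1000004, "proto": {"tcp", "udp", "icmp"},
         "sport": not_web_port if ip_rule_excludes_web_ports else any_port,
         "count": 50000},
    ]


def simulate(packets, ip_rule_excludes_web_ports):
    """packets: iterable of (timestamp_seconds, proto, src_port, dst_ip).
    Returns the (sid, dst_ip) alerts that reach the log after the
    detection_filter threshold and the 60 s event_filter limit."""
    rules = build_rules(ip_rule_excludes_web_ports)
    windows = defaultdict(deque)   # (sid, dst) -> timestamps in the 5 s window
    last_logged = {}               # (sid, dst) -> time of the last logged alert
    logged = []
    for ts, proto, sport, dst in packets:
        for rule in rules:
            if proto not in rule["proto"] or not rule["sport"](sport):
                continue              # header does not match this packet
            key = (rule["sid"], dst)
            window = windows[key]
            window.append(ts)
            while window and window[0] < ts - WINDOW_SECONDS:
                window.popleft()      # slide the 5 s window forward
            if len(window) <= rule["count"]:
                continue              # detection_filter rate not exceeded yet
            # event_filter type limit, count 1, seconds 60: log once per minute
            if key not in last_logged or ts - last_logged[key] >= LIMIT_SECONDS:
                last_logged[key] = ts
                logged.append(key)
    return logged


def web_burst(n=60000, dst="192.0.2.1"):
    """Constructed traffic: n TCP packets from source port 80 to one host,
    spread evenly over 5 seconds (the shape of the alert in the post)."""
    return [(i * WINDOW_SECONDS / n, "tcp", 80, dst) for i in range(n)]


if __name__ == "__main__":
    burst = web_burst()
    print("ip rule matches any port  :", simulate(burst, False))
    print("ip rule excludes 80/443   :", simulate(burst, True))
```

With 60,000 port-80 packets in 5 seconds, the run in which rule 1000004's header matches any port logs exactly one (1000004, 192.0.2.1) alert and nothing for 1000002, which is the pattern in the poster's log; the run in which the ip rule honours the port exclusion logs nothing, because only 1000002 matches and its count of 100,000 is never exceeded. The model shows why two rules with different counts cannot be made exclusive by thresholds alone: the headers must partition the traffic.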
Current thread:
- Rule to match all non-HTTP traffic Stephen Teti (Nov 18)