
[Snort-devel] New feature wanted: Locate the bad guy?

From: Martin Olsson <elof(at)sentor.se>
Date: Thu Jun 19 2003 - 06:07:04 EDT

One thing I miss in my Snort + ACID + SnortCenter system is the possibility to easily show the operator on what side (source or destination) the bad guy is located.

ACID (with SnortCenter) can display the "Most Frequent 15 Source Addresses" and the "Most Frequent 15 Destination Addresses". These reports show exactly that - the most common src and dst ADDRESSES.

One might think that the list of the 15 source addresses is where the bad guys are, and the 15 destinations are their targets. This isn't so. The snort rules contain both alerts for attacks and attack responses.

Example:

src: A.A.A.A  dst: B.B.B.B    A sends an attack to B
src: C.C.C.C  dst: D.D.D.D    C sends a response to D

When listing the most frequent source addresses we'll see A and C.
From this output one might think that there are bad guys at machines A and C, the source IPs of the alerts.
No, A and D are the bad hosts. B and C are the targets. (C is replying to an attack from D)

So, how do we get a report where the sources and destinations of the actual ATTACKS are shown?

If we add a new field in the rules, declaring what side of the packet is "bad", then we should be able to create a reporting mechanism that puts together the correct report.


Example:

This is how the rules look at present:

alert tcp any any -> any any (msg:"Attack"; content:"cmd.exe";)
alert tcp any any -> any any (msg:"Response"; content:"\WINNT\system32";)

This is how they could look with the new field:

alert tcp any any -> any any S (msg:"Attack"; content:"cmd.exe";)
alert tcp any any -> any any D (msg:"Response"; content:"\WINNT\system32";)
                             ^

S = The source address is the bad guy (he wants to run cmd.exe)
D = The destination address is the bad guy (the source address is replying
    with a DOS-prompt)
A = Any of the two (for rules with the direction <>, and for rules that
    just log packets with no particular options)

What do you think?

Martin Olsson
Sentor AB, Sweden
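To show how the proposed side field would drive the reporting, here is an added example (not code from the post or from the Snort project) that parses rules in the proposed syntax, then tallies attacking hosts and targets from a constructed set of alerts reproducing the A/B/C/D scenario. The rule format, the `parse_rule`/`attacker_report` functions, the use of `msg` as the join key and the documentation addresses standing in for A-D are all assumptions of this example.

```python
import re
from collections import Counter

# Assumed form of the proposed syntax: a single-letter side field (S, D or A)
# sits between the destination port and the option block.
RULE_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+(?P<side>[SDA])\s*'
    r'\((?P<opts>.*)\)\s*$'
)
MSG_RE = re.compile(r'msg:"([^"]*)"')

def parse_rule(line):
    """Return (msg, side) for one rule, or None if it does not parse.
    A bidirectional rule (<>) is forced to side A: the packet direction
    says nothing about which end is the bad guy."""
    m = RULE_RE.match(line)
    if not m:
        return None
    msg = MSG_RE.search(m.group('opts'))
    if not msg:
        return None
    side = 'A' if m.group('dir') == '<>' else m.group('side')
    return msg.group(1), side

def attacker_report(rules, alerts):
    """Tally bad hosts and targets from alerts given as (msg, src, dst).
    Alerts whose rule says A, or that match no known rule, are counted as
    undetermined instead of being guessed into either list."""
    side_of = dict(filter(None, (parse_rule(r) for r in rules)))
    attackers, targets, undetermined = Counter(), Counter(), Counter()
    for msg, src, dst in alerts:
        side = side_of.get(msg, 'A')
        if side == 'A':
            undetermined[msg] += 1
            continue
        bad, victim = (src, dst) if side == 'S' else (dst, src)
        attackers[bad] += 1
        targets[victim] += 1
    return attackers, targets, undetermined

# Constructed sample data: the two rules from the proposal and four alerts
# in which A attacks B twice, D attacks C once, and C answers D once.
RULES = [
    'alert tcp any any -> any any S (msg:"Attack"; content:"cmd.exe";)',
    'alert tcp any any -> any any D (msg:"Response"; content:"\\WINNT\\system32";)',
]
A, B, C, D = '192.0.2.1', '198.51.100.2', '198.51.100.3', '192.0.2.4'
ALERTS = [('Attack', A, B), ('Response', C, D), ('Attack', A, B), ('Attack', D, C)]
```

Run against ALERTS, the plain per-source count would list A and C, while attacker_report puts A and D in the attacker list and B and C in the target list.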




Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Received on Thu Jun 19 06:26:42 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:06 EDT

