Re: [Snort-devel] New feature wanted: Locate the bad guy?

From: <guano(at)hackerfactor.com>
Date: Sun Jun 22 2003 - 16:36:20 EDT


Hi Martin,

I read your posting in snort-devel.

You might want to take a look at my snort detection engine "uninvited".
(I posted this morning to snort-devel about it.)
  http://marc.theaimsgroup.com/?l=snort-devel&m=105630349913276&w=2

Rather than posting all the source code to the newsgroup, I uploaded it to my web site:
  http://www.hackerfactor.com/
  Select "Public Projects"
  Select "Snort uninvited detection engine"
You can download the snort.uninvited.tar.Z there, and also find installation and usage instructions.
(Sorry for the round-about download method, but it cuts down on spam.)

I believe it will handle your requirement for directions:

alert tcp any any -> any any (uninvited; msg:"Attack"; content:"cmd.exe";)
alert tcp any any -> any any (uninvited; msg:"Response"; content:"\WINNT\system32";)

This assumes that the "cmd.exe" source should NEVER come from your firewall. If you initiate the attack, then it will not trigger an alert. But if someone else triggers the attack, then it will trigger the alert.

                                        -guano
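The following is an added illustration, not guano's code and not part of the uninvited plugin or of Snort: a small Python model of what the two rules above do when the "uninvited" modifier is read the way the mail describes it, namely that a rule only fires if the TCP session was opened by a host outside the home network. The class name UninvitedEngine, the HOME_NET value, the packet records and the HTTP payloads are all constructed for the example; the real plugin's session tracking and option syntax may differ.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed "home" network for the example; a real deployment would take
# this from snort.conf's HOME_NET.
HOME_NET = ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    """Minimal view of one TCP segment (constructed, not pcap-derived)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # e.g. "S", "SA", "PA"
    payload: bytes


@dataclass(frozen=True)
class Rule:
    """One alert rule: msg + content, with an 'uninvited' modifier."""
    msg: str
    content: bytes
    uninvited: bool = True


# The two rules from the mail, as this example models them.
RULES = (
    Rule("Attack", b"cmd.exe"),
    Rule("Response", b"\\WINNT\\system32"),
)


class UninvitedEngine:
    """Direction-aware content matching (hypothetical model of 'uninvited')."""

    def __init__(self, home_net, rules):
        self.home_net = home_net
        self.rules = rules
        # session key -> IP address that sent the initial SYN
        self.initiators = {}

    @staticmethod
    def _key(pkt):
        # Order-independent so both directions map to the same session.
        return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})

    def _track(self, pkt):
        """Record the initiator on a bare SYN; return it for any packet."""
        key = self._key(pkt)
        if "S" in pkt.flags and "A" not in pkt.flags:
            self.initiators[key] = pkt.src
        return self.initiators.get(key)

    def inspect(self, pkt):
        """Return the msg of every rule the packet triggers."""
        initiator = self._track(pkt)
        fired = []
        for rule in self.rules:
            if rule.content not in pkt.payload:
                continue
            if rule.uninvited:
                # Assumption: 'uninvited' means the session was opened by a
                # host outside HOME_NET. If the SYN was never seen we cannot
                # tell, so this model stays quiet rather than guessing.
                if initiator is None or ip_address(initiator) in self.home_net:
                    continue
            fired.append(rule.msg)
        return fired

    def run(self, packets):
        """Inspect a packet sequence; return (packet index, msg) pairs."""
        return [(i, msg) for i, pkt in enumerate(packets) for msg in self.inspect(pkt)]


# Constructed traffic: three sessions exercising the three outcomes.
SAMPLE_PACKETS = [
    # 0-3: an internal host opens the connection and sends cmd.exe itself
    # (an "invited" session: no alert, even though both contents appear)
    Packet("10.1.1.50", 40000, "203.0.113.5", 80, "S", b""),
    Packet("203.0.113.5", 80, "10.1.1.50", 40000, "SA", b""),
    Packet("10.1.1.50", 40000, "203.0.113.5", 80, "PA",
           b"GET /scripts/cmd.exe HTTP/1.0\r\n\r\n"),
    Packet("203.0.113.5", 80, "10.1.1.50", 40000, "PA",
           b"HTTP/1.0 200 OK\r\n\r\n Directory of C:\\WINNT\\system32\r\n"),
    # 4-7: an external host opens the connection ("uninvited"): both fire
    Packet("198.51.100.7", 51000, "10.1.2.3", 80, "S", b""),
    Packet("10.1.2.3", 80, "198.51.100.7", 51000, "SA", b""),
    Packet("198.51.100.7", 51000, "10.1.2.3", 80, "PA",
           b"GET /scripts/cmd.exe HTTP/1.0\r\n\r\n"),
    Packet("10.1.2.3", 80, "198.51.100.7", 51000, "PA",
           b"HTTP/1.0 200 OK\r\n\r\n Directory of C:\\WINNT\\system32\r\n"),
    # 8: mid-stream segment whose SYN was never seen: direction unknown
    Packet("192.0.2.9", 52000, "10.1.2.3", 80, "PA",
           b"GET /cmd.exe HTTP/1.0\r\n\r\n"),
]


def demo():
    """Run the sample traffic through a fresh engine."""
    return UninvitedEngine(HOME_NET, RULES).run(SAMPLE_PACKETS)


if __name__ == "__main__":
    for index, msg in demo():
        print(f"packet {index}: {msg}")
```

Running the sample produces alerts only for packets 6 and 7, the session opened from outside; the internal host's own "cmd.exe" request and the server's "\WINNT\system32" reply in packets 2 and 3 stay silent, which is the behaviour the mail describes. The model deliberately says nothing about packet 8, where the SYN was missed: a sensor that starts mid-stream has no basis for calling a session invited or uninvited, and that gap is worth knowing about before relying on the direction to triage an alert.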




Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Received on Sun Jun 22 16:48:59 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:06 EDT

