Hosting Provided By

Re: [Snort-devel] New feature wanted: Locate the bad guy?

From: Martin Olsson <elof(at)sentor.se>
Date: Mon Jun 23 2003 - 05:57:45 EDT

On Sun, 22 Jun 2003 guano@hackerfactor.com wrote:
> I read your posting in snort-devel.

Sorry, this was not what I was asking for. I want ACID to report the most common attackers and the most common targets. This is not the same thing as listing the most common source addresses and destination addresses. This is due to the fact that some of the snort rules match on _responses_ rather than the requests. The source IP of response packets is not the attackers IP, it's the target machine replying back to the attacker. Hence, this source IP should not be put in the same list as the source IP:s of all the attack requests.

In order for ACID, SnortCenter and other reporting tools to create a correct list of sources and targets, you need to label each rule with some information regarding wether it's a queary or response.

In my original posting I labeled the rules based on where an attacker was supposed to be:
S = The source address is the bad guy (he wants to run cmd.exe) D = The destination address is the bad guy (the source address is replying

with a DOS-prompt)
A = Any of the two (for rules with the direction <>, and for rules that

just log packets with no particular options)

One could exchange this with labels indicating the type of the packet:

Q = This is a queary
R = This is a response
A = Any of the two

Do you need help?

This is exactly the same thing as above, only the word "bad guy" or "attacker" has been removed. This might be preferable.

Once again:
The reason why I want to log this label in the alert is for the operator to immediately understand in what direction the packet was going when captured. Also when making reports, you need this label in order to categorize the alerts correctly.

Hmmm, only one reply to my posting... Am I really the only one who think this is a nice idea? There must be hundreds of reports built every day with misleading information and statistics.

/Martin

This SF.Net email is sponsored by: INetU Attention Web Developers & Consultants: Become An INetU Hosting Partner. Refer Dedicated Servers. We Manage Them. You Get 10% Monthly Commission! INetU Dedicated Managed Hosting http://www.inetu.net/partner/index.php

Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel Received on Mon Jun 23 07:22:20 2003

This message: [ Message body ]
Next message: m.stiefenhofer(at)ecofis.de: "[Snort-devel] extend rules options to check tcp win size"
In reply to guano(at)hackerfactor.com: "Re: [Snort-devel] New feature wanted: Locate the bad guy?"
Next in thread: Neil: "Re: [Snort-devel] New feature wanted: Locate the bad guy?"
Reply: Neil: "Re: [Snort-devel] New feature wanted: Locate the bad guy?"
Reply: Gianni Tedesco: "Re: [Snort-devel] New feature wanted: Locate the bad guy?"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:06 EDT