You just need to enable with the "keepstats" keyword to the stream4
module. Keepstats has three different output modes, human readable
(default), machine readable (CSV) and binary (unified).
preprocessor stream4: keepstats
preprocessor stream4: keepstats machine
preprocessor stream4: keepstats binary
The binary format can be read by barnyard (file "snort-unified.stats")
which would work great for a post-processed anomaly detector if you
wanted near real-time performance. The other two formats are written
to a file called session.log and are in text format.
Does that help?
-Marty
On Jun 30, 2004, at 2:00 PM, hugh_fraser@dofasco.ca wrote:
Does Spade to some of this? These seem like very good requests,
especially in light of some of the recent RPC-based worms whose most
easily-recognized signature is host scanning activity. We have a
switched network. It's difficult to distinguish legitimate traffic from
worm traffic at the receiving end, but it's easy to recognize a host
that's creating connections to a large number of hosts in a short
period
of time. Even better, if snort can be told to learn what normal
behaviour is for a node, it could alert to changes in that behaviour
without creating the onerous job of manually configuring thresholds.
If spp_flow or stream4 can do this already, I had trouble identifying
that from the docs. Could someone provide some config examples?
-----Original Message-----
From: snort-users-admin@lists.sourceforge.net
[mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of pieter
claassen
Sent: Saturday, June 26, 2004 9:03 AM
To: Martin Roesch
Cc: Michael Cunningham; 'Jon Baer'; focus-ids@securityfocus.com; snort
users
Subject: Re: [Snort-users] RE: Network Behaviour Anomoly Detection
As a first cut I can think of the following anomalous events that might
be interesting:
1. Changes in spread of connections from source/to destination to
services over a specific time period. (i.e. there are new requests
which
makes your environment look differently from what it was) 2. Changes in
volume from source/to destination going to services over a specific
time
period. (i.e. resource abuse or successful compromise)
How would the logic be implemented? Can this be done through the
existing rule syntax?
sample rules:
alert tcp any any -> $WEBSERVERS any (msg:"Somebody is probing our
servers" ; anomaly:"ports > 20/min" )
- A match would indicate a quantitative increase in connections to
more
than 20/min to a webserver
alert tcp any any -> $WEBSERVERS any (msg:"Sudden increase in
consumption"; anomaly:"volume > 20%/min" )
- A match would indicate a qualitative increase in volume of traffic
being requested from a service
alert tcp any any <> any any (msg:"Client is making a whole lot of new
connections and getting loads of data back"; anomaly:"volume_per_con >
20%/min AND ports > 20%/min" )
- A match would indicate that a client is originating new connections
and getting data back
Isn't the first option just the portscan preprocessor in a different
from?
Is there another way to "program" the preprocessor in this case?
Pieter
On Thu, 2004-06-24 at 20:25, Martin Roesch wrote:
Hi Mike,
Anyone interested in starting up an opensource project to build
something
like this?
FYI, Snort's stream4 module (and the new spp_flow) module is capable
of
logging the stats you mention for any flow that is observed,
specifically start/stop time, src/dst IPs and ports, number of packets
and number of bytes transferred, as well as IDS event stats and any
other flags you care to hang off of them. For example, along with the
flow record you could record the number of IDS events that fired for a
given flow as well as any anomalies that were detected on that flow
(e.g. fragmentation/tcp protocol anomalies, etc).
Snort's got 50% of what you want already, you could implement the
anomaly detection as a preprocessor if you were so inclined...
-----------------------------------------------------------------------
-
---
-----------------------------------------------------------------------
-
---
-------------------------------------------------------
This SF.Net email sponsored by Black Hat Briefings & Training.
Attend Black Hat Briefings & Training, Las Vegas July 24-29 -
digital self defense, top technical experts, no vendor pitches,
unmatched networking opportunities. Visit www.blackhat.com
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch@sourcefire.com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to
learn more.
--------------------------------------------------------------------------
-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://productguide.itmanagersjournal.com/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
