We just recently had a similar discussion on the Bleedingsnort site.
http://www.bleedingsnort.com/forum/viewtopic.php?forum=3&showtopic=363
We decided in local testing these rules would be of significant value,
but they're not something we can have turned on in a default ruleset. It
would have to be left to each local admin to make the decision which
rules are good for their net, and more specifically what sensors they'd
be able to run which on.
I will make us the rules for this, but they'll be disabled by default in
the bleeding rules. You'll have to specifically decide locally where
they should go. I'll have this posted in just a few minutes. The rules
going up are:
alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"BLEEDING-EDGE
Behavioral Unusual Port 445 traffic, Potential Scan or Infection";
threshold: type limit, track by_src, count 50 , seconds 60; sid:2001569;
rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 139 (msg:"BLEEDING-EDGE
Behavioral Unusual Port 139 traffic, Potential Scan or Infection";
threshold: type limit, track by_src, count 50 , seconds 60; sid:2001579;
rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 137 (msg:"BLEEDING-EDGE
Behavioral Unusual Port 137 traffic, Potential Scan or Infection";
threshold: type limit, track by_src, count 50 , seconds 60; sid:2001580;
rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 135 (msg:"BLEEDING-EDGE
Behavioral Unusual Port 135 traffic, Potential Scan or Infection";
threshold: type limit, track by_src, count 50 , seconds 60; sid:2001581;
rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1434 (msg:"BLEEDING-EDGE
Behavioral Unusual Port 1434 traffic, Potential Scan or Infection";
threshold: type limit, track by_src, count 50 , seconds 60; sid:2001582;
rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1433 (msg:"BLEEDING-EDGE
Behavioral Unusual Port 1433 traffic, Potential Scan or Infection";
threshold: type limit, track by_src, count 50 , seconds 60; sid:2001583;
rev:1;)
Any suggestions on other ports to watch in this manner?
50 connections in 1 minute, that reasonable to cut out falses but still
see an infection?
Matt
-----Original Message-----
From: snort-sigs-admin@lists.sourceforge.net
[mailto:snort-sigs-admin@lists.sourceforge.net] On Behalf Of eltra1n
Sent: Thursday, December 09, 2004 5:27 PM
To: snort-sigs@lists.sourceforge.net
Subject: [Snort-sigs] TCP sweeps
I had a user log on to my remote access VPN, the users machine was
doing TCP-sweeps on port 445 and I think it may have been infected
with MS Blaster. Does anyone have a suggestion on how I can detect
this type of traffic with Snort. I am thinking of writing a sig that
looks for port 445 traffic and setting a very high threshold, it would
be nice to to re-invent the wheel though. Thanks in advance.
--
Lawerence A. Wichman
2719 W Thomas Apt 2
Chicago, Il 60622
773-807-7606
-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from
real users.
Discover which products truly live up to the hype. Start reading now.
http://productguide.itmanagersjournal.com/
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
<<inline: winmail.dat>>
