
[Snort-users] Question about merging alerts

Subject: [Snort-users] Question about merging alerts
Date: Thu, 27 Jan 2005 22:07:10 +1300
[This is probably more a question regarding how far we can make Snort's rules bend over backwards - but I'm sure we can make them do more than they should ;-)]

The "SMB repeated logon failure" alerts look for multiple occurrences of the SMB equivalent of "access denied" packets sent to the same destination. This works well enough - but you get no indication of which account is being denied access to - just that it was. (actually, why is that? I would have thought the stream4 preprocessor would tend to clump the stream together enough to see the login attempt - but all my TCP SMB events are 39 bytes in length, and only contain the "access denied" - no reference to the data flowing to the server that triggered it in the first place)

I was wondering if the flowbits option could be used to create (say) "flowbits:set,smblogin" on packets that contain SMB authentication attempts, and that *somehow* (that's the hard bit) be logged if the normal "SMB repeated logon failure" alerts then occur afterwards (obviously they'd need "flowbits:isset,smblogin") - perhaps like tagged events? That way you could get one event that contained both directions of traffic (i.e. see the username/password pair being sent, as well as the "access denied" coming back)

I guess my question is how can we track several (even just two) data streams and make them generate one event that contains all components - maybe a "flowbits:merge,smblogin"? Does that even make sense to do so?

I know I could tag - but for something like this I'd end up with 10-100K entries a day (we monitor WAN links - so LOTS of SMB) - and would still have to cross-reference the alert back to the appropriate tag. Too big - not an option.

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
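The flowbits pair the post sketches, written out as Snort 2.x rules. This is an added example, not part of Jason Haar's message and not a rule from the Snort rule set. The byte layout is assumed from the SMB wire format: a 4-byte NetBIOS session header (type byte 0x00 plus length), then the SMB header beginning "|FF|SMB", the command byte (0x73 = SMB_COM_SESSION_SETUP_ANDX) and the 4-byte NT status, where STATUS_LOGON_FAILURE is 0xC000006D, stored little-endian as "6D 00 00 C0". The flowbit name, sids, classtypes and threshold values are placeholders.

```snort
# Client -> server: a Session Setup AndX request on the flow. Record it as a
# flowbit and suppress the alert; this rule exists only to mark the flow.
# (Added example; offsets assumed from the SMB wire format, sid is a placeholder.)
alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] ( \
    msg:"NETBIOS SMB session setup request (flowbit marker)"; \
    flow:to_server,established; \
    content:"|00|"; depth:1; \
    content:"|FF|SMB|73|"; depth:5; offset:4; \
    flowbits:set,smblogin; flowbits:noalert; \
    classtype:protocol-command-decode; sid:1000001; rev:1; )

# Server -> client: Session Setup AndX response carrying STATUS_LOGON_FAILURE,
# but only on a flow where the request rule above already set the bit.
# Thresholded the same way the stock "repeated logon failure" rules are,
# so one alert is raised per destination per 10 failures in 60 seconds.
# (Added example; the status value 0xC000006D is STATUS_LOGON_FAILURE.)
alert tcp $HOME_NET [139,445] -> $EXTERNAL_NET any ( \
    msg:"NETBIOS SMB repeated logon failure on flow with observed session setup"; \
    flow:from_server,established; \
    content:"|00|"; depth:1; \
    content:"|FF|SMB|73 6D 00 00 C0|"; depth:9; offset:4; \
    flowbits:isset,smblogin; \
    threshold:type both, track by_dst, count 10, seconds 60; \
    classtype:unsuccessful-user; sid:1000002; rev:1; )
```

Caveat for anyone reaching for this: a flowbit is one bit of per-flow state, not a copy of the packet that set it. The second rule will only fire on flows where a Session Setup request was actually seen, which filters out stray responses, but the resulting alert still contains just the 39-byte "access denied" packet and no account name. Snort has no flowbits option that merges the marking packet into a later alert; getting the request bytes into the log still means either tagging the session (tag:session) or letting the first rule alert on its own and joining the two alerts by their 5-tuple afterwards, which is exactly the volume and cross-referencing cost the post describes.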
