I see how sticky-drop can drop the traffic from the client but how would I
go about calling the one rule from the other?
Right now I have snort_inline and baitnswitch running (with the STD_BUF
patch ;)). When an alert is triggered baitnswitch redirects the traffic
matching the signature. So what happens is traffic from the client to the
"attacked" host is redirected. So that part works fine, however, I want
to redirect traffic from the client to all hosts when an alert is
triggered.
With my current config when a client machine triggers the "Malware Gator
New Code Download" rule bns will redirect traffic from the client to
whatever the "Gator server" is. The client will still be able to surf the
web as the only traffic redirected is the traffic to the Gator server.
What I want to do is when the signature above is matched is to also
include, for n minutes, a "drop all web" signature like:
drop tcp any any -> any 80 (bait-and-switch:600,src,1.2.3.4;
classtype:attempted-user; msg:"Port 80 connection initiated";)
That way all web traffic from the client will be redirected to a local
webserver that will politely tell the user to clean their machine.
So, in english, when bad web traffic is matched I want to redirect all web
traffic for that client for a while. Can this be done?
Thanks.
--
JT
sticky-drop in snort-inline can do this. You could probably
accomplish the same thing with Snortsam In InlineMode(); but I haven't
tried it.
Regards,
Will
On 12/6/05, oink@signalno9.org <oink@signalno9.org> wrote:
Hello,
I would like to include a rule when another is triggered, for example:
If this rule is triggered:
drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE
Malware Gator/Clarian Agent"; flow: to_server,established;
uricontent:"/gbsf/gd/ne/new.net.gtrg2ze"; nocase; classtype:
policy-violation; reference:url,
www3.ca.com/securityadvisor/pest/content.aspx?q=67999; sid: 2001306;
rev:5;)
I would like to also trigger this rule for n minutes/seconds:
drop tcp any any -> any 80 (classtype:attempted-user; msg:"Port 80
connection initiated";)
I've looked at the tagging option for rules but I need to drop them, not
just log them.
Any ideas?
-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log
files
for problems? Stop! Download the new AJAX search engine that makes
searching your log files as easy as surfing the web. DOWNLOAD SPLUNK!
http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log
files
for problems? Stop! Download the new AJAX search engine that makes
searching your log files as easy as surfing the web. DOWNLOAD SPLUNK!
http://ads.osdn.com/?ad_idv37&alloc_id�865&op=click
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems? Stop! Download the new AJAX search engine that makes
searching your log files as easy as surfing the web. DOWNLOAD SPLUNK!
http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
