<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
I'm wondering if a slight variation on those sigs to 'track by_src'
would detect potential scans/DOS where there is 1 source and
multiple targets? Also I'm wondering if it is at all desirable to
change the flags section based on RFC 3168 or if it has no practical
effect on the rule?<br>
<br>
From the Snort manual (guessing this could apply to Suricata as
well):<br>
<p>The reserved bits '1' and '2' have been replaced with 'C' and 'E',
respectively, to match RFC 3168, "The Addition of Explicit
Congestion Notification (ECN) to IP". The old values of '1' and
'2' are still valid for the <tt>flag</tt> keyword, but are now
deprecated.</p>
Regards,<br>
Gary<br>
<br>
<div class="moz-cite-prefix">On 3/30/2015 12:10 PM, Cooper F. Nelson
wrote:<br>
</div>
<blockquote cite="mid:5519836D.6060709@ucsd.edu" type="cite">
<pre wrap="">-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
The suricata engine is primarily rule (vs. behavior) based, but that
doesn't mean you can't write rules to detect scanning.
For example, I have these local rules that detect high volumes of SYN
floods both to and from our home network:
</pre>
<blockquote type="cite">
<pre wrap="">alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL DOS Unusually fast SYN packets inbound, Potential DOS"; flags: S,12; threshold: type both, track by_dst, count 5000, seconds 5; classtype:misc-activity; sid:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL DOS Unusually fast SYN packets outbound, Potential DOS"; flags: S,12; threshold: type both, track by_dst, count 5000, seconds 5; classtype:misc-activity; sid:6;)
</pre>
</blockquote>
<pre wrap="">
These are based on an ET open rule to detect potential SSH scans:
</pre>
<blockquote type="cite">
<pre wrap="">alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN Potential SSH Scan"; flags:S,12; threshold: type both, track by_src, count 5, seconds 120; reference:url,en.wikipedia.org/wiki/Brute_force_attack; reference:url,doc.emergingthreats.net/2001219; classtype:attempted-recon; sid:2001219; rev:19;)
</pre>
</blockquote>
<pre wrap="">
In turn, this method should be able to be leveraged to detect any
network-based anomaly, assuming it can be easily described.
I've also done a lot of work putting together an expert system/inference
engine that post-processes the suricata alerts file and looks for
anomalous behavior. So, while you may not be able to always write a
single rule to define an anomalous behavior efficiently, you can often
infer that by looking at the patterns of rules that are generated.
The only thing I've wanted to do (but haven't figured out yet) is to be
able to detect a new user-agent from a client in an automated fashion.
I can do this by post-processing the HTTP log file, but ideally I would
want this to show up in the alert file, as it would be a great way to
detect new malware variants from existing EK alerts.
-Coop
On 3/30/2015 2:38 AM, Nick de Bruijn wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Hello oisf-users,
I was wondering if you could help me to find the answer to my question.
I'm wondering if there are any possibilities (or plug-ins) for Suricata
to scan on network behavior to detect attacks (anomaly-based scanning),
or is Suricata bound to signatures / rules (misuse-based scanning)?
You would very much help me to answer this question.
Kind regards,
Nick
_______________________________________________
Suricata IDS Users mailing list: <a class="moz-txt-link-abbreviated" href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a>
Site: <a class="moz-txt-link-freetext" href="http://suricata-ids.org">http://suricata-ids.org</a> | Support: <a class="moz-txt-link-freetext" href="http://suricata-ids.org/support/">http://suricata-ids.org/support/</a>
List: <a class="moz-txt-link-freetext" href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a>
Training now available: <a class="moz-txt-link-freetext" href="http://suricata-ids.org/training/">http://suricata-ids.org/training/</a>
</pre>
</blockquote>
<pre wrap="">
--
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
<a class="moz-txt-link-abbreviated" href="mailto:cnelson@ucsd.edu">cnelson@ucsd.edu</a> x41042
</pre>
</blockquote>
<br>
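<p>Added example (my own, not code from the thread): a small Python model of the <tt>threshold</tt> and <tt>flags</tt> semantics used in the rules quoted above, run over constructed SYN records. It shows that <tt>track by_dst</tt> counts per target (many sources hitting one host) while <tt>track by_src</tt> counts per source (one host probing many targets), and that <tt>S,12</tt> and <tt>S,CE</tt> clear the same two bits. The addresses, timestamps and the simplified window logic are assumptions for illustration.</p>

```python
# Added example (not from the thread): a simplified model of the Suricata/Snort
# 'threshold: type both' keyword and the 'flags' ignore-mask, run over
# constructed SYN records to contrast 'track by_dst' with 'track by_src'.
from collections import defaultdict

# TCP flag bits in the 8-bit flags field (RFC 793 plus RFC 3168 CWR/ECE).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))
# Rule letters; '1' and '2' are the deprecated names for C and E.
FLAG_LETTERS = {"F": FIN, "S": SYN, "R": RST, "P": PSH, "A": ACK,
                "U": URG, "E": ECE, "C": CWR, "1": CWR, "2": ECE}


def flags_match(rule_flags: str, pkt_flags: int) -> bool:
    """Evaluate 'flags:<set>,<ignore>': exact match of <set> after the
    bits named in <ignore> are cleared from the packet's flags."""
    want, _, ignore = rule_flags.partition(",")
    want_bits = sum(FLAG_LETTERS[c] for c in want)
    mask = 0xFF & ~sum(FLAG_LETTERS[c] for c in ignore)
    return (pkt_flags & mask) == want_bits


def threshold_both(packets, track, count, seconds):
    """Return (timestamp, tracked address) for each 'type both' alert.

    Matches are counted per tracked address inside a window opened by the
    first match; one alert fires when the count is reached, and nothing
    more until the window expires and a new one opens (simplified model).
    """
    state = defaultdict(lambda: {"first": None, "n": 0})
    alerts = []
    for ts, src, dst in packets:
        key = src if track == "by_src" else dst
        st = state[key]
        if st["first"] is not None and ts - st["first"] < seconds:
            st["n"] += 1
        else:
            st["first"], st["n"] = ts, 1  # no window yet, or it expired
        if st["n"] == count:
            alerts.append((ts, key))
    return alerts


# Constructed traffic (documentation addresses): one scanner probing six
# hosts within a second, then six sources each sending a SYN to one host.
SCAN = [(i / 10, "198.51.100.7", f"192.0.2.{i}") for i in range(1, 7)]
FLOOD = [(10 + i / 10, f"203.0.113.{i}", "192.0.2.50") for i in range(1, 7)]

if __name__ == "__main__":
    print("by_src:", threshold_both(SCAN + FLOOD, "by_src", 5, 5))
    print("by_dst:", threshold_both(SCAN + FLOOD, "by_dst", 5, 5))
    # An RFC 3168 ECN-setup SYN carries CWR and ECE; both spellings match it.
    print(flags_match("S,12", SYN | ECE | CWR), flags_match("S,CE", SYN | ECE | CWR))
```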
</body>
</html>