[Oisf-users] Hostbits?

Victor Julien lists at inliniac.net
Thu Feb 7 11:07:50 UTC 2013


On 02/06/2013 09:42 PM, Matt wrote:
> Is there a way to tag hosts rather than flows?  As a specific use case,
> there's a model of Netgear router that sometimes gets stuck in a loop
> flooding DNS requests.  I'd like to be able to distinguish those from
> other high volume DNS clients.  One way to pick out a Netgear router is
> DNS requests for time-a.netgear.com and time-b.netgear.com, but that's
> not always what they flood.  I'd like to be able to write something like
> this:
> 
> # Set a hostbit with a 12 hour expiration
> alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"Netgear
> time-a.netgear.com"; content:"|06|time-a|07|netgear|03|com";
> hostbits:set netgear, hours 12; hostbits:noalert)
> alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"Broken Netgear Flood";
> hostbits:isset netgear; threshold:type both, track by_src, count 60000,
> seconds 600; classtype:denial-of-service;)

Hostbits do not exist yet, although it shouldn't be hard to add them.
Think you can probably at least partially address it with thresholds,
although it depends on how varied the flood hostnames are I guess.

Something like:
content:"|06|time-"; content:"|07|netgear|03|com";
pcre:"/\x06time\-[a-z]\x07netgear\x03com/"; threshold: ...

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
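As an added example that is not part of this thread (a Python model, not Suricata code), this is the detection Victor sketches: match the wire-format query name time-[a-z].netgear.com and apply a per-source count in the style of "threshold: type both, track by_src". The query events, source addresses and the count/interval values below are constructed for illustration.

```python
"""Model of the threshold-based detection from the reply above.

Constructed sample data; the matching logic mirrors the content/pcre
pattern \\x06time-[a-z]\\x07netgear\\x03com on the DNS wire-format name.
"""
import re

# Wire-format label pattern from the reply: 0x06 "time-" <letter> 0x07 "netgear" 0x03 "com"
NETGEAR_TIME_RE = re.compile(rb"\x06time-[a-z]\x07netgear\x03com")


def encode_qname(name: str) -> bytes:
    """Encode a dotted hostname as DNS wire format (length-prefixed labels, root 0x00)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


class BySrcThreshold:
    """Fixed-interval model of 'threshold: type both, track by_src, count N, seconds S':
    the interval opens on a source's first match and the rule fires exactly once
    per interval, when the N-th match is seen."""

    def __init__(self, count: int, seconds: int):
        self.count, self.seconds = count, seconds
        self.state = {}  # src -> (interval_start, matches_in_interval)

    def hit(self, src: str, ts: float) -> bool:
        start, n = self.state.get(src, (None, 0))
        if start is None or ts - start >= self.seconds:
            start, n = ts, 0  # open a new interval on the first match
        n += 1
        self.state[src] = (start, n)
        return n == self.count  # fires once per interval, at the N-th match


def run(events, count: int, seconds: int):
    """events: (timestamp, src_ip, queried_name) tuples. Returns [(ts, src)] alerts."""
    th = BySrcThreshold(count, seconds)
    return [(ts, src) for ts, src, qname in events
            if NETGEAR_TIME_RE.search(encode_qname(qname)) and th.hit(src, ts)]


# Constructed sample: one source looping on the Netgear time hosts, one normal client.
SAMPLE_EVENTS = [
    (0, "10.0.0.5", "time-a.netgear.com"), (10, "10.0.0.5", "time-b.netgear.com"),
    (20, "10.0.0.5", "www.example.com"), (30, "10.0.0.5", "time-a.netgear.com"),
    (40, "10.0.0.5", "time-a.netgear.com"), (50, "10.0.0.9", "time-a.netgear.com"),
    (700, "10.0.0.5", "time-b.netgear.com"),  # past the interval: new interval, no alert
]

if __name__ == "__main__":
    print(run(SAMPLE_EVENTS, count=3, seconds=600))
```

The real rule would see the raw DNS payload rather than a hostname string; encode_qname only rebuilds that wire form so the same byte pattern can be exercised offline.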
