[Oisf-users] tracking source and destination port

Cooper F. Nelson cnelson at ucsd.edu
Thu Jul 4 17:47:57 UTC 2013



ET has rules like this:

> #These are intended to catch new worms and such scanning internally. Careful of falses.
> #
> alert tcp $HOME_NET any -> any 445 (msg:"ET SCAN Behavioral Unusual Port 445 traffic, Potential Scan or Infection"; flags: S,12; threshold: type both, track by_src, count 70 , seconds 60; reference:url,doc.emergingthreats.net/2001569; classtype:misc-activity; sid:2001569; rev:13;)

The problem is that if you modify it to a '-> any any' rule it's going to
match all traffic.

The DDOS attacks you describe look like normal traffic flows, so it's
hard to detect it automatically.

What you could do is look at your traffic patterns and set the threshold
to something well above your normal peak flows for any unique
destination port.  Something like:

> alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"LOCAL Potential HTTP DDOS, high traffic"; flags: S,12; threshold: type both, track by_src, count 1000, seconds 10; 

Ideally what you would want would be a rule that detected a large number
of half-open connections to any unique port.  I don't believe suricata
currently has this feature.  Snort has a portscan preprocessor that can
be used to do this (I think).  See:

http://manual.snort.org/node17.html#SECTION00323000000000000000

Ideally you should only have a few ports open on your DMZ, so I
personally would recommend just writing a few suricata rules as I
described for whatever ports are exposed at your border.

-Coop

On 7/4/2013 9:17 AM, Michael Hoffrath wrote:
> Hello,
> 
> Some time ago I was the target of a DDoS which had a very simple pattern: the source IP was random and spoofed, but for all DDoS clients the source and destination port were the same. Is there a way to write a rule that keeps track of source/destination port combinations and triggers if any combination happens several times?
> 
> The problem is that I don't know which source/destination port combination is used, so I can't use "alert any $SRC_PORT -> $DST $DST_PORT".
> 
> Kind Regards
> Michael
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
> 


-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
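The two approaches in this thread (Cooper's per-source threshold on a fixed destination port, and Michael's wish to count source/destination port *pairs* that Suricata's `threshold` keyword cannot key on) can both be expressed as one sliding-window counter over SYN records. The following Python is an added example written for this page; it is not code from the thread, from Emerging Threats or from Suricata, and the record format and the sample traffic (spoofed sources in RFC 5737 TEST-NET ranges, all using source port 6000 towards port 80) are constructed here to illustrate the point. The `key` argument plays the role of Suricata's `track by_src`, extended to keys Suricata does not offer.

```python
"""Sliding-window SYN counter, emulating Suricata's
`threshold: type both, track ..., count N, seconds S` but with a
pluggable tracking key so the same logic can watch per-source rates
(Cooper's rule) or source/destination port pairs (Michael's question).

Added example, not part of the original mailing-list thread.
Record format (an assumption for this example): tuples of
(timestamp_seconds, src_ip, src_port, dst_ip, dst_port), one per TCP SYN.
"""
from collections import defaultdict, deque


def find_hot_keys(records, key, count, seconds):
    """Return {key: (first_ts, last_ts, n)} for every key whose SYNs reach
    `count` within any window of `seconds`. Like Suricata's `type both`,
    each key is reported once, at the moment it first crosses the threshold.
    """
    windows = defaultdict(deque)   # key -> timestamps inside the current window
    hits = {}
    for ts, src, sport, dst, dport in sorted(records):
        k = key(src, sport, dst, dport)
        q = windows[k]
        q.append(ts)
        # Drop timestamps that have fallen out of the trailing window.
        while q and ts - q[0] > seconds:
            q.popleft()
        if len(q) >= count and k not in hits:
            hits[k] = (q[0], ts, len(q))
    return hits


# Tracking keys. by_src mirrors `track by_src`; by_dst_port is the
# "per exposed port" approach Cooper suggests; by_port_pair is the
# source/destination port combination Michael asked about.
def by_src(src, sport, dst, dport):
    return src


def by_dst_port(src, sport, dst, dport):
    return dport


def by_port_pair(src, sport, dst, dport):
    return (sport, dport)


def build_sample():
    """Constructed traffic: a spoofed-source flood with a fixed port pair,
    plus a little legitimate background. Addresses are TEST-NET ranges."""
    recs = []
    # Flood: 120 SYNs in 6 s, every source address different (spoofed),
    # but all from source port 6000 to destination port 80.
    for i in range(120):
        src = "198.51.100.%d" % ((i * 37) % 250 + 1)   # 120 distinct hosts
        recs.append((100.0 + i * 0.05, src, 6000, "192.0.2.10", 80))
    # Background: three real clients, ephemeral source ports, ~1 SYN / 2 s.
    for i in range(30):
        src = "203.0.113.%d" % (i % 3 + 1)
        recs.append((90.0 + i * 2.0, src, 40000 + i, "192.0.2.10",
                     80 if i % 2 else 443))
    return recs


if __name__ == "__main__":
    sample = build_sample()
    # Per-source threshold (what `track by_src` does): silent, because the
    # spoofed sources never repeat.
    print("by_src:      ", find_hot_keys(sample, by_src, 50, 10))
    # Per-destination-port threshold: fires on port 80.
    print("by_dst_port: ", find_hot_keys(sample, by_dst_port, 50, 10))
    # Port-pair threshold: fires on (6000, 80) and nothing else.
    print("by_port_pair:", find_hot_keys(sample, by_port_pair, 50, 10))
```

Run against the constructed sample, `by_src` reports nothing, which is exactly why a `track by_src` rule is blind to a flood with spoofed sources; `by_dst_port` and `by_port_pair` both catch it, and the port-pair key also tells you which pair to write a targeted rule for. In practice you would feed the function from Suricata's eve.json flow or anomaly records (or a pcap) rather than the inline sample, and set `count`/`seconds` above the peak you measured for your own traffic, as Cooper advises.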
