[Oisf-users] tracking source and destination port

Cooper F. Nelson cnelson at ucsd.edu
Thu Jul 4 17:53:46 UTC 2013



Note:  This rule should be configured as a "track by dst".

>alert tcp $EXTERNAL_NET $HOME_NET -> any 80 (msg:"LOCAL Potential HTTP DDOS, high traffic"; flags: S,12; threshold: type both, track by_dst, count 1000, seconds 10; 

On 7/4/2013 10:47 AM, Cooper F. Nelson wrote:
> ET has rules like this:
> 
>> #These are intended to catch new worms and such scanning internally. Careful of falses.
>> #
>> alert tcp $HOME_NET any -> any 445 (msg:"ET SCAN Behavioral Unusual Port 445 traffic, Potential Scan or Infection"; flags: S,12; threshold: type both, track by_src, count 70 , seconds 60; reference:url,doc.emergingthreats.net/2001569; classtype:misc-activity; sid:2001569; rev:13;)
> 
> The problem is that if you modify it to a '-> any any' rule it's going to
> match all traffic.
> 
> The DDOS attacks you describe look like normal traffic flows; so it's
> hard to detect it automatically.
> 
> What you could do is look at your traffic patterns and set the threshold
> to something well above your normal peak flows for any unique
> destination port.  Something like:
> 
>> alert tcp $EXTERNAL_NET $HOME_NET -> any 80 (msg:"LOCAL Potential HTTP DDOS, high traffic"; flags: S,12; threshold: type both, track by_src, count 1000, seconds 10; 
> 
> Ideally what you would want would be a rule that detected a large number
> of half-open connections to any unique port.  I don't believe Suricata
> currently has this feature.  Snort has a portscan preprocessor that can
> be used to do this (I think).  See:
> 
> http://manual.snort.org/node17.html#SECTION00323000000000000000
> 
> Ideally you should only have a few ports open on your DMZ, so I
> personally would recommend just writing a few Suricata rules as I
> described for whatever ports are exposed at your border.
> 
> -Coop
> 
> On 7/4/2013 9:17 AM, Michael Hoffrath wrote:
>> Hello,
> 
>> Some time ago I was the target of a DDoS which had a very simple pattern: the source IP was random and spoofed, but for all DDoS clients the source and destination port were the same. Is there a way to write a rule that keeps track of source/destination port combinations and triggers if any combination happens several times?
> 
>> The problem is that I don't know which source/destination port combination is used, so I can't use "alert any $SRC_PORT -> $DST $DST_PORT"
> 
>> Kind Regards
>> Michael
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> OISF: http://www.openinfosecfoundation.org/
> 
> 
> 
> 

-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
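The thread turns on two points: why `track by_src` cannot catch a flood whose source addresses are spoofed at random (Cooper's correction to `track by_dst`), and whether counting (source port, destination port) pairs, as Michael asks, would work. The script below is an added illustration, not code from the thread or from the Suricata project. It models the `threshold: type both, track ..., count N, seconds S` behaviour as a small offline function whose tracking key is pluggable, and runs it over constructed SYN records (a handful of legitimate clients plus a flood with random spoofed sources and a fixed, made-up source port 31337). The `build_sample_traffic`, `threshold_both` and key-function names are this example's own.

```python
"""Offline model of Suricata-style 'threshold: type both' tracking (added example).

Nothing here touches a live capture: the packet list is constructed inline so the
three tracking strategies discussed in the thread can be compared deterministically.
"""
import random
from typing import Callable, Dict, Hashable, List, Tuple

Packet = Dict[str, object]          # ts, src, sport, dst, dport (all SYNs)
KeyFn = Callable[[Packet], Hashable]

# Tracking keys. by_src/by_dst mirror Suricata's track by_src / track by_dst;
# by_port_pair is the (source port, destination port) combination Michael asked for.
by_src: KeyFn = lambda p: p["src"]
by_dst: KeyFn = lambda p: p["dst"]
by_port_pair: KeyFn = lambda p: (p["sport"], p["dport"])


def threshold_both(packets: List[Packet], key: KeyFn, count: int,
                   seconds: float) -> List[Tuple[float, Hashable]]:
    """Return (timestamp, key) alerts.

    Modelled on 'type both': for each key, count matches inside a window of
    `seconds` starting at the first match; alert exactly once when the count
    reaches `count`, stay silent for the rest of the window, then start over.
    """
    state: Dict[Hashable, Tuple[float, int]] = {}   # key -> (window_start, n)
    alerts: List[Tuple[float, Hashable]] = []
    for p in sorted(packets, key=lambda q: q["ts"]):
        k = key(p)
        start, n = state.get(k, (p["ts"], 0))
        if p["ts"] - start >= seconds:      # window expired: open a fresh one
            start, n = p["ts"], 0
        n += 1
        state[k] = (start, n)
        if n == count:                      # fire once per window per key
            alerts.append((p["ts"], k))
    return alerts


def build_sample_traffic(seed: int = 1) -> List[Packet]:
    """Constructed SYN records (not real traffic) for a web server at 192.0.2.10."""
    rng = random.Random(seed)
    pkts: List[Packet] = []
    # Baseline: 200 SYNs over 20 s from ~50 clients with normal ephemeral source ports.
    for i in range(200):
        pkts.append({"ts": i * 0.1,
                     "src": f"203.0.113.{rng.randrange(1, 51)}",
                     "sport": rng.randrange(32768, 61000),
                     "dst": "192.0.2.10", "dport": 80})
    # Flood: 1200 SYNs in 5 s (t=10..15), random spoofed sources, one fixed
    # source port (31337 is an arbitrary constructed value).
    for i in range(1200):
        pkts.append({"ts": 10 + i * 5 / 1200,
                     "src": ".".join(str(rng.randrange(1, 255)) for _ in range(4)),
                     "sport": 31337,
                     "dst": "192.0.2.10", "dport": 80})
    return pkts


def compare_strategies(packets: List[Packet]) -> Dict[str, int]:
    """Alert counts for each tracking strategy over the same traffic."""
    return {
        "track by_src, count 1000, seconds 10":
            len(threshold_both(packets, by_src, 1000, 10)),
        "track by_dst, count 1000, seconds 10":
            len(threshold_both(packets, by_dst, 1000, 10)),
        "track by (sport,dport), count 500, seconds 10":
            len(threshold_both(packets, by_port_pair, 500, 10)),
    }


if __name__ == "__main__":
    traffic = build_sample_traffic()
    for strategy, hits in compare_strategies(traffic).items():
        print(f"{hits} alert(s)  <- {strategy}")
```

With spoofed sources every `by_src` counter stays near 1, so the `track by_src` version of the rule never fires, whereas `track by_dst` sees all 1300 SYNs in the 10 s window and fires once; the port-pair key isolates the flood to the single (31337, 80) combination and leaves the baseline clients, whose pairs are all distinct, untouched. Suricata's threshold engine does this bookkeeping per rule inside the sensor; this model only exists to make the keying choice visible.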


