[Oisf-users] tracking source and destination port
Michael Hoffrath at gmx.de
Thu Jul 4 17:54:22 UTC 2013
Hello Coop,
thanks for your reply.
Am 04.07.2013 um 19:47 schrieb Cooper F. Nelson:
> ET has rules like this:
>
> > #These are intended to catch new worms and such scanning internally. Careful of falses.
> > #
> > alert tcp $HOME_NET any -> any 445 (msg:"ET SCAN Behavioral Unusual Port 445 traffic, Potential Scan or Infection"; flags: S,12; threshold: type both, track by_src, count 70 , seconds 60; reference:url,doc.emergingthreats.net/2001569; classtype:misc-activity; sid:2001569; rev:13;)
>
> The problem is that if you modify it to a '-> any any' rule it's going to
> match all traffic.
That is no problem; only the traffic of the attacked host will be forwarded to the Suricata host (through OSPF next hop).
>
> The DDOS attacks you describe look like normal traffic flows; so it's
> hard to detect it automatically.
Do you think? I think it's very unusual that many different hosts use the same source and destination port :)
>
> What you could do is look at your traffic patterns and set the threshold
> to something well above your normal peak flows for any unique
> destination port. Something like:
>
> > alert tcp $EXTERNAL_NET $HOME_NET -> any 80 (msg:"LOCAL Potential HTTP DDOS, high traffic"; flags: S,12; threshold: type both, track by_src, count 1000, seconds 10;
>
That is not an option, as I really don't know what the destination port is.
> Ideally what you would want would be a rule that detected a large number
> of half-open connections to any unique port. I don't believe suricata
> currently has this feature. Snort has a portscan preprocessor that can
> be used to do this (I think). See:
>
> http://manual.snort.org/node17.html#SECTION00323000000000000000
>
OK, that seems to be a good hint, thank you for this!
> Ideally you should only have a few ports open on your DMZ, so I
> personally would recommend just writing a few suricata rules as I
> described for whatever ports are exposed at your border.
It is not a DMZ; we are talking about a datacenter environment ;)
>
> - -Coop
>
> On 7/4/2013 9:17 AM, Michael Hoffrath wrote:
> > Hello,
> >
> > Some time ago I was the target of a DDoS which had a very simple pattern: the source IP was random and spoofed, but for all DDoS clients the source and destination port were the same. Is there a way to write a rule that keeps track of source/destination port combinations and triggers if any combination happens several times?
> >
> > The problem is that I don't know which source/destination port combination is used, so I can't use "alert any $SRC_PORT -> $DST $DST_PORT".
> >
> > Kind Regards
> > Michael
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > OISF: http://www.openinfosecfoundation.org/
> >
>
>
> - --
> Cooper Nelson
> Network Security Analyst
> UCSD ACT Security Team
> cnelson at ucsd.edu x41042
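As an added example (not code from this thread or from the Suricata project): the thresholding discussed above tracks by_src or by_dst IP, which is exactly the dimension the attacker randomises, so a flood that reuses one source port against one destination port never accumulates per source. The script below does the tracking Michael asks for outside the engine: it reads Suricata EVE JSON flow records, keys on (dest_ip, src_port, dest_port) and counts distinct source IPs for each key inside a sliding window, firing once per combination when that count reaches a threshold. The field names follow Suricata's EVE layout; the records, addresses, ports and thresholds are constructed for the example, and the code assumes records arrive in time order.

```python
import json
from collections import defaultdict, deque
from datetime import datetime


def _flow(ts, src_ip, src_port, dest_ip, dest_port):
    """Build one constructed EVE 'flow' record line (sample data, not a capture)."""
    return json.dumps({"timestamp": ts, "event_type": "flow", "proto": "TCP",
                       "src_ip": src_ip, "src_port": src_port,
                       "dest_ip": dest_ip, "dest_port": dest_port})


# Constructed sample: 198.51.100.0/24 plays the spoofed attack sources, all
# reusing source port 6000 against 203.0.113.10:80; 192.0.2.0/24 is ordinary
# traffic. The 19:49:30 record is older than the window and must not count.
SAMPLE_EVE = "\n".join([
    _flow("2013-07-04T19:49:30.000000+0200", "198.51.100.99", 6000, "203.0.113.10", 80),
    _flow("2013-07-04T19:50:00.000000+0200", "198.51.100.1", 6000, "203.0.113.10", 80),
    _flow("2013-07-04T19:50:01.000000+0200", "198.51.100.2", 6000, "203.0.113.10", 80),
    _flow("2013-07-04T19:50:01.000000+0200", "192.0.2.50", 51234, "203.0.113.10", 80),
    _flow("2013-07-04T19:50:02.000000+0200", "198.51.100.3", 6000, "203.0.113.10", 80),
    _flow("2013-07-04T19:50:02.000000+0200", "198.51.100.3", 6000, "203.0.113.10", 80),
    json.dumps({"timestamp": "2013-07-04T19:50:02.500000+0200", "event_type": "stats"}),
    _flow("2013-07-04T19:50:03.000000+0200", "192.0.2.51", 40001, "203.0.113.10", 443),
    _flow("2013-07-04T19:50:03.000000+0200", "198.51.100.4", 6000, "203.0.113.10", 80),
    _flow("2013-07-04T19:50:04.000000+0200", "198.51.100.5", 6000, "203.0.113.10", 80),
    _flow("2013-07-04T19:50:05.000000+0200", "198.51.100.6", 6000, "203.0.113.10", 80),
])


def parse_ts(ts):
    """Parse an EVE timestamp such as 2013-07-04T19:50:04.000000+0200."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


class PortPairTracker:
    """Count distinct source IPs per (dest_ip, src_port, dest_port) within a
    sliding window; fire once per combination when the count reaches the
    threshold. Keying on the port pair instead of the source IP is what makes
    randomised spoofed sources count towards the alert rather than against it."""

    def __init__(self, threshold, window_seconds):
        self.threshold = threshold
        self.window = window_seconds
        self.recent = defaultdict(deque)   # key -> deque of (datetime, src_ip)
        self.fired = set()                 # keys that already produced an alert

    def observe(self, rec):
        if rec.get("event_type") != "flow" or rec.get("proto") != "TCP":
            return None
        key = (rec["dest_ip"], rec["src_port"], rec["dest_port"])
        ts = parse_ts(rec["timestamp"])
        window = self.recent[key]
        window.append((ts, rec["src_ip"]))
        # Drop entries older than the window; the entry just appended has
        # age 0, so the loop always terminates with at least one element left.
        while (ts - window[0][0]).total_seconds() > self.window:
            window.popleft()
        distinct = {ip for _, ip in window}
        if len(distinct) >= self.threshold and key not in self.fired:
            self.fired.add(key)
            return {
                "timestamp": rec["timestamp"],
                "key": key,
                "distinct_sources": len(distinct),
                "msg": "Potential DDoS: %d distinct sources hit %s:%d from source port %d within %ds"
                       % (len(distinct), key[0], key[2], key[1], self.window),
            }
        return None


def scan(eve_text, threshold=5, window_seconds=10):
    """Run the tracker over EVE JSON text (one record per line); return alerts."""
    tracker = PortPairTracker(threshold, window_seconds)
    alerts = []
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        alert = tracker.observe(json.loads(line))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_EVE):
        print(a["timestamp"], a["msg"])
```

On the sample the 19:49:30 record is evicted before the count matters, the repeated 198.51.100.3 flow counts once, and the fifth distinct source at 19:50:04 produces the single alert. Flow records are written when a flow ends, so in live use (for example feeding the script from the tail of eve.json) detection lags by the flow timeout; the threshold and window should be set well above the peak number of distinct clients that legitimately share one source port against one service.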