[Oisf-users] tracking source and destination port

Michael Hoffrath at gmx.de
Thu Jul 4 17:54:22 UTC 2013

Hello Coop,

thanks for your reply.

Am 04.07.2013 um 19:47 schrieb Cooper F. Nelson:

> ET has rules like this:
> > #These are intended to catch new worms and such scanning internally. Careful of falses.
> > #
> > alert tcp $HOME_NET any -> any 445 (msg:"ET SCAN Behavioral Unusual Port 445 traffic, Potential Scan or Infection"; flags: S,12; threshold: type both, track by_src, count 70 , seconds 60; reference:url,doc.emergingthreats.net/2001569; classtype:misc-activity; sid:2001569; rev:13;)
> The problem is that if you modify it to a '-> any any' rule its going to
> match all traffic.

that is no problem, only the traffic of the attacked host will be forwarded to the suricata host (through ospf next hop).

> The DDOS attacks you describe look like normal traffic flows; so its
> hard to detect it automatically.

Do you think? I think it's very unusual that many different hosts uses the same source and destination port :)

> What you could do is look at your traffic patterns and set the threshold
> to something well above your normal peak flows for any unique
> destination port.  Something like:
> > alert tcp $EXTERNAL_NET $HOME_NET -> any 80 (msg:"LOCAL Potential HTTP DDOS, high traffic"; flags: S,12; threshold: type both, track by_src, count 1000, seconds 10; 

That is not an option as i really don't know what the destination port is.

> Ideally what you would want would be a rule that detected a large number
> of half-open connections to any unique port.  I don't believe suricata
> currently has this feature.  Snort has a portscan preprocessor that can
> be used to do this (I think).  See:
> http://manual.snort.org/node17.html#SECTION00323000000000000000

ok that seems to be a good hint, thank you for this!

> Ideally you should only have a few ports open on your DMZ, so I
> personally would recommend just writing a few suricata rules as I
> described for whatever ports are exposed at your border.

It is not an dmz, we are talking about an datacenter enviroment ;)

> - -Coop
> On 7/4/2013 9:17 AM, Michael Hoffrath wrote:
> > Hello,
> > 
> > some time ago i was target of an ddos which has a very simple pattern, the source ip was random and spoofed but for all ddos clients the source and destination port was the same. Is there a way to write a rule that keeps track of source/destination port combinations and triggers if any combination happens several times?
> > 
> > The problem is, that i don't know which source/destination port combination is used, so i can't use "alert any $SRC_PORT -> $DST $DST_PORT"
> > 
> > Kind Regards
> > Michael
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > OISF: http://www.openinfosecfoundation.org/
> > 
> - -- 
> Cooper Nelson
> Network Security Analyst
> UCSD ACT Security Team
> cnelson at ucsd.edu x41042

More information about the Oisf-users mailing list