[Oisf-users] Question about the Detection posibilities
Cooper F. Nelson
cnelson at ucsd.edu
Mon Mar 30 17:10:05 UTC 2015
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
The suricata engine is primarily rule (vs. behavior) based, but that
doesn't mean you can't write rules to detect scanning.
For example, I have these local rules that detect high volumes of SYN
floods both to and from our home network:
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL DOS Unusually fast SYN packets inbound, Potential DOS"; flags: S,12; threshold: type both, track by_dst, count 5000, seconds 5; classtype:misc-activity; sid:5;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL DOS Unusually fast SYN packets outbound, Potential DOS"; flags: S,12; threshold: type both, track by_dst, count 5000, seconds 5; classtype:misc-activity; sid:6;)
These are based on an ET open rule to detect potential SSH scans:
> alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN Potential SSH Scan"; flags:S,12; threshold: type both, track by_src, count 5, seconds 120; reference:url,en.wikipedia.org/wiki/Brute_force_attack; reference:url,doc.emergingthreats.net/2001219; classtype:attempted-recon; sid:2001219; rev:19;)
In turn, this method should be able to be leveraged to detect any
network-based anomaly, assuming it can be easily described.
I've also done a lot of work putting together an expert system/inference
engine that post-processes the suricata alerts file and looks for
anomalous behavior. So, while you may not be able to always write a
single rule to define an anomalous behavior efficiently, you can often
infer that by looking at the patterns of rules that are generated.
The only thing I've wanted to do (but haven't figured out yet), is to be
able to detect a new user-agent from a client in an automated fashion.
I can do this by post-processing the HTTP log file, but ideally I would
want this to show up in the alert file, as it would be a great way to
detect new malware variants from existing EK alerts.
- -Coop
On 3/30/2015 2:38 AM, Nick de Bruijn wrote:
> Hello oisf-users,
>
> I was wondering if you could help me to find the answer of my question.
>
> I'm wondering if there are any possibilities (or plug-ins), for Suricata
> to scan on network behavior to detect attacks (anomaly based scanning).
> Or is Suricata bound to Signatures / rules (missuse based scanning).
>
> You would very much help me to answer this question.
>
> Kind regards,
> Nick
>
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Training now available: http://suricata-ids.org/training/
>
- --
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
iQEcBAEBAgAGBQJVGYNtAAoJEKIFRYQsa8FWbvwH/jNbhXEn+BLFEJAyLkunzbF7
BgCZWb9FZfIIAha1ejhF88t66uPZQ16QUn/VF77jx80FKUnpngIjg1ioUrIEHDtg
fqeC81o0F1R7ttjlDmQq9a27fRLuh5hDdxDq+DJ7jAA4HHtC71I7AUB4llDwVPRI
R4dIZC9USlS/g6suaBz9m1YA58kMADXVWABR/UjdVdX6ZITkTjHxw4CUg3Q7kwnT
GLQGCl8pNmcRqdeVwNyW8L5x5lQflEeCqnVYpRjm/9gCPNoYN9/rID4Nx6DWzIRK
hY/8zZx9FOi804MsvEXgwhzXnlhVI6lEtFFVuJOT7twUIUhGyvz46VfznWQicfY=
=QODd
-----END PGP SIGNATURE-----
More information about the Oisf-users
mailing list