[Oisf-users] Question about the Detection possibilities

Cooper F. Nelson cnelson at ucsd.edu
Mon Mar 30 17:10:05 UTC 2015


The suricata engine is primarily rule (vs. behavior) based, but that
doesn't mean you can't write rules to detect scanning.

For example, I have these local rules that detect high volumes of SYN
floods both to and from our home network:

> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL DOS Unusually fast SYN packets inbound, Potential DOS"; flags: S,12; threshold: type both, track by_dst, count 5000, seconds 5; classtype:misc-activity; sid:5;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL DOS Unusually fast SYN packets outbound, Potential DOS"; flags: S,12; threshold: type both, track by_dst, count 5000, seconds 5; classtype:misc-activity; sid:6;)

These are based on an ET open rule to detect potential SSH scans:

> alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN Potential SSH Scan";  flags:S,12; threshold: type both, track by_src, count 5, seconds 120; reference:url,en.wikipedia.org/wiki/Brute_force_attack; reference:url,doc.emergingthreats.net/2001219; classtype:attempted-recon; sid:2001219; rev:19;)

In turn, this method should be able to be leveraged to detect any
network-based anomaly, assuming it can be easily described.

I've also done a lot of work putting together an expert system/inference
engine that post-processes the suricata alerts file and looks for
anomalous behavior.  So, while you may not be able to always write a
single rule to define an anomalous behavior efficiently, you can often
infer that by looking at the patterns of rules that are generated.

The only thing I've wanted to do (but haven't figured out yet), is to be
able to detect a new user-agent from a client in an automated fashion.
I can do this by post-processing the HTTP log file, but ideally I would
want this to show up in the alert file, as it would be a great way to
detect new malware variants from existing EK alerts.

-Coop

On 3/30/2015 2:38 AM, Nick de Bruijn wrote:
> Hello oisf-users,
> I was wondering if you could help me to find the answer to my question.
> I'm wondering if there are any possibilities (or plug-ins), for Suricata
> to scan on network behavior to detect attacks (anomaly based scanning).
> Or is Suricata bound to Signatures / rules (misuse based scanning).
> You would very much help me to answer this question.
> Kind regards,
> Nick

-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
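Added example (not from Coop's post or the Suricata project): a post-processor for the eve.json HTTP log that learns each client's User-Agent set during a baseline window and emits eve-style alert records for any client/User-Agent pair first seen afterwards, which is the "new user-agent from a client" case described above. The sample lines, IP addresses, hostnames and the alert signature text are constructed for the demo; `http.http_user_agent` is the eve.json HTTP field name, and the alert record layout is only modelled on eve output.

```python
import json
from collections import defaultdict
from datetime import datetime

FIREFOX = "Mozilla/5.0 (Windows NT 6.1; rv:36.0) Gecko/20100101 Firefox/36.0"
CHROME = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/41.0.2272.101"
ODD_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"  # never seen from 10.0.0.5 before

def _event(ts, src, dst, event_type="http", **fields):
    """Build one constructed eve.json-style line (sample input, not real sensor data)."""
    return json.dumps({"timestamp": ts, "event_type": event_type, "src_ip": src, "dest_ip": dst, **fields})

SAMPLE_EVE_LINES = [
    _event("2015-03-30T09:00:01.000000+0000", "10.0.0.5", "93.184.216.34", http={"hostname": "example.com", "http_user_agent": FIREFOX}),
    _event("2015-03-30T09:05:00.000000+0000", "10.0.0.7", "93.184.216.34", http={"hostname": "example.com", "http_user_agent": CHROME}),
    _event("2015-03-30T12:00:00.000000+0000", "10.0.0.5", "10.0.0.1", "dns", dns={"rrname": "example.com"}),  # not HTTP: ignored
    _event("2015-03-30T12:01:00.000000+0000", "10.0.0.5", "93.184.216.34", http={"hostname": "example.com", "http_user_agent": FIREFOX}),
    _event("2015-03-30T12:02:30.000000+0000", "10.0.0.5", "198.51.100.23", http={"hostname": "cdn.example.net", "http_user_agent": ODD_UA}),
    _event("2015-03-30T12:03:00.000000+0000", "10.0.0.7", "93.184.216.34", http={"hostname": "example.com"}),  # no User-Agent header
    _event("2015-03-30T12:04:00.000000+0000", "10.0.0.9", "93.184.216.34", http={"hostname": "example.com", "http_user_agent": CHROME}),
]

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")

def detect_new_user_agents(eve_lines, learning_until):
    """Return one eve-style alert per (client, User-Agent) pair first seen after learning_until."""
    cutoff = _ts(learning_until)
    seen = defaultdict(set)  # client IP -> User-Agent strings observed so far (the baseline)
    alerts = []
    for line in eve_lines:
        ev = json.loads(line)
        ua = ev.get("http", {}).get("http_user_agent")
        if ev.get("event_type") != "http" or not ua:
            continue  # only HTTP records that carry a User-Agent header are relevant
        client = ev["src_ip"]
        if ua not in seen[client]:
            seen[client].add(ua)  # baseline keeps growing, so each new pair alerts exactly once
            if _ts(ev["timestamp"]) > cutoff:  # pairs inside the learning window only train the baseline
                alerts.append({
                    "timestamp": ev["timestamp"], "event_type": "alert",
                    "src_ip": client, "dest_ip": ev.get("dest_ip"),
                    "alert": {"signature": "LOCAL POLICY New User-Agent from client", "severity": 3},
                    "http": {"hostname": ev["http"].get("hostname"), "http_user_agent": ua},
                })
    return alerts

if __name__ == "__main__":
    for alert in detect_new_user_agents(SAMPLE_EVE_LINES, "2015-03-30T10:00:00.000000+0000"):
        print(json.dumps(alert))
```

A host that appears for the first time after the learning window (10.0.0.9 here) also alerts, since it has no baseline; in practice the learning window would be fed from days of eve.json history rather than a handful of lines.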

