[Oisf-users] Question about the Detection possibilities

Gary Faulkner gfaulkner.nsm at gmail.com
Tue Mar 31 02:15:10 UTC 2015


I'm wondering if a slight variation on those sigs to 'track by_src' 
would detect potential scans/DOS where there is 1 source and multiple 
targets? Also I'm wondering if it is at all desirable to change the 
flags section based on RFC 3168 or if it has no practical effect on the 
rule?

From the Snort manual (guessing this could apply to Suricata as well):

The reserved bits '1' and '2' have been replaced with 'C' and 'E', 
respectively, to match RFC 3168, "The Addition of Explicit Congestion 
Notification (ECN) to IP". The old values of '1' and '2' are still valid 
for the flag keyword, but are now deprecated.

Regards,
Gary

On 3/30/2015 12:10 PM, Cooper F. Nelson wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> The suricata engine is primarily rule (vs. behavior) based, but that
> doesn't mean you can't write rules to detect scanning.
>
> For example, I have these local rules that detect high volumes of SYN
> floods both to and from our home network:
>
>> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL DOS Unusually fast SYN packets inbound, Potential DOS"; flags: S,12; threshold: type both, track by_dst, count 5000, seconds 5; classtype:misc-activity; sid:5;)
>> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL DOS Unusually fast SYN packets outbound, Potential DOS"; flags: S,12; threshold: type both, track by_dst, count 5000, seconds 5; classtype:misc-activity; sid:6;)
> These are based on an ET open rule to detect potential SSH scans:
>
>> alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN Potential SSH Scan";  flags:S,12; threshold: type both, track by_src, count 5, seconds 120; reference:url,en.wikipedia.org/wiki/Brute_force_attack; reference:url,doc.emergingthreats.net/2001219; classtype:attempted-recon; sid:2001219; rev:19;)
> In turn, this method should be able to be leveraged to detect any
> network-based anomaly, assuming it can be easily described.
>
> I've also done a lot of work putting together an expert system/inference
> engine that post-processes the suricata alerts file and looks for
> anomalous behavior.  So, while you may not be able to always write a
> single rule to define an anomalous behavior efficiently, you can often
> infer that by looking at the patterns of rules that are generated.
>
> The only thing I've wanted to do (but haven't figured out yet), is to be
> able to detect a new user-agent from a client in an automated fashion.
> I can do this by post-processing the HTTP log file, but ideally I would
> want this to show up in the alert file, as it would be a great way to
> detect new malware variants from existing EK alerts.
>
> - -Coop
>
> On 3/30/2015 2:38 AM, Nick de Bruijn wrote:
>> Hello oisf-users,
>>
>> I was wondering if you could help me to find the answer of my question.
>>
>> I'm wondering if there are any possibilities (or plug-ins), for Suricata
>> to scan on network behavior to detect attacks (anomaly based scanning).
>> Or is Suricata bound to Signatures / rules (misuse based scanning).
>>
>> You would very much help me to answer this question.
>>
>> Kind regards,
>> Nick
>>
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> Training now available: http://suricata-ids.org/training/
>>
>
> - -- 
> Cooper Nelson
> Network Security Analyst
> UCSD ACT Security Team
> cnelson at ucsd.edu x41042
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.17 (MingW32)
>
> iQEcBAEBAgAGBQJVGYNtAAoJEKIFRYQsa8FWbvwH/jNbhXEn+BLFEJAyLkunzbF7
> BgCZWb9FZfIIAha1ejhF88t66uPZQ16QUn/VF77jx80FKUnpngIjg1ioUrIEHDtg
> fqeC81o0F1R7ttjlDmQq9a27fRLuh5hDdxDq+DJ7jAA4HHtC71I7AUB4llDwVPRI
> R4dIZC9USlS/g6suaBz9m1YA58kMADXVWABR/UjdVdX6ZITkTjHxw4CUg3Q7kwnT
> GLQGCl8pNmcRqdeVwNyW8L5x5lQflEeCqnVYpRjm/9gCPNoYN9/rID4Nx6DWzIRK
> hY/8zZx9FOi804MsvEXgwhzXnlhVI6lEtFFVuJOT7twUIUhGyvz46VfznWQicfY=
> =QODd
> -----END PGP SIGNATURE-----
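Added example, not part of this thread and not Suricata's or Snort's own code: a small Python model of how the `flags` and `threshold` keywords in the rules quoted above behave, so that both of Gary's questions can be checked on constructed packets. The semantics implemented (exact flag match with a comma-separated ignore list; `type both` firing once per window on the count-th match, keyed by source or destination) are my reading of the Snort manual, and the packet records, rule text and sid numbers are constructed for the demonstration. It shows that `track by_src` catches one source hitting many targets while `track by_dst` catches many sources hitting one target, and that `S,12` and `S,CE` produce the identical bitmask, so the RFC 3168 spelling has no practical effect on what the rule matches.

```python
"""Model of Snort/Suricata `flags` and `threshold` keyword semantics (added example)."""
import re

# TCP flag bits. RFC 3168 renamed the two reserved bits CWR and ECE; Snort's
# legacy names '1' and '2' are aliases for the same bit values, so 'S,12' and
# 'S,CE' compile to the same mask.
FLAG_BITS = {
    "F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20,
    "E": 0x40, "2": 0x40,   # ECE
    "C": 0x80, "1": 0x80,   # CWR
}


def parse_flags(spec):
    """'S,12' -> (modifier, match_mask, ignore_mask); modifier is '', '+', '*' or '!'."""
    spec = spec.replace(" ", "")
    match_part, _, ignore_part = spec.partition(",")
    modifier = ""
    if match_part and match_part[0] in "+*!":
        modifier, match_part = match_part[0], match_part[1:]
    match = 0 if match_part == "0" else sum(FLAG_BITS[c] for c in match_part)
    ignore = sum(FLAG_BITS[c] for c in ignore_part)
    return modifier, match, ignore


def flags_match(packet_flags, spec):
    """True if the packet's 8-bit TCP flag field satisfies the flags option."""
    modifier, match, ignore = parse_flags(spec)
    observed = packet_flags & ~ignore & 0xFF   # bits in the ignore list are masked out first
    if modifier == "+":
        return observed & match == match       # all listed flags set (others allowed)
    if modifier == "*":
        return observed & match != 0           # any listed flag set
    if modifier == "!":
        return observed & match == 0           # none of the listed flags set
    return observed == match                   # default: exact match


class Threshold:
    """`threshold: type both, track by_src|by_dst, count N, seconds T`:
    alert exactly once per T-second window, on the N-th match for the tracked key."""

    def __init__(self, track, count, seconds):
        self.track, self.count, self.seconds = track, count, seconds
        self.windows = {}  # key -> (window_start, hits_in_window)

    def hit(self, pkt):
        key = pkt["src"] if self.track == "by_src" else pkt["dst"]
        start, hits = self.windows.get(key, (pkt["ts"], 0))
        if pkt["ts"] - start >= self.seconds:  # window expired: start a new one
            start, hits = pkt["ts"], 0
        hits += 1
        self.windows[key] = (start, hits)
        return hits == self.count


def compile_rule(rule):
    """Pull the flags spec and threshold parameters out of a rule's option block."""
    opts = rule[rule.index("(") + 1: rule.rindex(")")]
    flags = re.search(r"flags:\s*([^;]+);", opts).group(1)
    th = re.search(r"threshold:\s*([^;]+);", opts).group(1)
    kv = dict(item.strip().split(None, 1) for item in th.split(","))
    return flags, Threshold(kv["track"], int(kv["count"]), int(kv["seconds"]))


def run_rule(rule, packets):
    """Return (ts, src, dst) for every alert the rule would raise on the packet list."""
    flags, threshold = compile_rule(rule)
    return [(p["ts"], p["src"], p["dst"]) for p in packets
            if flags_match(p["flags"], flags) and threshold.hit(p)]


# Constructed rules (sids are placeholders): the by_src variant Gary asks about
# beside a by_dst variant in the shape of Cooper's LOCAL DOS rules.
SCAN_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL SCAN one source, many targets"; '
             'flags:S,CE; threshold: type both, track by_src, count 5, seconds 120; sid:1000001;)')
DOS_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL DOS many sources, one target"; '
            'flags: S,12; threshold: type both, track by_dst, count 5, seconds 5; sid:1000002;)')

SYN = FLAG_BITS["S"]
ECN_SYN = FLAG_BITS["S"] | FLAG_BITS["C"] | FLAG_BITS["E"]   # ECN-setup SYN per RFC 3168


def horizontal_scan():
    """Constructed traffic: one external host sends a SYN to 20 internal hosts within a second."""
    return [{"ts": 0.05 * i, "src": "198.51.100.7", "dst": f"10.0.0.{i + 1}", "flags": SYN}
            for i in range(20)]


def syn_flood():
    """Constructed traffic: 20 distinct sources each send an ECN-setup SYN to one internal host."""
    return [{"ts": 0.05 * i, "src": f"203.0.113.{i + 1}", "dst": "10.0.0.1", "flags": ECN_SYN}
            for i in range(20)]


if __name__ == "__main__":
    print("scan rule on scan  :", run_rule(SCAN_RULE, horizontal_scan()))
    print("dos  rule on scan  :", run_rule(DOS_RULE, horizontal_scan()))
    print("scan rule on flood :", run_rule(SCAN_RULE, syn_flood()))
    print("dos  rule on flood :", run_rule(DOS_RULE, syn_flood()))
    print("'S,12' == 'S,CE'   :", parse_flags("S,12") == parse_flags("S,CE"))
```

One point the model makes visible: without the ignore list, a plain `flags:S` does not match an ECN-setup SYN (SYN with CWR and ECE set), which is why the ET rule carries `S,12`; whether that list is written `12` or `CE` changes nothing in the compiled mask.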
