Re: [Snort-users] RE: Network Behaviour Anomaly Detection

From: pieter claassen (pieter_at_countersnipe.com)
Date: 06/26/04

    To: Martin Roesch <roesch@sourcefire.com>
    Date: Sat, 26 Jun 2004 14:02:43 +0100

    As a first cut I can think of the following anomalous events that might
    be interesting:

    1. Changes in spread of connections from source/to destination to
    services over a specific time period. (i.e. there are new requests which
    make your environment look different from what it was)
    2. Changes in volume from source/to destination going to services over a
    specific time period. (i.e. resource abuse or successful compromise)

    How would the logic be implemented? Can this be done through the
    existing rule syntax?

    sample rules:

    alert tcp any any -> $WEBSERVERS any (msg:"Somebody is probing our
    servers" ; anomaly:"ports > 20/min" )
     - A match would indicate a quantitative increase in connections to more
    than 20/min to a webserver

    alert tcp any any -> $WEBSERVERS any (msg:"Sudden increase in
    consumption"; anomaly:"volume > 20%/min" )
     - A match would indicate a qualitative increase in volume of traffic
    being requested from a service

    alert tcp any any <> any any (msg:"Client is making a whole lot of new
    connections and getting loads of data back"; anomaly:"volume_per_con >
    20%/min AND ports > 20%/min" )
     - A match would indicate that a client is originating new connections
    and getting data back

    Isn't the first option just the portscan preprocessor in a different
    form?

    Is there another way to "program" the preprocessor in this case?

    Pieter

    On Thu, 2004-06-24 at 20:25, Martin Roesch wrote:
    > Hi Mike,
    >
    > > Anyone interested in starting up an opensource project to build
    > > something
    > > like this?
    >
    > FYI, Snort's stream4 module (and the new spp_flow) module is capable of
    > logging the stats you mention for any flow that is observed,
    > specifically start/stop time, src/dst IPs and ports, number of packets
    > and number of bytes transferred, as well as IDS event stats and any
    > other flags you care to hang off of them. For example, along with the
    > flow record you could record the number of IDS events that fired for a
    > given flow as well as any anomalies that were detected on that flow
    > (e.g. fragmentation/tcp protocol anomalies, etc).
    >
    > Snort's got 50% of what you want already, you could implement the
    > anomaly detection as a preprocessor if you were so inclined...

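The two checks proposed above (distinct-port spread per source/destination pair per minute, and per-service byte-volume growth between consecutive minutes) can be sketched over the kind of flow record Martin describes stream4/spp_flow logging (start time, src/dst IPs and ports, bytes). The following Python is an added illustration written for this page; it is not code from the thread, from Snort, or from any preprocessor, and the `Flow` record layout, the `anomaly:` thresholds and the sample flows are all constructed assumptions. It generalises the first rule slightly: the spread is counted per (src, dst) pair rather than only toward $WEBSERVERS.

```python
"""Flow-record anomaly checks (hypothetical): distinct-port spread per
(src, dst) pair per minute, and byte-volume growth per destination between
consecutive minutes. Mirrors the 'ports > N/min' and 'volume > P%/min'
ideas from the thread; nothing here is Snort's own code."""
from collections import defaultdict
from dataclasses import dataclass

T0 = 1_088_254_800  # constructed base time, aligned on a minute boundary


@dataclass(frozen=True)
class Flow:
    """One flow record (assumed layout, based on what stream4/spp_flow can log)."""
    start: int      # flow start time, seconds since epoch
    src: str
    dst: str
    dport: int
    nbytes: int     # bytes transferred in the flow


def port_spread_alerts(flows, threshold=20, window=60):
    """Rule 'ports > N/min': for each (src, dst, window) count the distinct
    destination ports touched and report pairs whose spread exceeds N."""
    spread = defaultdict(set)
    for f in flows:
        win = f.start - f.start % window          # start of the minute bucket
        spread[(f.src, f.dst, win)].add(f.dport)
    return sorted((src, dst, win, len(ports))
                  for (src, dst, win), ports in spread.items()
                  if len(ports) > threshold)


def volume_change_alerts(flows, pct=20.0, window=60):
    """Rule 'volume > P%/min': sum bytes per destination per window and report
    (dst, window_start, percent_increase) where a window exceeds the previous
    one for that destination by more than P percent."""
    volume = defaultdict(int)
    for f in flows:
        win = f.start - f.start % window
        volume[(f.dst, win)] += f.nbytes
    by_dst = defaultdict(dict)
    for (dst, win), b in volume.items():
        by_dst[dst][win] = b
    alerts = []
    for dst, series in by_dst.items():
        wins = sorted(series)
        for prev, cur in zip(wins, wins[1:]):
            if cur - prev != window or series[prev] == 0:
                continue                          # gap or no baseline to compare
            growth = 100.0 * (series[cur] - series[prev]) / series[prev]
            if growth > pct:
                alerts.append((dst, cur, round(growth, 1)))
    return sorted(alerts)


def sample_flows():
    """Constructed flow records covering three minutes starting at T0."""
    flows = []
    # A normal client: four connections per minute to ports 80/443, 25 kB each.
    for m in range(3):
        for i in range(4):
            flows.append(Flow(T0 + 60 * m + 10 * i, "192.168.1.10", "10.0.0.5",
                              80 if i % 2 else 443, 25_000))
    # A probing host: 25 distinct ports on the same server within minute 2.
    for p in range(25):
        flows.append(Flow(T0 + 120 + p, "172.16.0.99", "10.0.0.5", 1000 + p, 60))
    # A second client pulling 80 kB in minute 2, pushing the server's volume up.
    flows.append(Flow(T0 + 125, "192.168.1.77", "10.0.0.5", 80, 80_000))
    return flows


if __name__ == "__main__":
    flows = sample_flows()
    for src, dst, win, n in port_spread_alerts(flows):
        print(f"port spread: {src} -> {dst} touched {n} ports in minute starting {win}")
    for dst, win, growth in volume_change_alerts(flows):
        print(f"volume: {dst} grew {growth}% in minute starting {win}")
```

With the constructed records the normal client touches only two ports per minute and never trips the spread rule, the probing host trips it with 25 distinct ports, and the server's byte volume goes from 100,000 in minute 1 to 181,500 in minute 2, an 81.5% rise that exceeds the 20%/min threshold; the minute-0 to minute-1 comparison (0% change) stays quiet, which is the baseline the percentage rule needs.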