RE: slowing down the spread of worms

From: Rob Keown (Keownat_private)
Date: Sun Sep 30 2001 - 16:57:44 PDT


    While this thread is a little off-topic, here is an interesting idea. We
    have a Labrea machine on a few of our Class C's with available addresses.
    I'm curious what others might think or any "proof-of-concept" out there.
    
    http://archives.neohapsis.com/archives/firewalls/2001-q3/1091.html
    
    Rob Keown
    
    -----Original Message-----
    From: Nathan W. Labadie [mailto:ab0781at_private]
    Sent: Sunday, September 30, 2001 5:33 PM
    To: incidentsat_private
    Subject: slowing down the spread of worms
    
    
    Is anyone else using the "flexible response" feature of snort to slow 
    down the spread of recent worms? I've been testing it and so far it 
    appears to be extremely effective. More information here:
    
    http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.3.22
    
    I'm currently running snort against a mirror of all the traffic for two 
    class b subnets (academic environment). Ever since the release of 
    codered, attempting to keep up with the number of IIS-related alerts is 
    impossible. There simply aren't the resources to parse through 100,000+ 
    alerts at the end of the day. An unpatched IIS machine placed on the 
    network would usually become infected with either nimda or codered 
    within 6-12 hours. Using "flexible response" seems to be a feasible way 
    to slow things down a bit.
    
    Here are a few of the rules from snort.conf:
    ---snip---
    var RESP_TCP resp:rst_all
    var RESP_UDP resp:icmp_all
    
    pass tcp $EXTERNAL_NET any -> $INSIDE 80 ($RESP_TCP; msg:"WEB-IIS 
    cmd.exe access (FlexRsp)"; flags: A+; content:"cmd.exe"; nocase; 
    classtype:attempted-user; sid:1002; rev:1;)
    pass tcp $EXTERNAL_NET any -> $INSIDE 80 ($RESP_TCP; msg:"WEB-IIS 
    CodeRed v2 root.exe access (FlexRsp)"; flags: A+; 
    uricontent:"scripts/root.exe?"; nocase; classtype: attempted-admin; 
    sid: 1256; rev: 1;)
    ---snip---
    
    Now you might be wondering why I'd use "pass" for these rules. As I 
    mentioned above, there simply aren't the resources to go through all of 
    the alerts at the end of the day. When "pass" is used, snort still 
    executes $RESP_TCP each time it sees a request for root.exe or 
    command.exe; it just doesn't generate an alert.
    
    Before using flexresp (connection _is_ established):
    
    [root@scanner root]# wget http://XXX.XXX.XXX.XXX/cmd.exe
    --17:23:20--  http://XXX.XXX.XXX.XXX/cmd.exe
               => `cmd.exe'
    Connecting to XXX.XXX.XXX.XXX:80... connected!
    HTTP request sent, awaiting response... 404 Not Found
    17:23:20 ERROR 404: Not Found.
    
    After enabling flexresp:
    
    --17:26:02--  http://XXX.XXX.XXX.XXX/cmd.exe
      (try: 2) => `cmd.exe'
    Connecting to XXX.XXX.XXX.XXX:80... connected!
    HTTP request sent, awaiting response...
    Read error (Connection reset by peer) in headers.
    
    Essentially, snort is able to (silently) terminate all incoming 
    requests for cmd.exe and root.exe.
    
    Hope this helps,
    Nate
    
    -- 
    Nathan W. Labadie       | ab0781at_private	
    Sr. Security Specialist | 313/577.2126
    Wayne State University  | 313/577.5626 fax
    C&IT Security Office: http://security.wayne.edu
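As an added illustration (not code from the post or from Snort itself), a small Python model of how the two rules quoted above are read: the `var RESP_TCP` definition is expanded into each rule, the options are split out, and a constructed worm-style request is checked against `content`/`uricontent` so you can see that a `pass` rule still carries `resp:rst_all` while never producing an alert. The matcher is a deliberately simplified substring check (no URI normalisation, no `flags` evaluation), and the request strings are constructed samples.

```python
# Constructed snort.conf fragment modelled on the two rules quoted in the post.
SNORT_CONF = """
var RESP_TCP resp:rst_all
pass tcp $EXTERNAL_NET any -> $INSIDE 80 ($RESP_TCP; msg:"WEB-IIS cmd.exe access (FlexRsp)"; flags: A+; content:"cmd.exe"; nocase; classtype:attempted-user; sid:1002; rev:1;)
pass tcp $EXTERNAL_NET any -> $INSIDE 80 ($RESP_TCP; msg:"WEB-IIS CodeRed v2 root.exe access (FlexRsp)"; flags: A+; uricontent:"scripts/root.exe?"; nocase; classtype: attempted-admin; sid: 1256; rev: 1;)
"""

def parse_conf(text):
    """Expand 'var' definitions, then split each rule into action, header and options."""
    variables, rules = {}, []
    for line in text.strip().splitlines():
        if line.startswith("var "):
            _, name, value = line.split(None, 2)
            variables[name] = value
            continue
        for name, value in variables.items():   # $RESP_TCP -> resp:rst_all
            line = line.replace("$" + name, value)
        header, body = line.split("(", 1)
        action, *hdr = header.split()
        options = []
        for opt in body.rstrip(")").split(";"):  # naive split: assumes no ';' inside msg
            if opt.strip():
                key, _, val = opt.partition(":")
                options.append((key.strip(), val.strip().strip('"')))
        rules.append({"action": action, "header": hdr, "options": options})
    return rules

def matches(rule, uri, payload):
    """Simplified content/uricontent test (no URI normalisation, no flags check); a following 'nocase' makes it case-insensitive."""
    opts = rule["options"]
    for i, (key, val) in enumerate(opts):
        if key not in ("content", "uricontent"):
            continue
        hay = uri if key == "uricontent" else payload
        if i + 1 < len(opts) and opts[i + 1][0] == "nocase":
            hay, val = hay.lower(), val.lower()
        if val not in hay:
            return False
    return True

def evaluate(rules, uri, payload):
    """For each matching rule: its sid, whether it alerts, and its active response."""
    hits = []
    for r in rules:
        if matches(r, uri, payload):
            opts = dict(r["options"])
            hits.append({"sid": opts.get("sid"), "alerts": r["action"] == "alert",
                         "response": opts.get("resp")})
    return hits
```

Running `evaluate` over a request for `scripts/root.exe?` reports sid 1256 with response `rst_all` and `alerts` false, which is exactly the silent-reset behaviour the post describes.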
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Sun Sep 30 2001 - 17:04:59 PDT