List: incidents
Subject: RE: slowing down the spread of worms
From: Rob Keown <Keown () MACDIRECT ! COM>
Date: 2001-09-30 23:57:44
While this thread is a little off-topic, here is an interesting idea. We
have a Labrea machine on a few of our Class C's with available addresses.
I'm curious what others might think or any "proof-of-concept" out there.
http://archives.neohapsis.com/archives/firewalls/2001-q3/1091.html
Rob Keown
-----Original Message-----
From: Nathan W. Labadie [mailto:ab0781@wayne.edu]
Sent: Sunday, September 30, 2001 5:33 PM
To: incidents@securityfocus.com
Subject: slowing down the spread of worms
Is anyone else using the "flexible response" feature of snort to slow
down the spread of recent worms? I've been testing it and so far it
appears to be extremely effective. More information here:
http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.3.22
I'm currently running snort against a mirror of all the traffic for two
class b subnets (academic environment). Ever since the release of
codered, attempting to keep up with the number of IIS-related alerts is
impossible. There simply aren't the resources to parse through 100,000+
alerts at the end of the day. An unpatched IIS machine placed on the
network would usually become infected with either nimda or codered
within 6-12 hours. Using "flexible response" seems to be a feasible way
to slow things down a bit.
Here are a few of the rules from snort.conf:
---snip---
var RESP_TCP resp:rst_all
var RESP_UDP resp:icmp_all
pass tcp $EXTERNAL_NET any -> $INSIDE 80 ($RESP_TCP; msg:"WEB-IIS cmd.exe access (FlexRsp)"; flags: A+; content:"cmd.exe"; nocase; classtype:attempted-user; sid:1002; rev:1;)
pass tcp $EXTERNAL_NET any -> $INSIDE 80 ($RESP_TCP; msg:"WEB-IIS CodeRed v2 root.exe access (FlexRsp)"; flags: A+; uricontent:"scripts/root.exe?"; nocase; classtype: attempted-admin; sid: 1256; rev: 1;)
---snip---
Now you might be wondering why I'd use "pass" for these rules. As I
mentioned above, there simply aren't the resources to go through all of
the alerts at the end of the day. When "pass" is used, snort still
executes $RESP_TCP each time it sees a request for root.exe or
command.exe, it just doesn't generate an alert.
Before using flexresp (connection _is_ established):
[root@scanner root]# wget http://XXX.XXX.XXX.XXX/cmd.exe
--17:23:20-- http://XXX.XXX.XXX.XXX/cmd.exe
=> `cmd.exe'
Connecting to XXX.XXX.XXX.XXX:80... connected!
HTTP request sent, awaiting response... 404 Not Found
17:23:20 ERROR 404: Not Found.
After enabling flexresp:
--17:26:02-- http://XXX.XXX.XXX.XXX/cmd.exe
(try: 2) => `cmd.exe'
Connecting to XXX.XXX.XXX.XXX:80... connected!
HTTP request sent, awaiting response...
Read error (Connection reset by peer) in headers.
Essentially, snort is able to (silently) terminate all incoming
requests for cmd.exe and root.exe.
Hope this helps,
Nate
--
Nathan W. Labadie | ab0781@wayne.edu
Sr. Security Specialist | 313/577.2126
Wayne State University | 313/577.5626 fax
C&IT Security Office: http://security.wayne.edu
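As an added illustration (not code from the thread or from the Snort project), the following Python sketch evaluates the two rules quoted above against constructed HTTP requests, modelling the matching semantics the post relies on: `content` searches the whole payload, `uricontent` only the request URI, `nocase` ignores case, and a `pass` rule with `resp:rst_all` resets the connection without raising an alert. The Rule structure, parse_request_line and evaluate are hypothetical helpers, and URI normalisation that Snort's http_decode preprocessor would perform is deliberately omitted.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Rule:
    sid: int
    action: str             # "pass" or "alert"
    resp: Optional[str]     # active response, e.g. "rst_all"; None if absent
    pattern: str            # the content / uricontent string
    uri_only: bool          # True for uricontent, False for content
    nocase: bool            # True when the rule carries "nocase"

# The two rules from the post, transcribed by hand into the structure above.
RULES = [
    Rule(1002, "pass", "rst_all", "cmd.exe", uri_only=False, nocase=True),
    Rule(1256, "pass", "rst_all", "scripts/root.exe?", uri_only=True, nocase=True),
]

def parse_request_line(payload: str) -> str:
    """Return the URI from the HTTP request line, or "" if it is malformed."""
    first = payload.split("\r\n", 1)[0]
    parts = first.split(" ")
    return parts[1] if len(parts) >= 2 else ""

def matches(rule: Rule, payload: str) -> bool:
    # uricontent looks only at the URI; content looks at the entire payload
    haystack = parse_request_line(payload) if rule.uri_only else payload
    needle = rule.pattern
    if rule.nocase:
        haystack, needle = haystack.lower(), needle.lower()
    return needle in haystack

def evaluate(payload: str) -> Optional[Tuple[int, str, Optional[str]]]:
    """Return (sid, action, resp) of the first matching rule, else None.
    A "pass" action with resp set means: reset the session, log nothing."""
    for rule in RULES:
        if matches(rule, payload):
            return (rule.sid, rule.action, rule.resp)
    return None

if __name__ == "__main__":
    # Constructed sample requests; the last one shows that content:"cmd.exe"
    # also fires on a header value, which uricontent would not.
    samples = [
        "GET /cmd.exe HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
        "GET /scripts/root.exe? HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
        "GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
        "GET /index.html HTTP/1.0\r\nReferer: http://www.example.com/docs/cmd.exe\r\n\r\n",
    ]
    for s in samples:
        print(repr(s.split("\r\n", 1)[0]), "->", evaluate(s))
```

The fourth sample is the practical caveat: with a plain `content` match, a benign request that merely mentions cmd.exe in a header gets reset too, so `uricontent` is the narrower choice when only the requested path matters.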
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com