List:       snort-sigs
Subject:    Re: [Snort-sigs] Help with a rule
From:       "Joel Esler (jesler)" <jesler () cisco ! com>
Date:       2013-12-10 21:22:13
Message-ID: 4C8FF910-9FA2-4F06-953E-B0F405ADF9FD () cisco ! com

I think what you may be searching for is:

http://manual.snort.org/node33.html#SECTION004622000000000000000

stream_size.


--
Joel Esler
AEGIS Intelligence Lead
OpenSource Manager
Vulnerability Research Team
Jabber: jesler@cisco.com

On Dec 10, 2013, at 1:53 PM, Y M <snort@outlook.com> wrote:

Hi Tyler,

I don't think you would be able to achieve this through rules. Depending on the MTU
of your network, packet payload will be constrained. For example, if the MTU is 1500
and you are looking at a TCP session, then your maximum payload will be 1460
excluding IP and TCP headers, given that no IP and TCP options are available in the
packet. This is different for UDP and ICMP. Not to mention the OS's in use and
fragmentation.

That said, the Stream5 preprocessor may help. Specifically, the "max_queued_bytes" and
"max_queued_segs" options. Also, look at the Stream5 readme in the Snort tarball (Stream
API). I would assume that your Frag3 is also configured for the target OS's in use.

Thanks
YM
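
Putting the two replies together (Joel's pointer to stream_size and YM's pointer to the Stream5 options), here is an added example of what a local snort.conf fragment and rule pair for Tyler's "more than 10MB leaving a server" case could look like. It is not code from either poster or from the Snort project. stream_size is computed by Stream5 from the TCP sequence numbers of the tracked session, so it counts bytes across the whole connection and is not limited by the per-packet payload ceiling the MTU imposes; the only prerequisite is that Stream5 is tracking TCP. Assumptions in the example: $HOME_NET holds the server network and $EXTERNAL_NET everything else (the standard snort.conf variables), the OS policy "linux" and the queue limits are placeholders to be tuned to the real hosts, and sids 1000001/1000002 are placeholder local sids.

```snort
# snort.conf fragment (Snort 2.9.x syntax). Session tracking is the
# prerequisite for stream_size: the byte count comes from Stream5's
# sequence-number tracking, not from any single packet's payload.
# The policy ("linux") and queue limits are assumptions for this example.
preprocessor stream5_global: track_tcp yes, track_udp yes, max_tcp 262144, memcap 134217728
preprocessor stream5_tcp: policy linux, max_queued_bytes 1048576, max_queued_segs 2621

# Rule 1: an internal host opened the connection (it is the TCP client)
# and has sent more than 10 MiB (10485760 bytes) out of the network.
# stream_size is checked on every packet once the session passes the
# limit, so the threshold keeps it to one alert per source per hour.
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( \
    msg:"LOCAL large outbound transfer, internal host is TCP client"; \
    flow:established,to_server; \
    stream_size:client,>,10485760; \
    threshold:type limit, track by_src, count 1, seconds 3600; \
    classtype:policy-violation; sid:1000001; rev:1; )

# Rule 2: an external host opened the connection to an internal server
# and has pulled more than 10 MiB from it. Packets carrying the data
# still travel $HOME_NET -> $EXTERNAL_NET, but the internal host is the
# server side of the stream, so the direction keywords flip.
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( \
    msg:"LOCAL large outbound transfer, internal host is TCP server"; \
    flow:established,to_client; \
    stream_size:server,>,10485760; \
    threshold:type limit, track by_src, count 1, seconds 3600; \
    classtype:policy-violation; sid:1000002; rev:1; )
```

Two practical points when deploying something like this: Stream5 only counts what it tracks, so sessions beyond max_tcp or the memcap, or ones that outlive the session timeout, will not be measured, and the sensor must see both directions of the flow for the client/server roles to be assigned correctly. The threshold rule option still works on 2.9 builds but is deprecated in favour of a standalone event_filter line in snort.conf, which does the same rate limiting outside the rule.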

> Date: Tue, 10 Dec 2013 12:20:55 -0500
> From: tah338@sr.unh.edu
> To: snort-sigs@lists.sourceforge.net
> Subject: [Snort-sigs] Help with a rule
> 
> Hi,
> 
> I'm fairly new to Snort, and was wondering if I could get assistance
> with writing a rule. Our Snort system is watching over a private network
> of several secure servers. One of the things we'd like to look for is
> large chunks of data being transferred off any of these servers. I'm
> trying to come up with a rule that alerts us any time there is some
> movement of data over, say, 10MB, but I'm not sure how to go about doing
> this. Any suggestions?
> 
> Thanks!
> 
> --
> Tyler MacPherson
> Student Operator
> UNH Research Computing Center
> (603) 862-4518
> 
> 
> ------------------------------------------------------------------------------
> Rapidly troubleshoot problems before they affect your business. Most IT
> organizations don't have a clear picture of how application performance
> affects their revenue. With AppDynamics, you get 100% visibility into your
> Java,.NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics Pro!
> http://pubads.g.doubleclick.net/gampad/clk?id=84349831&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs@lists.sourceforge.net<mailto:Snort-sigs@lists.sourceforge.net>
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
> 
> 
> Please visit http://blog.snort.org for the latest news about Snort!