Traffic Sentinel currently assumes that you are maintaining the rule file
outside the product. Adding rules is a matter of appending them to the
external version of the rule file and re-submitting the file using the
Signatures>Configure menu.
Currently there is no single source of rules that are automatically
applicable to InMon Traffic Sentinel. Most rules are defined from the
perspective of a firewall trying to filter incoming threats. Sentinel is
examining traffic behind the firewall, so you are only really interested in
rules that can be used to identify internal compromised hosts, or
unauthorized activity.
In addition, rules that involve deep inspection of packets or analyzing
sequences of packets are not supported since Traffic Sentinel uses sFlow
(packets are sampled and only the header is available - typically first 128
bytes).
We have extended the SNORT threshold mechanism to make it easy to detect
scanning behavior (many worms are easily detected by looking for scanning
behavior). The following rule raises an alert as soon as any local host is
detected pinging more than 5 hosts in less than 10 minutes:
alert icmp $HOME_NET any -> $HOME_NET any \
(\
msg:"ICMP echo scan";\
threshold: type scan, track by_src, count 5, seconds 600;\
classtype:network-scan;\
sid: 580002001;\
rev:1;\
)
Another useful application for the rule engine is enforcing local policies.
For example, you might have a rule that alerts if anyone (other than
authorized servers) responds to DHCP requests. Using SNORT rules in this way
is very similar to authoring ACL lists.
Any suggestions for improving rule management in Sentinel are welcome. Also
this mailing list would be a good forum for sharing rules that have been
found to be useful.
Finally, the new reporting system in Sentinel provides a powerful way of
detecting suspicious traffic patterns that are hard to express as packet
signatures. Reports can also generate alerts.
Peter
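The scan threshold described in the message above, as an added example that is not InMon's code: a sliding-window detector applying "threshold: type scan, track by_src, count 5, seconds 600" to constructed sFlow-style sampled headers. The HOME_NET value, the record field names and the reading of the threshold as "more than count distinct destination hosts within seconds" are assumptions.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

HOME_NET = ip_network("10.0.0.0/8")  # assumed $HOME_NET; adjust to the monitored site
SID, MSG = 580002001, "ICMP echo scan"  # taken from the rule in the message above

class ScanThreshold:
    """'threshold: type scan, track by_src, count N, seconds S' (assumed semantics):
    alert when one source has echo-requested more than N distinct hosts within S seconds."""
    def __init__(self, count, seconds, home_net=HOME_NET):
        self.count, self.seconds, self.home_net = count, seconds, home_net
        self.window = defaultdict(deque)  # src -> (ts, dst) pairs, oldest first
        self.active = set()               # sources currently above threshold (one alert each)

    def observe(self, ts, src, dst, proto, icmp_type):
        """Feed one sampled header; return an alert dict the first time a source crosses."""
        # Only echo requests (type 8) between $HOME_NET addresses match the rule.
        if proto != "icmp" or icmp_type != 8:
            return None
        if ip_address(src) not in self.home_net or ip_address(dst) not in self.home_net:
            return None
        win = self.window[src]
        win.append((ts, dst))
        while ts - win[0][0] > self.seconds:   # drop samples older than the window
            win.popleft()
        hosts = len({d for _, d in win})
        if hosts <= self.count:
            self.active.discard(src)           # fell below threshold: may alert again later
            return None
        if src in self.active:
            return None
        self.active.add(src)
        return {"sid": SID, "msg": MSG, "src": src, "ts": ts, "hosts": hosts}

def detect_scans(headers, count=5, seconds=600):
    """Run the rule over a batch of headers (sorted by time) and collect alerts."""
    det = ScanThreshold(count, seconds)
    return [a for rec in sorted(headers, key=lambda r: r[0]) if (a := det.observe(*rec))]

# Constructed sample of sFlow-style sampled headers: (ts_seconds, src, dst, proto, icmp_type)
SAMPLE_HEADERS = [
    *[(10 * i, "10.0.0.5", f"10.0.0.{10 + i}", "icmp", 8) for i in range(7)],      # 7 hosts in 60 s
    *[(5 * i, "10.0.0.7", f"10.0.0.{20 + i % 3}", "icmp", 8) for i in range(12)],  # same 3 hosts
    *[(i, "10.0.0.9", f"10.0.0.{30 + i}", "icmp", 8) for i in range(4)],           # 4 hosts, then
    (700, "10.0.0.9", "10.0.0.40", "icmp", 8), (701, "10.0.0.9", "10.0.0.41", "icmp", 8),  # 2 after window
    (3, "10.0.0.10", "10.0.0.5", "icmp", 0),                                       # echo reply
    *[(i, "192.0.2.1", f"10.0.0.{50 + i}", "icmp", 8) for i in range(10)],         # not $HOME_NET
]
```

`detect_scans(SAMPLE_HEADERS)` returns a single alert for 10.0.0.5 at its sixth distinct destination; the repeated pings, the expired window, the echo reply and the non-local source all stay silent.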
-----Original Message-----
From: owner-traffic-management@inmon.com [mailto:owner-traffic-management@inmon.com]
On Behalf Of SCOTT Jason, Network Engineer
Sent: Thursday, April 13, 2006 12:07 AM
To: traffic-management@inmon.com
Subject: [traffic-management] Best way of utilising SNORT rules?
With Traffic Sentinel, what is the best way of utilising SNORT rules? Is it
possible to update TS with new rules as they come about? If so, can you append
the rules or is it necessary to create a completely new rules file?
Regards,
Jason Scott
Received on Thu Apr 13 09:50:31 2006
This archive was generated by hypermail 2.1.8 : 04/13/06 PDT