Subject: Re: Composite Patterns
From: Elliot Turner (eturnerINTRUSION.COM)
Date: Wed Nov 29 2000 - 10:33:59 CST


Jacob,

Here's some example SNP-L code to detect 'N' inbound UDP packets/sec.

This is just some quick example code that I wrote today during lunch,
nothing more.
Have fun,

Elliot Turner

-----Original Message-----

Could you write a rule that would detect n inbound udp packets per second?

----------Attached----->

SNP-L Code:

        /* actual flood detection code. very simple example detects N
         * udp packets to a destination IP address. triggers an alarm if
         * N (or more) packets are sent to a host within a 1 second span
         * of time.
         */
int16 lookFor_N_inboundUDPpacketsPerSec(u_int32 curTimeSec)
{
        u_int32 (dst_ip_addr) udpCount;
        u_int32 (dst_ip_addr) udpCountTime;
        int16 (dst_ip_addr) udpCountFlag;
        u_int32 numUDPsec;
        u_int32 diffSeconds;

        /* initialize flood detection variables for this destination
         * ip address */
        if (udpCountFlag == 0)
        {
                udpCountFlag = 1;
                udpCountTime = curTimeSec;
                udpCount = udpCount + 1;
        }
        else
        {
                /* increment flood counter */
                udpCount = udpCount + 1;

                /* if at least one second has passed */
                if (curTimeSec > udpCountTime)
                {
                        /* calculate number of passed seconds */
                        diffSeconds = curTimeSec - udpCountTime;

                        /* calculate number of inbound UDP packets
                         * per second */
                        numUDPsec = udpCount / diffSeconds;

                        /* if number of inbound packets exceeds the
                         * threshold (in this case, 1000 packets/sec)
                         * trigger a response
                         */
                        if (numUDPsec >= 1000)
                        {
                                module_trigger("Host Received N UDP Packets");
                        }

                        /* reset flood counters */
                        udpCount = 0;
                        udpCountTime = curTimeSec;
                }
        }
}

int16 examineInboundUDPpacket(u_int32 *curTimeSec,
                              int16 *dstIPMonitoredFlag)
{
        /* only search for floods if the destination host is configured
         * as a 'protected' internal host. we don't want to go off
         * detecting UDP floods for WWW clients that access our public
         * servers, or other random internet hosts */
        if (dstIPMonitoredFlag[0] == 1)
        {
                lookFor_N_inboundUDPpacketsPerSec(curTimeSec[0]);
        }
}

/* declare this function as public, so that it may be called from
 * the SecureNet Pro Monitoring Engine */
public examineInboundUDPpacket;

/* map the current time (in seconds) that a packet was received, and
 * the 'protected internal host' flag for the destination ip address
 * to variables passed into the 'examineInboundUDPpacket' function.
 */
passer examineInboundUDPpacket(current_time_sec, dstip_monitored);

Module Definitions:

--Module-Begin--
Name: Example UDP Flood Decoder
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 2
Analysis-Script: examineInboundUDPpacket
Action: 4
---Module-End---
--Module-Begin--
Name: Host Received N UDP Packets
Group: Miscellaneous
Active-Flag: 1
Priority: 3
Input-Source: 12
Action: 4
Log-Message: UDP flood to ~DSTIP
---Module-End---

-----Original Message-----
From: Jacob Martinson [mailto:jmartinsonAPERIAN.COM]
Sent: Tuesday, November 28, 2000 10:42 AM
To: FOCUS-IDSSECURITYFOCUS.COM
Subject: Re: Composite Patterns

Could you write a rule that would detect n inbound udp packets per second?

-----Original Message-----
From: Martin Roesch [mailto:roeschmd.prestige.net]
Sent: Tuesday, November 28, 2000 10:24 AM
To: Jacob Martinson
Cc: FOCUS-IDSSECURITYFOCUS.COM
Subject: Re: Composite Patterns

Actually, Snort *does* do composite patterns within a single rule. Is this
what you're looking for, or are you talking about multi-rule composites?
Multi-rule composites is something that's in the works...

     -Marty

Jacob Martinson wrote:
>
> I am trying to find a decent NIDS that can detect fraggle, tfn, trinoo etc.
> Snort doesn't do composite patterns at this point and NetRanger requires
> that you run OpenView on the management console (as far as I can tell).
> Does anyone have any recommendations?
>
> My ultimate goal is something that will alert me as quickly as possible when
> we are experiencing a dos attack.
>
> Thanks for any input!
>
> Jacob Martinson
>
> ---
> BSD Unix - the first operating system with an IP stack.

--
Martin Roesch
roeschmd.prestige.net
http://www.snort.org
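The per-destination rate check from Elliot's SNP-L code above, ported to Python as an added example that is not part of the original thread or of SecureNet Pro; the 1000 packets/sec threshold and the 'monitored host' gate are kept, and the sample packet stream is constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

THRESHOLD_PPS = 1000  # same threshold as the SNP-L example


@dataclass
class _HostState:
    """Per-destination counters (udpCount / udpCountTime / udpCountFlag)."""
    count: int = 0
    window_start: int = 0
    initialised: bool = False


class UdpFloodDetector:
    """Counts inbound UDP packets per destination IP and alerts on a rate."""

    def __init__(self, threshold_pps=THRESHOLD_PPS, monitored=()):
        self.threshold = threshold_pps
        self.monitored = set(monitored)  # the 'protected internal hosts'
        self.state = defaultdict(_HostState)
        self.alerts = []

    def observe(self, dst_ip: str, cur_time_sec: int) -> bool:
        """Feed one inbound UDP packet; return True if an alert fires."""
        if dst_ip not in self.monitored:  # dstip_monitored flag not set
            return False
        st = self.state[dst_ip]
        if not st.initialised:
            st.initialised = True
            st.window_start = cur_time_sec
            st.count += 1
            return False
        st.count += 1
        if cur_time_sec <= st.window_start:
            return False  # still inside the first second of the window
        diff = cur_time_sec - st.window_start
        pps = st.count // diff  # integer division, as in the original
        fired = pps >= self.threshold
        if fired:
            self.alerts.append(f"UDP flood to {dst_ip}: {pps} packets/sec")
        st.count = 0  # the packet that closed the window is not carried over
        st.window_start = cur_time_sec
        return fired


def replay(packets, monitored, threshold_pps=THRESHOLD_PPS):
    """Run a list of (dst_ip, time_sec) packets; return those that alerted."""
    det = UdpFloodDetector(threshold_pps, monitored)
    return [pkt for pkt in packets if det.observe(*pkt)]
```

Two properties of the original logic carry over and matter for tuning: a burst inside one second is only evaluated when a later packet arrives in a subsequent second, and the count is divided by the whole gap, so a burst followed by silence can average out below the threshold.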