Subject: [snort] Plugin to call external programs!
From: Fabio Bastiglia Oliva (fbolivasafenetworks.com)
Date: Mon Mar 06 2000 - 17:38:53 CST


Hello guys,

        Well... As usual, sorry about my bad English!

        Some time ago I brought up an idea to create a specific plugin to
call an external program... This plugin could add rules to a firewall or
call any external program like a pager or something... I don't know if
someone remembers this?

        Something like this:

action AC1 "ipchains -A input -j REJECT -s $origin_IP -d 0/0 -l"
action AC2 "bip operator code \"Something detected from $origin_IP\" "
action AC3 "echo \"ipchains -D input -j REJECT -s $origin_IP -d 0/0 -l\" >file; at now + 30 minutes -f file"

        Then... this could be used this way:

alert tcp !$HOME_NET any -> $HOME_NET 2583 (msg:"BACKDOOR SIGNATURE - WinCrash 2.0 Connection"; flags:PA; content:"WinCrash Server 2.0";$AC1;AC2;AC3;)

        Hmmm... anyone got the idea???

        This could be VERY useful now that we're extracting some
backdoor signatures, as well as overflow signatures!

        To avoid denial of service (if someone is wondering whether to use this method
to block any other kind of attack), this method could use some kind of
IP_address_ignore_list... using an external file or inside the rules!

        Any ideas???

Best regards
-------------------------------
Fabio Bastiglia Oliva - Director
fbolivasafenetworks.com

Safe Networks Informatica LTDA.
http://www.safenetworks.com
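The following is an added example illustrating the proposal above; it is not code from Snort, from the post's author, or from any plugin that shipped. It shows the defender-side logic such an "action" plugin would need: pull the source address out of an alert, check it against an ignore list of the kind the post suggests (so that an attacker spoofing the gateway, the DNS server or the monitored net as the source cannot turn the responder into a denial-of-service tool against them), and only then build the block command plus the scheduled unblock. The alert-line format, the ignore-list file format, the helper names and the sample addresses are all assumptions made for this example; the commands are produced as strings and are never executed.

```python
"""Dry-run planner for a Snort-style 'call an external program' action.

Added example, not Snort code and not from the original post.  Everything here
(alert format, ignore-list format, command templates, sample data) is assumed.
"""

import ipaddress
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Constructed ignore list in the "external file" form the post suggests:
# one address or CIDR per line, '#' comments allowed.  Hosts the IDS must
# never firewall belong here, otherwise a spoofed source address is enough
# to make the responder cut off the gateway, the resolver or our own net.
IGNORE_LIST_TEXT = """
# constructed sample ignore list (hypothetical addresses)
192.0.2.0/24        # HOME_NET: never block our own hosts
198.51.100.1        # upstream gateway
198.51.100.53       # recursive DNS
127.0.0.0/8
"""

# Constructed alert line in a "fast"-style one-line format (assumed layout).
ALERT_LINE = ("03/06-17:38:53.000000 [**] [1:0:0] BACKDOOR SIGNATURE - "
              "WinCrash 2.0 Connection [**] {TCP} 203.0.113.7:4567 -> 192.0.2.10:2583")

_SRC_RE = re.compile(r"\{\w+\} (\d{1,3}(?:\.\d{1,3}){3})(?::\d+)? -> ")


def parse_ignore_list(text: str) -> List[ipaddress.IPv4Network]:
    """Turn the ignore-list text into network objects; bad lines raise ValueError."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def is_ignored(ip: str, nets: List[ipaddress.IPv4Network]) -> bool:
    """True if the address falls inside any ignore-list entry."""
    addr = ipaddress.ip_address(ip)  # also rejects junk that is not an address
    return any(addr in n for n in nets)


def source_ip_from_alert(line: str) -> Optional[str]:
    """Extract the source address from the assumed one-line alert format."""
    m = _SRC_RE.search(line)
    return m.group(1) if m else None


@dataclass
class Response:
    block_cmd: str    # the post's AC1: add the REJECT rule
    unblock_cmd: str  # the rule AC3 schedules for removal
    at_cmd: str       # the post's AC3: hand the removal to at(1)


def plan_response(origin_ip: str, nets: List[ipaddress.IPv4Network],
                  minutes: int = 30) -> Optional[Response]:
    """Commands the action would run for this source, or None if it is ignored.

    Only strings are built; nothing is executed.  The source address is
    validated and re-serialised so it can be interpolated into a shell
    command without carrying anything but a plain dotted quad."""
    if is_ignored(origin_ip, nets):
        return None
    ip = str(ipaddress.ip_address(origin_ip))
    block = f"ipchains -A input -j REJECT -s {ip} -d 0/0 -l"
    unblock = f"ipchains -D input -j REJECT -s {ip} -d 0/0 -l"
    script = f"unblock-{ip}.sh"
    at_cmd = f"echo {shlex.quote(unblock)} >{script}; at now + {minutes} minutes -f {script}"
    return Response(block, unblock, at_cmd)


def handle_alert(line: str, nets: List[ipaddress.IPv4Network]) -> Optional[Response]:
    """Full path for one alert: parse the source, consult the ignore list, plan."""
    src = source_ip_from_alert(line)
    return plan_response(src, nets) if src else None


if __name__ == "__main__":
    nets = parse_ignore_list(IGNORE_LIST_TEXT)
    for line in (ALERT_LINE, ALERT_LINE.replace("203.0.113.7", "198.51.100.53")):
        resp = handle_alert(line, nets)
        print(source_ip_from_alert(line), "->", "ignored" if resp is None else resp.block_cmd)
```

The ignore list is consulted before any command string is assembled, and the address is normalised through `ipaddress` first, so the only thing that ever reaches a command template is a validated dotted quad; the temporary unblock script is named per address so two alerts from different sources do not overwrite each other's scheduled removal.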