Subject: Re: [snort] Plugin to call external programs!
From: Martin Roesch (roesch@hiverworld.com)
Date: Mon Mar 06 2000 - 22:20:45 CST
- Next message: Martin Roesch: "Re: [snort] Updated snort_stat.pl"
- Previous message: Martin Roesch: "Re: [snort] Closing -b log file"
- In reply to: Fabio Bastiglia Oliva: "[snort] Plugin to call external programs!"
- Next in thread: John Wilson: "Re: [snort] Scripting Snort (sort of)"
- Reply: Martin Roesch: "Re: [snort] Plugin to call external programs!"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Isn't this a FAQ? Check the web page for my feelings on external
execution of binaries. You might want to look at Guardian if you just
want to dynamically reconfigure your firewall based on Snort alerts
<cringe>......
Fabio Bastiglia Oliva wrote:
>
> Hello guys,
>
> Well... As usual, sorry about my bad english!
>
> Some time ago I brought an idea to create a specific plugin to
> call an external program... This plugin could add rules to a firewall or
> call any external program like a pager or something... I don't know if
> someone remembers this?
>
> Something like this:
>
> action AC1 "ipchains -A input -j REJECT -s $origin_IP -d 0/0 -l"
> action AC2 "bip operator code \"Something detected from $origin_IP\" "
> action AC3 "echo \"ipchains -D input -j REJECT -s $origin_IP -d 0/0 -l\"
> >file; at now + 30 minutes -f file"
>
> Then... this could be used this way:
>
> alert tcp !$HOME_NET any -> $HOME_NET 2583 (msg:"BACKDOOR SIGNATURE -
> WinCrash 2.0 Connection"; flags:PA; content:"WinCrash Server
> 2.0";$AC1;AC2;AC3;)
>
> Hmmm... anyone got the idea???
>
> This could be VERY useful now that we're extracting some
> backdoor signatures, also as overflow signatures!
>
> To avoid denial of service, (if someone is wondering to use this method
> to block any other kind of attack) this method could use some kind of
> IP_address_ignore_list... using an external file or inside the rules!
>
> Any ideas???
>
> Best regards
> -------------------------------
> Fabio Bastiglia Oliva - Diretor
> fboliva@safenetworks.com
>
> Safe Networks Informatica LTDA.
> http://www.safenetworks.com
--
Martin Roesch <roesch@hiverworld.com>
Director of Forensic Systems
http://www.hiverworld.com
Hiverworld, Inc.
Enterprise Network Security
Network Forensics, Intrusion Detection and Risk Assessment
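The post above proposes "action" macros that substitute $origin_IP into a shell command, and itself notes the denial-of-service problem (an attacker who can make Snort see a chosen source address gets the firewall to block it, so an ignore list is needed). The following is an added example, not code from this thread, from Snort or from Guardian: a small dispatcher that shows how such an action table can be driven without handing the alert data to a shell. The action names AC1/AC2, the ACTIONS table, IGNORE_LIST and the alert dict shape are assumptions mirroring the post's syntax, and the sample addresses are constructed. Commands are only executed when `execute=True`; by default the function returns the argv lists it would run.

```python
"""Added example (hypothetical names; not Snort's or the poster's code).

Two defensive points are demonstrated:
  1. $origin_IP is validated as a bare IPv4 literal and substituted per
     argv token, so the address is never re-parsed by /bin/sh.
  2. The post's IP_address_ignore_list is honoured before any action runs,
     so an alert attributed to a listed address never triggers a block.
"""
import ipaddress
import shlex
import subprocess

# Hypothetical action table in the post's "action ACn ..." form.
ACTIONS = {
    "AC1": "ipchains -A input -j REJECT -s $origin_IP -d 0/0 -l",
    "AC2": 'bip operator code "Something detected from $origin_IP"',
}

# The "IP_address_ignore_list": addresses that must never be blocked whatever
# the alert says (gateways, resolvers, partners). Constructed sample values.
IGNORE_LIST = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.1/32")]


def validate_origin(value):
    """Return an IPv4Address for a bare address literal, else None.
    Hostnames, CIDR ranges, trailing text or metacharacters are all rejected
    rather than substituted into a command."""
    try:
        return ipaddress.IPv4Address(value)
    except ipaddress.AddressValueError:
        return None


def is_ignored(addr):
    """True if the address falls inside any ignore-list network."""
    return any(addr in net for net in IGNORE_LIST)


def build_command(action_name, origin_ip):
    """Return the argv list for one action, or None if it must not run.

    The template is tokenised first with shlex, then $origin_IP is replaced
    inside each token, so the resulting list can be passed to exec directly.
    """
    addr = validate_origin(origin_ip)
    if addr is None or is_ignored(addr):
        return None
    template = ACTIONS[action_name]
    return [tok.replace("$origin_IP", str(addr)) for tok in shlex.split(template)]


def dispatch(alert, execute=False):
    """Plan (and optionally run) the actions attached to one alert.

    alert: {'origin_IP': '203.0.113.5', 'actions': ['AC1', 'AC2']}
    Returns the list of argv lists that were (or would be) executed.
    """
    planned = []
    for name in alert["actions"]:
        argv = build_command(name, alert["origin_IP"])
        if argv is None:
            continue  # rejected address or ignore-listed: skip silently
        planned.append(argv)
        if execute:
            # List form, no shell: the address cannot become extra arguments.
            subprocess.run(argv, check=False)
    return planned


if __name__ == "__main__":
    # Dry run over a constructed alert; nothing is executed.
    for argv in dispatch({"origin_IP": "203.0.113.5", "actions": ["AC1", "AC2"]}):
        print(argv)
```

The ignore list is checked in `build_command` rather than per action so that every action sees the same decision, and a rejected address produces no command at all rather than a partially substituted one.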