Discussion and posting of new sigs, sig ideas, and much more. Also covers sigs in other IDS formats, realtime block lists, and more. ()

headers

Will Metcalf | 25 May 2013 01:12

Daily Ruleset Update Summary 05/24/2013

[***] Summary: [***]

8 new Open rules. 11 new Pro rules (8/11). HellSpawn EK, KaiXin, etc.

[+++] Added rules: [+++]

2016923 - ET CURRENT_EVENTS KaiXin Exploit Kit Java Class 1 May 24 2013 (current_events.rules)

2016924 - ET CURRENT_EVENTS KaiXin Exploit Kit Java Class 2 May 24 2013 (current_events.rules)

2016925 - ET CURRENT_EVENTS KaiXin Exploit Landing Page 1 May 24 2013 (current_events.rules)

2016926 - ET CURRENT_EVENTS KaiXin Exploit Landing Page 2 May 24 2013 (current_events.rules)

2016927 - ET CURRENT_EVENTS HellSpawn EK Landing 1 May 24 2013 (current_events.rules)

2016928 - ET CURRENT_EVENTS HellSpawn EK Landing 2 May 24 2013 (current_events.rules)

2016929 - ET CURRENT_EVENTS Possible HellSpawn EK Fake Flash May 24 2013 (current_events.rules)

2016930 - ET CURRENT_EVENTS Possible HellSpawn EK Java Artifact May 24 2013 (current_events.rules)

Pro:

2806392 - ETPRO TROJAN Trojan-Ransom.Win32.Blocker.bczs Checkin (trojan.rules)

2806393 - ETPRO TROJAN Trojan.Siggen5.15498 Checkin (trojan.rules)

2806394 - ETPRO TROJAN Trojan.Win32.Agent.hwgs Checkin (trojan.rules)

[///] Modified active rules: [///]

2015575 - ET CURRENT_EVENTS KaiXin Exploit Kit Java Class (current_events.rules)

2016384 - ET WEB_SPECIFIC_APPS WordPress CommentLuv Plugin _ajax_nonce Parameter XSS Attempt (web_specific_apps.rules)

2016832 - ET CURRENT_EVENTS HellSpawn EK Requesting Jar (current_events.rules)

[---] Moved rules: [---]

Old:

2806284 - ETPRO TROJAN Backdoor family PCRat/Gh0st CnC traffic (trojan.rules)

New:

2016922 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (trojan.rules)

<div><div dir="ltr">
<div>[***] &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Summary: &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;[***]</div>
<div><br></div>
<div>8 new Open rules. 11 new Pro rules (8/11). HellSpawn EK, KaiXin, etc.&nbsp;</div>
<div><br></div>
<div>[+++] &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Added rules: &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;[+++]</div>
<div><br></div>
<div>&nbsp; 2016923 - ET CURRENT_EVENTS KaiXin Exploit Kit Java Class 1 May 24 2013 (current_events.rules)<br>
</div>
<div>&nbsp; 2016924 - ET CURRENT_EVENTS KaiXin Exploit Kit Java Class 2 May 24 2013 (current_events.rules)</div>
<div>&nbsp; 2016925 - ET CURRENT_EVENTS KaiXin Exploit Landing Page 1 May 24 2013 (current_events.rules)</div>
<div>&nbsp; 2016926 - ET CURRENT_EVENTS KaiXin Exploit Landing Page 2 May 24 2013 (current_events.rules)</div>
<div>&nbsp; 2016927 - ET CURRENT_EVENTS HellSpawn EK Landing 1 May 24 2013 (current_events.rules)</div>
<div>&nbsp; 2016928 - ET CURRENT_EVENTS HellSpawn EK Landing 2 May 24 2013 (current_events.rules)</div>
<div>&nbsp; 2016929 - ET CURRENT_EVENTS Possible HellSpawn EK Fake Flash May 24 2013 (current_events.rules)</div>
<div>&nbsp; 2016930 - ET CURRENT_EVENTS Possible HellSpawn EK Java Artifact May 24 2013 (current_events.rules)</div>
<div><br></div>
<div>&nbsp; Pro:</div>
<div>&nbsp; 2806392 - ETPRO TROJAN Trojan-Ransom.Win32.Blocker.bczs Checkin (trojan.rules)</div>
<div>&nbsp; 2806393 - ETPRO TROJAN Trojan.Siggen5.15498 Checkin (trojan.rules)</div>
<div>&nbsp; 2806394 - ETPRO TROJAN Trojan.Win32.Agent.hwgs Checkin (trojan.rules)</div>
<div><br></div>
<div><br></div>
<div>&nbsp;[///] &nbsp; &nbsp; Modified active rules: &nbsp; &nbsp; [///]</div>
<div><br></div>
<div>&nbsp; 2015575 - ET CURRENT_EVENTS KaiXin Exploit Kit Java Class (current_events.rules)</div>
<div>&nbsp; 2016384 - ET WEB_SPECIFIC_APPS WordPress CommentLuv Plugin _ajax_nonce Parameter XSS Attempt (web_specific_apps.rules)<br>
</div>
<div>&nbsp; 2016832 - ET CURRENT_EVENTS HellSpawn EK Requesting Jar (current_events.rules)</div>
<div><br></div>
<div>&nbsp;[---] &nbsp; &nbsp; &nbsp; &nbsp;Moved rules: &nbsp; &nbsp; &nbsp; &nbsp; [---]</div>
<div><br></div>
<div>&nbsp; Old:</div>
<div>&nbsp; 2806284 - ETPRO TROJAN Backdoor family PCRat/Gh0st CnC traffic (trojan.rules)</div>
<div><br></div>
<div>&nbsp; New:&nbsp;</div>
<div>&nbsp; 2016922 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (trojan.rules)</div>
<div><br></div>
<div>&nbsp;&nbsp;</div>
</div></div>

headers

Josh Bitto | 24 May 2013 18:33

Fake Internet Version

I’m getting this signature coming in from a byod from a student.

[1:2016870:4] ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5

Where on earth are you guys getting the explanations for these? I can’t find anything that tells me in English what the threat is.

Joshua Bitto

<div>

<div>&nbsp;</div>
<div>I&rsquo;m getting this signature coming in from a byod from a student. </div>
<div>&nbsp;</div>
<div>[1:2016870:4]&nbsp; ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5</div>
<div>&nbsp;</div>
<div>Where on earth are you guys getting the explanations for these? I can&rsquo;t find anything that tells me in English what the threat is.</div>
<div>&nbsp;</div>
<div>Joshua Bitto</div>
<div>&nbsp;</div>
<div>&nbsp;</div>
<div>&nbsp;</div>

</div>

headers

Will Metcalf | 24 May 2013 02:38

Daily Ruleset Update Summary 05/23/2013

[+++] Summary: [+++]

3 new Open rules. 8 new Pro rules (3/5). Apache Struts, Malicious Redirect, Fake/Old UA thresholding changed to limit 2,60 from threshold of the same value we were missing some one shot requests. Again depending on your env you may need to tweak/turn these off. NGINX chunked sig, modified to look for any chunk greater than a 32 bit signed int. etc.

[+++] Added rules: [+++]

Open:
2016919 - ET CURRENT_EVENTS Malicious Redirect URL (current_events.rules)
2016920 - ET WEB_SERVER Apache Struts Possible xwork Disable Method Execution (web_server.rules)
2016921 - ET INFO Suspicious Mozilla UA with no Space after colon (info.rules)

Pro:
2806387 - ETPRO TROJAN Win32/TrojanDropper.Agent.PYN Checkin (trojan.rules)
2806388 - ETPRO TROJAN Trojan.Win32.Agent.vldg Checkin (trojan.rules)
2806389 - ETPRO MALWARE Win32/TrojanDownloader.Banload.SCN (malware.rules)
2806390 - ETPRO MALWARE Win32/TrojanDownloader.Banload.SCN 2 (malware.rules)
2806391 - ETPRO MALWARE Win32/Vog Request (malware.rules)

[///] Modified active rules: [///]

2016870 - ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5. (policy.rules)
2016871 - ET POLICY Unsupported/Fake Internet Explorer Version MSIE 4. (policy.rules)
2016872 - ET POLICY Unsupported/Fake Internet Explorer Version MSIE 3. (policy.rules)
2016873 - ET POLICY Unsupported/Fake Internet Explorer Version MSIE 2. (policy.rules)
2016874 - ET POLICY Unsupported/Fake Internet Explorer Version MSIE 1. (policy.rules)
2016875 - ET POLICY Unsupported/Fake FireFox Version 0. (policy.rules)
2016876 - ET POLICY Unsupported/Fake FireFox Version 1. (policy.rules)
2016877 - ET POLICY Unsupported/Fake FireFox Version 2. (policy.rules)
2016878 - ET POLICY Unsupported/Fake Windows NT Version 4. (policy.rules)
2016879 - ET POLICY Unsupported/Fake Windows NT Version 5.0 (policy.rules)
2016897 - ET TROJAN Possible Win32/Gapz MSIE 9 on Windows NT 5 (trojan.rules)
2016898 - ET INFO Suspicious MSIE 10 on Windows NT 5 (info.rules)
2016918 - ET WEB_SERVER Possible NGINX Overflow CVE-2013-2028 Exploit Specific (web_server.rules)

<div><div dir="ltr">
<div>
<span>[+++] &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Summary: &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;[+++]</span><br>
</div>
<div><span><br></span></div>
<div>3 new Open rules. 8 new Pro rules (3/5). Apache Struts, Malicious Redirect, Fake/Old UA thresholding changed to limit 2,60 from threshold of the same value we were missing some one shot requests. &nbsp;Again depending on your env you may need to tweak/turn these off. NGINX chunked sig, modified to look for any chunk greater than a 32 bit signed int. etc.</div>
<span><div><span><br></span></div>[+++] &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Added rules: &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;[+++]</span><br><br>&nbsp; Open:<br><span>&nbsp; 2016919 - ET CURRENT_EVENTS Malicious Redirect URL (current_events.rules)</span><br><span>&nbsp; 2016920 - ET WEB_SERVER Apache Struts Possible xwork Disable Method Execution (web_server.rules)</span><br><span>&nbsp; 2016921 - ET INFO Suspicious Mozilla UA with no Space after colon (info.rules)</span><div>
<br>
</div>
<div>&nbsp; Pro:<br><span>&nbsp; 2806387 - ETPRO TROJAN Win32/TrojanDropper.Agent.PYN Checkin (trojan.rules)</span><br><span>&nbsp; 2806388 - ETPRO TROJAN Trojan.Win32.Agent.vldg Checkin (trojan.rules)</span><br><span>&nbsp; 2806389 - ETPRO MALWARE Win32/TrojanDownloader.</span><span>Banload.SCN (malware.rules)</span><br><span>&nbsp; 2806390 - ETPRO MALWARE Win32/TrojanDownloader.</span><span>Banload.SCN 2 (malware.rules)</span><br><span>&nbsp; 2806391 - ETPRO MALWARE Win32/Vog Request (malware.rules)</span><br><br><br><span>&nbsp;[///] &nbsp; &nbsp; Modified active rules: &nbsp; &nbsp; [///]</span><br><br><span>&nbsp; 2016870 - ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5. (policy.rules)</span><br><span>&nbsp; 2016871 - ET POLICY Unsupported/Fake Internet Explorer Version MSIE 4. (policy.rules)</span><br><span>&nbsp; 2016872 - ET POLICY Unsupported/Fake Internet Explorer Version MSIE 3. (policy.rules)</span><br><span>&nbsp; 2016873 - ET POLICY Unsupported/Fake Internet Explorer Version MSIE 2. (policy.rules)</span><br><span>&nbsp; 2016874 - ET POLICY Unsupported/Fake Internet Explorer Version MSIE 1. (policy.rules)</span><br><span>&nbsp; 2016875 - ET POLICY Unsupported/Fake FireFox Version 0. (policy.rules)</span><br><span>&nbsp; 2016876 - ET POLICY Unsupported/Fake FireFox Version 1. (policy.rules)</span><br><span>&nbsp; 2016877 - ET POLICY Unsupported/Fake FireFox Version 2. (policy.rules)</span><br><span>&nbsp; 2016878 - ET POLICY Unsupported/Fake Windows NT Version 4. (policy.rules)</span><br><span>&nbsp; 2016879 - ET POLICY Unsupported/Fake Windows NT Version 5.0 (policy.rules)</span><br><span>&nbsp; 2016897 - ET TROJAN Possible Win32/Gapz MSIE 9 on Windows NT 5 (trojan.rules)</span><br><span>&nbsp; 2016898 - ET INFO Suspicious MSIE 10 on Windows NT 5 (info.rules)</span><br><span>&nbsp; 2016918 - ET WEB_SERVER Possible NGINX Overflow CVE-2013-2028 Exploit Specific (web_server.rules)</span><br>
</div>
</div></div>

headers

Josh Bitto | 24 May 2013 00:13

Wipmania

I’m getting this alert…

[1:2014304:2] ET POLICY External IP Lookup Attempt To Wipmania [Classification: Misc activity] [Priority: 3] {TCP}

Is this just a policy based thing or is there a particular reason why this rule was made. I don’t believe that wipmania is a bogus site.

Joshua Bitto

Information Technologist

KCC

<div>

<div>I&rsquo;m getting this alert&hellip;</div>
<div>&nbsp;</div>
<div>[1:2014304:2] ET POLICY External IP Lookup Attempt To Wipmania [Classification: Misc activity] [Priority: 3] {TCP}</div>
<div>&nbsp;</div>
<div>&nbsp;</div>
<div>Is this just a policy based thing or is there a particular reason why this rule was made. I don&rsquo;t believe that wipmania is a bogus site.</div>
<div>&nbsp;</div>
<div>&nbsp;</div>
<div>&nbsp;</div>
<div>Joshua Bitto</div>
<div>Information Technologist</div>
<div>KCC</div>
<div>&nbsp;</div>
<div>&nbsp;</div>
<div>&nbsp;</div>

</div>

headers

rmkml | 23 May 2013 23:45

FN on sid 2016384 rev 1 ?

Hi,

Anyone check this sig please ?

because bid 57771 show:
<form action="http://www.example.com/wp-admin/admin-ajax.php" method="post" name="askform">
<input type="hidden" name="action" value="cl_ajax" />
<input type="hidden" name="do" value="fetch" />
<input type="hidden" name="url" value="1" />
<input type="hidden" name="_ajax_nonce" value='<script>alert(document.cookie);</script>'/>
<input type="submit" id="btn">
</form>

and sig are wrong:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress
CommentLuv Plugin _ajax_nonce Parameter XSS Attempt"; 
flow:established,to_server; content:"POST"; http_method; content:"/wp-admin/admin-ajax.php?"; 
nocase; http_uri; content:"_ajax_nonce="; nocase; http_uri;

pcre:"/\_ajax\_nonce\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ui"; 
reference:url,securityfocus.com/bid/57771/; classtype:web-application-attack; sid:2016384; rev:1;)

_ajax_nonce are on http_client_body, not on http_uri.

Regards
 <at> Rmkml

headers

Peter Bates | 22 May 2013 11:50

Hits on SID 2016889 ET TROJAN TrojanSpy.KeyLogger Hangover Campaign User-Agent(wininetget/0.1)


Hello all

Since rolling this rule in this morning, we've 
had about 518 hits.

Destination IPs:

  4 101.226.161.228
      4 218.30.118.248
      7 101.226.161.227
      8 218.30.118.249
      9 171.8.167.9
    485 220.181.156.160

which all look to me to be sub-domains of 360.cn.

Example hits:

GET
/msg/sort?session=13692999508d80764b64971b16a0a60a7946b644cda204bd <at> desktop3c5778ee4ebd0b37465093f1430ea161&version=1.2.1 HTTP/1.1
Accept: */*
User-Agent: WinInetGet/0.1
Host: m.openapi.360.cn

GET
/zm/tmp.html?ins=0&auto=0&forbidden=0|0|0&qins=0&proid=-1&m=992d97f9c6c7b1cf4bdf634228317a46&pid=&appver= HTTP/1.1
Accept: */*
User-Agent: WinInetGet/0.1
Host: s.360.cn

--

-- 
Peter Bates
Senior Information Security Officer   Phone: +44(0)2076792049
Information Services Division	      Internal Ext: 32049
University College London
London WC1E 6BT

headers

Kevin Ross | 22 May 2013 00:27

SIG: ET TROJAN W32/Safe User Agent Fantasia

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Safe User Agent Fantasia"; flow:established,to_server; content:"User-Agent|3A| Fantasia|0D 0A|"; http_header; classtype:trojan-activity; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-safe-a-targeted-threat.pdf; sid:139991; rev:1;)

Regards,
Kevin

<div><div dir="ltr">
<div>alert tcp $HOME_NET any -&gt; $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Safe User Agent Fantasia"; flow:established,to_server; content:"User-Agent|3A| Fantasia|0D 0A|"; http_header; classtype:trojan-activity; reference:url,<a href="http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-safe-a-targeted-threat.pdf">www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-safe-a-targeted-threat.pdf</a>; sid:139991; rev:1;)<br><br>
</div>Regards,<br>Kevin<br>
</div></div>

headers

James Lay | 21 May 2013 22:25

Blackrev C2 sigs

Enjoy:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC 
Win.Trojan.BlackRev Rev 1 C2 Traffic"; content:"GET"; http_method; 
content:"gate.php|3f|reg="; http_uri; 
pcre:"/gate\x2ephp\x3freg=[a-z]{10}/m"; content:"User-Agent|3a| 
Mozilla/4.0 (compatible|3b| Synapse)|0d 0a|"; http_header; 
metadata:policy balanced-ips drop, policy security-ips drop, ruleset 
community service http;

reference:url,http://ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; 
classtype:trojan-activity; sid:10000066; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC 
Win.Trojan.BlackRev Rev 2 C2 Traffic"; content:"GET"; http_method; 
content:"gate.php|3f|reg="; http_uri; 
pcre:"/gate\x2ephp\x3freg=[a-z]{15}/mi"; content:"User-Agent|3a| 
Mozilla/4.0 (compatible|3b| SEObot)|0d 0a|"; http_header; 
metadata:policy balanced-ips drop, policy security-ips drop, ruleset 
community service http;

reference:url,http://ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; 
classtype:trojan-activity; sid:10000067; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC 
Win.Trojan.BlackRev Rev 3 C2 Traffic"; content:"GET"; http_method; 
content:"gate.php|3f|id="; http_uri; 
pcre:"/gate\x2ephp\x3fid=[a-z]{15}/mi"; content:"User-Agent|3a| 
Mozilla/4.0 (compatible|3b| SEObot)|0d 0a|"; http_header; 
metadata:policy balanced-ips drop, policy security-ips drop, ruleset 
community service http;

reference:url,http://ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; 
classtype:trojan-activity; sid:10000068; rev:1;)

Lot's of good info on that reference link.

James

headers

Nathan | 21 May 2013 21:43

Re: I will try here....

On 05/21/2013 01:36 PM, Josh Bitto wrote:
> Yes....We use pfsense as our firewall and within that piece of software they have packages that you can
install and use within pfsense gui. I haven't done much as far as actually modifying the config from the
server level just changing settings within pfsense.

Don't know much about pfSense outside of using it as an Internet router -- I'm a
GNU/Linux guy, if http://doc.pfsense.org/index.php/Setup_Snort_Package isn't
helpful I'd recommend running an actual dedicated Snort/Suricata sensor on
either BSD or GNU/Linux with AF_PACKET.

Perhaps ask here
http://forum.pfsense.org/index.php?PHPSESSID=7ad38a85a6303546f30644ce454974e8&board=15.0
after reading http://forum.pfsense.org/index.php/topic,16847.0.html (dated)

Cheers,
Nathan

headers

Kevin Ross | 21 May 2013 20:26

SIG: ET TROJAN W32/Briba CnC POST Beacon

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Briba CnC POST Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/index"; http_uri; content:".asp"; http_uri; content:"Accept-Language|3A| en-us"; http_header; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B|)"; http_header; content:"Host|3A| update.microsoft.com"; http_header; content:"Connection|3A| Keep-Alive"; http_header; content:"Content-Type|3A| text/html"; http_header; pcre:"/^\x2Findex[0-9]{9}\x2Easp$/U"; classtype:trojan-activity; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/05/ready-for-summer-the-sunshop-campaign.html; reference:url,citizenlab.org/wp-content/uploads/2012/09/IEXPL0RE_RAT.pdf; sid:193881; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PWS%3AWin32%2FBriba.A; rev:1;)

Regards,
Kevin

<div><div dir="ltr">
<div>alert tcp $HOME_NET any -&gt; $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Briba CnC POST Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/index"; http_uri; content:".asp"; http_uri; content:"Accept-Language|3A| en-us"; http_header; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B|)"; http_header; content:"Host|3A| <a href="http://update.microsoft.com">update.microsoft.com</a>"; http_header; content:"Connection|3A| Keep-Alive"; http_header; content:"Content-Type|3A| text/html"; http_header; pcre:"/^\x2Findex[0-9]{9}\x2Easp$/U"; classtype:trojan-activity; reference:url,<a href="http://www.fireeye.com/blog/technical/cyber-exploits/2013/05/ready-for-summer-the-sunshop-campaign.html">www.fireeye.com/blog/technical/cyber-exploits/2013/05/ready-for-summer-the-sunshop-campaign.html</a>; reference:url,<a href="http://citizenlab.org/wp-content/uploads/2012/09/IEXPL0RE_RAT.pdf">citizenlab.org/wp-content/uploads/2012/09/IEXPL0RE_RAT.pdf</a>; sid:193881; reference:url,<a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PWS%3AWin32%2FBriba.A">www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PWS%3AWin32%2FBriba.A</a>; rev:1;)<br><br>
</div>Regards,<br>Kevin<br>
</div></div>

headers

Josh Bitto | 21 May 2013 20:10

I will try here....

I know I probably should ask this question in this email subscription, but I am not getting any response in
another one...So I thought I would ask here since probably a fair amount of you use snort and could probably
help. Here is my issue...

Currently my internal network when looking at logs the ONLY thing that ever shows up is portscans. I can't
get anything else to fire. Is this due to a Home_net and External_net being setup wrong? My understanding
is if I list Home_net to "any" then snort should monitor that traffic. The reason I ask is....I'm finding it
difficult to track down bad users from internal to traffic that is coming from the internet. 

My wan interface only goes to my outside IP.  My internal interfaces (vlans) monitor each subnet that is
setup. It is partially working. I'm getting the basic functionality that I want, but I want to expand on
that and basically have this function.....If alert is "whatever" from outside IP and destination is
internal IP (OR vise versa) I want to be able to know who is doing it or on what machine.

210	May 2013
148	April 2013
154	March 2013
232	February 2013
226	January 2013
166	December 2012
143	November 2012
198	October 2012
191	September 2012
342	August 2012
361	July 2012
381	June 2012
410	May 2012
535	April 2012
680	March 2012
309	February 2012
359	January 2012
290	December 2011
274	November 2011
369	October 2011
322	September 2011
494	August 2011
517	July 2011
629	June 2011
436	May 2011
647	April 2011
700	March 2011
433	February 2011
452	January 2011
490	December 2010
579	November 2010
703	October 2010
507	September 2010
430	August 2010
443	July 2010
293	June 2010
309	May 2010
305	April 2010
653	March 2010
498	February 2010
692	January 2010
496	December 2009
315	November 2009
440	October 2009
508	September 2009
227	August 2009
373	July 2009
120	June 2009
2	May 2009

Mon	Tue	Wed	Thu	Fri	Sat	Sun

		1	2	3	4	5
6	7	8	9	10	11	12
13	14	15	16	17	18	19
20	21	22	23	24	25	26
27	28	29	30	31