Create signature for outbound TCP/UDP traffic

dpatkins
Level 1

I want to create a signature that is TCP/UDP based which will tell if there are possibly infected machines that go from our local addressing to the public side of the internet. I would like to configure it so that it would alarm us in the event that the signature has been triggered 300 times in a 10 - 30 second span. Can this be done? I have built a signature through the ATOMIC.TCP engine that I thought would handle it since it allowed me to input source IP addresses. Any ideas? Thank you

3 Replies

dblairii
Level 1

The short answer is yes.

Since you did not describe what infection you are looking for, I will assume Sasser.

I set up a custom Atomic.TCP sig that looks for traffic on port 445, and it looks something like this:

AlarmThrottle: GlobalSummarize
DestPort: 445
MinHits: 200
ResetAfterIdle: 30

Now because of MY network architecture, I never saw port 445 on this particular sensor (unless a host was infected), so it was simple - I didn't require a filter. However, I will assume that you will see 'normal' 445 traffic on your sensor (and thus WILL need a filter).

You can create a filter, though, that eliminates 'Inside' to 'Inside' (local) traffic, using the $IN variable in your filter as your destination IP. Then you should only see alarms with an "Out" destination. That should give you alarms with hosts generating 445 destination traffic going from your LAN to the Inet only. Hope that helps...

I am rather new at this signature stuff as well as filtering. How do you use the $IN variable and where is it all located? Thanks for your help.

You can use the CLI to create your variables, or you can use (the easier way) IDM. Just log in as an administrator, then click on the "Configuration" tab and then click on "Sensing Engine". In the left column, under the Alarm Channel Configuration header you will see "System Variables". It is within this area that you can define what is internal and external to your sensor, as well as define your DMZs and any other subnets that you may desire.
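The logic the thread is circling (a per-host hit counter on outbound TCP/445 SYNs with a MinHits threshold, a counter that resets after an idle gap, and a filter that drops anything whose destination is inside $IN) is easy to lose track of when it is spread across signature parameters and a separate filter. The following is an added worked example, written for this page and not part of the original thread or of any Cisco IDS configuration, that models those pieces in Python and runs them over constructed connection records. It approximates the sensor's behaviour with a counter per source host that fires once when the threshold is crossed; the exact Cisco semantics of the summary key and GlobalSummarize are not reproduced. The networks, addresses and records are all invented for the illustration.

```python
"""
Added example (not Cisco IDS code): a threshold alarm for outbound TCP/445
connection attempts, modelled on DestPort / MinHits / ResetAfterIdle plus a
"destination in $IN" exclusion filter. All data below is constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed stand-in for the sensor's $IN system variable (constructed).
IN_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

Event = Tuple[float, str, str, int, str]  # (timestamp, src, dst, dport, tcp flags)


def is_inside(ip: str) -> bool:
    """True if ip falls inside one of the $IN networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in IN_NETWORKS)


@dataclass
class ThresholdSignature:
    """Counts outbound SYNs per source host to dest_port; fires once per burst."""
    dest_port: int
    min_hits: int
    reset_after_idle: float
    # per-source state: src -> (hit count, timestamp of last hit)
    _state: Dict[str, Tuple[int, float]] = field(default_factory=dict)

    def process(self, ts: float, src: str, dst: str, dport: int,
                flags: str) -> Optional[dict]:
        # Only new connection attempts (SYN without ACK) to the watched port count.
        if dport != self.dest_port or "S" not in flags or "A" in flags:
            return None
        # Filter equivalent to "destination address in $IN": drop inside-to-inside.
        if is_inside(dst):
            return None
        # Only our own hosts are candidates for an infected machine.
        if not is_inside(src):
            return None
        count, last = self._state.get(src, (0, ts))
        if ts - last > self.reset_after_idle:
            count = 0  # ResetAfterIdle: a quiet gap restarts the count
        count += 1
        self._state[src] = (count, ts)
        if count == self.min_hits:  # fire exactly once as the threshold is crossed
            return {"src": src, "dport": dport, "hits": count, "ts": ts}
        return None


def run(events: List[Event], sig: ThresholdSignature) -> List[dict]:
    """Feed records through the signature and collect the alarms it raises."""
    alarms = []
    for ev in events:
        alarm = sig.process(*ev)
        if alarm:
            alarms.append(alarm)
    return alarms


def build_sample_events() -> List[Event]:
    """Constructed records: a scanner, a host with a long pause, a benign host."""
    events: List[Event] = []
    t0 = 1_000_000.0
    # 10.1.2.3 sweeps 250 external hosts on 445 in about 25 s: should alarm.
    for i in range(250):
        events.append((t0 + i * 0.1, "10.1.2.3", f"198.51.100.{i % 254 + 1}", 445, "S"))
    # 10.1.2.7 sends 150 SYNs, goes quiet for 85 s, then 150 more: the idle
    # reset wipes the first batch, so it never reaches 200 and stays silent.
    for i in range(150):
        events.append((t0 + 100 + i * 0.1, "10.1.2.7", f"203.0.113.{i % 254 + 1}", 445, "S"))
    for i in range(150):
        events.append((t0 + 200 + i * 0.1, "10.1.2.7", f"203.0.113.{i % 254 + 1}", 445, "S"))
    # 10.1.2.9 hammers an internal file server (filtered by $IN) plus one external host.
    for i in range(300):
        events.append((t0 + 300 + i * 0.05, "10.1.2.9", "10.1.5.5", 445, "S"))
    events.append((t0 + 320, "10.1.2.9", "198.51.100.250", 445, "S"))
    # Return traffic (SYN/ACK) and other ports never count.
    events.append((t0 + 321, "198.51.100.250", "10.1.2.9", 445, "SA"))
    events.append((t0 + 322, "10.1.2.9", "198.51.100.250", 80, "S"))
    return events


if __name__ == "__main__":
    sig = ThresholdSignature(dest_port=445, min_hits=200, reset_after_idle=30)
    for alarm in run(build_sample_events(), sig):
        print(alarm)
```

Run as-is, only the sweeping host 10.1.2.3 produces an alarm: the host that paused is reset by the idle timer, and the host talking to the internal file server is removed by the $IN filter even though it generated more hits than the threshold. Raising min_hits to 300 with the same 30-second idle window, which is the rate the original question asked about, makes the 250-host sweep fall under the threshold and produces no alarm at all, which is the trade-off to keep in mind when picking MinHits.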