using snort to detect shutdown, thanks!

NBA2009 · 09-01-2008, 08:10 AM

I have installed a snort system under linux.

Now i need to write a rule to detect a "shutdown" command which came from remote telnet, also alert and log it.

what i wrote is like this:

alert tcp any any -> 192.168.115.130/24 (content: "shutdown"; msg: "someone shut down!!"

but when i used another computer to telnet my system and send a "shutdown" command, the snort system cannot detect any "shutdown" command using this rule. However, if i change the keyword in content from "shutdown" to "root" and try a "root" command from remote telnet, then the "root" command can be detected. I don't know why.

I really need help about how to write this rule to alert some information if there are attempts to shut down my system using telnet remotely.

Thanks in advance!!

Wakil · 09-01-2008, 08:23 AM

erm, haven't used snort before so i'm blank there except if i won't trouble you could i ask why would you want to log a report of shutting down your system? i mean unles if it is a server and if so you could give that rule to a sys admn only or maybe you've got some memebers who would want to shutdown your system?.
thnx

NBA2009 · 09-01-2008, 08:42 AM

Quote:

Originally Posted by Wakil

erm, haven't used snort before so i'm blank there except if i won't trouble you could i ask why would you want to log a report of shutting down your system? i mean unles if it is a server and if so you could give that rule to a sys admn only or maybe you've got some memebers who would want to shutdown your system?.
thnx

thanks
if someone is not system member and he may connect to the system and send a shutdown command? anyway, i have to write the rule as my group memeber asked me to do this task...

arizonagroovejet · 09-01-2008, 09:37 AM

Quote:

Originally Posted by NBA2009

thanks
if someone is not system member and he may connect to the system and send a shutdown command?

Well I don't know what you mean by 'system member' but by default only root can issue the shutdown command from the command line (i.e. from a telnet session (which they probabyl shouldn't be using anyway for security reasons - use ssh instead)). Since the root password should be closely guarded and only known to systems administrators who actually need it, then you should have no need to worry about logging if someone shutdown the system. If your system is set up so that anyone can issue the shutdown command then that seems rather unwise and you should change the configuration.

NBA2009 · 09-01-2008, 11:27 AM

Quote:

Originally Posted by arizonagroovejet

Well I don't know what you mean by 'system member' but by default only root can issue the shutdown command from the command line (i.e. from a telnet session (which they probabyl shouldn't be using anyway for security reasons - use ssh instead)). Since the root password should be closely guarded and only known to systems administrators who actually need it, then you should have no need to worry about logging if someone shutdown the system. If your system is set up so that anyone can issue the shutdown command then that seems rather unwise and you should change the configuration.

hi, man, that is not important.. my group member asked me to do so then i must do that, no matter it is reasonable or very useful. Thanks