
[Snort-users] Fine tuning Snort


James Lay

Oct 7, 2010, 12:26:19 PM
Hello All.

So I'm needing to fine tune snort a bit. I get a high amount of FP's on
things like:

Emails with .jpg's:
[1:12798:3] SHELLCODE base64 x86 NOOP [**] [Classification: Executable
Code was Detected]

exe downloads from Windows Updates:
[1:15306:4] WEB-CLIENT Portable Executable binary file transfer
[1:2000419:12] ET POLICY PE EXE or DLL Windows file download

I'd rather not just comment out these rules....what are other folks doing
to minimize FP's? Thank you.

James

_______________________________________________
Snort-users mailing list
Snort...@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

waldo kitty

Oct 7, 2010, 12:56:09 PM

use the threshold file, luke... use the threshold file ;)

here's a working *sample* threshold.conf...

# this file is used to set threshold levels on or to
# completely suppress a gid:sid without modifying the
# actual rules themselves.
# see README.filter for details
#
# DNS Spoof stuff from google's public dns servers
suppress gen_id 1, sig_id 254, track by_src, ip 8.8.4.4
suppress gen_id 1, sig_id 254, track by_src, ip 8.8.8.8

# Consecutive TCP small segments exceeding threshold
# from irc.oftc.net systems - ping, are you there?
suppress gen_id 129, sig_id 12, track by_src, ip 12.31.165.82
suppress gen_id 129, sig_id 12, track by_src, ip 64.62.190.36
suppress gen_id 129, sig_id 12, track by_src, ip 66.184.117.12
suppress gen_id 129, sig_id 12, track by_src, ip 72.32.146.136
suppress gen_id 129, sig_id 12, track by_src, ip 140.211.166.64
suppress gen_id 129, sig_id 12, track by_src, ip 206.12.19.242
suppress gen_id 129, sig_id 12, track by_src, ip 207.192.72.99

# Suppress http_inspect LONG HEADER
suppress gen_id 119, sig_id 19

# Suppress TCP Timestamp is outside of PAWS window
suppress gen_id 129, sig_id 3

# Suppress TCP Timestamp is outside of PAWS window
suppress gen_id 129, sig_id 4

# Suppress Bad segment, adjusted size <= 0
suppress gen_id 129, sig_id 5

# Suppress Limit on number of overlapping TCP packets reached
suppress gen_id 129, sig_id 7

# Suppress Consecutive TCP small segments exceeding threshold
suppress gen_id 129, sig_id 12

# Suppress SENSITIVE-DATA U.S. Social Security Numbers (w/out dashes)
suppress gen_id 138, sig_id 4

# Suppress SENSITIVE-DATA Email Addresses
suppress gen_id 138, sig_id 5

# Suppress SENSITIVE-DATA SDF_COMBO_ALERT
suppress gen_id 139, sig_id 1

James Lay

Oct 8, 2010, 8:24:09 AM
Thanks Waldo,

It's been quite interesting...I have at least four rules that look for
executables...and as I look at the threshold file I can only threshold
against one IP at a time...meaning I've got a lot of work to do as I have
to add pretty much most of google and windowsupdate.com ;) Even though
I'm tempted to simply start snort to not monitor those netblocks, eh...I'd
rather do the right thing.

Thanks again for the help.

James


On 10/7/10 10:23 PM, "waldo kitty" <wkit...@windstream.net> wrote:

>On 10/7/2010 14:02, James Lay wrote:
>> Kevin and Waldo, you gents are treasures…I will get to work and report
>> my results…thank you much!
>
>something else to think about concerning rules that you would just totally
>suppress in threshold.conf... if they are completely suppressed then you might
>as well comment them out of the rules set so they do not consume any memory and
>snort won't waste any time loading them just to be ignoring them... but i guess
>this also depends on your tools and management systems... some may use only
>threshold to "disable" rules where others may actually comment them in the rules
>sets files... personally, i think the threshold file is best to suppress certain
>rules for certain IPs... total suppression is the same as disabled so... ;)

Josh Little

Oct 8, 2010, 9:08:53 AM
On 10/7/2010 2:02 PM, James Lay wrote:
> Kevin and Waldo, you gents are treasures…I will get to work and report
> my results…thank you much!
>
> james
>
> From: Kevin Ross <kevr...@googlemail.com>
> Date: Thu, 7 Oct 2010 17:55:43 +0100
> To: James Lay <jl...@slave-tothe-box.net>, Snort <snort...@lists.sourceforge.net>
> Subject: Re: [Snort-users] Fine tuning Snort
>
> Well what you can do is:
>
> - Use threshold.conf to suppress alerts entirely from certain sources
> or destinations and limit the amount of alerts it will fire too. Read
> the examples in threshold.conf and put them in your environment. If
> there are specific sources and destinations, you can filter this way.
>
> - Use oinkmaster or pulled pork to disable and enable rules from VRT
> and emergingthreats.net that you need.
> Just start by not including rules files for things you do not have and
> then go through the rules files taking down the sids to disable and
> then have oinkmaster or pulled pork scheduled by cron to run an update.
>

I have a small tool written in Perl called Pigsty that will automate
finding any sigs in your enabled ruleset that match a pattern. The tool
will output a list of disablesid lines that you can then drop into your
oinkmaster.conf file or have the tool directly append the file. This
makes cleaning up your current rules much easier. You could probably
modify the oinkmaster perl script to run Pigsty just after the latest
sigs are downloaded and before the routine for commenting out disabled
sids completes.

Find it at http://zombietango.com/blog/tools/

ZT

James Lay

Oct 8, 2010, 9:55:01 AM
Oh good grief...there it is in pretty blue in vim 8-| Turning 41
apparently means needing glasses....thanks Joel.

James

> The best examples for suppressions are in the threshold.conf file.
>
> J
>
> On Oct 8, 2010, at 8:47 AM, James Lay wrote:
>
>> What the….I looked all through the snort pdf too and since I didn't see
>> an example showing that I uh…well assumed…..heh..you've saved me a BUNCH
>> of time..thanks Scott.
>>
>> Jam
>>
>> From: ScottO <skip...@gmail.com>
>> Date: Fri, 8 Oct 2010 08:31:57 -0400
>> To: James Lay <jl...@slave-tothe-box.net>
>> Cc: Snort <snort...@lists.sourceforge.net>
>> Subject: Re: [Snort-users] Fine tuning Snort
>>
>> James,
>>
>> You can specify cidr notation for address blocks in threshold.conf,
>> something like:
>>
>> suppress gen_id 1, sig_id 11111, track by_src, ip 10.1.2.0/24
>>
>> Hope that helps,
>>
>> scott



James Lay

Oct 8, 2010, 9:55:56 AM
Thanks Josh..I will give that a go.

James


Jefferson, Shawn

Oct 8, 2010, 12:02:33 PM
PulledPork has this functionality built in.. you can disable rules based on a PCRE. I don't run McAfee VirusScan for instance, so I can disable all current and all future rules for it. Also, it's currently being developed, unlike Oinkmaster.

waldo kitty

Oct 8, 2010, 12:45:18 PM
On 10/8/2010 08:24, James Lay wrote:
> Thanks Waldo,
>
> It's been quite interesting...I have at least four rules that look for
> executables...and as I look at the threshold file I can only threshold
> against one IP at a time...meaning I've got a lot of work to do as I have
> to add pretty much most of google and windowsupdate.com ;)

you should be able to use CIDRs for blocks of IPs... you can also put them
together on one line... i was not sure which way to do this would be the best so
i asked in here (i think) a week or so back... the basic consensus was one IP
per line is easier to manage... you only have to comment out or delete that one
line when it is no longer needed and adding one is as simple as copying an
existing one and changing the IP...

> Even thought I'm tempted to simply start snort to not monitor those
> netblocks, eh...I'd rather do the right thing.

i know that feeling... it is like accepting DNS data from an external DNS server
but do you really want to accept and trust ALL traffic from that server? not
especially if it started coming from that server without being requested first
;) so a threshold suppressing some DNS related GIDs/SIDs for that server's IP
comes in handy and allows you to not get overrun by that stuff but still be able
to monitor for other stuff from the same IP...
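An added example, not code from the thread or from Snort, Pigsty or PulledPork: a small Python checker for the threshold.conf suppress entries discussed above. It parses suppress lines, accepts single IPs as well as the CIDR blocks Scott mentions, flags entries with no ip as total suppressions (waldo's point that those are the same as disabled rules) and emits them as disablesid lines, and answers whether a given alert would be suppressed. The sample config, the 10.1.2.0/24 block and the gid:sid disablesid form are assumptions.

```python
import ipaddress
import re

# Constructed sample threshold.conf; 10.1.2.0/24 stands in for an update-server block
SAMPLE_THRESHOLD_CONF = """\
suppress gen_id 1, sig_id 254, track by_src, ip 8.8.4.4
suppress gen_id 1, sig_id 254, track by_src, ip 8.8.8.8
suppress gen_id 1, sig_id 15306, track by_dst, ip 10.1.2.0/24
suppress gen_id 1, sig_id 2000419, track by_dst, ip 10.1.2.0/24
suppress gen_id 119, sig_id 19   # no ip: total suppression
suppress gen_id 138, sig_id 5
suppress gen_id 1, sig_id 254, track by_src, ip 300.1.1.1
"""
SUPPRESS_RE = re.compile(r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
                         r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?$")

def parse_suppress(text):
    """Return (entries, errors); an entry's ip is None for an unconditional suppression."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            errors.append((lineno, "unparsed: " + line))
            continue
        try:                                   # single IPs and CIDR blocks both accepted
            net = ipaddress.ip_network(m[4], strict=False) if m[4] else None
        except ValueError:
            errors.append((lineno, "bad ip/cidr: " + m[4]))
            continue
        entries.append({"gid": int(m[1]), "sid": int(m[2]), "track": m[3], "ip": net})
    return entries, errors

def disablesid_lines(entries):
    """Totally suppressed gid:sid pairs as disablesid lines (gid:sid form assumed)."""
    pairs = sorted({(e["gid"], e["sid"]) for e in entries if e["ip"] is None})
    return ["disablesid %d:%d" % p for p in pairs]

def is_suppressed(entries, gid, sid, src=None, dst=None):
    """Would an alert for gid:sid from src to dst be suppressed by these entries?"""
    for e in entries:
        if (e["gid"], e["sid"]) != (gid, sid):
            continue
        if e["ip"] is None:
            return True
        addr = src if e["track"] == "by_src" else dst   # track decides which side is checked
        if addr is not None and ipaddress.ip_address(addr) in e["ip"]:
            return True
    return False
```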

James Lay

Oct 9, 2010, 10:19:40 AM
Thanks Shawn....I suspect I will have to go to Pulled Pork at some
time...I hope it's not too much of a hassle ;)

James

