Question about Snort False positive


FRANCIS PROVENCHER

Jun 6, 2007, 2:59:19 PM
to ossec...@ossec.net
Hi all, I'm new to the OSSEC world.

My OSSEC installation watches for NIDS (Snort) alerts logged in /var/log/messages.

I've installed the web interface for OSSEC, and all works great! Except that when I press F5 (or when the web interface reloads by itself) to see if alerts were added, Snort interprets it as an "attack". I always receive this error:

2007 Jun 06 15:16:39 Rule Id: 20101 level: 6
Location: (************) 10.*.*.6->/var/log/messages
IDS event.

Jun 6 15:16:38 ******** snort[11669]: [1:882:5] WEB-CGI calendar access [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 10.*.*.2:34282 -> 10.*.*.6:80

How can I stop logging this false positive?

Sorry if this question has been asked before; I've googled for some time but found nothing about it.

Thanks all

Francis Provencher
Ministère de la Sécurité publique du Québec
Direction des technologies de l'information
Division de la sécurité informatique
Tel: 1 418 646-3258
Email: Francis.p...@Msp.gouv.qc.ca

CEH - Certified Ethical Hacker
SSCP - Systems Security Certified Practitioner
Sec+ - Security+

David Williams

Jun 6, 2007, 4:33:12 PM
to ossec...@googlegroups.com
Francis,
There was a very similar question recently on the list. Tom Le replied with this (6/3/2007 6:43pm):

"Since these port scan alerts are from the Snort sfportscan preprocessor, your best option is to tune out false positives from your IDS. Tuning at the log analysis layer works, of course, but the general rule is to always move your tuning as far upstream as possible.

In this case, modify the "ignore_scanners" option in your snort.conf and tune out known source IPs that are legitimately scanning your network."

That made tremendous sense to me and to the person who posed the question initially. As a follow-up, Daniel Cid (6/4/2007 7:50PM) pointed folks to his recent talk at AUSCert (http://www.ossec.net/wiki/index.php/Know_How:CorrelateSnort) and provided this explanation and great improvement on a solution I proposed to the initial questioner:

"When OSSEC parses a log, it will break down the message into multiple fields:

time -> Jun 3 15:34:33
hostname -> saratoga.denmantire.com
program_name -> snort
log -> [122:3:0] (portscan) TCP Portsweep {PROTO255} 192.168.0.150 -> 192.168.1.80

After the decoding (decoders.xml), you will also have:

srcip -> 192.168.0.150
id -> 122:3:0

And may have dstip, srcport, etc...

When you write a rule, you need to remember that the "regex" and "match" tags only look at the log option, which from your logs would only start at "[122:3:0 ..".

To look at the other parts of the message, you need to use "program_name" (as David mentioned) or "hostname", etc.

I think that the best way to have your rule would be to look at the Snort id (122:), instead of looking at the whole message for "portscan".

<rule id="1002020" level="0">
<if_sid>20151</if_sid>
<program_name>^snort</program_name>
<srcip>X.X.X.X</srcip>
<id>^122:</id>
<description>Portsweep from whatsup. It's OK.</description>
</rule>
"

I hope Tom and Daniel don't mind me passing that along.
-David

--
_______________________________________________
GPG (http://www.gnupg.org/) key available from:
http://www.kayakero.net/per/david/
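As an added illustration of the field decoding Daniel describes and of the <rule> he shows (example code written for this thread, not from the list or from OSSEC itself), the snippet below splits a Snort syslog line into time/hostname/program_name/log plus id/srcip/dstip, then applies local rules that chain on base rule 20101 from Francis's alert. Python's re stands in for OSSEC's own regex dialect, and the hostnames and addresses in LOCAL_RULES and in the sample lines are constructed.

```python
import re
# Added example (not from the thread or OSSEC): approximates how OSSEC splits a Snort
# syslog line into the fields Daniel lists, then lets local rules chain on the base IDS
# rule. Python's re stands in for OSSEC's regex dialect; addresses are constructed.
SYSLOG_RE = re.compile(
    r"^(?P<time>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<hostname>\S+) "
    r"(?P<program_name>[^\s\[:]+)(?:\[\d+\])?: (?P<log>.*)$")
SNORT_ID_RE = re.compile(r"^\[(?P<id>\d+:\d+:\d+)\]")
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ADDR_RE = re.compile(rf"(?P<srcip>{IPV4})(?::(?P<srcport>\d+))? -> (?P<dstip>{IPV4})(?::(?P<dstport>\d+))?\s*$")

def decode(line):
    # time/hostname/program_name/log for any syslog line; Snort lines also get id, srcip, ...
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    if fields["program_name"].startswith("snort"):
        for part in (SNORT_ID_RE.match(fields["log"]), ADDR_RE.search(fields["log"])):
            if part:  # "[gid:sid:rev]" prefix and "src[:port] -> dst[:port]" tail
                fields.update({k: v for k, v in part.groupdict().items() if v})
    return fields

# Rule 20101 ("IDS event", level 6) is the base rule in Francis's alert. The local rules
# mirror Daniel's <rule>; "id_regex" plays the role of the <id> tag on the Snort sid.
BASE_RULE = {"id": 20101, "level": 6}
LOCAL_RULES = [
    {"id": 1002020, "level": 0, "if_sid": 20101, "program_name": "^snort",
     "srcip": "192.168.0.150", "id_regex": "^122:"},  # Daniel's portsweep whitelist
    {"id": 1002021, "level": 0, "if_sid": 20101, "program_name": "^snort",
     "srcip": "10.0.0.2", "id_regex": "^1:882:"},     # constructed OSSEC web-UI host
]

def rule_matches(rule, fields):
    """Every matching tag in the rule must hit; an absent decoded field never matches."""
    if "srcip" in rule and fields.get("srcip") != rule["srcip"]:  # <srcip> is an address, not a regex
        return False
    for tag, field in (("program_name", "program_name"), ("id_regex", "id")):
        if tag in rule and not re.match(rule[tag], fields.get(field, "")):
            return False
    return True

def classify(line):
    """Return (rule_id, level) for a Snort line, or None for non-Snort input."""
    fields = decode(line)
    if fields is None or not fields["program_name"].startswith("snort"):
        return None
    for rule in LOCAL_RULES:  # first matching child of the base rule wins
        if rule["if_sid"] == BASE_RULE["id"] and rule_matches(rule, fields):
            return rule["id"], rule["level"]
    return BASE_RULE["id"], BASE_RULE["level"]
```

A line matching the second local rule drops to level 0 only when it comes from the listed source address; the same signature from any other host still fires as rule 20101 at level 6.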

Tim Slighter

Jun 6, 2007, 4:40:32 PM
to ossec...@googlegroups.com
Maybe create a custom rule identical to the rule shown, but insert source or destination IP addresses as needed.

Tom Le

Jun 6, 2007, 5:10:45 PM
to ossec...@googlegroups.com
On 6/6/07, FRANCIS PROVENCHER <francis.p...@msp.gouv.qc.ca> wrote:
I've installed the web interface for OSSEC, and all works great! Except that when I press F5 (or when the web interface reloads by itself) to see if alerts were added, Snort interprets it as an "attack". I always receive this error:

2007 Jun 06 15:16:39 Rule Id: 20101 level: 6
Location: (************) 10.*.*.6->/var/log/messages
IDS event.

Jun 6 15:16:38 ******** snort[11669]: [1:882:5] WEB-CGI calendar access [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 10.*.*.2:34282 -> 10.*.*.6:80

How can I stop logging this false positive?

This Snort signature is a very common false positive, and my recommendation is to disable it. It triggers on ANY URI with /calendar in it, such as any of these:
 
 
On a related note, I have been in the process of releasing an updated Snort config which incorporates false positive reduction from a variety of sources, including honeynet projects.

The problem with Snort, or any other IDS for that matter, is that there are many false positives and significant tuning is required by each user. But what we can do is take input from a variety of contributors and, based on that, tune out the most common false positives. In some cases we modify the Snort signatures themselves or modify the threshold rather than disabling the signature.

I'll post info to this list when this project is ready for public release. Anyone who wants to contribute Snort alert data, please contact me off-list.
 
Tom

Isaac Straley

Jun 6, 2007, 4:35:54 PM
to ossec...@googlegroups.com
The best way would be to tune the rule in snort. However, if for some
reason that is not an option, you can add a rule to ignore in the
local_rules.xml file:

http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules

--

Isaac Straley
Manager, IT Security
Network and Academic Computing Services
University of California, Irvine
Office :: (949) 824-1471
Email :: str...@uci.edu
