RULE [1:2013409:3] (ET POLICY Outbound MSSQL Connection ) triggering alerts for internal networks (not outbound traffic).


adrianmur

Feb 28, 2017, 5:57:09 PM
to security-onion
Hello,

This rule:
alert tcp $HOME_NET any -> $EXTERNAL_NET !1433 (msg:"ET POLICY Outbound MSSQL Connection to Non-Standard Port - Likely Malware"; flow:to_server,established; content:"|12 01 00|"; depth:3; content:"|00 00 00 00 00 00 15 00 06 01 00 1b 00 01 02 00 1c 00|"; distance:1; within:18; content:"|03 00|"; distance:1; within:2; content:"|00 04 ff 08 00 01 55 00 00 00|"; distance:1; within:10; flowbits:set,ET.MSSQL; classtype:bad-unknown; sid:2013409; rev:3;)


Is triggering a lot of alerts, and when I check it on ELSA, all are for networks already defined in $HOME_NET.

Example of alert:
host=127.0.0.1 program=snort class=SNORT sig_priority=2 proto=TCP srcip=192.168.112.5 srcport=3212 dstip=192.168.114.5 dstport=30100 sig_sid=1:2013409:3 sig_msg=ET POLICY Outbound MSSQL Connection to Non-Standard Port - Likely Malware sig_classification=Potentially Bad Traffic interface=


Any idea why this is happening? It is currently the top rule and I'm not sure how to tune it.

Wes Lambert

Feb 28, 2017, 6:01:19 PM
to securit...@googlegroups.com
What is EXTERNAL_NET set to in snort.conf/suricata.yaml?

Thanks,
Wes

--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onion+unsubscribe@googlegroups.com.
To post to this group, send email to security-onion@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.

adrianmur

Mar 1, 2017, 3:12:40 PM
to security-onion
On Tuesday, February 28, 2017 at 5:01:19 PM UTC-6, Wes wrote:
> What is EXTERNAL_NET set to in snort.conf/suricata.yaml?
>
>
> Thanks,
> Wes

This is the configuration: ipvar EXTERNAL_NET any
and HOME_NET has 192.168.0.0/16

Wes Lambert

Mar 1, 2017, 4:10:11 PM
to securit...@googlegroups.com
It's likely still triggering because EXTERNAL_NET is set to any, so any traffic matching the content match in the rule and not going to port 1433 will be alerted on, regardless of the address.

Thanks,
Wes


Trickstar

Mar 2, 2017, 8:23:24 PM
to security-onion
You can add !$HOME_NET in your suricata.yaml, since external networks are not meant to be your home network; this would reduce a lot of false positives on your IDS.

Wes

Mar 2, 2017, 8:34:57 PM
to security-onion
On Thursday, March 2, 2017 at 8:23:24 PM UTC-5, Trickstar wrote:
> You can add !$HOME_NET in your suricata.yaml, since external networks are not meant to be your home network; this would reduce a lot of false positives on your IDS.

As Joel has mentioned here:

http://seclists.org/snort/2013/q1/89

...if you set EXTERNAL_NET equal to !$HOME_NET on a sensor monitoring only internal traffic, you may miss out on certain (bad) traffic between hosts.

Otherwise, for a sensor monitoring gateway(ish) traffic and vice versa, Trickstar's suggestion should be fine.

Thanks,
Wes
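
The following is an added illustration of the point made in this thread, not code from Security Onion, Snort or Suricata: it models how the header of sid:2013409 (`$HOME_NET any -> $EXTERNAL_NET !1433`) and its content chain evaluate a single flow under `EXTERNAL_NET any` versus `EXTERNAL_NET !$HOME_NET`. The addresses are the ones from the alert above, the 203.0.113.10 destination and the 36-byte payload are constructed to satisfy the rule's content matches, and the `flow:to_server,established` condition is assumed to hold. Only the two EXTERNAL_NET settings discussed in the thread are modeled.

```python
"""Model of how ET POLICY sid:2013409 rev:3 evaluates one flow under the two
EXTERNAL_NET settings discussed in the thread. Added illustration; not Snort
or Suricata code. All addresses and the payload are constructed test data."""
import ipaddress

# Variables as the original poster described them (ipvar HOME_NET ...).
HOME_NET = ["192.168.0.0/16"]

# Content chain transcribed from the rule text: (pattern, modifiers).
RULE_CONTENTS = [
    (bytes.fromhex("120100"), {"depth": 3}),
    (bytes.fromhex("00000000000015000601001b000102001c00"), {"distance": 1, "within": 18}),
    (bytes.fromhex("0300"), {"distance": 1, "within": 2}),
    (bytes.fromhex("0004ff08000155000000"), {"distance": 1, "within": 10}),
]

# Constructed 36-byte payload that satisfies the chain. The three bytes the
# rule skips with distance:1 are filled with arbitrary values (0x2f, 0x06,
# 0x22). Whether this is a realistic TDS PRELOGIN packet is not checked here.
SAMPLE_PAYLOAD = (
    bytes.fromhex("120100") + b"\x2f"
    + bytes.fromhex("00000000000015000601001b000102001c00") + b"\x06"
    + bytes.fromhex("0300") + b"\x22"
    + bytes.fromhex("0004ff08000155000000")
)


def in_nets(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)


def matches_external_net(ip, external_net, home_net=HOME_NET):
    """Resolve $EXTERNAL_NET for one address.

    'any' matches every address, including HOME_NET hosts, which is why the
    thread's internal-to-internal flow fires. '!$HOME_NET' excludes them."""
    if external_net == "any":
        return True
    if external_net == "!$HOME_NET":
        return not in_nets(ip, home_net)
    raise ValueError("unsupported EXTERNAL_NET value: %r" % (external_net,))


def header_matches(src, dst, dport, external_net, home_net=HOME_NET):
    """alert tcp $HOME_NET any -> $EXTERNAL_NET !1433"""
    return (in_nets(src, home_net)
            and matches_external_net(dst, external_net, home_net)
            and dport != 1433)


def content_chain_matches(payload, chain):
    """Apply content/depth/offset/distance/within in order, Snort style.

    depth/offset are anchored at the start of the payload; distance/within
    are anchored at the end of the previous match. bytes.find(pat, lo, hi)
    only reports a match that fits entirely inside [lo, hi), which is what
    `within` requires: within:18 with an 18-byte pattern means the pattern
    must start exactly `distance` bytes after the previous match."""
    cursor = 0  # end of the previous match
    for pat, mods in chain:
        if "distance" in mods or "within" in mods:
            lo = cursor + mods.get("distance", 0)
            hi = lo + mods.get("within", len(payload) - lo)
        else:
            lo = mods.get("offset", 0)
            hi = lo + mods.get("depth", len(payload) - lo)
        idx = payload.find(pat, lo, hi)
        if idx < 0:
            return False
        cursor = idx + len(pat)
    return True


def would_alert(src, dst, dport, payload, external_net, home_net=HOME_NET):
    """True if sid:2013409 would fire on this client->server payload,
    assuming flow:to_server,established is already satisfied."""
    return (header_matches(src, dst, dport, external_net, home_net)
            and content_chain_matches(payload, RULE_CONTENTS))


if __name__ == "__main__":
    # The event from the thread: both ends inside 192.168.0.0/16, dst port 30100.
    flow = ("192.168.112.5", "192.168.114.5", 30100)
    for setting in ("any", "!$HOME_NET"):
        print("EXTERNAL_NET %-11s -> alert=%s" % (setting, would_alert(*flow, SAMPLE_PAYLOAD, setting)))
    # Same client talking to a constructed external host: alerts under both settings.
    print("external dst, !$HOME_NET -> alert=%s"
          % would_alert("192.168.112.5", "203.0.113.10", 30100, SAMPLE_PAYLOAD, "!$HOME_NET"))
```

Running it shows the two sides of the trade-off in the replies above: with `EXTERNAL_NET any` the 192.168.112.5 -> 192.168.114.5:30100 flow alerts, with `!$HOME_NET` it does not, while a HOME_NET client reaching a non-HOME_NET host on a non-1433 port alerts under either setting. The cost of `!$HOME_NET` is exactly that the internal-to-internal flow is no longer evaluated by this rule at all, which is the gap the seclists thread warns about for sensors that only see internal traffic.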
