Problems Tuning GPL SNMP Public Access UDP
3,018 views
Skip to first unread message
mmfirm...@gmail.com
May 8, 2015, 8:58:34 AM5/8/15
to securit...@googlegroups.com
I followed the steps to tune the "GPL SNMP Public Access UDP" which seems to be problematic in general as it's the topic in the alerts FAQ.
What's interesting is an IP I listed in the var OVERACTIVE variable still generates these alerts when their originate from a different source IP. This is interesting behavior as I assumed putting the non-existent IP in the newly created rule would eliminate it altogether in the new rule.
I realize and have notified operations that this may represent a misconfiguration situations.
Is there any way to tune the threshold?
Thanks to everyone and especially Doug for the most awesome NSM machine ever created!
What's interesting is an IP I listed in the var OVERACTIVE variable still generates these alerts when their originate from a different source IP. This is interesting behavior as I assumed putting the non-existent IP in the newly created rule would eliminate it altogether in the new rule.
I realize and have notified operations that this may represent a misconfiguration situations.
Is there any way to tune the threshold?
Thanks to everyone and especially Doug for the most awesome NSM machine ever created!
Kevin Branch
May 8, 2015, 11:33:37 AM5/8/15
to securit...@googlegroups.com
Did you define $OVERACTIVE in the appropriate snort/suricate config file and then add a line into modifysid.conf to change the target IP from "any" to "!$OVERACTIVE", followed by running rule-update? Â
When you examine the end result of pulledpork applying modifysid.conf to your ruleset (/etc/nsm/rules/downloaded.rules), do you see your "GPL SNMP Public Access UDP" having actually been changed?
Are you quite sure that the problem alerts you saw after your initial rule tuning, actually were triggered after you ran rule-update rather than before?
If you sill haven't solved this issue, please show us what you put in modifysid.conf and what specific snort or suricata config file changed (specific path please) as well as what you added to that file (OVERACTIVE definition I presume).
Kevin
--
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.
Visit this group at http://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.
mmfirm...@gmail.com
May 11, 2015, 8:44:53 AM5/11/15
to securit...@googlegroups.com
I followed this FAQ:
https://github.com/Security-Onion-Solutions/security-onion/wiki/ManagingAlerts
And I did the procedure to retire the old rule altogether and put in a new rule. I guess within the instructions I am looking for the filter (reg-ex?) to essentially tell it disregard all GPL SNMP alerts to the IP in question.
I am sort of on the fence about this as it it maybe kicking them out becuase of a configuration.
https://github.com/Security-Onion-Solutions/security-onion/wiki/ManagingAlerts
And I did the procedure to retire the old rule altogether and put in a new rule. I guess within the instructions I am looking for the filter (reg-ex?) to essentially tell it disregard all GPL SNMP alerts to the IP in question.
I am sort of on the fence about this as it it maybe kicking them out becuase of a configuration.
Kevin Branch
May 11, 2015, 9:02:33 AM5/11/15
to securit...@googlegroups.com
If after running rule-update, the output from
does not have a # at the beginning of the rule you were trying to retire, then you have a problem in /etc/nsm/pulledpork/disablesid.conf.  grep -i "SNMP public access udp" /etc/nsm/rules/downloaded.rules
To disable the specific rule you mentioned, you should put this one liner in that file:
or use this line to get the udp and tcp version of that rule1:2101411
If you need more help, report whether or not the old rule is confirmed to be disabled, and then share what your replacement rule looks like. Âpcre:SNMP public access
Kevin
mmfirm...@gmail.com
May 12, 2015, 12:27:08 PM5/12/15
to securit...@googlegroups.com
I have multiple sensors does this need to be done on each sensor?
On Monday, May 11, 2015 at 9:02:33 AM UTC-4, Kevin Branch wrote:
> If after running rule-update, the output from
>
>  grep -i "SNMP public access udp" /etc/nsm/rules/downloaded.rulesdoes not have a # at the beginning of the rule you were trying to retire, then you have a problem in /etc/nsm/pulledpork/disablesid.conf. Â
On Monday, May 11, 2015 at 9:02:33 AM UTC-4, Kevin Branch wrote:
> If after running rule-update, the output from
>
Kevin Branch
May 12, 2015, 1:25:21 PM5/12/15
to securit...@googlegroups.com
I haven't yet done a distributed deployment but I believe that by default, rule downloading and processing with PulledPork is all done at the SO server level rather than separately on each sensor.
Kevin
mmfirm...@gmail.com
May 13, 2015, 10:38:08 AM5/13/15
to securit...@googlegroups.com
I checked the sensors, and noticed that while it was disabled on the SO server, it was not on the Sensors, so I manually disabled it on the sensors (3).
In larger deployments I remember there was a tool which automatically manages large numbers of sensors.
In larger deployments I remember there was a tool which automatically manages large numbers of sensors.
Doug Burks
May 13, 2015, 8:38:40 PM5/13/15
to securit...@googlegroups.com
You shouldn't have to manually disable rules on sensors as sensors
should copy the ruleset from the master server. If you're running the
traditional rule-update mechanism, sensors will copy the ruleset from
the master daily at 7:06 AM UTC. If you're running salt, then sensors
copy the ruleset from the master server every 15 minutes.
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
should copy the ruleset from the master server. If you're running the
traditional rule-update mechanism, sensors will copy the ruleset from
the master daily at 7:06 AM UTC. If you're running salt, then sensors
copy the ruleset from the master server every 15 minutes.
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
mmfirm...@gmail.com
May 14, 2015, 9:12:46 AM5/14/15
to securit...@googlegroups.com
That's interesting, because for some reason it didn't.
On Wednesday, May 13, 2015 at 8:38:40 PM UTC-4, Doug Burks wrote:
> You shouldn't have to manually disable rules on sensors as sensors
> should copy the ruleset from the master server. If you're running the
> traditional rule-update mechanism, sensors will copy the ruleset from
> the master daily at 7:06 AM UTC. If you're running salt, then sensors
> copy the ruleset from the master server every 15 minutes.
>
On Wednesday, May 13, 2015 at 8:38:40 PM UTC-4, Doug Burks wrote:
> You shouldn't have to manually disable rules on sensors as sensors
> should copy the ruleset from the master server. If you're running the
> traditional rule-update mechanism, sensors will copy the ruleset from
> the master daily at 7:06 AM UTC. If you're running salt, then sensors
> copy the ruleset from the master server every 15 minutes.
>
Doug Burks
May 14, 2015, 6:53:30 PM5/14/15
to securit...@googlegroups.com
Are your sensors running salt or the traditional rule-update mechanism?
What is the output of the following command on your sensors?
grep LOCAL_NIDS_RULE_TUNING /etc/nsm/securityonion.conf
What is the output of the following command on your sensors?
grep LOCAL_NIDS_RULE_TUNING /etc/nsm/securityonion.conf
mmfirm...@gmail.com
May 15, 2015, 9:04:37 AM5/15/15
to securit...@googlegroups.com
Here you go, it's attached.
Is it worth while to setup salt for three sensors? If so, is there an FAQ?
Thanks Doug!
On Thursday, May 14, 2015 at 6:53:30 PM UTC-4, Doug Burks wrote:
> Are your sensors running salt or the traditional rule-update mechanism?
>
> What is the output of the following command on your sensors?
> grep LOCAL_NIDS_RULE_TUNING /etc/nsm/securityonion.conf
>
Is it worth while to setup salt for three sensors? If so, is there an FAQ?
Thanks Doug!
On Thursday, May 14, 2015 at 6:53:30 PM UTC-4, Doug Burks wrote:
> Are your sensors running salt or the traditional rule-update mechanism?
>
> What is the output of the following command on your sensors?
> grep LOCAL_NIDS_RULE_TUNING /etc/nsm/securityonion.conf
>
Doug Burks
May 15, 2015, 5:28:21 PM5/15/15
to securit...@googlegroups.com
Replies inline.
Is that screenshot from a sensor?
Is that screenshot the whole output? Just 5 lines and all 5 lines
commented out?
Try editing /etc/nsm/securityonion.conf on the sensor and adding a
line like the following (without the comment mark):
LOCAL_NIDS_RULE_TUNING=no
Then run "sudo rule-update" on the sensor and see if it copies the
rules from the server to the sensor. If not, please send all output
from the command (redacting sensitive info as necessary).
> Is it worth while to setup salt for three sensors? If so, is there an FAQ?
Please see:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Salt#salting-an-existing-deployment
Is that screenshot from a sensor?
Is that screenshot the whole output? Just 5 lines and all 5 lines
commented out?
Try editing /etc/nsm/securityonion.conf on the sensor and adding a
line like the following (without the comment mark):
LOCAL_NIDS_RULE_TUNING=no
Then run "sudo rule-update" on the sensor and see if it copies the
rules from the server to the sensor. If not, please send all output
from the command (redacting sensitive info as necessary).
> Is it worth while to setup salt for three sensors? If so, is there an FAQ?
https://github.com/Security-Onion-Solutions/security-onion/wiki/Salt#salting-an-existing-deployment
Reply all
Reply to author
Forward
0 new messages