snorby mass classification events and filtering out Snort alerts with disablesid.conf and threshold.conf


Jason Youngquist

Oct 31, 2013, 2:33:43 PM
to securit...@googlegroups.com
Ok.

So I finally got Snorby up and running yesterday. Now the problem is I can't close the events by using the "perform mass classification" in Snorby. I'm running Firefox version 24.0. (I've used Snorby before, so I know how to close the events)

The other thing I'm seeing is I have disablesid.conf and threshold.conf files in /etc/nsm/pulledpork directory and I have the alert "ET POLICY Vulnerable Java Version 1.6.x Detected" supposedly disabled because it is in the disablesid.conf file, but Snorby still is generating the alerts.

I've rebooted the box and still happening.


jryoungquist@ccids02:/etc/nsm/pulledpork$ ls
barnyard2.conf dropsid.conf enablesid.conf-bak pulledpork.conf
disablesid.conf dropsid.conf-bak modifysid.conf pulledpork.conf-bak
disablesid.conf-bak enablesid.conf modifysid.conf-bak threshold.conf
jryoungquist@ccids02:/etc/nsm/pulledpork$


jryoungquist@ccids02:/etc/nsm/pulledpork$ grep -A1 "1.6.x" disablesid.conf
# ET POLICY Vulnerable Java Version 1.6.x Detected
1:2011582
jryoungquist@ccids02:/etc/nsm/pulledpork$


jryoungquist@ccids02:/etc/nsm/pulledpork$ grep disablesid.conf pulledpork.conf
disablesid=/etc/nsm/pulledpork/disablesid.conf
jryoungquist@ccids02:/etc/nsm/pulledpork$

One final thing. I've changed the time on the server to central time and at one point I had Snorby showing the central time, but now it's showing GMT....GMT is ok, but would rather have central time.

jryoungquist@ccids02:/etc/nsm/pulledpork$ date
Thu Oct 31 13:32:43 CDT 2013
jryoungquist@ccids02:/etc/nsm/pulledpork$


Appreciate your help.

Thanks.
Jason Youngquist


Doug Burks

Oct 31, 2013, 2:40:45 PM
to securit...@googlegroups.com
Hi Jason,

Replies inline.

On Thu, Oct 31, 2013 at 2:33 PM, Jason Youngquist <youn...@gmail.com> wrote:
> Ok.

Ok.

> So I finally got Snorby up and running yesterday. Now the problem is I can't close the events by using the "perform mass classification" in Snorby. I'm running Firefox version 24.0. (I've used Snorby before, so I know how to close the events)

Have you tried a different browser? Chrome/Chromium tend to be more
compatible with Snorby.

> The other thing I'm seeing is I have disablesid.conf and threshold.conf files in /etc/nsm/pulledpork directory and I have the alert "ET POLICY Vulnerable Java Version 1.6.x Detected" supposedly disabled because it is in the disablesid.conf file, but Snorby still is generating the alerts.

That particular rule sets a flowbit
(flowbits:set,ET.http.javaclient.vulnerable) so PulledPork does the
correct thing and keeps it enabled:
https://code.google.com/p/security-onion/wiki/ManagingAlerts#Why_is_pulledpork_ignoring_disabled_rules_in_downloaded.rules

You can suppress the alert using threshold.conf.

<snip>
> One final thing. I've changed the time on the server to central time and at one point I had Snorby showing the central time, but now it's showing GMT....GMT is ok, but would rather have central time.

Please see the FAQ:
https://code.google.com/p/security-onion/wiki/FAQ#Why_does_Security_Onion_use_UTC?
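As an added illustration of the point above (example code, not part of this thread and not PulledPork's own): the script below checks which disablesid.conf entries point at rules that set a flowbit, and so will be kept enabled, and emits the matching threshold.conf suppress lines. The rule bodies and the second rule are constructed; only the msg, sid and flowbit name of the Java rule come from the thread.

```python
import re

# Constructed sample downloaded.rules. The msg, sid and flowbit name of the first
# rule are from the thread; the rest of its body, and the second rule, are made up.
DOWNLOADED_RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Vulnerable Java Version 1.6.x Detected"; flow:established,to_server; content:"Java/1.6.0_"; http_header; flowbits:set,ET.http.javaclient.vulnerable; classtype:bad-unknown; sid:2011582; rev:10;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE rule without flowbits"; flow:established,to_server; content:"example"; classtype:misc-activity; sid:9000001; rev:1;)
"""

# Constructed disablesid.conf; the first entry is the one shown in the thread.
DISABLESID_CONF = """\
# ET POLICY Vulnerable Java Version 1.6.x Detected
1:2011582
# EXAMPLE rule without flowbits
1:9000001
"""

SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
GID_RE = re.compile(r'\bgid:\s*(\d+)\s*;')
FLOWBITS_SET_RE = re.compile(r'\bflowbits:\s*set\s*,\s*([^;]+);')
DISABLE_ENTRY_RE = re.compile(r'^\s*(\d+):(\d+)\s*$', re.M)  # gid:sid entries only

def flowbit_setters(rules_text):
    """Map (gid, sid) -> flowbit names the rule sets; rules without flowbits:set are omitted."""
    setters = {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):  # skip blanks and already-disabled rules
            continue
        sid = SID_RE.search(line)
        bits = FLOWBITS_SET_RE.search(line)
        if sid and bits:
            gid = GID_RE.search(line)
            key = (int(gid.group(1)) if gid else 1, int(sid.group(1)))  # gid defaults to 1
            # flowbits:set may name several bits joined with '&'
            setters[key] = [b.strip() for b in bits.group(1).split('&')]
    return setters

def threshold_suppressions(rules_text, disablesid_text):
    """threshold.conf 'suppress gen_id <gid>, sig_id <sid>' lines for disabled rules that
    PulledPork keeps enabled because they set a flowbit other rules depend on."""
    disabled = [(int(g), int(s)) for g, s in DISABLE_ENTRY_RE.findall(disablesid_text)]
    setters = flowbit_setters(rules_text)
    return ['suppress gen_id %d, sig_id %d' % key for key in disabled if key in setters]
```

A suppress line silences the alert output without disabling the rule, so the flowbit is still set for the rules that check it.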

Doug Burks

Oct 31, 2013, 2:47:34 PM
to securit...@googlegroups.com
On Thu, Oct 31, 2013 at 2:40 PM, Doug Burks <doug....@gmail.com> wrote:
>> One final thing. I've changed the time on the server to central time and at one point I had Snorby showing the central time, but now it's showing GMT....GMT is ok, but would rather have central time.
>
> Please see the FAQ:
> https://code.google.com/p/security-onion/wiki/FAQ#Why_does_Security_Onion_use_UTC?

I should also mention that even though we require the OS time to be
set to UTC, each of the three main web interfaces (Snorby, Squert, and
ELSA) should allow you to render event timestamps in your local
timezone.


--
Doug Burks
http://securityonion.blogspot.com