Question about rules/snorby


Tom

Jun 26, 2015, 6:37:49 AM
to securit...@googlegroups.com
Hi,

I would just like some advice about how to handle various rules/alerts. The example starts with running the ET ruleset. All categories are disabled in the disablesid.conf, rules are turned on ad-hoc by adding the SID to enablesid.conf.

I decided I wanted to test a specific set of rules today, the rules were from the ET Trojan ruleset. After enabling the rule it has enabled a number of ET Policy rules too due to the flowbit being set.

The ET Policy rule that it has enabled is generating a lot of noise.

Obviously I can't disable the ET Policy rule, however in the first instance I don't want to see the ET Policy alerts in Snorby. In sguil I could use autocat but that won't help in Snorby. Any suggestions?

Tom

Shane Castle

Jun 26, 2015, 6:43:03 AM
to securit...@googlegroups.com
https://github.com/Security-Onion-Solutions/security-onion/wiki/ManagingAlerts#disable-the-sid

On 26.06.2015 12:37, Tom wrote:

> The ET Policy rule that it has enabled is generating a lot of noise.
>
> Obviously I can't disable the ET Policy rule, however in the first
> instance I don't want to see the ET Policy alerts in Snorby. In
> sguil I could use autocat but that won't help in Snorby. Any
> suggestions?

--
With best regards
Shane Castle

Tom

Jun 26, 2015, 6:53:51 AM
to securit...@googlegroups.com
Hi,

I've already read that. If I suppress the ET Policy rule, won't it affect the ET Trojan rule where the flowbit is set?

Thanks

Tom

Shane Castle

Jun 26, 2015, 7:17:45 AM
to securit...@googlegroups.com
I have found that you can disable rules that check flowbits with
impunity, but if a rule sets a flowbit and you disable it, you must also
disable all rules that check that flowbit or the rule will be re-enabled
by PulledPork. If you disable all rules that check a flowbit but the one
that sets it is still enabled you will see the message

Warning: flowbits key 'xxxx' is set but not ever checked

in your snortu-x log, where 'xxxx' is the flowbit in question.

Is it the rule that sets the flowbit that is noisy? Your post did not
make that clear.

If you could be explicit, and say exactly which rules are causing
issues, perhaps we might be able to give some better advice. The rule
might be written badly and need to be modified, for instance, in which
case the ET mailing lists might be a better resource
(https://lists.emergingthreats.net/mailman/listinfo).

Tom

Jun 26, 2015, 7:28:52 AM
to securit...@googlegroups.com
Sorry, I should have made that clear.

The rule that I had enabled was SID 2019896 which has flowbits:isset,ET.ELFDownload.

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Backdoor.Linux.Turla Download"; flow:from_server,established; flowbits:isset,ET.ELFDownload; content:"__we_are_happy__"; content:"__TREX__STOP__STRING__"; distance:0; content:"/dev/random"; distance:1; within:11; reference:url,securelist.com/blog/research/67962/the-penquin-turla-2/; reference:md5,19fbd8cbfb12482e8020a887d6427315; classtype:trojan-activity; sid:2019896; rev:2;)


The rule that is noisy is 2000418 which is enabled due to the above.

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Executable and linking format (ELF) file download"; flow:established; flowbits:isnotset,ET.ELFDownload; content:"|7F|ELF"; fast_pattern; content:"|00 00 00 00 00 00 00 00|"; distance:0; flowbits:set,ET.ELFDownload; reference:url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2000418; classtype:policy-violation; sid:2000418; rev:15;)

Doug Burks

Jun 26, 2015, 7:34:28 AM
to securit...@googlegroups.com
Hi Tom,

You should be able to suppress 2000418 and it should still set the
flowbit needed by 2019896, it just won't generate alerts.



--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
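An added illustration of the dependency Shane and Doug describe (not code from the thread, from PulledPork or from Security Onion): it parses the two ET rules Tom quoted, abbreviated to the options that matter here, works out which SIDs set a flowbit that an enabled rule checks, and emits the threshold.conf suppress entry that silences a setter without disabling it. Assumes Python 3 and plain Snort 2.x rule syntax.

```python
import re

# Constructed sample: the two ET rules quoted in the thread, abbreviated to the
# options that matter here (msg, flowbits, sid); the real rules carry more.
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Backdoor.Linux.Turla Download"; '
    'flow:from_server,established; flowbits:isset,ET.ELFDownload; sid:2019896; rev:2;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Executable and linking format (ELF) '
    'file download"; flow:established; flowbits:isnotset,ET.ELFDownload; content:"|7F|ELF"; '
    'flowbits:set,ET.ELFDownload; sid:2000418; rev:15;)',
]

SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
FLOWBITS_RE = re.compile(r'\bflowbits:\s*(\w+)\s*(?:,\s*([^;]+))?;')  # flowbits:<op>[,<arg>];

def parse_rules(rules):
    """Map sid -> {'sets': bits this rule sets, 'checks': bits it tests}."""
    parsed = {}
    for rule in rules:
        m = SID_RE.search(rule)
        if not m:
            continue  # skip anything without a sid (comments, malformed rules)
        entry = {"sets": set(), "checks": set()}
        for op, arg in FLOWBITS_RE.findall(rule):
            if not arg:
                continue  # noalert and similar take no bit name
            # first field is the bit expression (a&b / a|b allowed); a second field, if any, is a group
            bits = re.split(r"[&|]", arg.split(",")[0].strip())
            if op in ("set", "toggle"):
                entry["sets"].update(bits)
            elif op in ("isset", "isnotset"):
                entry["checks"].update(bits)
        parsed[int(m.group(1))] = entry
    return parsed

def required_setters(parsed, enabled):
    """SIDs outside `enabled` that must stay on because they set a bit an enabled rule checks (transitive)."""
    needed, frontier = set(), set(enabled)
    while frontier:
        sid = frontier.pop()
        for bit in parsed.get(sid, {"checks": set()})["checks"]:
            for other, e in parsed.items():
                if bit in e["sets"] and other not in enabled and other not in needed:
                    needed.add(other)
                    frontier.add(other)  # the setter may check further bits of its own
    return needed

def suppress_lines(sids, gen_id=1):
    """threshold.conf entries: the rule keeps running (and setting its flowbit) but no longer alerts."""
    return [f"suppress gen_id {gen_id}, sig_id {sid}" for sid in sorted(sids)]
```

For Tom's case this yields 2000418 as the one setter that 2019896 depends on, and the corresponding `suppress gen_id 1, sig_id 2000418` line keeps it evaluating while hiding its alerts from Snorby.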

Tom

Jun 26, 2015, 8:58:25 AM
to securit...@googlegroups.com
> Hi Tom,
>
> You should be able to suppress 2000418 and it should still set the
> flowbit needed by 2019896, it just won't generate alerts.
>

Hi Doug,

That's great, thank you for confirming that.
