Excluding Windows Updates from EXE alerts in Snort


Jeff

Jun 26, 2015, 11:52:48 AM
to securit...@googlegroups.com
I am running Security Onion with Snort on a fairly small network.

I am using the ET rules and want to alert on EXE downloads (sid 2000419 among others). I want to exclude Windows Update downloads from this alert, but some of the computers don't use WSUS and are going to the internet for Windows Updates, so I can't exclude an IP.

I tried modifying a few of the ET rules and adding flowbits, but this doesn't seem to have worked. I don't have much experience writing my own rules, so any help would be appreciated.

Below are the rules I created/modified and added to my local.rules (and then ran rule-update). After doing so I am still getting alerts for sid 3000001 when running Windows Updates.

Additionally, if anyone has solved this problem in another way, I'm open to other solutions.

# Request side: mark the flow when the Windows Update Agent user-agent is seen
# (flowbits:noalert keeps these helper rules from raising alerts of their own).
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MODIFIED ET POLICY Windows Update in Progress 01"; flow:established,to_server; content:"Windows-Update-Agent"; http_header; content:"Host|3a|"; http_header; nocase; within:20; pcre:"/User-Agent\x3a[^\n]+Windows-Update-Agent/i"; flowbits:set,winupdate; flowbits:noalert; classtype:policy-violation; sid:3000000; rev:1;)

# Response side: the ET 2000419 PE/DLL check, gated on the flowbit not having been
# set on this flow (no space after the comma in the flowbits option).
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MODIFIED ET POLICY PE EXE or DLL Windows file download"; flow:established,to_client; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:isnotset,winupdate; reference:url,doc.emergingthreats.net/bin/view/Main/2000419; classtype:policy-violation; sid:3000001; rev:2;)

# Request side: mark the flow when the request goes to a windowsupdate.com host.
# The original also required "windowsupdate.com" in http_uri, which only holds for
# proxied requests carrying an absolute URI; matching the Host header alone covers
# direct requests as well.
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"STP MODIFIED ET POLICY Windows Update in Progress 02"; flow:established,to_server; content:"windowsupdate.com"; http_header; nocase; flowbits:set,winupdate; flowbits:noalert; classtype:policy-violation; sid:3000002; rev:2;)

Doug Burks

Jun 29, 2015, 6:42:19 AM
to securit...@googlegroups.com
Hi Jeff,

Have you considered using the ELSA query named "HTTP: Sites hosting EXEs"?

http://blog.securityonion.net/2014/01/new-securityonion-web-page-package.html

This may allow you to disable some of these IDS alerts altogether.



--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
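The approach Doug describes, worked through as an added example (this is not code from the thread, from Security Onion or from ELSA). ELSA in Security Onion indexes Bro's logs, so the "HTTP: Sites hosting EXEs" view can be reproduced against Bro's http.log directly, and the Windows Update traffic can be separated by server host name rather than by client IP, which is what the thread needs. The http.log sample below is constructed and trimmed to a few fields; the list of suffixes treated as Windows Update (.windowsupdate.com, .update.microsoft.com) is an assumption for the example. Hosts are matched on the DNS suffix, not by substring, so a look-alike such as windowsupdate.com.evil.example is not excused.

```python
"""Triage EXE downloads from a Bro http.log by server host name.

Added example (not from the thread or Security Onion): the same idea as the
ELSA "HTTP: Sites hosting EXEs" query, with Windows Update hosts split off so
they can be excused without knowing which client IPs bypass WSUS.
"""
from collections import Counter

# Constructed sample of a Bro http.log, trimmed to a few fields (real logs carry
# ~27 columns; the parser keys on the #fields header, so the full set also works).
SAMPLE_HTTP_LOG = """\
#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.resp_h\tmethod\thost\turi\tuser_agent\tresp_mime_types
#types\ttime\tstring\taddr\taddr\tstring\tstring\tstring\tstring\tvector[string]
1435340001.1\tCa1\t10.0.0.5\t13.107.4.50\tGET\tdownload.windowsupdate.com\t/d/msdownload/update/kb1.exe\tMicrosoft BITS/7.5\tapplication/x-dosexec
1435340002.2\tCa2\t10.0.0.7\t13.107.4.50\tGET\tau.download.windowsupdate.com\t/c/msdownload/update/kb2.exe\tWindows-Update-Agent\tapplication/x-dosexec
1435340003.3\tCa3\t10.0.0.9\t198.51.100.20\tGET\tfiles.example.net\t/tools/setup.exe\tMozilla/5.0\tapplication/x-dosexec
1435340004.4\tCa4\t10.0.0.9\t198.51.100.21\tGET\twww.example.org\t/index.html\tMozilla/5.0\ttext/html
1435340005.5\tCa5\t10.0.0.11\t203.0.113.9\tGET\twindowsupdate.com.evil.example\t/update.exe\tMozilla/5.0\tapplication/x-dosexec
"""

EXE_MIME = "application/x-dosexec"
# Assumption for the example: these DNS suffixes are treated as Windows Update.
WINDOWS_UPDATE_SUFFIXES = (".windowsupdate.com", ".update.microsoft.com")


def parse_bro_log(text):
    """Parse a Bro/Zeek tab-separated log into dicts keyed by the #fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def is_windows_update_host(host):
    """Suffix match on the host name: the apex or any subdomain of a listed
    domain, but not a look-alike such as windowsupdate.com.evil.example."""
    host = host.lower().rstrip(".")
    return any(host == s.lstrip(".") or host.endswith(s) for s in WINDOWS_UPDATE_SUFFIXES)


def exe_downloads(rows):
    """Rows whose response carried a PE executable (resp_mime_types is a comma-joined vector)."""
    return [r for r in rows if EXE_MIME in r.get("resp_mime_types", "-").split(",")]


def sites_hosting_exes(rows):
    """Equivalent of the ELSA 'Sites hosting EXEs' view: host -> number of EXE responses."""
    return Counter(r["host"] for r in exe_downloads(rows))


def triage(text):
    """Split EXE downloads into (expected Windows Update, needs review)."""
    expected, review = [], []
    for r in exe_downloads(parse_bro_log(text)):
        (expected if is_windows_update_host(r["host"]) else review).append(r)
    return expected, review


if __name__ == "__main__":
    ok, suspect = triage(SAMPLE_HTTP_LOG)
    print("Windows Update EXEs:", [r["host"] for r in ok])
    for r in suspect:
        print("REVIEW: %s -> %s%s (uid %s)" % (r["id.orig_h"], r["host"], r["uri"], r["uid"]))
```

The uid in each reviewed row is the Bro connection id, which is what you would pivot on to the pcap or to the extracted file in /nsm/bro/extracted.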

otakar klier

Jul 10, 2015, 2:22:15 PM
to securit...@googlegroups.com
Hello,
I think a lot of people are going to be running into this problem especially when they are in an environment where they have to categorize all alerts.

Is there a way to filter out or auto-categorize based on a URL such as *.windowsupdate.com? This way we won't get these alerts but still get pcaps.

Please advise,

Doug Burks

Jul 10, 2015, 2:44:01 PM
to securit...@googlegroups.com
Hi Otakar,

If you disable or suppress the IDS alerts shown in Jeff's email,
you'll still get results in the ELSA query named "HTTP: Sites hosting
EXEs" and you'll still be able to pivot from there to pcaps if
necessary (or just pivot to the EXE itself in /nsm/bro/extracted if
you enabled EXE extraction during Setup).

otakar klier

Jul 13, 2015, 4:35:33 PM
to securit...@googlegroups.com
Hello Doug and thank you for the quick reply! Since I am not an expert on rules, can you please confirm if I understand this correctly:

Create 3 new rules, in Jeff's post, in local.rules and run rule-update

Suppress the rules using the procedure at https://github.com/Security-Onion-Solutions/security-onion/wiki/ManagingAlerts

This will still alert in Sguil for any EXE or DLL downloads and exclude anything from *.windowsupdates.com, correct?

Regards,

Doug Burks

Jul 14, 2015, 6:15:43 AM
to securit...@googlegroups.com
I think Jeff was saying that the 3 new rules in his post weren't
working correctly, so I proposed an alternative of using ELSA "HTTP:
Sites hosting
EXEs" query. This query doesn't rely on IDS alerts at all, so it
doesn't require his 3 new rules and may also allow you disable or
suppress some of the original IDS alerts for EXEs mentioned in the
beginning of Jeff's email "(sid 2000419 among others)".

Jeff

Jul 14, 2015, 12:18:59 PM
to securit...@googlegroups.com
I was never able to get the modified rules with the flowbits to work correctly 100% of the time. I gave up on trying to figure out what was wrong and started doing it the way Doug suggested, which does work well.

Jeff

On Tuesday, July 14, 2015 at 3:15:43 AM UTC-7, Doug Burks wrote:
> I think Jeff was saying that the 3 new rules in his post weren't
> working correctly, so I proposed an alternative of using ELSA "HTTP:
> Sites hosting
> EXEs" query. This query doesn't rely on IDS alerts at all, so it
> doesn't require his 3 new rules and may also allow you disable or
> suppress some of the original IDS alerts for EXEs mentioned in the
> beginning of Jeff's email "(sid 2000419 among others)".
>

otakar klier

Jul 14, 2015, 7:49:58 PM
to securit...@googlegroups.com
Hello Jeff and Doug,
Perhaps I am not understanding how to perform suppressions from ELSA? I can see all the alerts and the ones from the sites hosting EXEs, however how can they be autocategorized or suppressed from this point?

Overall I'm looking for a way that I don't have to perform these categorizations daily since we have to for anything that is not set to auto-cat or suppress.

Doug Burks

Jul 15, 2015, 5:31:16 AM
to securit...@googlegroups.com
Replies inline.

On Tue, Jul 14, 2015 at 7:49 PM, otakar klier <zom...@gmail.com> wrote:
> Hello Jeff and Doug,
> Perhaps I am not understanding how to perform suppressions from ELSA?

ELSA does not perform suppression.

> I can see all the alerts and the ones from the sites hosting EXEs, however how can they be autocategorized or suppressed from this point?

If the "Sites Hosting EXEs" query gives you the visibility you need,
then you can manually autocat/suppress the IDS alerts that you no
longer need.

> Overall I'm looking for a way that I don't have to perform these categorizations daily since we have to for anything that is not set to auto-cat or suppress.

To create a suppression:
https://github.com/Security-Onion-Solutions/security-onion/wiki/ManagingAlerts#suppressions

To create an autocat:
https://github.com/Security-Onion-Solutions/security-onion/wiki/ManagingAlerts#autocategorize-events
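The suppression Doug points to, written out as an added example; this is not taken from the wiki page or from the thread. Snort's threshold.conf syntax is `suppress gen_id <gid>, sig_id <sid>` with an optional `track by_src|by_dst, ip <list>`. The file location /etc/nsm/rules/threshold.conf, running rule-update afterwards to push it to the sensors, and the 10.0.1.0/24 client subnet are assumptions for this example. The caveat a rule writer wants: 2000419 fires on the server-to-client direction, so a per-client exception has to track the destination, not the source.

```conf
# /etc/nsm/rules/threshold.conf  (assumed location; run rule-update afterwards)

# Option A: silence ET 2000419 everywhere and rely on the ELSA
# "HTTP: Sites hosting EXEs" query for visibility into EXE downloads.
suppress gen_id 1, sig_id 2000419

# Option B: keep the alert, but silence it for a subnet of clients whose EXE
# downloads you accept. The rule is to_client ($EXTERNAL_NET -> $HOME_NET),
# so the client is the destination: track by_dst, not by_src. This still
# cannot single out clients that fetch updates directly from the internet,
# which is the problem Jeff started the thread with.
# suppress gen_id 1, sig_id 2000419, track by_dst, ip 10.0.1.0/24
```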