Snort/Snorby not filtering


jspud...@gmail.com

Nov 21, 2014, 1:03:55 PM11/21/14
to securit...@googlegroups.com
Yes I know this has been asked on here, but I am unable to find a solution to the previous times this was asked, so I am asking this question again.

This is killing me, but I cannot get my snort alerts filtered/limited. I have a few signatures that are just pounding me with alerts (i.e. old flash version, policy for microsoft skydrive, etc.) and all I want to do is limit them to alerting me once a day for each IP it sees.

I have attempted to update /etc/nsm/thresholds.conf with this:

#event_filter gen_id 1, sig_id 2014726, type limit, track by_src, count 1, seconds 86400

but it has zero effect. I have also tried updating PulledPork's modifysid to this:

2014726 "seconds 60" "seconds 86400"

And I still get alerts in snorby. This is driving me crazy.

Can anyone share with me why this might be happening or how we can limit the alerts that get sent to Snorby?

I am currently running snort using 4 processes so under /nsm/sensor_data/<sensor name>/ i have snort-1, snort-2, snort-3, and snort-4 directories if that matters.

Heine Lysemose

Nov 21, 2014, 1:21:49 PM11/21/14
to securit...@googlegroups.com

Hi

3 things...

Are you sure you are not seeing a backlog from the previous hits?

In your post you had a # in front of the rule. Make sure that's not the case in the threshold.conf file.

And afterwards remember to sudo rule-update to have the change take effect.

Regards,
Lysemose

--
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.
Visit this group at http://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.

jspud...@gmail.com

Nov 21, 2014, 1:39:14 PM11/21/14
to securit...@googlegroups.com
Lysemose, thanks for the response.

1. The alerts I'm seeing within Snorby have a current (within the minute) timestamp. Does that mean I'm current, or could that still be me processing previous alerts that just get timestamped with the current time? I'm trying to figure out how I can tell if I am processing old alerts.

2. The comment was a copy paste error...sorry. Yes I had it un-commented when testing.

3. I did run rule-update

4. What is the best way to handle limiting alerts? threshold.conf or modifysid?

jspud...@gmail.com

Nov 21, 2014, 2:24:50 PM11/21/14
to securit...@googlegroups.com
UGH..this should not be this hard. I must be missing something. I still get alerts that are not filtered/limited. I am now just trying to use threshold.conf to limit them to once a day.

I see this message when restarting using "rule-update"

Restarting: nsm-monitor-eth1
* starting: snort-1 (alert data) [ FAIL ]
- check /var/log/nsm/nsm-monitor-eth1/snortu-1.log for error messages
* starting: snort-2 (alert data) [ FAIL ]
- check /var/log/nsm/nsm-monitor-eth1/snortu-2.log for error messages
* starting: snort-3 (alert data) [ FAIL ]
- check /var/log/nsm/nsm-monitor-eth1/snortu-3.log for error messages
* starting: snort-4 (alert data) [ FAIL ]
- check /var/log/nsm/nsm-monitor-eth1/snortu-4.log for error messages

and the error in the log file looks like this:

ERROR: /etc/nsm/rules/downloaded.rules(8508) threshold (in rule): could not create threshold - only one per sig_id=2014726.
Fatal Error, Quitting..

My threshold.conf has this:

event_filter gen_id 1, sig_id 2014726, type limit, track by_src, count 1, seconds 86400

Anyone know why I can't limit this rule to only show up as an alert once in a 24-hour period?

Doug Burks

Nov 21, 2014, 7:47:14 PM11/21/14
to securit...@googlegroups.com
Based on the error, do you have multiple lines in threshold.conf for 2014726?
--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com

jspud...@gmail.com

Nov 25, 2014, 1:04:42 PM11/25/14
to securit...@googlegroups.com
Doug,
Thanks for responding. Good question as I did leave that information out, but no I do not have multiple entries in my threshold.conf. The only thing I can get to work using the threshold.conf file is suppression....that works great.

It appears I'm getting closer, as maybe I was seeing some leftover processing happening. But it still fires multiple times before it appears to stop. I have included a screenshot so you can see what I am talking about.

Is this happening because I have 4 snort instances running? Sometimes the alerts are from the same sensor i.e. "nsm-monitor-eth1:4" and sometimes I see them listed multiple times from *each* sensor i.e. "nsm-monitor-eth1:1, nsm-monitor-eth1:2, nsm-monitor-eth1:3"

FYI the first two events in the screenshot from host ".124" are on the same snort instance eth1:4.
snort-flash-alerts.PNG

Doug Burks

Nov 25, 2014, 9:54:27 PM11/25/14
to securit...@googlegroups.com
Replies inline.

On Tue, Nov 25, 2014 at 1:04 PM, <jspud...@gmail.com> wrote:
> Doug,
> Thanks for responding. Good question as I did leave that information out, but no I do not have multiple entries in my threshold.conf.

Looking at it again...that rule contains a threshold itself and so
Snort generates an error if you try to define an additional threshold
for the rule in threshold.conf. One option to consider would be
modifying the default threshold using
/etc/nsm/pulledpork/modifysid.conf.

> The only thing I can get to work using the threshold.conf file is suppression....that works great.

> It appears I'm getting closer as maybe I was seeing some left over processing happening. But it still fires multiple times, before it appears stops it. I have included a screen shot, so you can see what I am talking about.
>
> Is this happening because I have 4 snort instances running? Sometimes the alerts are from the same sensor i.e. "nsm-monitor-eth1:4" and sometimes I see them listed multiple times from *each* sensor i.e. "nsm-monitor-eth1:1, nsm-monitor-eth1:2, nsm-monitor-eth1:3"

Yes, choosing 4 Snort instances in Setup results in
"nsm-monitor-eth1:1, nsm-monitor-eth1:2, nsm-monitor-eth1:3,
nsm-monitor-eth1:4".

After modifying threshold.conf, how are you restarting your Snort instances?

jspud...@gmail.com

Nov 26, 2014, 3:04:53 PM11/26/14
to securit...@googlegroups.com
Doug,

I did add this to my modifysid in pulled pork:

2014726 "seconds 60" "seconds 86400"

That resulted in my downloaded.rules looking like this:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Outdated Windows Flash Version IE"; flow:established,to_server; content:"x-flash-version|3a| "; http_header; content:!"15,0,0,239|0d 0a|"; distance:0; within:12; http_header; content:"MSIE "; http_header; pcre:"/^User-Agent\x3a[^\r\n]+?MSIE\s/Hm"; threshold: type limit, count 1, seconds 86400, track by_src; reference:url,www.adobe.com/software/flash/about/; classtype:policy-violation; sid:2014726; rev:45;)

This *appears* to be correct, yes? I just don't get why it is firing multiple times...sometimes even on the same sensor, i.e. nsm-monitor-eth1:3 will have 2 or more alerts on the same day.

I restart with this: sudo rule-update

Doug Burks

Nov 26, 2014, 3:07:26 PM11/26/14
to securit...@googlegroups.com
When nsm-monitor-eth1:3 alerts more than once on the same day, what
are the timestamps?

Is there a Snort restart between the two timestamps?
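The two questions Doug asks (which instance fired, and whether Snort restarted between the timestamps) come from how a rule threshold is tracked. The following is an added example, not code from the thread or from Snort itself: a small Python model of a `type limit, count 1, seconds 86400, track by_src` threshold. It assumes, as Snort 2 does, that threshold state lives in each Snort process's memory, so each of the four instances (nsm-monitor-eth1:1 through :4) keeps its own counters and a restart such as `rule-update` discards them. The host addresses, timestamps and instance numbers are constructed to resemble the situation in the thread.

```python
"""Model of a Snort 'type limit, track by_src' event filter.

Added example, not Snort's code. Threshold state is modelled as
per-process memory: one filter per Snort instance, cleared on restart.
"""

SID = 2014726   # the ET POLICY Outdated Windows Flash Version IE rule
WINDOW = 86400  # seconds, from the rule's threshold clause
COUNT = 1       # alerts allowed per source per window


class LimitFilter:
    """Threshold state for ONE Snort process.

    Snort 2 keeps this in memory, so every instance has its own copy and
    a restart (sudo rule-update) starts every instance from empty state.
    """

    def __init__(self, count=COUNT, seconds=WINDOW):
        self.count = count
        self.seconds = seconds
        # (sid, src_ip) -> (window_start_ts, events_seen_in_window)
        self.state = {}

    def should_alert(self, sid, src_ip, ts):
        """'limit': alert on the first `count` events in a window that
        opens at the first event, then stay quiet until it expires."""
        key = (sid, src_ip)
        start, seen = self.state.get(key, (None, 0))
        if start is None or ts - start >= self.seconds:
            self.state[key] = (ts, 1)   # first event of a new window
            return True
        self.state[key] = (start, seen + 1)
        return seen < self.count

    def restart(self):
        """Process restart: all counters are lost."""
        self.state.clear()


# Constructed events: (timestamp_seconds, snort_instance, source_ip).
# Flows from the same host are spread across the 4 instances.
EVENTS = [
    (0,    4, "10.0.0.124"),
    (30,   4, "10.0.0.124"),   # same instance, inside window
    (120,  1, "10.0.0.124"),   # other instance: separate counters
    (300,  2, "10.0.0.124"),
    (600,  3, "10.0.0.124"),
    (900,  4, "10.0.0.55"),    # different source: its own window
    (7200, 4, "10.0.0.124"),   # still inside eth1:4's 24h window
]


def simulate(events, instances=4, restart_at=None):
    """Return the alerts that leave the sensors as
    (ts, instance_name, src_ip). If restart_at is given, every instance
    is restarted at that timestamp (as rule-update restarts all of them).
    """
    filters = {i: LimitFilter() for i in range(1, instances + 1)}
    restarted = restart_at is None
    fired = []
    for ts, inst, src in sorted(events):
        if not restarted and ts >= restart_at:
            for f in filters.values():
                f.restart()
            restarted = True
        if filters[inst].should_alert(SID, src, ts):
            fired.append((ts, f"nsm-monitor-eth1:{inst}", src))
    return fired


def alerts_per_source(fired):
    """Count alerts per source IP, the view a Snorby user would notice."""
    counts = {}
    for _, _, src in fired:
        counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    print("no restart:", simulate(EVENTS))
    print("restart at t=3600:", simulate(EVENTS, restart_at=3600))
```

With no restart, 10.0.0.124 still produces four alerts in one day, one from each instance, because each process only knows about the flows it saw. With a restart between the first event and the one at t=7200, instance 4 alerts a second time for the same host, which is exactly the pattern of "2 or more alerts on the same day from the same sensor" the thread describes. A single threshold.conf entry cannot change this; it reduces alerts within one process, not across processes or restarts.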
