Rule still triggering even after modifying to ignore IP range


Andi Morris

Jun 3, 2015, 6:22:32 AM
to securit...@googlegroups.com
Apologies if this should be directed to the snort mailing list instead of here.

I have a rule that is triggering a lot, but I'm aware of why, and want to suppress it.

The modified rule is declared in local.rules as below:

alert tcp ![192.168.4.0/24],$EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT MS-SQL SQL Injection closing string plus line comment"; flow: to_server,established; content:"'|00|"; content:"-|00|-|00|"; reference:url,owasp.org/index.php/SQL_Injection; reference:url,doc.emergingthreats.net/bin/view/Main/2000488; classtype:attempted-user; sid:90000001; rev:1;)

The range 192.168.4.0/24 is part of my $HOME_NET range, but I know that this particular rule triggering from here is ok, so I don't want to see alerts any more.

I have tried the NOT argument with and without the square brackets, but it doesn't seem to make any difference.

An example of the trigger from Snorby is:
nsmserver-eth2:7 192.168.4.132 192.168.110.109 ET EXPLOIT MS-SQL SQL Injection closing string plus line comment

Clicking View Rule in snorby does show the modified rule, as above.

I'm seeing this for other rules that I have modified too, so I think there's something I've missed somewhere. Can anyone tell me what I've done wrong please?

Cheers,
Andi

Shane Castle

Jun 3, 2015, 6:38:18 AM
to securit...@googlegroups.com
It seems to me that you don't have $EXTERNAL_NET set correctly. Many
installations set $HOME_NET appropriately and then set $EXTERNAL_NET to
its complement, that is, essentially !$HOME_NET. If $EXTERNAL_NET is
still set to 'any' (which IIRC it is by default) that explains why you
are seeing it and why your new rule has no effect.

I looked up the original rule:

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT MS-SQL
SQL Injection closing string plus line comment"; flow:
to_server,established; content:"'|00|"; content:"-|00|-|00|";
reference:url,owasp.org/index.php/SQL_Injection;
reference:url,doc.emergingthreats.net/bin/view/Main/2000488;
classtype:attempted-user; sid:2000488; rev:8;)

Setting both $HOME_NET and $EXTERNAL_NET correctly will cut out a lot of
FP alerts.
--
With best regards
Shane Castle

Andi Morris

Jun 3, 2015, 6:44:30 AM
to securit...@googlegroups.com
Thanks Shane.

I've toyed with having EXTERNAL_NET set to !HOME_NET, but I was concerned about missing out on internal triggers, so I set it back to ANY.

Am I correct in saying, then, that if ANY is set in a rule there's no way to filter that down at all?

Cheers,
Andi

Shane Castle

Jun 3, 2015, 6:58:02 AM
to securit...@googlegroups.com
With IP address lists in snort rules, you are creating a set which is
the union of all the IP address list elements, so yes. If you want to
retain the mapping of 'any' to $EXTERNAL_NET you can just remove that
from your list. The specification of '!192.168.1.0/24' includes in its
members every IP address that is not yours :).

Have you downloaded the Snort user guide PDF? Look here:
https://www.snort.org/#documents
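To make the union point above concrete, here is a small evaluator added to this thread (not Snort's parser and not anyone's code from the thread) that follows Shane's description literally: each comma-separated element contributes a set of addresses, a leading "!" contributes the complement of that set, and the list matches when any element does. The $HOME_NET value of 192.168.0.0/16 and the two $EXTERNAL_NET bindings are assumptions; Andi's actual variables are not given in the thread. Snort's own handling of mixed negated and positive entries is documented in the user guide Shane links and is not reproduced here.

```python
import ipaddress

# Constructed variable bindings (assumed, not from the thread): the same
# HOME_NET with EXTERNAL_NET set to "any" versus its complement.
VARS_EXTERNAL_ANY = {"$HOME_NET": "192.168.0.0/16", "$EXTERNAL_NET": "any"}
VARS_EXTERNAL_NOT_HOME = {"$HOME_NET": "192.168.0.0/16", "$EXTERNAL_NET": "!$HOME_NET"}


def split_top_level(spec):
    """Split a comma-separated list on commas that are not inside [...]."""
    parts, depth, current = [], 0, []
    for ch in spec:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return [p.strip() for p in parts if p.strip()]


def element_matches(element, ip, variables):
    """Does one element (any, CIDR/host, $VAR, [list], or a !-negated form) contain ip?"""
    if element.startswith("!"):
        # Shane's reading: "!X" contributes every address that is NOT in X.
        return not element_matches(element[1:], ip, variables)
    if element.startswith("[") and element.endswith("]"):
        return list_matches(element[1:-1], ip, variables)
    if element.startswith("$"):
        # Variables expand to their own (possibly negated or bracketed) list.
        return list_matches(variables[element], ip, variables)
    if element == "any":
        return True
    return ip in ipaddress.ip_network(element, strict=False)


def list_matches(spec, ip, variables):
    """Union semantics: the list matches if ANY of its elements matches."""
    return any(element_matches(e, ip, variables) for e in split_top_level(spec))


def rule_source_matches(source_spec, src_ip, variables):
    """Would a rule whose source field is source_spec consider src_ip in scope?"""
    return list_matches(source_spec, ipaddress.ip_address(src_ip), variables)


if __name__ == "__main__":
    offender = "192.168.4.132"  # the source address from Andi's Snorby event
    for label, env in (("EXTERNAL_NET=any", VARS_EXTERNAL_ANY),
                       ("EXTERNAL_NET=!$HOME_NET", VARS_EXTERNAL_NOT_HOME)):
        for spec in ("![192.168.4.0/24],$EXTERNAL_NET", "![192.168.4.0/24]"):
            print(label, spec, "->", rule_source_matches(spec, offender, env))
```

With $EXTERNAL_NET bound to any, the element "![192.168.4.0/24]" excludes 192.168.4.132 but the union with any puts it straight back, which is why the modified rule keeps firing. Dropping $EXTERNAL_NET from the list, or binding it to !$HOME_NET, is what actually removes the address from scope.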

Shane Castle

Jun 3, 2015, 7:09:38 AM
to securit...@googlegroups.com
Also, a possibly easier way to handle this rule is to use modifysid.conf:

1:2000488 "\$EXTERNAL_NET" "![192.168.4.0/24]"

If you already have it in disablesid.conf you will need to remove it.

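To show what Shane's modifysid.conf line does to the rule, here is an added re-implementation of just the substitution step (it is not PulledPork's code, and it does not reproduce PulledPork's ordering against disablesid.conf or its rule-file rewriting). The search field is treated as a regular expression and the replacement as literal text, which is why the dollar sign in "\$EXTERNAL_NET" has to be escaped: an unescaped "$" is an end-of-line anchor and matches nothing useful. The rule text is the original ET rule Shane quoted, joined onto one line.

```python
import re

# The original ET rule from Shane's post, joined onto one line.
ORIGINAL_RULE = (
    'alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT MS-SQL '
    'SQL Injection closing string plus line comment"; flow: to_server,established; '
    'content:"\'|00|"; content:"-|00|-|00|"; '
    'reference:url,owasp.org/index.php/SQL_Injection; '
    'reference:url,doc.emergingthreats.net/bin/view/Main/2000488; '
    'classtype:attempted-user; sid:2000488; rev:8;)'
)

# Shane's modifysid.conf line, verbatim (the backslash is part of the file contents).
MODIFYSID_LINE = '1:2000488 "\\$EXTERNAL_NET" "![192.168.4.0/24]"'

# <sids> "<search regex>" "<replacement>"; sids may be sid or gid:sid, comma separated.
LINE_RE = re.compile(r'^\s*(\S+)\s+"(.*?)"\s+"(.*?)"\s*$')
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')


def parse_modifysid_line(line):
    """Return (set of sids as strings, search regex, replacement text)."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("not a modifysid line: %r" % line)
    sids = {tok.split(":")[-1] for tok in m.group(1).split(",")}
    return sids, m.group(2), m.group(3)


def rule_sid(rule):
    """Extract the sid of a rule line, or None if it has none."""
    m = SID_RE.search(rule)
    return m.group(1) if m else None


def apply_modifysid(rule, line):
    """Apply one modifysid line to one rule; rules with other sids pass through untouched."""
    sids, search, replacement = parse_modifysid_line(line)
    if rule_sid(rule) not in sids:
        return rule
    # Replacement goes in literally (the lambda stops re.sub from reading backreferences).
    return re.sub(search, lambda _m: replacement, rule, count=1)


if __name__ == "__main__":
    print(apply_modifysid(ORIGINAL_RULE, MODIFYSID_LINE))
```

Note that the rewritten rule keeps sid:2000488, so if that sid is also listed in disablesid.conf the disable wins and the modified rule never loads, which is the point of Shane's last sentence. The rewritten source field is "![192.168.4.0/24]" alone, with no ",$EXTERNAL_NET" appended, matching his earlier advice to drop any from the list.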

Andi Morris

Jun 3, 2015, 7:11:55 AM
to securit...@googlegroups.com
I have read that section of the user guide, and I thought I'd configured the rule correctly to ignore the 192.168.4.0/24 subnet. I've just checked again, and as far as I can see it should work.

I like the modifysid idea though! I'll have a go at that now.
Thank you!
