Snort mailing list archives

Re: Common false positives


From: Bennett Todd <bet () rahul net>
Date: Tue, 25 Feb 2003 12:03:17 -0500

2003-02-25T11:10:28 John Cherbini:
> I was simply wondering if those of you with more experience with
> snort could share some of the rules that are generally found to be
> false positives.

This depends wildly on local details; depending on whether your
environment makes it feasible for you to really meaningfully
populate HOME_NET, EXTERNAL_NET, *_SERVERS, *_PORTS; depending on
whether the traffic patterns your snort is exposed to trigger lots
of false-positives from portscan2, etc.

Another factor is the location of your sensor. Snorts listening
_inside_ firewalls tend to have few "real" incidents, and most of
their output is false positives; this can make them easier to tune.
Snorts placed outside firewalls, showing all traffic arriving at the
doorstep from the wide-open internet, are often very very noisy,
with all the knob-twisters and failed attack attempts showing up.
But are these "false positives"? Many would say no.

Furthermore, some sigs whinge about routing network yammering that
reflects the existence of running Windows systems; not everyone
agrees that such devices constitute attacks:-). Some snort sensor
placement intrinsically prevents the sensor from seeing such
traffic; other placements don't.

A simple alert summarizing script (I append a throwaway I wrote once
for this) can be helpful in deciding what to hammer at first.

-Bennett

#!/usr/bin/perl
# Summarize snort fast-format alerts by SID, with the message text
# looked up from sid-msg.map.  Usage:  alertsum.pl /var/log/snort/alert
use strict;
use warnings;
use IO::File;

# sid-msg.map lines look like:  sid || msg || reference || reference ...
my $map = IO::File->new("</etc/snort/sid-msg.map")
    or die "can't open /etc/snort/sid-msg.map: $!";
my %msg;                       # sid => "msg [refs]"
while (defined($_ = $map->getline)) {
    next unless /^\d+\s*\|\|/; # skip comments and blank lines
    chomp;
    my ($sid, $msg, @refs) = split /\s*\|\|\s*/, $_;
    $msg .= " [@refs]" if @refs;
    $msg{$sid} = $msg;
}
$map->close;

# Fast-format alert lines start with a timestamp, then "[**] [gid:sid:rev] msg".
# Only generator 1 (the rules engine) is counted.
my %alerts;                    # sid => number of alerts seen
while (<>) {
    next unless /^\S+\s+\[\*\*\] \[1:(\d+)/;
    $alerts{$1}++;
}

# One line per SID, sorted numerically.  SIDs missing from the map
# (local rules, a stale map) are flagged rather than printed as blanks,
# which under -w would also have produced "uninitialized value" warnings.
for my $sid (sort { $a <=> $b } keys %alerts) {
    my $text = defined $msg{$sid} ? $msg{$sid} : "(not in sid-msg.map)";
    printf "%5d %5d %s\n", $sid, $alerts{$sid}, $text;
}
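As an added illustration of the HOME_NET / EXTERNAL_NET / *_SERVERS / *_PORTS tuning point in the message above (this fragment is not part of Bennett's mail and not the Snort project's own configuration): a snort.conf excerpt in the 1.9-era syntax, showing the untuned "any" settings beside a populated set of variables and a portscan2 ignore list. Every address and network below is made up; substitute your own.

```conf
# --- Untuned: rules written as "$EXTERNAL_NET -> $HTTP_SERVERS $HTTP_PORTS"
#     match every host in every direction, so an outbound browse to a web
#     server on the internet trips the same sigs as an inbound probe.
var HOME_NET any
var EXTERNAL_NET any
var HTTP_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var DNS_SERVERS $HOME_NET
var HTTP_PORTS 80
preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 5, port_limit 20, timeout 60

# --- Tuned: same rule set, but the variables now describe this site.
#     (Assumed addresses: 192.168.1.0/24 and 10.20.0.0/16 are the inside;
#     .10/.11 are the web servers, .25 the MTA, .53s the resolvers.)
var HOME_NET [192.168.1.0/24,10.20.0.0/16]
var EXTERNAL_NET !$HOME_NET
var HTTP_SERVERS [192.168.1.10/32,192.168.1.11/32]
var SMTP_SERVERS 192.168.1.25/32
var DNS_SERVERS [192.168.1.53/32,10.20.0.53/32]
# A port variable in this version takes one port or one range, e.g. 80:8080.
var HTTP_PORTS 80
# portscan2 keys on "one source talking to many hosts/ports"; busy
# resolvers and the monitoring box look exactly like that, so exclude them
# rather than raising the global thresholds for everyone.
preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 5, port_limit 20, timeout 60
preprocessor portscan2-ignorehosts: 192.168.1.53/32 10.20.0.53/32 10.20.0.250/32
```

With EXTERNAL_NET defined as !$HOME_NET, inside-to-inside traffic stops matching rules written for the outside world, which is where much of the "inside the firewall" noise the message describes comes from; run the alert summarizer before and after the change to see which SIDs actually drop out.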
