Snort mailing list archives
Thresholding the Cyberkit ICMP Ping rule
From: Brice B <nesta () iceburg net>
Date: Tue, 30 Dec 2003 20:55:59 -0600
Greetings!

<< YOU CAN SKIP THIS NARRATIVE >>

I've been getting way too many ICMP PING CyberKit 2.2 Windows alerts from my SNORT IDS. Too many in fact for me to attempt to disable all ICMP traffic using iptables. Of course this didn't work because SNORT sees the ethernet packets *before* they reach the iptables firewall (libcap), and thus keeps filling up my alert log [10/minute].

I have the following setup: A 1U server colocated. It runs apache, horde/imp, exim, courier IMAP, SNORT, iptables, etc. etc.

It is the only machine I'm responsible for on the network, so you might say why don't I just disable the Cyberkit rule? Well, I think it's a good idea to know what machines on my LAN are infected, so that I can blacklist them and notify their administrators. This is, after all, a worm propagation attempt...
<< READ HERE >>

So, I upgraded to snort 2.1.0 in order to use its "thresholding" feature. I've added the following line(s) to my threshold.conf:

----
# suppress CyberKit Ping when source is ! From Local Network - ie. Ping originates from local network
suppress gen_id 1, sig_id 483, track by_src, ip !88.88.88.0/24
----

My logs are still filling up w/ Cyberkit ping alerts even though they're originating from machines OUTSIDE of my network ??
Any Ideas?

<< DEBUGGING >>

----
maestro:/etc/snort# snort -V

   -*> Snort! <*-
   Version 2.1.0 (Build 9)
   By Martin Roesch (roesch () sourcefire com, www.snort.org)
----

maestro:/home/nesta# cat /etc/snort/snort.conf
#--------------------------------------------------
#   http://www.snort.org     Snort 2.1.0 Ruleset
#     Contact: snort-sigs () lists sourceforge net
#--------------------------------------------------
# $Id: snort.conf,v 1.133 2003/12/18 17:05:07 cazz Exp $
#
###################################################
# This file contains a sample snort configuration.
# You can take the following steps to create your own custom configuration:
#
#  1) Set the network variables for your network
#  2) Configure preprocessors
#  3) Configure output plugins
#  4) Customize your rule set
#
###################################################

var HOME_NET [88.88.88.220,88.88.88.221,88.88.88.222,88.88.88.223,88.88.88.224,88.88.88.225,88.88.88.226,88.88.88.227,88.88.88.228,88.88.88.229]
var EXTERNAL_NET !88.88.88.0/24

# List of DNS servers on your network
var DNS_SERVERS $HOME_NET

# List of SMTP servers on your network
var SMTP_SERVERS $HOME_NET

# List of web servers on your network
var HTTP_SERVERS $HOME_NET

# List of sql servers on your network
var SQL_SERVERS $HOME_NET

# List of telnet servers on your network
var TELNET_SERVERS $HOME_NET

# List of snmp servers on your network
var SNMP_SERVERS $HOME_NET

var HTTP_PORTS 80

# Ports you want to look for SHELLCODE on.
var SHELLCODE_PORTS !80

# Ports you do oracle attacks on
var ORACLE_PORTS 1521

var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]

# Path to your rules files (this can be a relative path)
var RULE_PATH /etc/snort/rules

preprocessor frag2
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_inspect: global \
    iis_unicode_map $RULE_PATH/unicode.map 1252
preprocessor http_inspect_server: server default \
    profile all \
    ports { 80 8080 }
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode

output database: alert, mysql, user=snort password=XXXXXX dbname=snort host=localhost

include $RULE_PATH/classification.config
include $RULE_PATH/reference.config
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/experimental.rules

### THESE WERE ALL COMMENTED OUT
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/shellcode.rules
include $RULE_PATH/policy.rules
include $RULE_PATH/porn.rules
include $RULE_PATH/info.rules
include $RULE_PATH/icmp-info.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/chat.rules
include $RULE_PATH/multimedia.rules
include $RULE_PATH/p2p.rules
include $RULE_PATH/experimental.rules

# Include any thresholding or suppression commands
include threshold.conf
----

Thanks for any advice!

Regards,
Brice Burgess - iCEBURG
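As an added illustration (not part of the post above, and not Snort's own code), the following Python script models what the poster is after: it parses alert_fast lines, keeps sid 483 hits only when the source lies inside the LAN (the effect the suppress line intends), and applies the documented `threshold type limit, track by_src` semantics (pass the first `count` events per source in each `seconds` window). The alert lines, the 203.0.113.x and 88.88.88.17 addresses and the sid 1000001 rule are all constructed for the example.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample alerts in Snort's alert_fast format (not from the post).
# 203.0.113.9 stands in for an outside host, 88.88.88.17 for a LAN host.
SAMPLE_ALERTS = """\
12/30-20:40:01.000001 [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.9 -> 88.88.88.220
12/30-20:40:07.000002 [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.9 -> 88.88.88.221
12/30-20:40:15.000003 [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 88.88.88.17 -> 88.88.88.220
12/30-20:41:30.000004 [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.9 -> 88.88.88.222
12/30-20:41:31.000005 [**] [1:1000001:1] LOCAL constructed test rule [**] [Classification: Misc activity] [Priority: 3] {ICMP} 88.88.88.17 -> 88.88.88.220
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):\d+\] "
    r"(?P<msg>.*?) \[\*\*\] .*\{(?P<proto>\w+)\} (?P<src>[\d.]+) -> (?P<dst>[\d.]+)$"
)

def parse_alerts(text):
    """Turn alert_fast lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            a = m.groupdict()
            # alert_fast timestamps carry no year; 2003 matches the post's date
            a["ts"] = datetime.strptime(a["ts"], "%m/%d-%H:%M:%S.%f").replace(year=2003)
            a["gid"], a["sid"] = int(a["gid"]), int(a["sid"])
            alerts.append(a)
    return alerts

def keep_local_sources(alerts, home_net, sid=483):
    """What the post's suppress line intends: keep sid hits only when the
    source is inside home_net, so what remains points at infected LAN hosts."""
    net = ip_network(home_net)
    return [a for a in alerts if a["sid"] == sid and ip_address(a["src"]) in net]

def limit_by_src(alerts, count=1, seconds=60):
    """Model of 'threshold type limit, track by_src': pass the first `count`
    events per (gid, sid, src) in each `seconds` window and drop the rest."""
    windows, kept = {}, []
    for a in alerts:
        key = (a["gid"], a["sid"], a["src"])
        start, n = windows.get(key, (a["ts"], 0))
        if (a["ts"] - start).total_seconds() >= seconds:
            start, n = a["ts"], 0          # window expired: open a new one
        n += 1
        windows[key] = (start, n)
        if n <= count:
            kept.append(a)
    return kept
```

With the sample above, `keep_local_sources` leaves only the 88.88.88.17 hit, and `limit_by_src` passes 4 of the 5 alerts: the 20:40:07 repeat from 203.0.113.9 falls inside the first 60-second window and is dropped.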