Snort mailing list archives

Thresholding the Cyberkit ICMP Ping rule


From: Brice B <nesta () iceburg net>
Date: Tue, 30 Dec 2003 20:55:59 -0600

Greetings!

<< YOU CAN SKIP THIS NARRATIVE >>
I've been getting way too many ICMP PING CyberKit 2.2 Windows alerts from my SNORT IDS. Too many in fact for me to attempt to disable all ICMP traffic using iptables. Of course this didn't work because SNORT sees the ethernet packets *before* they reach the iptables firewall (libpcap), and thus keeps filling up my alert log [10/minute].

I have the following setup:

A 1U server colocated. It runs apache, horde/imp, exim, courier IMAP, SNORT, iptables, etc. etc.

It is the only machine I'm responsible for on the network, so you might say why don't I just disable the Cyberkit rule? Well, I think it's a good idea to know what machines on my LAN are infected, so that I can blacklist them and notify their administrators. This is, after all, a worm propagation attempt...

<< READ HERE >>
So, I upgraded to snort 2.1.0 in order to use its "thresholding" feature.

I've added the following line(s) to my threshold.conf:
----
# suppress CyberKit Ping when source is ! From Local Network - ie. Ping originates from local network
suppress gen_id 1, sig_id 483, track by_src, ip !88.88.88.0/24
----

My logs are still filling up w/ Cyberkit ping alerts even though they're originating from machines OUTSIDE of my network?
Any ideas?


<< DEBUGGING >>
----
maestro:/etc/snort# snort -V

-*> Snort! <*-
Version 2.1.0 (Build 9)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
----

maestro:/home/nesta# cat /etc/snort/snort.conf
#--------------------------------------------------
#   http://www.snort.org     Snort 2.1.0 Ruleset
#     Contact: snort-sigs () lists sourceforge net
#--------------------------------------------------
# $Id: snort.conf,v 1.133 2003/12/18 17:05:07 cazz Exp $
#
###################################################
# This file contains a sample snort configuration.
# You can take the following steps to create your own custom configuration:
#
#  1) Set the network variables for your network
#  2) Configure preprocessors
#  3) Configure output plugins
#  4) Customize your rule set
#
###################################################

var HOME_NET [88.88.88.220,88.88.88.221,88.88.88.222,88.88.88.223,88.88.88.224,88.88.88.225,88.88.88.226,88.88.88.227,88.88.88.228,88.88.88.229]

var EXTERNAL_NET !88.88.88.0/24

# List of DNS servers on your network
var DNS_SERVERS $HOME_NET

# List of SMTP servers on your network
var SMTP_SERVERS $HOME_NET

# List of web servers on your network
var HTTP_SERVERS $HOME_NET

# List of sql servers on your network
var SQL_SERVERS $HOME_NET

# List of telnet servers on your network
var TELNET_SERVERS $HOME_NET

# List of snmp servers on your network
var SNMP_SERVERS $HOME_NET

var HTTP_PORTS 80

# Ports you want to look for SHELLCODE on.
var SHELLCODE_PORTS !80

# Ports you do oracle attacks on
var ORACLE_PORTS 1521

var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]

# Path to your rules files (this can be a relative path)
var RULE_PATH /etc/snort/rules


preprocessor frag2

preprocessor stream4: disable_evasion_alerts

preprocessor stream4_reassemble

preprocessor http_inspect: global \
   iis_unicode_map $RULE_PATH/unicode.map 1252

preprocessor http_inspect_server: server default \
   profile all \
   ports { 80 8080 }


preprocessor rpc_decode: 111 32771

preprocessor bo

preprocessor telnet_decode



output database: alert, mysql, user=snort password=XXXXXX dbname=snort host=localhost


include $RULE_PATH/classification.config


include $RULE_PATH/reference.config


include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules

include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules

include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules

include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules

include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules

include $RULE_PATH/experimental.rules


### THESE WERE ALL COMMENTED OUT
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/shellcode.rules
include $RULE_PATH/policy.rules
include $RULE_PATH/porn.rules
include $RULE_PATH/info.rules
include $RULE_PATH/icmp-info.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/chat.rules
include $RULE_PATH/multimedia.rules
include $RULE_PATH/p2p.rules
include $RULE_PATH/experimental.rules

# Include any thresholding or suppression commands
include threshold.conf


Thanks for any advice!

Regards,

 Brice Burgess - iCEBURG
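An added post-filter (example code, not Snort's own matcher and not from the post) that applies the intended semantics of the suppress line above to alert_fast-style alert lines: it parses the `suppress` line, treats a leading `!` on the `ip` spec as negation, drops matching alerts, and counts the sources that survive, which are the local hosts the poster wants to find. The alert lines are constructed samples.

```python
import ipaddress
import re

# The suppress line from the post (parsed here by example code, not by Snort).
SUPPRESS_LINE = "suppress gen_id 1, sig_id 483, track by_src, ip !88.88.88.0/24"

# Constructed alert_fast-style lines: two external sources, one local host pinging twice.
ALERTS = [
    "12/30-20:40:01.000001  [**] [1:483:5] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.7 -> 88.88.88.220",
    "12/30-20:40:02.000002  [**] [1:483:5] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 88.88.88.15 -> 88.88.88.221",
    "12/30-20:40:03.000003  [**] [1:483:5] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 88.88.88.15 -> 88.88.88.222",
    "12/30-20:40:04.000004  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.9 -> 88.88.88.220",
]

# Pull gid, sid, source and destination out of an alert_fast line.
ALERT_RE = re.compile(r"\[(\d+):(\d+):\d+\].*\{\w+\} (\S+) -> (\S+)$")


def parse_suppress(line):
    """Turn a 'suppress' line into gen_id, sig_id, track, negate flag and network."""
    body = line.split(None, 1)[1]
    kv = dict(part.strip().split(None, 1) for part in body.split(","))
    ipspec = kv.get("ip", "")
    negate = ipspec.startswith("!")
    net = ipaddress.ip_network(ipspec.lstrip("!"), strict=False) if ipspec else None
    return {"gen_id": int(kv["gen_id"]), "sig_id": int(kv["sig_id"]),
            "track": kv.get("track", "by_src"), "negate": negate, "net": net}


def suppressed(rule, alert):
    """True when the alert matches the rule's gid/sid and its tracked address matches the ip spec."""
    m = ALERT_RE.search(alert)
    if not m:
        return False
    gid, sid, src, dst = int(m[1]), int(m[2]), m[3], m[4]
    if (gid, sid) != (rule["gen_id"], rule["sig_id"]):
        return False
    if rule["net"] is None:          # no ip spec: suppress every hit of this sid
        return True
    addr = ipaddress.ip_address(src if rule["track"] == "by_src" else dst)
    return (addr in rule["net"]) != rule["negate"]


def surviving_sources(rule, alerts):
    """Count un-suppressed alerts per source: the hosts worth blacklisting or notifying."""
    counts = {}
    for a in alerts:
        if not suppressed(rule, a):
            src = ALERT_RE.search(a)[3]
            counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    print(surviving_sources(parse_suppress(SUPPRESS_LINE), ALERTS))
```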