Snort mailing list archives

RE: Where do I go from here

From: "Briggs, Bruce" <Bruce.Briggs () suny edu>
Date: Tue, 15 Nov 2005 20:21:53 -0500

If you have a Class B address space, as many of us early .edu sites do,
one gets tired very early on of the thousands of firewall log deny
entries per day and the tons of IDS alerts found outside the firewall.

For a site with a limited number of public IP addrs, I can agree that a
probe outside the firewall might well be instructive.

Bruce


-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Lee
Clemens
Sent: Tuesday, November 15, 2005 7:54 PM
To: 'Timothy A. Holmes'; 'snort'
Subject: RE: [Snort-users] Where do I go from here

I agree, although it is a great learning experience to keep a sensor
outside of your firewall. I learned a great deal due to the increased
frequency of attacks. When my router is set up properly there aren't any
unsolicited incoming packets (that I've seen), so it can be a bit
boring. 

For now, I'd have to recommend keeping it outside, so that you can get a
feel for the setup. More data coming into BASE will help you move about,
and then you will have a better idea of what to expect if you move the
sensor inside the firewall and wonder, Is this thing on? -- as you'll
hopefully get far fewer alerts. 

Ideally you would have at least two taps, one right in front of your
firewall and one directly behind. Then you could compare the data from
the two and identify what is getting through and work on figuring out
the why.

My two cents
Lee

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Briggs,
Bruce
Sent: Tuesday, November 15, 2005 4:01 PM
To: Timothy A. Holmes; snort
Subject: RE: [Snort-users] Where do I go from here

So you are monitoring what is outside you door in a crime-ridden
neighborhood (the Internet).
This does not tell you what is coming through your door (your firewall).
 
Personally, I care what makes it into my network.  I don't care all that
much about what does not make it into my network.
So for me, I want an IDS inside my network.  For me, an IPS is a better
candidate to be outside your firewall than an IDS.
 
Bruce

________________________________

From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Timothy A.
Holmes
Sent: Tuesday, November 15, 2005 2:16 PM
To: snort
Subject: [Snort-users] Where do I go from here



Hi Folks:

After some fits and starts, I believe that I have a functional IDS Box
watching the front door now, and I took out the back door (Wireless ap)
and repaired the hole in the wall with bricks and mortar

 

So, I guess the next question is what is the next step?



To summarize, I have a SNORT box up and sniffing on the inbound line
between the Cable Modem and the Firewall.  The management port is inside
the firewall and has an IP on it while the sniffing port is outside the
firewall and does not have one.  

 

I am logging to a mysql database, and running base for reporting.

 

As of the last check, I have received about 4500 alerts today, here is
the breakdown from base on them

 

Displaying alerts 1-7 of 7 total







   

 <
<https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=sig_a

Signature >
<https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=sig_d

 


 <
<https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=class
_a>
Classification >
<https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=class
_d>


 <
<https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=occur
_a>
Total # >
<https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=occur
_d>


 Sensor # 

 <
<https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=saddr
_a>
Source Address >
<https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=saddr
_d>


 <
<https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=daddr
_a>
Dest. Address >
<https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=daddr
_d>


 <
<https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=first
_a>
First >
<https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=first
_d>


 <
<https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=last_
a>
Last >
<https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=last_
d>  

      

[snort <http://www.snort.org/pub-bin/sigs.cgi?sid=3> ] (portscan) TCP
Portsweep 

unclassified 

55
<https://192.168.0.28/base/base_qry_main.php?new=1&sig%5B0%5D=%3D&sig%5B
1%5D
=1&sig_type=1&submit=Query+DB&num_result_rows=-1> (0%) 

1
<https://192.168.0.28/base/base_stat_sensor.php?sig%5B0%5D=%3D&sig%5B1%5
D=1&
sig_type=1>  

1
<https://192.168.0.28/base/base_stat_uaddr.php?addr_type=1&sig_type=1&si
g%5B
0%5D=%3D&sig%5B1%5D=1>  

31
<https://192.168.0.28/base/base_stat_uaddr.php?addr_type=2&sig_type=1&si
g%5B
0%5D=%3D&sig%5B1%5D=1>  

2005-11-15 03:06:05 

2005-11-15 13:12:23 

      

[snort <http://www.snort.org/pub-bin/sigs.cgi?sid=27> ] (portscan) Open
Port


unclassified 

3679
<https://192.168.0.28/base/base_qry_main.php?new=1&sig%5B0%5D=%3D&sig%5B
1%5D
=2&sig_type=1&submit=Query+DB&num_result_rows=-1> (33%) 

1
<https://192.168.0.28/base/base_stat_sensor.php?sig%5B0%5D=%3D&sig%5B1%5
D=2&
sig_type=1>  

1
<https://192.168.0.28/base/base_stat_uaddr.php?addr_type=1&sig_type=1&si
g%5B
0%5D=%3D&sig%5B1%5D=2>  

302
<https://192.168.0.28/base/base_stat_uaddr.php?addr_type=2&sig_type=1&si
g%5B
0%5D=%3D&sig%5B1%5D=2>  

2005-11-15 03:06:08 

2005-11-15 13:12:28 

      

[snort <http://www.snort.org/pub-bin/sigs.cgi?sid=4> ] (http_inspect)
BARE BYTE UNICODE ENCODING 

unclassified 

444
<https://192.168.0.28/base/base_qry_main.php?new=1&sig%5B0%5D=%3D&sig%5B
1%5D
=3&sig_type=1&submit=Query+DB&num_result_rows=-1> (4%) 

1
<https://192.168.0.28/base/base_stat_sensor.php?sig%5B0%5D=%3D&sig%5B1%5
D=3&
sig_type=1>  

2
<https://192.168.0.28/base/base_stat_uaddr.php?addr_type=1&sig_type=1&si
g%5B
0%5D=%3D&sig%5B1%5D=3>  

1
<https://192.168.0.28/base/base_stat_uaddr.php?addr_type=2&sig_type=1&si
g%5B
0%5D=%3D&sig%5B1%5D=3>  

2005-11-15 00:37:16 

2005-11-15 14:12:38 

      

[snort <http://www.snort.org/pub-bin/sigs.cgi?sid=2> ] (http_inspect)
DOUBLE DECODING ATTACK 

unclassified 

21
<https://192.168.0.28/base/base_qry_main.php?new=1&sig%5B0%5D=%3D&sig%5B
1%5D
=4&sig_type=1&submit=Query+DB&num_result_rows=-1> (0%) 

1
<https://192.168.0.28/base/base_stat_sensor.php?sig%5B0%5D=%3D&sig%5B1%5
D=4&
sig_type=1>  

1
<https://192.168.0.28/base/base_stat_uaddr.php?addr_type=1&sig_type=1&si
g%5B
0%5D=%3D&sig%5B1%5D=4>  

9
<https://192.168.0.28/base/base_stat_uaddr.php?addr_type=2&sig_type=1&si
g%5B
0%5D=%3D&sig%5B1%5D=4>  

2005-11-15 07:16:16 

2005-11-15 12:38:53 

      

[snort <http://www.snort.org/pub-bin/sigs.cgi?sid=15> ] (http_inspect)
OVERSIZE REQUEST-URI DIRECTORY 

unclassified 

6
<https://192.168.0.28/base/base_qry_main.php?new=1&sig%5B0%5D=%3D&sig%5B
1%5D
=6&sig_type=1&submit=Query+DB&num_result_rows=-1> (0%) 

1
<https://192.168.0.28/base/base_stat_sensor.php?sig%5B0%5D=%3D&sig%5B1%5
D=6&
sig_type=1>  

1
<https://192.168.0.28/base/base_stat_uaddr.php?addr_type=1&sig_type=1&si
g%5B
0%5D=%3D&sig%5B1%5D=6>  

3
<https://192.168.0.28/base/base_stat_uaddr.php?addr_type=2&sig_type=1&si
g%5B
0%5D=%3D&sig%5B1%5D=6>  

2005-11-15 10:43:42 

2005-11-15 11:46:43 

      

[snort <http://www.snort.org/pub-bin/sigs.cgi?sid=1> ] (portscan) TCP
Portscan 

unclassified 

3
<https://192.168.0.28/base/base_qry_main.php?new=1&sig%5B0%5D=%3D&sig%5B
1%5D
=9&sig_type=1&submit=Query+DB&num_result_rows=-1> (0%) 

1
<https://192.168.0.28/base/base_stat_sensor.php?sig%5B0%5D=%3D&sig%5B1%5
D=9&
sig_type=1>  

1
<https://192.168.0.28/base/base_stat_uaddr.php?addr_type=1&sig_type=1&si
g%5B
0%5D=%3D&sig%5B1%5D=9>  

3
<https://192.168.0.28/base/base_stat_uaddr.php?addr_type=2&sig_type=1&si
g%5B
0%5D=%3D&sig%5B1%5D=9>  

2005-11-15 10:36:26 

2005-11-15 10:36:42 

      

[snort <http://www.snort.org/pub-bin/sigs.cgi?sid=16> ] (http_inspect)
OVERSIZE CHUNK ENCODING 

unclassified 

3
<https://192.168.0.28/base/base_qry_main.php?new=1&sig%5B0%5D=%3D&sig%5B
1%5D
=13&sig_type=1&submit=Query+DB&num_result_rows=-1> (0%) 

1
<https://192.168.0.28/base/base_stat_sensor.php?sig%5B0%5D=%3D&sig%5B1%5
D=13
&sig_type=1>  

1
<https://192.168.0.28/base/base_stat_uaddr.php?addr_type=1&sig_type=1&si
g%5B
0%5D=%3D&sig%5B1%5D=13>  

1
<https://192.168.0.28/base/base_stat_uaddr.php?addr_type=2&sig_type=1&si
g%5B
0%5D=%3D&sig%5B1%5D=13>  

2005-11-15 11:45:36 

2005-11-15 11:46:40 

 

 

 

I guess I need to know what to do next and how to begin utilizing this
data to better protect my network

 

Anyone who can help, or point me to the proper resources would be
greatly appreciated

 

TIM



 

Timothy A. Holmes

IT Manager / Network Admin / Web Master / Computer Teacher

 

Medina Christian Academy

A Higher Standard...

 

Jeremiah 33:3

Jeremiah 29:11

Esther 4:14 





-------------------------------------------------------
This SF.Net email is sponsored by the JBoss Inc.  Get Certified Today
Register for a JBoss Training Course.  Free Certification Exam for All
Training Attendees Through End of 2005. For more info visit:
http://ads.osdn.com/?ad_id=7628&alloc_id=16845&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




-------------------------------------------------------
This SF.Net email is sponsored by the JBoss Inc.  Get Certified Today
Register for a JBoss Training Course.  Free Certification Exam
for All Training Attendees Through End of 2005. For more info visit:
http://ads.osdn.com/?ad_idv28&alloc_id845&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Where do I go from here Timothy A. Holmes (Nov 15)
- <Possible follow-ups>
- RE: Where do I go from here Briggs, Bruce (Nov 15)
  - RE: Where do I go from here Lee Clemens (Nov 15)
- RE: Where do I go from here Briggs, Bruce (Nov 15)
- Re: Where do I go from here Richard Bejtlich (Nov 15)