Snort mailing list archives
RE: Where do I go from here
From: "Briggs, Bruce" <Bruce.Briggs () suny edu>
Date: Tue, 15 Nov 2005 20:21:53 -0500
If you have a Class B address space, as many of us early .edu sites do, one gets tired very early on of the thousands of firewall log deny entries per day and the tons of IDS alerts found outside the firewall. For a site with a limited number of public IP addrs, I can agree that a probe outside the firewall might well be instructive. Bruce -----Original Message----- From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Lee Clemens Sent: Tuesday, November 15, 2005 7:54 PM To: 'Timothy A. Holmes'; 'snort' Subject: RE: [Snort-users] Where do I go from here I agree, although it is a great learning experience to keep a sensor outside of your firewall. I learned a great deal due to the increased frequency of attacks. When my router is set up properly there aren't any unsolicited incoming packets (that I've seen), so it can be a bit boring. For now, I'd have to recommend keeping it outside, so that you can get a feel for the setup. More data coming into BASE will help you move about, and then you will have a better idea of what to expect if you move the sensor inside the firewall and wonder, Is this thing on? -- as you'll hopefully get far fewer alerts. Ideally you would have at least two taps, one right in front of your firewall and one directly behind. Then you could compare the data from the two and identify what is getting through and work on figuring out the why. My two cents Lee -----Original Message----- From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Briggs, Bruce Sent: Tuesday, November 15, 2005 4:01 PM To: Timothy A. Holmes; snort Subject: RE: [Snort-users] Where do I go from here So you are monitoring what is outside you door in a crime-ridden neighborhood (the Internet). This does not tell you what is coming through your door (your firewall). Personally, I care what makes it into my network. I don't care all that much about what does not make it into my network. So for me, I want an IDS inside my network. For me, an IPS is a better candidate to be outside your firewall than an IDS. Bruce ________________________________ From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Timothy A. Holmes Sent: Tuesday, November 15, 2005 2:16 PM To: snort Subject: [Snort-users] Where do I go from here Hi Folks: After some fits and starts, I believe that I have a functional IDS Box watching the front door now, and I took out the back door (Wireless ap) and repaired the hole in the wall with bricks and mortar So, I guess the next question is what is the next step? To summarize, I have a SNORT box up and sniffing on the inbound line between the Cable Modem and the Firewall. The management port is inside the firewall and has an IP on it while the sniffing port is outside the firewall and does not have one. I am logging to a mysql database, and running base for reporting. As of the last check, I have received about 4500 alerts today, here is the breakdown from base on them Displaying alerts 1-7 of 7 total < <https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=sig_a
Signature > <https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=sig_d
< <https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=class _a> Classification > <https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=class _d> < <https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=occur _a> Total # > <https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=occur _d> Sensor # < <https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=saddr _a> Source Address > <https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=saddr _d> < <https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=daddr _a> Dest. Address > <https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=daddr _d> < <https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=first _a> First > <https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=first _d> < <https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=last_ a> Last > <https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=last_ d> [snort <http://www.snort.org/pub-bin/sigs.cgi?sid=3> ] (portscan) TCP Portsweep unclassified 55 <https://192.168.0.28/base/base_qry_main.php?new=1&sig%5B0%5D=%3D&sig%5B 1%5D =1&sig_type=1&submit=Query+DB&num_result_rows=-1> (0%) 1 <https://192.168.0.28/base/base_stat_sensor.php?sig%5B0%5D=%3D&sig%5B1%5 D=1& sig_type=1> 1 <https://192.168.0.28/base/base_stat_uaddr.php?addr_type=1&sig_type=1&si g%5B 0%5D=%3D&sig%5B1%5D=1> 31 <https://192.168.0.28/base/base_stat_uaddr.php?addr_type=2&sig_type=1&si g%5B 0%5D=%3D&sig%5B1%5D=1> 2005-11-15 03:06:05 2005-11-15 13:12:23 [snort <http://www.snort.org/pub-bin/sigs.cgi?sid=27> ] (portscan) Open Port unclassified 3679 <https://192.168.0.28/base/base_qry_main.php?new=1&sig%5B0%5D=%3D&sig%5B 1%5D =2&sig_type=1&submit=Query+DB&num_result_rows=-1> (33%) 1 <https://192.168.0.28/base/base_stat_sensor.php?sig%5B0%5D=%3D&sig%5B1%5 D=2& sig_type=1> 1 <https://192.168.0.28/base/base_stat_uaddr.php?addr_type=1&sig_type=1&si g%5B 0%5D=%3D&sig%5B1%5D=2> 302 <https://192.168.0.28/base/base_stat_uaddr.php?addr_type=2&sig_type=1&si g%5B 0%5D=%3D&sig%5B1%5D=2> 2005-11-15 03:06:08 2005-11-15 13:12:28 [snort <http://www.snort.org/pub-bin/sigs.cgi?sid=4> ] (http_inspect) BARE BYTE UNICODE ENCODING unclassified 444 <https://192.168.0.28/base/base_qry_main.php?new=1&sig%5B0%5D=%3D&sig%5B 1%5D =3&sig_type=1&submit=Query+DB&num_result_rows=-1> (4%) 1 <https://192.168.0.28/base/base_stat_sensor.php?sig%5B0%5D=%3D&sig%5B1%5 D=3& sig_type=1> 2 <https://192.168.0.28/base/base_stat_uaddr.php?addr_type=1&sig_type=1&si g%5B 0%5D=%3D&sig%5B1%5D=3> 1 <https://192.168.0.28/base/base_stat_uaddr.php?addr_type=2&sig_type=1&si g%5B 0%5D=%3D&sig%5B1%5D=3> 2005-11-15 00:37:16 2005-11-15 14:12:38 [snort <http://www.snort.org/pub-bin/sigs.cgi?sid=2> ] (http_inspect) DOUBLE DECODING ATTACK unclassified 21 <https://192.168.0.28/base/base_qry_main.php?new=1&sig%5B0%5D=%3D&sig%5B 1%5D =4&sig_type=1&submit=Query+DB&num_result_rows=-1> (0%) 1 <https://192.168.0.28/base/base_stat_sensor.php?sig%5B0%5D=%3D&sig%5B1%5 D=4& sig_type=1> 1 <https://192.168.0.28/base/base_stat_uaddr.php?addr_type=1&sig_type=1&si g%5B 0%5D=%3D&sig%5B1%5D=4> 9 <https://192.168.0.28/base/base_stat_uaddr.php?addr_type=2&sig_type=1&si g%5B 0%5D=%3D&sig%5B1%5D=4> 2005-11-15 07:16:16 2005-11-15 12:38:53 [snort <http://www.snort.org/pub-bin/sigs.cgi?sid=15> ] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY unclassified 6 <https://192.168.0.28/base/base_qry_main.php?new=1&sig%5B0%5D=%3D&sig%5B 1%5D =6&sig_type=1&submit=Query+DB&num_result_rows=-1> (0%) 1 <https://192.168.0.28/base/base_stat_sensor.php?sig%5B0%5D=%3D&sig%5B1%5 D=6& sig_type=1> 1 <https://192.168.0.28/base/base_stat_uaddr.php?addr_type=1&sig_type=1&si g%5B 0%5D=%3D&sig%5B1%5D=6> 3 <https://192.168.0.28/base/base_stat_uaddr.php?addr_type=2&sig_type=1&si g%5B 0%5D=%3D&sig%5B1%5D=6> 2005-11-15 10:43:42 2005-11-15 11:46:43 [snort <http://www.snort.org/pub-bin/sigs.cgi?sid=1> ] (portscan) TCP Portscan unclassified 3 <https://192.168.0.28/base/base_qry_main.php?new=1&sig%5B0%5D=%3D&sig%5B 1%5D =9&sig_type=1&submit=Query+DB&num_result_rows=-1> (0%) 1 <https://192.168.0.28/base/base_stat_sensor.php?sig%5B0%5D=%3D&sig%5B1%5 D=9& sig_type=1> 1 <https://192.168.0.28/base/base_stat_uaddr.php?addr_type=1&sig_type=1&si g%5B 0%5D=%3D&sig%5B1%5D=9> 3 <https://192.168.0.28/base/base_stat_uaddr.php?addr_type=2&sig_type=1&si g%5B 0%5D=%3D&sig%5B1%5D=9> 2005-11-15 10:36:26 2005-11-15 10:36:42 [snort <http://www.snort.org/pub-bin/sigs.cgi?sid=16> ] (http_inspect) OVERSIZE CHUNK ENCODING unclassified 3 <https://192.168.0.28/base/base_qry_main.php?new=1&sig%5B0%5D=%3D&sig%5B 1%5D =13&sig_type=1&submit=Query+DB&num_result_rows=-1> (0%) 1 <https://192.168.0.28/base/base_stat_sensor.php?sig%5B0%5D=%3D&sig%5B1%5 D=13 &sig_type=1> 1 <https://192.168.0.28/base/base_stat_uaddr.php?addr_type=1&sig_type=1&si g%5B 0%5D=%3D&sig%5B1%5D=13> 1 <https://192.168.0.28/base/base_stat_uaddr.php?addr_type=2&sig_type=1&si g%5B 0%5D=%3D&sig%5B1%5D=13> 2005-11-15 11:45:36 2005-11-15 11:46:40 I guess I need to know what to do next and how to begin utilizing this data to better protect my network Anyone who can help, or point me to the proper resources would be greatly appreciated TIM Timothy A. Holmes IT Manager / Network Admin / Web Master / Computer Teacher Medina Christian Academy A Higher Standard... Jeremiah 33:3 Jeremiah 29:11 Esther 4:14 ------------------------------------------------------- This SF.Net email is sponsored by the JBoss Inc. Get Certified Today Register for a JBoss Training Course. Free Certification Exam for All Training Attendees Through End of 2005. For more info visit: http://ads.osdn.com/?ad_id=7628&alloc_id=16845&op=click _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users ------------------------------------------------------- This SF.Net email is sponsored by the JBoss Inc. Get Certified Today Register for a JBoss Training Course. Free Certification Exam for All Training Attendees Through End of 2005. For more info visit: http://ads.osdn.com/?ad_idv28&alloc_id845&op=click _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Where do I go from here Timothy A. Holmes (Nov 15)
- <Possible follow-ups>
- RE: Where do I go from here Briggs, Bruce (Nov 15)
- RE: Where do I go from here Lee Clemens (Nov 15)
- RE: Where do I go from here Briggs, Bruce (Nov 15)
- Re: Where do I go from here Richard Bejtlich (Nov 15)