Snort mailing list archives
Re: Snort Configurations
From: "Greg Lane" <greglane () laneconstinc com>
Date: Thu, 23 Sep 2010 10:01:56 -0500
How would I know if I'm not using preprocessor rules? I wouldn't be getting the alert if I wasn't, or am I wrong in assuming that? I'm looking at my snort.conf file and the path to preprocessor rules is correct, but I also found that step 8 looked like this:

    # decoder and preprocessor event rules
    # include $PREPROC_RULE_PATH/preprocessor.rules
    # include $PREPROC_RULE_PATH/decoder.rules
    # include $PREPROC_RULE_PATH/sensitive-data.rules

I then uncommented the preprocessor.rules var and it is still giving me the alert. I'm sorry if I'm a nuisance, but I'm learning this all at once, and it seems that it should not be alerting at this point and I'm trying to figure out why.

Greg Lane
IT Manager
Lane Enterprises
Email: greglane () laneconstinc com
Phone: (228)872-2414

-----Original Message-----
From: Joel Esler [mailto:jesler () sourcefire com]
Sent: Thursday, September 23, 2010 9:51 AM
To: Greg Lane
Subject: Re: [Snort-users] Snort Configurations

Then you must not be using the preprocessor rules or something. It depends on your compile. Go with the suppressions, they'll kill it either way.

J

On Thu, Sep 23, 2010 at 10:49 AM, Greg Lane <greglane () laneconstinc com> wrote:

I did twice. I killed both the snort and barnyard2 processes and started them again in the terminal and read barnyard2's output, and the rule I commented out in the preprocessor.rules file is still there. In fact I commented out all the http rules in the preprocessor.rules file and am still getting the alerts. I looked in the gen-msg file and wonder if I should comment those out also, but they shouldn't even be getting to that point if my logic is correct, because the rule shouldn't be alerting.

Greg Lane
IT Manager
Lane Enterprises
Email: greglane () laneconstinc com
Phone: (228)872-2414

-----Original Message-----
From: Joel Esler [mailto:jesler () sourcefire com]
Sent: Thursday, September 23, 2010 9:45 AM
To: Greg Lane
Cc: Alex Tatistcheff; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort Configurations

"Or you can suppress the output in threshold.conf with something like: suppress gen_id 119, sig_id 13"

Make sure you restart Snort after the changes.

J

On Thu, Sep 23, 2010 at 10:22 AM, Greg Lane <greglane () laneconstinc com> wrote:

I'm commenting out the rules in the preprocessor.rules file and I'm still getting the alert. Gen_id 119 sid 19 long header. Why is it still alerting?

Greg Lane
IT Manager
Lane Enterprises
Email: greglane () laneconstinc com
Phone: (228)872-2414

From: alex.tatistcheff () gmail com [mailto:alex.tatistcheff () gmail com] On Behalf Of Alex Tatistcheff
Sent: Wednesday, September 22, 2010 9:46 PM
To: Greg Lane
Cc: wkitty42 () windstream net; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort Configurations

You can suppress the alerting and not affect the normalization (the important part) of the http_inspect preprocessor by commenting out the rules in the preprocessor.rules file. Or you can suppress the output in threshold.conf with something like:

    suppress gen_id 119, sig_id 13

The first option is what I would recommend.

Alex Tatistcheff
alext () pobox com
The most terrifying words in the English language are, "I'm from the government and I'm here to help." -Ronald Reagan

On Wed, Sep 22, 2010 at 1:01 PM, Greg Lane <greglane () laneconstinc com> wrote:

Well, there are 3 types of http_inspects that I am getting mainly: http_inspect: LONG HEADER, http_inspect: NON-RFC DEFINED CHAR, http_inspect: OVERSIZE REQUEST-URI DIRECTORY. Every one of the sources is from inside my network. Many of them are to Amazon EC, quantserve.com (cookie related), Yahoo, Google, Facebook, and Pandora. So you can see that most of the traffic is legit and it isn't being triggered from outside the domain. I'm just not sure how to cut down on the number of alerts. When I get that done I will move on to the next, but I am trying to do this in steps so that I can understand everything that is going on.

Greg Lane
IT Manager
Lane Enterprises
Email: greglane () laneconstinc com
Phone: (228)872-2414

-----Original Message-----
From: waldo kitty [mailto:wkitty42 () windstream net]
Sent: Wednesday, September 22, 2010 1:21 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort Configurations

On 9/22/2010 12:39, Greg Lane wrote:
> I'm starting to learn how to tune my Snort install and it is a slow process. I have alerts like crazy because I know it needs to be tuned, and I especially have a lot of http_inspect alerts coming up. I've been reading, and from what I can gather, if you don't have a webserver you may not really need this in operation, or am I wrong?

the answer is "it depends"... it depends on if you want to monitor outbound http traffic to possibly catch infestations on your network that are reporting in or attacking remote http servers... you might also catch (and be able to prevent) internal machines that are being redirected to driveby sites that would (attempt to) load them with infestation materials...

> If I am wrong then what is the best possible solution for me to cut down most of the alerts which are false positives so to speak or aren't dangerous at all? This will probably be one of many questions concerning configs coming to an email box near you.

false positives need to be reported to those who write those rules so they can be looked into and adjusted if necessary...
----------------------------------------------------------------------------
Start uncovering the many advantages of virtual appliances and start using them to simplify application deployment and accelerate your shift to cloud computing. http://p.sf.net/sfu/novell-sfdev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Snort Configurations Greg Lane (Sep 22)
- Re: Snort Configurations waldo kitty (Sep 22)
- Re: Snort Configurations Greg Lane (Sep 22)
- Re: Snort Configurations Alex Tatistcheff (Sep 22)
- Re: Snort Configurations Greg Lane (Sep 23)
- Re: Snort Configurations Joel Esler (Sep 23)
- Re: Snort Configurations Greg Lane (Sep 23)
- Re: Snort Configurations Joel Esler (Sep 23)
- Re: Snort Configurations Greg Lane (Sep 23)
- Re: Snort Configurations Joel Esler (Sep 23)
- Re: Snort Configurations Greg Lane (Sep 23)
- Re: Snort Configurations Eoin Miller (Sep 23)
- Re: Snort Configurations Russ Combs (Sep 24)
- Re: Snort Configurations Greg Lane (Sep 24)
- Re: Snort Configurations Greg Lane (Sep 22)
- Re: Snort Configurations waldo kitty (Sep 22)
- Re: Snort Configurations Greg Lane (Sep 23)
- Re: Snort Configurations waldo kitty (Sep 23)
- Re: Snort Configurations waldo kitty (Sep 23)