Re: Snort Configurations

[Joel Esler <jesler () sourcefire com>]

The thing about the install guides is that they are great for people that
want to get Snort up and running quickly with the options that the
"guide-writer" has.  Every network is different and each network will need
it's own specific compile.

I generally recommend that people specifically compile Snort using the VRT's
snort.conf's suggestions. (at the top of the snort.conf there are compile
options.)  Then if you need to adjust fire from there, you can do that.
 Snort is very flexible that way.

Joel

On Thu, Sep 23, 2010 at 1:38 PM, Greg Lane <greglane () laneconstinc com>wrote:

>  That is was what I was guessing would be the end solution instead of
> recompiling because recompiling might mean starting all over.  I just needed
> to understand why it wasn’t working by reconfiguring the rules files and the
> snort.conf also.  I can handle the suppression file I believe.  If I can
> with one last question since you brought up the compile issue is there
> anything else in particular that I might look out for that might have to do
> with how I did compile snort?   Either way I appreciate all the help and I’m
> sure this won’t be the last email that you or the list will see with
> questions about configs from me.
>
>
>
> *Greg Lane*
>
> *IT Manager*
>
> *Lane Enterprises*
>
>
>
> *Email:*  greglane () laneconstinc com
>
> *Phone:* (228)872-2414
>
>
>
> *From:* Joel Esler [mailto:jesler () sourcefire com]
> *Sent:* Thursday, September 23, 2010 11:09 AM
>
> *To:* Greg Lane
> *Subject:* Re: [Snort-users] Snort Configurations
>
>
>
> If you don't want to recompile, you should use the suppressions like we've
> been telling you.  If you want to recompile, then you need to use the
> following compile tags from the VRT snort.conf:
>
>
>
> --enable-sourcefire --enable-reload --enable-targetbased --enable-zlib
> --enable-ipv6 --enable-gre --enable-mpls --enable-ppm --enable-perfprofiling
>
> On Thu, Sep 23, 2010 at 12:07 PM, Greg Lane <greglane () laneconstinc com>
> wrote:
>
> So is that fixable?  I would think that changing the conf file would make
> the difference there because doesn’t it follow the guidelines of that file?
>
>
>
> *Greg Lane*
>
> *IT Manager*
>
> *Lane Enterprises*
>
>
>
> *Email:*  greglane () laneconstinc com
>
> *Phone:* (228)872-2414
>
>
>
> *From:* Joel Esler [mailto:jesler () sourcefire com]
> *Sent:* Thursday, September 23, 2010 11:04 AM
>
>
> *To:* Greg Lane
> *Subject:* Re: [Snort-users] Snort Configurations
>
>
>
> Then, no.  You didn't. That's why commenting out the rules is not working.
>
>
>
> J
>
> On Thu, Sep 23, 2010 at 12:02 PM, Greg Lane <greglane () laneconstinc com>
> wrote:
> > Here is the command that was used to install Snort
> >
> > Open a command prompt and issue the following commands from the directory
> > where you downloaded the Snort
> > source code:
> > sudo tar zxvf snort2.8.6.tar.gz
> > cd snort2.8.6
> > sudo ./configure prefix=/usr/local/snort
> > sudo make
> > sudo make install
> > sudo mkdir /var/log/snort
> > sudo groupadd snort
> > sudo useradd g
> > snort snort
> > sudo chown snort:snort /var/log/snort
> >
> > Greg Lane
> > IT Manager
> > Lane Enterprises
> >
> > Email:  greglane () laneconstinc com
> > Phone: (228)872-2414
> >
> >
> > -----Original Message-----
> > From: Joel Esler [mailto:jesler () sourcefire com]
> > Sent: Thursday, September 23, 2010 10:53 AM
> > To: Greg Lane
> > Cc: snort-users () lists sourceforge net
> > Subject: Re: [Snort-users] Snort Configurations
> >
> > Did you compile Snort with the following tag:
> >
> > --enable-decoder-preprocessor-rules
> >
> > ?
> >
> > On Thu, Sep 23, 2010 at 11:01 AM, Greg Lane <greglane () laneconstinc com>
> > wrote:
> > > How would I know if I'm not using preprocessor rules?  I wouldn't be
> > getting
> > > the alert if I wasn't or am I wrong in assuming that? I’m looking at my
> > > snort.conf file and the path to preprocessor rules is correct but I also
> > > found in step 8 looked like this
> > >
> > > # decoder and preprocessor event rules
> > > # include $PREPROC_RULE_PATH/preprocessor.rules
> > > # include $PREPROC_RULE_PATH/decoder.rules
> > > # include $PREPROC_RULE_PATH/sensitive-data.rules
> > >
> > > I then uncommented preprocessor.rules var and it still is giving me the
> > > alert.  I'm sorry if I'm a nuisance but I'm learning this all at once
> and
> > it
> > > seems that it should be not alerting at this point and trying to figure
> > out
> > > why.
> > >
> > > Greg Lane
> > > IT Manager
> > > Lane Enterprises
> > >
> > > Email:  greglane () laneconstinc com
> > > Phone: (228)872-2414
> > >
> > >
> > > -----Original Message-----
> > > From: Joel Esler [mailto:jesler () sourcefire com]
> > > Sent: Thursday, September 23, 2010 9:51 AM
> > > To: Greg Lane
> > > Subject: Re: [Snort-users] Snort Configurations
> > >
> > > Then you must not be using the preprocessor rules or something.  It
> > > depends on your compile.
> > >
> > > Go with the suppressions, they'll kill it either way.
> > >
> > > J
> > >
> > > On Thu, Sep 23, 2010 at 10:49 AM, Greg Lane <greglane () laneconstinc com>
> > > wrote:
> > > > I did twice.  I killed both the snort and barnyard2 processes and
> started
> > > > them again in the terminal and read barnyard2's output and the rule I
> > > > commented out in the preprocessor.rules file is still there.  In fact I
> > > > commented out all the http rules in the preprocessor.rules file and
> still
> > > > getting the alerts.  I looked in the gen-msg file and wonder if I
> should
> > > > comment those out also but they shouldn't even be getting to that point
> > if
> > > > my logic is correct because the rule shouldn't be alerting.
> > > >
> > > > Greg Lane
> > > > IT Manager
> > > > Lane Enterprises
> > > >
> > > > Email:  greglane () laneconstinc com
> > > > Phone: (228)872-2414
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: Joel Esler [mailto:jesler () sourcefire com]
> > > > Sent: Thursday, September 23, 2010 9:45 AM
> > > > To: Greg Lane
> > > > Cc: Alex Tatistcheff; snort-users () lists sourceforge net
> > > > Subject: Re: [Snort-users] Snort Configurations
> > > >
> > > > "Or you can suppress the output in threshold.conf with something like:
> > > > suppress gen_id 119, sig_id 13"
> > > >
> > > >
> > > > Make sure you restart Snort after the changes.
> > > >
> > > > J
> > > >
> > > > On Thu, Sep 23, 2010 at 10:22 AM, Greg Lane <greglane () laneconstinc com
> >
> > > > wrote:
> > > > > I’m commenting out the rules in the preprocessor.rules file and I’m
> > still
> > > > > getting the alert.  Gen_id 119  sid 19 long header.  Why is it still
> > > > > alerting?
> > > > >
> > > > >
> > > > >
> > > > > Greg Lane
> > > > >
> > > > > IT Manager
> > > > >
> > > > > Lane Enterprises
> > > > >
> > > > >
> > > > >
> > > > > Email:  greglane () laneconstinc com
> > > > >
> > > > > Phone: (228)872-2414
> > > > >
> > > > >
> > > > >
> > > > > From: alex.tatistcheff () gmail com [mailto:alex.tatistcheff () gmail com]
> On
> > > > > Behalf Of Alex Tatistcheff
> > > > > Sent: Wednesday, September 22, 2010 9:46 PM
> > > > > To: Greg Lane
> > > > > Cc: wkitty42 () windstream net; snort-users () lists sourceforge net
> > > > >
> > > > > Subject: Re: [Snort-users] Snort Configurations
> > > > >
> > > > >
> > > > >
> > > > > You can suppress the alerting and not affect the normalization (the
> > > > > important part) of the http_inspect preprocessor by commenting out the
> > > > rules
> > > > > in the preprocessor.rules file.
> > > > >
> > > > > Or you can suppress the output in threshold.conf with something like:
> > > > > suppress gen_id 119, sig_id 13
> > > > >
> > > > > The first option is what I would recommend.
> > > > >
> > > > > Alex Tatistcheff
> > > > > alext () pobox com
> > > > >
> > > > > The most terrifying words in the English language are, "I'm from the
> > > > > government and I'm here to help." -Ronald Reagan
> > > > >
> > > > > On Wed, Sep 22, 2010 at 1:01 PM, Greg Lane <greglane () laneconstinc com
> >
> > > > > wrote:
> > > > >
> > > > > Well there are 3 types of http_inspects that I am getting mainly.
> > > > >  http_inspect: LONG HEADER, http_inspect: NON-RFC DEFINED CHAR,
> > > > > http_inspect: OVERSIZE REQUEST-URI DIRECTORY.
> > > > > Everyone of the sources are from inside my network.  Many of them are
> to
> > > > > amazon EC, quantserve.com(cookie related), yahoo, google, facebook,
> and
> > > > > Pandora.  So you can see that most of the traffic is legit and it
> isn't
> > > > > being triggered from outside the domain.  I'm just not sure how to cut
> > > > down
> > > > > on the number of alerts.  When I get that done I will move on to the
> > next
> > > > > but I am trying to do this in steps so that I can understand
> everything
> > > > that
> > > > > is going on
> > > > >
> > > > > Greg Lane
> > > > > IT Manager
> > > > > Lane Enterprises
> > > > >
> > > > > Email:  greglane () laneconstinc com
> > > > > Phone: (228)872-2414
> > > > >
> > > > > -----Original Message-----
> > > > > From: waldo kitty [mailto:wkitty42 () windstream net]
> > > > > Sent: Wednesday, September 22, 2010 1:21 PM
> > > > > To: snort-users () lists sourceforge net
> > > > > Subject: Re: [Snort-users] Snort Configurations
> > > > >
> > > > > On 9/22/2010 12:39, Greg Lane wrote:
> > > > > > I’m starting to learn how to tune my Snort install and it is a slow
> > > > > > process.  I
> > > > > > have alerts like crazy because I know it needs to be tuned and I
> > > > > > especially have
> > > > > > a lot of http_inspect alerts coming up. I’ve been reading and from
> what
> > > I
> > > > > > can
> > > > > > gather if you don’t have a websever you may not really need this in
> > > > > > operation or
> > > > > > am I wrong?
> > > > >
> > > > > the answer is "it depends"... it depends on if you want to monitor
> > > > outbound
> > > > > http
> > > > > traffic to possibly catch infestations on your network that are
> > reporting
> > > > in
> > > > > or
> > > > > attacking remote http servers... you might also catch (and be able to
> > > > > prevent)
> > > > > internal machines that are being redirected to driveby sites that
> would
> > > > > (attempt
> > > > > to) load them with infestation materials...
> > > > >
> > > > > > If I am wrong then what is the best possible solution for me to cut
> > > > > > down most of the alerts which are false positives so to speak or
> aren’t
> > > > > > dangerous at all? This will probably be one of many questions
> > concerning
> > > > > > configs
> > > > > > coming to an email box near you.
> > > > >
> > > > > false positives need to be reported to those who write those rules so
> > > they
> > > > > can
> > > > > be looked into and adjusted if necessary...
> ----------------------------------------------------------------------------
> > > > --
> > > > > Start uncovering the many advantages of virtual appliances
> > > > > and start using them to simplify application deployment and
> > > > > accelerate your shift to cloud computing.
> > > > > http://p.sf.net/sfu/novell-sfdev2dev
> > > > > _______________________________________________
> > > > > Snort-users mailing list
> > > > > Snort-users () lists sourceforge net
> > > > > Go to this URL to change user options or unsubscribe:
> > > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > > Snort-users list archive:
> > > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> ----------------------------------------------------------------------------
> > > > --
> > > > > Start uncovering the many advantages of virtual appliances
> > > > > and start using them to simplify application deployment and
> > > > > accelerate your shift to cloud computing.
> > > > > http://p.sf.net/sfu/novell-sfdev2dev
> > > > > _______________________________________________
> > > > > Snort-users mailing list
> > > > > Snort-users () lists sourceforge net
> > > > > Go to this URL to change user options or unsubscribe:
> > > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > > Snort-users list archive:
> > > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> ----------------------------------------------------------------------------
> > > > --
> > > > > Nokia and AT&T present the 2010 Calling All Innovators-North America
> > > > contest
> > > > > Create new apps & games for the Nokia N8 for consumers in  U.S. and
> > > Canada
> > > > > $10 million total in prizes - $4M cash, 500 devices, nearly $6M in
> > > > marketing
> > > > > Develop with Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi
> Store
> > > > > http://p.sf.net/sfu/nokia-dev2dev
> > > > > _______________________________________________
> > > > > Snort-users mailing list
> > > > > Snort-users () lists sourceforge net
> > > > > Go to this URL to change user options or unsubscribe:
> > > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > > Snort-users list archive:
> > > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------------------------------
Nokia and AT&T present the 2010 Calling All Innovators-North America contest
Create new apps & games for the Nokia N8 for consumers in  U.S. and Canada
$10 million total in prizes - $4M cash, 500 devices, nearly $6M in marketing
Develop with Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi Store 
http://p.sf.net/sfu/nokia-dev2dev

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users