Re: Help with noisy alerts for known application

[Daniel Shepherd <shepdelacreme () gmail com>]

You need to use "and" for that filter to work...with the "or" if it's
any port except the first in the list then it will pass the filter.

On Apr 10, 2011, at 10:31 PM, Geoff Sweet <geoff.sweet () wemadeusa com> wrote:

> So I added a filter that blocked out our game ports.  I can see in the process list that snort is running with the -F 
> option and I know it's loading the file since I put a little error in the bpf file and it errored out on it.  The 
> filter that I put is:
>
> not port 15779 or not port 7000 or not port 7100 or not port 7101 or not port 7200 or not port 7201 or not port 7202 
> or not port 7203 or not port 7204 or not port 7205
>
> Seems pretty simple and straight forward.  But still I see TONS of alerts on these ports as "(portscan) Open Port".  
> I don't get it.
>
> Help?
>
> -Geoff
>
> From: Joel Esler [mailto:jesler () sourcefire com]
> Sent: Friday, April 08, 2011 12:05 PM
> To: Geoff Sweet
> Cc: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] Help with noisy alerts for known application
>
> I would try a bpf statement instead ignoring those ports.  The pass rules will make the rules engine not process 
> traffic.  But the portscan preprocessor is further up the Snort stack, so pass rules don't cover those.
>
> Check out a bpf.
>
> Joel
> On Fri, Apr 8, 2011 at 2:26 PM, Geoff Sweet <geoff.sweet () wemadeusa com> wrote:
> When we first implemented Snort we found that we were generating tons of alerts from our games. That was to be 
> expected and so we started digging in to try to quiet down the alerts.  The very first thing that we trimmed was the 
> "COMMUNITY SIP TCP/IP message flooding directed to SIP proxy" alert that was thrown for basically every single 
> connection to our game.  A bit of reading in the old snort forum said that getting rid of that rule was ok so I 
> commented it out of the rule file.  So after a bit of reading online I came up with two rule files that describe our 
> two primary games, and from the reading set them to "pass" so that Snort would recognize the traffic and quietly pass 
> it.  The rules look like this:
>
> /etc/snort/rules$ cat wemade-mir3.rules
> pass tcp $EXTERNAL_NET any -> any 7000 (msg:"MIR3 Application";)
> pass udp $EXTERNAL_NET any -> any 7000 (msg:"MIR3 Application";)
> pass tcp $EXTERNAL_NET any -> any 7100 (msg:"MIR3 Application";)
> pass udp $EXTERNAL_NET any -> any 7100 (msg:"MIR3 Application";)
> pass tcp $EXTERNAL_NET any -> any 7101 (msg:"MIR3 Application";)
> pass udp $EXTERNAL_NET any -> any 7101 (msg:"MIR3 Application";)
> pass tcp $EXTERNAL_NET any -> any 7200 (msg:"MIR3 Application";)
> pass tcp $EXTERNAL_NET any -> any 7201 (msg:"MIR3 Application";)
> pass tcp $EXTERNAL_NET any -> any 7202 (msg:"MIR3 Application";)
> pass tcp $EXTERNAL_NET any -> any 7203 (msg:"MIR3 Application";)
> pass tcp $EXTERNAL_NET any -> any 7204 (msg:"MIR3 Application";)
> pass tcp $EXTERNAL_NET any -> any 7205 (msg:"MIR3 Application";)
> pass udp $EXTERNAL_NET any -> any 7200 (msg:"MIR3 Application";)
> pass udp $EXTERNAL_NET any -> any 7201 (msg:"MIR3 Application";)
> pass udp $EXTERNAL_NET any -> any 7202 (msg:"MIR3 Application";)
> pass udp $EXTERNAL_NET any -> any 7203 (msg:"MIR3 Application";)
> pass udp $EXTERNAL_NET any -> any 7204 (msg:"MIR3 Application";)
> pass udp $EXTERNAL_NET any -> any 7205 (msg:"MIR3 Application";)
>
> /etc/snort/rules$ cat joymax-silkroads.rules
> pass tcp $EXTERNAL_NET any -> any 15779 (msg:"Silkroads Online";)
> pass tcp $EXTERNAL_NET any -> any 12989 (msg:"Silkroads Online";)
> pass tcp $EXTERNAL_NET any -> any 15021 (msg:"Silkroads Online";)
> pass tcp $EXTERNAL_NET any -> any 15020 (msg:"Silkroads Online";)
>
> The problem at this point is that every connection to the games generates a portscan alert.  I have over 220K of them 
> in a 12 hour period.  I was under the assumption from the documentation that by creating this rule with the specific 
> ports listed and the action as "pass" that snort wouldn't raise an alert.  Am I doing something wrong with this rule? 
>  All the alerts are marked with the signature "(portscan) Open Port: [whatever game port from above]" and links to 
> http://www.snortid.com/snortid.asp?QueryId=122-27
>
> Any help would be greatly appreciated.
>
> -Geoff
>
>
> ------------------------------------------------------------------------------
> Xperia(TM) PLAY
> It's a major breakthrough. An authentic gaming
> smartphone on the nation's most reliable network.
> And it wants your games.
> http://p.sf.net/sfu/verizon-sfdev
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>
> --
> Joel Esler | http://blog.snort.org | http://vrt-blog.snort.org | http://blog.clamav.net
> Twitter:  http://twitter.com/snort
>
> ------------------------------------------------------------------------------
> Xperia(TM) PLAY
> It's a major breakthrough. An authentic gaming
> smartphone on the nation's most reliable network.
> And it wants your games.
> http://p.sf.net/sfu/verizon-sfdev
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

------------------------------------------------------------------------------
Xperia(TM) PLAY
It's a major breakthrough. An authentic gaming
smartphone on the nation's most reliable network.
And it wants your games.
http://p.sf.net/sfu/verizon-sfdev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users