Snort mailing list archives
Re: Snort against DARPA Dataset
From: Sravan Bhamidipati <bsravanin () gmail com>
Date: Thu, 5 Jul 2012 12:11:32 -0400
On Thu, Jul 5, 2012 at 12:06 PM, Sunny Fugate <fugate () unm edu> wrote:
This is normal....most rules are defined with $HOME_NET as the destination for exactly the reason you gave (attacks being incoming traffic). A single detection rule has a header: alert tcp $EXTERNAL_NET any -> $HOME_NET any
I too have noticed this. The arrow literally defines source -> destination. Most rules define
$HOME_NET as the destination. While there are rules for exfiltration, they represent a a smaller number compared to those for active attacks (i.e. prior to actual compromise). It may also be that the DARPA dataset doesn't have a large number of exfiltration attacks.
Does or doesn't? Because 80% of the labeled attacks correspond to *outgoing*traffic. In that case, does it make sense to filter out all the labels with outgoing traffic (and the traffic itself from the PCAPs)? How did you generate your list of HOME_NET IP addresses for the DARPA
dataset? To get things working as you expect, the network structure of the original test-setup (available on the same website as the datasets) will probably need to be included in IP list. I'm not sure which of the datasets you are using, but one of their network diagrams lists anything in the IP range for 172.16.0.0/16 as being "inside".
They gave the full list of the network used: http://www.ll.mit.edu/mission/communications/ist/corpora/ideval/docs/hosts_1998.html. I use the IPs in "Routers & Hubs" and "Inside Hosts", and their corresponding OSs for frag3/stream5 configuration. Cheers,
Sunny On Jul 5, 2012, at 9:12 AM, Sravan Bhamidipati wrote:From: Sunny Fugate <fugate () unm edu> To: snort-users () lists sourceforge net Cc: Date: Mon, 2 Jul 2012 11:42:04 -0600 Subject: Re: [Snort-users] Snort against DARPA Dataset Regarding your detection rates, check that you have signatures for theunidentified traffic. Is it 30% of labelled attacks for which you have signatures, or 30% of the labelled attacks don't have signatures in Snort?Only 30% of the labelled attacks have signatures in Snort. As Robert pointed out, many of the old DARPA attacks may not behandled by current detection rules or current preprocessors. It may also be that you might need to change/refine configuration of various specialized pre-processors. Some immediate things to check might be port-lists for various preprocessors which might prevent certain preprocessors and/or rules from being applied if traffic is not on an expected port. You'll need to examine your missed attacks, see if these are handled at all by Snort and by which preprocessor and whether the preprocessor is configured such that it would detect them.Thank you, Sunny. I had thought of examining the missed attacks, but itsomehow slipped my mind. I did what you suggested.In my Snort config, I have a list of IP addresses defined as HOME_NET.Of the alerts generated by Snort roughly 90% have these IP addresses as the destinations, 5% have these IP addresses as sources (but not destinations). Is this expected behavior? Is Snort "less concerned" about outgoing packets? Is there a way to change that behavior, or is that against the norms of an IDS?This could be a major cause of the low detection rates I am getting,because 80% of the labelled attacks have a destination that is not part of HOME_NET.This is counter-intuitive to my understanding. I had been of the opinionthat an "intrusion" means HOME_NET is the destination, and "exfiltration" (or whatever happens after a system is compromised) has HOME_NET as the source.From: waldo kitty <wkitty42 () windstream net> To: snort-users () lists sourceforge net Cc: Date: Tue, 03 Jul 2012 01:25:25 -0400 Subject: Re: [Snort-users] Snort against DARPA Dataset On 7/2/2012 10:21, Sravan Bhamidipati wrote: Are there any recommended portscan detection tools that can play tcpdumpfiles?I have tried scanlogd and psad, and didn't find the option. what's wrong with wireshark or similar? (other than maybe beingwinwhatever based??)Sorry, Waldo. I couldn't figure out how to detect portscans usingWireshark.However, I looked at the counts of (Source IP, Destination IP) orderedpairs in the list of labelled attacks, and found that about 60% of them correspond to just 3 such ordered pairs. My guess is that these are some kind of DoS attacks. (The source IP is sending packets to the destination IP using 65536 x 1024 combinations of source and destination port numbers.) None of these generated Snort alerts. Does Snort have a problem detecting DoS attacks or could I be missing some important setting in snort.conf?------------------------------------------------------------------------------Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats.http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/_______________________________________________Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latestSnort news!
------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Re: Snort against DARPA Dataset Sravan Bhamidipati (Jul 02)
- Re: Snort against DARPA Dataset Sunny Fugate (Jul 02)
- Re: Snort against DARPA Dataset waldo kitty (Jul 02)
- Re: Snort against DARPA Dataset Sravan Bhamidipati (Jul 05)
- Re: Snort against DARPA Dataset Sunny Fugate (Jul 05)
- Re: Snort against DARPA Dataset Sravan Bhamidipati (Jul 05)
- Re: Snort against DARPA Dataset Patrick Mullen (Jul 05)
- Re: Snort against DARPA Dataset Sravan Bhamidipati (Jul 05)
- Re: Snort against DARPA Dataset Sunny Fugate (Jul 05)
- <Possible follow-ups>
- Re: Snort against DARPA Dataset Sravan Bhamidipati (Jul 13)
- Re: Snort against DARPA Dataset waldo kitty (Jul 14)
- Re: Snort against DARPA Dataset Joel Esler (Jul 14)
- Re: Snort against DARPA Dataset waldo kitty (Jul 16)
- Re: Snort against DARPA Dataset waldo kitty (Jul 14)