Re: Snort against DARPA Dataset

[Sravan Bhamidipati <bsravanin () gmail com>]

On Thu, Jul 5, 2012 at 12:06 PM, Sunny Fugate <fugate () unm edu> wrote:

> This is normal....most rules are defined with $HOME_NET as the destination
> for exactly the reason you gave (attacks being incoming traffic).  A single
> detection rule has a header:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any
I too have noticed this.


The arrow literally defines source -> destination. Most rules define
> $HOME_NET as the destination.   While there are rules for exfiltration,
> they represent a a smaller number compared to those for active attacks
> (i.e. prior to actual compromise).   It may also be that the DARPA dataset
> doesn't have a large number of exfiltration attacks.
Does or doesn't? Because 80% of the labeled attacks correspond to
*outgoing*traffic. In that case, does it make sense to filter out all
the labels with
outgoing traffic (and the traffic itself from the PCAPs)?


How did you generate your list of HOME_NET IP addresses for the DARPA
> dataset?  To get things working as you expect, the network structure of the
> original test-setup (available on the same website as the datasets) will
> probably need to be included in IP list.  I'm not sure which of the
> datasets you are using, but one of their network diagrams lists anything in
> the IP range for 172.16.0.0/16 as being "inside".
They gave the full list of the network used:
http://www.ll.mit.edu/mission/communications/ist/corpora/ideval/docs/hosts_1998.html.
I use the IPs in "Routers & Hubs" and "Inside Hosts", and their
corresponding OSs for frag3/stream5 configuration.


Cheers,
> Sunny
>
> On Jul 5, 2012, at 9:12 AM, Sravan Bhamidipati wrote:
>
> > From: Sunny Fugate <fugate () unm edu>
> > To: snort-users () lists sourceforge net
> > Cc:
> > Date: Mon, 2 Jul 2012 11:42:04 -0600
> > Subject: Re: [Snort-users] Snort against DARPA Dataset
> > Regarding your detection rates, check that you have signatures for the
> unidentified traffic.  Is it 30% of labelled attacks for which you have
> signatures, or 30% of the labelled attacks don't have signatures in Snort?
> > Only 30% of the labelled attacks have signatures in Snort.
> >
> >
> >   As Robert pointed out, many of the old DARPA attacks may not be
> handled by current detection rules or current preprocessors.  It may also
> be that you might need to change/refine configuration of various
> specialized pre-processors. Some immediate things to check might be
> port-lists for various preprocessors which might prevent certain
> preprocessors and/or rules from being applied if traffic is not on an
> expected port.   You'll need to examine your missed attacks, see if these
> are handled at all by Snort and by which preprocessor and whether the
> preprocessor is configured such that it would detect them.
> > Thank you, Sunny. I had thought of examining the missed attacks, but it
> somehow slipped my mind. I did what you suggested.
> > In my Snort config, I have a list of IP addresses defined as HOME_NET.
> Of the alerts generated by Snort roughly 90% have these IP addresses as the
> destinations, 5% have these IP addresses as sources (but not destinations).
> Is this expected behavior? Is Snort "less concerned" about outgoing
> packets? Is there a way to change that behavior, or is that against the
> norms of an IDS?
> > This could be a major cause of the low detection rates I am getting,
> because 80% of the labelled attacks have a destination that is not part of
> HOME_NET.
> > This is counter-intuitive to my understanding. I had been of the opinion
> that an "intrusion" means HOME_NET is the destination, and "exfiltration"
> (or whatever happens after a system is compromised) has HOME_NET as the
> source.
> > From: waldo kitty <wkitty42 () windstream net>
> > To: snort-users () lists sourceforge net
> > Cc:
> > Date: Tue, 03 Jul 2012 01:25:25 -0400
> > Subject: Re: [Snort-users] Snort against DARPA Dataset
> > On 7/2/2012 10:21, Sravan Bhamidipati wrote:
> > Are there any recommended portscan detection tools that can play tcpdump
> files?
> > I have tried scanlogd and psad, and didn't find the option.
> > what's wrong with wireshark or similar? (other than maybe being
> winwhatever based??)
> > Sorry,  Waldo. I couldn't figure out how to detect portscans using
> Wireshark.
> > However, I looked at the counts of (Source IP, Destination IP) ordered
> pairs in the list of labelled attacks, and found that about 60% of them
> correspond to just 3 such ordered pairs. My guess is that these are some
> kind of DoS attacks. (The source IP is sending packets to the destination
> IP using 65536 x 1024 combinations of source and destination port numbers.)
> None of these generated Snort alerts. Does Snort have a problem detecting
> DoS attacks or could I be missing some important setting in snort.conf?
> >
> ------------------------------------------------------------------------------
> > Live Security Virtual Conference
> > Exclusive live event will cover all the ways today's security and
> > threat landscape has changed and how IT managers can respond. Discussions
> > will include endpoint security, mobile security and the latest in malware
> > threats.
> http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/_______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!