Snort mailing list archives
Re: newbq: snort working, getting hits, got sig id's. What now?
From: Tony Robinson <deusexmachina667 () gmail com>
Date: Fri, 30 Nov 2012 23:31:09 -0500
Have to agree with these folks. This is what analysts get paid to do: look at signatures, correlate the source and the destination, and make determinations based off of rule documentation and baselines of what is considered "normal" activity for the source or destination system(s) in question. A good portion of the time, and this is especially true of the VRT rules, the rule metadata will have URLs and links to articles explicitly stating what it is the rule is attempting to detect, what software version of X software it affects and, most of the time, what patch fixes the issue. You determine if you are running the software and software version in question, whether or not the vulnerability has been patched, and you go from there. (Yes... I know I'm oversimplifying this greatly... don't hurt me.)

You did the easy part in setting up your IDS; the hard part is making determinations based on what you know. Some things to make it easier: if the rule is a VRT rule, the file opensource.gz on snort.org, while massive, has documentation on a boatload of rules they have released. Additionally, the rule search on snort.org can give you good information as well: http://www.snort.org/search

Finally, there was a video that was posted some time ago where Joel did a presentation on doing exactly what it is you're trying to do... damned if I can find it though :\ ... hopefully someone else has it?

Regards,
DA

On Fri, Nov 30, 2012 at 1:09 PM, John York <YorkJ () brcc edu> wrote:
> A quick way is to grep your rules file to see what the rule says. Something like
>
> grep "2012649" snort.rules
>
> From: Jefferson, Shawn [mailto:Shawn.Jefferson () bcferries com]
> Sent: Friday, November 30, 2012 12:34 PM
> To: Thomison, Lee; 'snort-users () lists sourceforge net'
> Subject: Re: [Snort-users] newbq: snort working, getting hits, got sig id's. What now?
>
> In the rule itself there are sometimes URLs that link to more information. BASE, at least, displays these. There is also a Snort page where you can look up information on a rule at www.snort.org, but not all rules have useful information. After that, you can look at the rule itself: what is it looking for? Then you get into the nitty-gritty of trying to figure out if this is legitimate or not, which means understanding (or talking to people in your company about) what these systems are doing, what's "normal", etc. There's no magic documentation for that, unfortunately.
>
> From: Thomison, Lee [mailto:ThomisonL () muni org]
> Sent: Thursday, November 29, 2012 3:30 PM
> To: 'snort-users () lists sourceforge net'
> Subject: [Snort-users] newbq: snort working, getting hits, got sig id's. What now?
>
> Pardon the newbie question, but...
>
> I've got snort up and running (via Security Onion 12.04), got the latest VRT rules, etc. Let it run overnight and now I've got hits (surprise, surprise). I've got sig IDs for the first couple of high-event-count hits I want to look at, but what now? Where do I go next, or what do I do next, to decide whether I have a problem or not?
>
> Here's the two sigs I want to use as trainers for myself:
>
> SIG ID
> 2102649 GPL SQL service_name buffer overflow attempt
> 2102650 GPL SQL user name buffer overflow attempt
>
> Where do I go to get more information on a sig ID?
>
> Now, in this case, the source IP is an old control systems box sending data to a couple of Oracle databases. The source and dest IPs correspond with the 'right' boxes. So I suspect that this is simply a result of the vendor or Oracle (or both) being sloppy. But how do I confirm (or not)?
>
> FWIW, googling showed lots of info on how to write rules, but nothing on what to do after a hit.
>
> Thanks!
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
-- when does reality end? when does fantasy begin?
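As an added example (not code from any poster in this thread), a small Python helper that does what the replies describe for the SIDs in the question: pull the rule line for a given SID out of a rules file, keep the source/destination part of the header so you can compare it against the hosts in your alert, and expand the rule's reference: options into lookup URLs. The sample rule text is constructed: only the SIDs and msg strings come from the thread, the reference values are placeholders, and the URL prefixes mirror the common entries in Snort's reference.config.

```python
import re

# Constructed sample rule text for this example. The SIDs and msg strings are
# the ones from the thread; the headers and reference values are placeholders,
# not the real GPL rule content.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1521 (msg:"GPL SQL service_name buffer overflow attempt"; reference:cve,0000-0000; reference:url,example.invalid/advisory; classtype:attempted-user; sid:2102649; rev:1;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1521 (msg:"GPL SQL user name buffer overflow attempt"; reference:bugtraq,00000; classtype:attempted-user; sid:2102650; rev:1;)
'''

# URL prefixes mirroring the common entries in Snort's reference.config (assumed subset).
REF_PREFIX = {
    "cve": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=",
    "bugtraq": "http://www.securityfocus.com/bid/",
    "url": "http://",
}

# Rule header: action proto src sport direction dst dport, before the "(" that opens the options.
HEADER_RE = re.compile(r'^(\w+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\(')

def reference_url(system, value):
    """Expand one 'reference:system,value' option into a URL; unknown systems stay as system:value."""
    prefix = REF_PREFIX.get(system.lower())
    return prefix + value if prefix else f"{system}:{value}"

def lookup_sid(rules_text, sid):
    """Return src/dst, msg, classtype and reference URLs for the rule with this SID, or None."""
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid_m = re.search(r'\bsid:\s*(\d+)\s*;', line)
        if not sid_m or int(sid_m.group(1)) != sid:
            continue
        hdr = HEADER_RE.match(line)
        msg = re.search(r'msg:\s*"([^"]*)"', line)
        ctype = re.search(r'classtype:\s*([^;]+);', line)
        refs = re.findall(r'reference:\s*(\w+)\s*,\s*([^;]+);', line)
        return {
            "sid": sid,
            "src": hdr.group(3) if hdr else None,
            "dst": hdr.group(6) if hdr else None,
            "msg": msg.group(1) if msg else None,
            "classtype": ctype.group(1).strip() if ctype else None,
            "references": [reference_url(s, v.strip()) for s, v in refs],
        }
    return None

if __name__ == "__main__":  # in practice: lookup_sid(open("snort.rules").read(), 2102649)
    print(lookup_sid(SAMPLE_RULES, 2102649))
```

The reference URLs are the same links BASE shows from the rule metadata; the src/dst fields tell you which direction the rule expects, which is the first thing to check against the control-system box and the database hosts from the alert.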
Current thread:
- newbq: snort working, getting hits, got sig id's. What now? Thomison, Lee (Nov 30)
- Re: newbq: snort working, getting hits, got sig id's. What now? Jefferson, Shawn (Nov 30)
- Re: newbq: snort working, getting hits, got sig id's. What now? John York (Nov 30)
- Re: newbq: snort working, getting hits, got sig id's. What now? Tony Robinson (Nov 30)
- Re: newbq: snort working, getting hits, got sig id's. What now? waldo kitty (Dec 01)
- Re: newbq: snort working, getting hits, got sig id's. What now? John York (Nov 30)
- Re: newbq: snort working, getting hits, got sig id's. What now? Jefferson, Shawn (Nov 30)
- Re: newbq: snort working, getting hits, got sig id's. What now? Y M (Dec 02)
- Re: newbq: snort working, getting hits, got sig id's. What now? Giles Coochey (Dec 04)