Snort mailing list archives

Re: Ignoring Backups - TCP Stateful?


From: Doug Burks <doug.burks () gmail com>
Date: Thu, 4 Dec 2014 08:22:53 -0500

Replies inline.

On Wed, Dec 3, 2014 at 7:12 PM, Colony.Three <Colony.Three () protonmail ch> wrote:
# Backups
not(tcp src host 192.168.1.4 and (tcp src port 8027))

I think this should not log packets -from- the backups machine (.4)
requesting the backup, but what about the responses? These will likely
come back on different src and dst ports which there is no way of predicting.
If packet capture for tcp is stateful, I should be OK. But somehow I doubt
the various SecurityOnion apps assemble tcp packet streams statefully,
real-time. I can see how to assemble them later for analysis, but not
real-time.

Is there a recommended way to -not- save backup packets to disk in this
situation?

Have you seen the BPF page on our Wiki?
https://code.google.com/p/security-onion/wiki/BPF

There are some good examples there and also some good links on how to
troubleshoot BPF using tcpdump.

Sure, that was one of the first docs I read when setting up for Ignore of
backups.

But nothing addresses this issue of Ignoring whole TCP stateful sessions.
It stands to reason that packet capture will collect anything not
specifically Ignored, and there is no way to predict what src/dest ports
that responses to the rsync command will come back on.

I was hoping that someone had succeeded in excluding backups before, and had
come up with a solution, as it is such an unnecessary waste of packet
capture space.

As SecurityOnion runs in a vbox VM, it's not practical to shut down the
whole thing when it's time for (automatic) backups instigated by the backups
server. (a whole 'nother machine)  Would I have to murder the VM with a cron
job, and then restart it manually?  I don't like the idea of my IDS being
down all Sunday.

No, I wouldn't recommend shutting your IDS down for a day either :)

Instead, simply write a cron job that would fire at the beginning of
your backup window that would put the BPF in place and restart the
appropriate services on the Security Onion VM (snort, netsniff-ng,
etc.).  Then write a second cron job that would fire at the end of
your backup window to remove the BPF and restart the appropriate
services.

In my case, the backups server calls rsync to backup the LAN machines
(concurrently).  The rsync daemon is not used anywhere.

Can you provide more information about what the actual traffic flows
look like?  Perhaps some example traffic flows?

Would it help to simplify the BPF by removing "src"?  So something like this?

not(tcp host 192.168.1.4 and tcp port 8027)



-- 
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
Last day to register for 3-Day Training Class in Augusta GA is 12/11!
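As an added illustration (not from the thread or from Security Onion), a small Python model of the two BPF expressions discussed above, run over constructed packets. BPF is evaluated per packet with no session state, and `host`/`port` without `src`/`dst` match either end of the packet, which is why the simplified expression also drops the replies that the `src`-qualified one lets through. The client address and port are assumed values.

```python
# Tiny per-packet model of the two BPF expressions from the thread.
# Constructed packets; the client address/port are assumptions.
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

BACKUP_HOST = "192.168.1.4"   # from the thread
BACKUP_PORT = 8027            # from the thread
CLIENT = "192.168.1.20"       # constructed: a LAN machine being backed up
CLIENT_PORT = 22              # constructed: assumes rsync runs over ssh

def src_only_filter(p: Pkt) -> bool:
    """not(tcp src host 192.168.1.4 and (tcp src port 8027)).
    True means the packet still reaches the capture."""
    return not (p.proto == "tcp" and p.src == BACKUP_HOST
                and p.sport == BACKUP_PORT)

def bidirectional_filter(p: Pkt) -> bool:
    """not(tcp host 192.168.1.4 and tcp port 8027).
    'host' and 'port' match either src or dst, so both directions are excluded."""
    host_hit = BACKUP_HOST in (p.src, p.dst)
    port_hit = BACKUP_PORT in (p.sport, p.dport)
    return not (p.proto == "tcp" and host_hit and port_hit)

# One backup exchange: the request from the backup server and the reply to it.
BACKUP_FLOW = [
    Pkt("tcp", BACKUP_HOST, BACKUP_PORT, CLIENT, CLIENT_PORT),   # request
    Pkt("tcp", CLIENT, CLIENT_PORT, BACKUP_HOST, BACKUP_PORT),   # response
]
# Traffic that must keep being captured: an admin ssh session to the backup
# server on another port, and a flow that does not involve it at all.
OTHER_TRAFFIC = [
    Pkt("tcp", "192.168.1.30", 50000, BACKUP_HOST, 22),
    Pkt("tcp", "192.168.1.30", 50001, "10.0.0.1", 443),
]

def captured(filt, pkts):
    """Return the packets a filter would still hand to the sniffer."""
    return [p for p in pkts if filt(p)]
```

With the `src`-qualified expression the response packet is still written to disk; with the simplified one neither direction is, while unrelated traffic to the same host is still captured.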
