Snort mailing list archives
Re: snort not alerting on same ip ssh attack after restart
From: John Devine <john.devine () nuspire com>
Date: Fri, 8 Apr 2016 19:47:48 +0000
For some reason I did not receive this reply in my Inbox. I just happened to be browsing the archives for answers and found a reply to my email I just sent, so I am copying the response here. I will answer those 5 questions.

> what IPs are you testing from?

10.31.30.105; 10.31.30.106; 10.31.30.107

> which one works and which does not?

every IP I have tried works but only once. I could be firing the mock ssh 'attack' from any IP and it will alert properly but only once every 12 hours or so, not sure about the exact time limit. To clarify on the rules: I am using all the 'emerging' rules. Here is one line from my config:

(include $RULE_PATH/emerging-misc.rules)

> what is the IP of your snort box?

10.31.40.20

> what are your HOME_NET and EXTERNAL_NET values?

var HOME_NET [10.31.2.78,10.31.2.79,172.17.0.0/24,192.168.11.0/24,192.168.50.15,127.0.0.1]
var EXTERNAL_NET !$HOME_NET

My hunch is that there is a specification in some specific rule which is overriding any global filter I have in place, causing the alerts to stop firing after one attack. Unfortunately, modifying that specific rule is not an option for me as I update the rules automatically and don't customize any of them, so that would not be a long term fix. I found the rule in question in emerging-scan.rules:

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN Potential SSH Scan"; flags:S,12; threshold: type both, track by_src, count 5, seconds 120; reference:url,en.wikipedia.org/wiki/Brute_force_attack; reference:url,doc.emergingthreats.net/2001219; classtype:attempted-recon; sid:2001219; rev:19;)

as you can see, it is 5 attempts in 2 minutes.

That generates this alert from snort:

[**] [1:2001219:19] ET SCAN Potential SSH Scan [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/07-17:52:05.665590 10.31.30.105:50682 -> 10.31.40.20:22
TCP TTL:63 TOS:0x0 ID:60881 IpLen:20 DgmLen:60 DF
******S* Seq: 0xD2D2B099 Ack: 0x0 Win: 0x7210 TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 4873544 0 NOP WS: 7
[Xref => http://doc.emergingthreats.net/2001219][Xref => (removed hyperlink)]

This still does not explain where the time limit is coming from. I cannot get snort to generate this same alert again for several hours.

On 04/08/2016 02:06 PM, John Devine wrote:
> Hi all, I am testing alerts on snort 2.9.2.2 on a box running debian by using a mock ssh attack to trigger one of snort's default rules. The rule is generated after 5

i'm not aware of snort having any "default rules"... at least not by that type of naming... which rule are you talking about?

> ssh attempts are made within 60 seconds. I am using snort as-is; I have created no custom rules. I can reproduce this about once a day, but after a reboot of the box or restart of snort it will not generate an alert after using the same mock ssh attack, even when I 'attack' it from a different IP. My guess is that there

what IPs are you testing from? which one works and which does not? what is the IP of your snort box? what are your HOME_NET and EXTERNAL_NET values?

> is some default local event filter for a specific rule that prevents the alert from generating again within a certain timeframe. I tried creating a global event filter (event_filter gen_id 0, sig_id 0, type both, track by_src, count -1, seconds 1) in the hope of circumventing all time limits and thresholds that could be preventing snort from alerting. Is there a way to disable any default filters that are preventing snort from generating multiples of the same alerts?

no... not without rewriting the rule... in your case, it would basically mean copying that rule to your local.rules file, modifying it as needed, making sure to change the SID number (very important) and commenting out the original rule in the original .rules file...

> If that is even the problem. Essentially, I want snort to be able to generate the same alert every time it happens, which it currently does not.

post your answers to the above five questions to the list and let's see what we can do :)

--
NOTE: No off-list assistance is given without prior approval. *Please keep mailing list traffic on the list* unless private contact is specifically requested and granted.