Snort mailing list archives
Re: A couple of design comments/questions
From: twig les <twigles () yahoo com>
Date: Sun, 2 Feb 2003 17:07:38 -0800 (PST)
You raise some good points. Maybe running a second instance of snort with a different HOME_NET/EXTERNAL_NET would mitigate the problem. I agree though, sometimes (many times) it is really important to see what is leaving your network. Personally we use layer-2 isolation between our internal boxes and we don't let our DMZ boxen initiate connections out unless they have a legit reason to (DNS...). --- Jason Haar <Jason.Haar () trimble co nz> wrote:
Just some thoughts to start off the week: I'm running snort probably like most others; I define the internal address-space, then define EXTERNAL as everything else. Most rules work 'round that assumption: the rules search for matches from external addresses hammering at internal addresses. I *assume* the main reasons for that is to allow management to see how necessary information security infrastructure is (ahem), ...and to cut down on false positives? [I ran snort for some time with both internal and external being defined as "any" - to see the differences, and the biggest issue I found was the *huge* increase in false positives, effectively making it impossible to use live that way] IMHO,a problem with this approach is that you end up looking for events that are actually less important than their reverse. I'd say in most peoples' eyes, seeing an incoming CodeRed event is less important than an outgoing, but other than doubling every rule (one for incoming, one for outgoing), I can't see any clean way of doing this. A good example is the current MS-SQL Sapphire worm - like most sites we are "by default" immune to it as our perimeter firewall doesn't allow incoming connections on non-desired ports - so the current alert of: alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Worm propagation attempt"; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1 01|"; content:"sock"; content:"send"; reference:bugtraq,5310; classtype:misc-attack; reference:bugtraq,5311; reference:url,vil.nai.com/vil/content/v_99992.htm; sid:2003; rev:2;) ...is of no use to us - except to prove that our firewall is working ;-) What would be more useful is probably a new rule option, something like "also_on_reverse:successful-admin". Such an option could do the same job as reversing the network ranges (i.e. from "$EXTERNAL_NET any -> $HOME_NET 1434" to "$HOME_NET any -> $EXTERNAL_NET 1434"), and changes the classtype to successful-admin. Does that sound too insane? Simply making more of the alerts "any any" doesn't really help, as they would appear under the same classtype - when they are actually more urgent. In fact, this does bring up another question: the usefulness of the current "classtype" option. One thing I'm really missing from snort is the ability to trigger alerts on some cleanly-defined situations - such as noticing that a LAN box is attempting to upload CodeRed/Sapphire onto a remote box. Currently if I look at our Snort alerts DB, I see tonnes of priority 1 events - but they're all things like incoming CodeRed - of no consequence. Currently I rely on writing good swatch triggers so that I only trigger email alerts when snort sees a LAN to Internet event, but given the existing fine-grain classifications within snort, I venture this really is a snort issue, and not an post-filtering issue. Shouldn't snort look at classifying "you've been compromised" as higher than "they've been compromised"? Perhaps a priority 0 would be easiest? :-) Anyway, just some thoughts... -- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +64 3 9635 377 Fax: +64 3 9635 417 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
-------------------------------------------------------
This SF.NET email is sponsored by: SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See! http://www.vasoftware.com _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users ===== ----------------------------------------------------------- Know yourself and know your enemy and you will never fear defeat. ----------------------------------------------------------- __________________________________________________ Do you Yahoo!? Yahoo! Mail Plus - Powerful. Affordable. Sign up now. http://mailplus.yahoo.com ------------------------------------------------------- This SF.NET email is sponsored by: SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See! http://www.vasoftware.com _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- A couple of design comments/questions Jason Haar (Feb 02)
- Re: A couple of design comments/questions twig les (Feb 02)
- Re: A couple of design comments/questions Frank Knobbe (Feb 02)