RE: how to handle this problem

["Corey Rock" <snort_sigs () hotmail com>]

Hi Derk!

what I meant about ntop was you could attempt to correlate a high number of 
alerts found in snort to any data you might have from ntop.

For instance, if you saw a large number of tcp alerts for a given host in 
snort, you could look at ntop stats and see if the same host seemed to be 
sending an inordinate amount of tcp traffic.  Indeed, this is cludgy, but it 
may get you one step closer in determining if the snort alert is real or 
not.

Here is a great diagram that gives an overview of potential sensor 
placement:

http://www.snort.org/docs/scott_c_sanchez_cissp-ids-zone-theory-diagram.pdf

as far as tuning rules goes, it depends entirely on a lot of variables, and 
thus, I don't know of a great doc that might help determine how to tune your 
rulebase.

But using the diagram above as a guide, let's say you were able to deploy 4 
sensors.  Each would be on a different network segment.

1----internal LAN
2---behind Firewall (gating internet access)
3---on DMZ
4---on admin net

now, each sensor would have a different rulebase, specific only to the 
hosts, OS's, and apps that are expected to be seen on each network.  This 
would be a good starting point.

Yet, if you get an alert, you'd still need to examine the actual 
traffic---the packets---because it is easy to get a false positive on 
something such as a user pulling a snort acid report over an http 
connection-----this might trigger a potential "shell code exploit" or 
"web-traversal" alert simply based on the content of those packets...but 
they woudn't actually be an attempted shell exploit....they were rules just 
triggering on the criteria found in the packet.

make sense?

Corey


> From: "derk van de Velde" <derk () pcvisie nl>
> To: "Corey Rock" 
> <snort_sigs () hotmail com>,<snort-users () lists sourceforge net>
> Subject: RE: [Snort-users] how to handle this problem
> Date: Fri, 21 May 2004 09:47:02 +0200
>
> hi,
>
> i already use the ntop product, its great.
> what do you mean by working with alerts in ntop?
> and the "good place for sensors"
> is there doc how to finetune rules?
> i'll checkout the comercial product.
>
> regards,
> derk
>
>
>
> -----Oorspronkelijk bericht-----
> Van: snort-users-admin () lists sourceforge net
> [mailto:snort-users-admin () lists sourceforge net]Namens Corey Rock
> Verzonden: donderdag 20 mei 2004 18:21
> Aan: snort-users () lists sourceforge net
> Onderwerp: RE: [Snort-users] how to handle this problem
>
>
> Greetings!
>
> The first most important thing you need to do is tune your rulebase to your
> environment.
>
> Not only will this make snort much more efficient, but it will reduce all
> the potential 'noise' or 'false positives' you might see with the default
> rule set (which is very broad, and covers a very general concept of hosts 
> on
> a network) which don't apply to your network/hosts.
>
> Snort is a great product for many reasons, and snortalog is a pretty cool
> script that can summarize your alerts files, and show you a 'top offendor'
> etc...ntop (opensource) is a great tool to give you an idea of network
> utilization.
>
> You could cross reference the snort alerts with ntop (if the sensors were
> all in the right spot) and verify if the alerts you see are in fact causing
> a higher utilzation of the network.  Ntop will break down net utilzation by
> hosts and protocols.
>
> <begin commercial plug>
>
> Now, sorry to plug a commercial product, and I have no affiliation with 
> them
> whatsoever (I work on the West Coast), but, if your company has $$$---you
> could check out a product like "RNA" by sourcefire.  You are asking about a
> better way to see the "real severe alerts"
>
> http://sourcefire.com/products/rna.html
>
>
> This product is very cool (I saw a demo @ SANS last month) and can quickly
> give you an idea of anomalous traffic/behavior on your network, in many
> different ways.
>
> </end plug>
>
> Snort is a great way to track alerts, if you tune the rulebase, and if the
> alerts apply to your environment.  You still need to analyze the packets,
> however, to determine if the alert is genuine.  If you don't have the time
> to do this, it might be best to look at a commercial product.
>
> Corey
>
>
> >From: "derk van de Velde" <derk () pcvisie nl>
> >To: "AJ Butcher, Information Systems and Computing"
> ><Alex.Butcher () bristol ac uk>,"snort user"
> ><snort-users () lists sourceforge net>
> >Subject: RE: [Snort-users] how to handle this problem
> >Date: Thu, 20 May 2004 16:17:55 +0200
> >
> >hi,
> >
> >i installed snort because some weeks ago, one machin inside our network
> >attacked a lot of machines outside. so we were blocked by my isp.
> >i think snort is a good product to signal thise attacks, is that correct?
> >because sometimes i get many alerts aday, is snortalog a good way to 
> track
> >them?
> >is there a better way to find (fast) the real severe alerts?
> >
> >thanks and regards,
> >derk
> >
> >
> >-----Oorspronkelijk bericht-----
> >Van: AJ Butcher, Information Systems and Computing
> >[mailto:Alex.Butcher () bristol ac uk]
> >Verzonden: donderdag 20 mei 2004 15:54
> >Aan: derk van de Velde; snort user
> >Onderwerp: Re: [Snort-users] how to handle this problem
> >
> >
> >
> >
> >--On 20 May 2004 14:54 +0200 derk van de Velde <derk () pcvisie nl> wrote:
> >
> > > hi,
> > >
> > > if found this in met authlog from snort
> > >
> > > May 20 02:19:28 pcvisie snort: [1:2307:2] WEB-PHP PayPal Storefront
> > > arbitrary command execution attempt [Classification: Web Application
> > > Attack] [Priority: 1]: {TCP} 10.0.3.128:4978 -> 207.46.130.110:80
> > > May 20 02:19:28 pcvisie snort: [1:2307:2] WEB-PHP PayPal Storefront
> > > arbitrary command execution attempt [Classification: Web Application
> > > Attack] [Priority: 1]: {TCP} 10.0.3.128:4979 -> 207.46.130.110:80
> > >
> > > snortalog said high
> > >
> > > when i check the 2307 sid on snort.org, it is not clear to me how t
> >handle
> > > this.
> >
> >1) Check who the target machine (207.46.130.110) belongs to. According to
> >WHOIS, it's Hotmail, so /if/ this /is/ a real attack, it's one of your
> >users  (I assume, from the 10.0.0.0/8 address) attacking Hotmail.
> >
> >2) Verify whether the target machine is using PayPal Storefront. I would
> >suggest "probably not".
> >
> >3) Examine the payload of the packets that triggered the alert and 
> compare
> >with the rule to determine whether the rule might be a bit too dumb, and
> >could be triggered by innocuous traffic (e.g. email, web pages, image
> >files).
> >
> > > what steps should i take
> >
> >If this is a real attack (I would guess not), the rest depends on your
> >organisation's policy for dealing with misuse of its computer systems and
> >networks. This is almost certainly a legal, rather than a technical 
> matter.
> >
> > > regards,
> > > derk
> >
> >HTH,
> >Alex.
> >--
> >Alex Butcher: Security & Integrity, Personal Computer Systems Group
> >Information Systems and Computing             GPG Key ID: F9B27DC9
> >GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
> >
> >
> >
> >
> >
> >
> >-------------------------------------------------------
> >This SF.Net email is sponsored by: Oracle 10g
> >Get certified on the hottest thing ever to hit the market... Oracle 10g.
> >Take an Oracle 10g class now, and we'll give you the exam FREE.
> >http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click
> >_______________________________________________
> >Snort-users mailing list
> >Snort-users () lists sourceforge net
> >Go to this URL to change user options or unsubscribe:
> >https://lists.sourceforge.net/lists/listinfo/snort-users
> >Snort-users list archive:
> >http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> _________________________________________________________________
> Is your PC infected? Get a FREE online computer virus scan from McAfee®
> Security. http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963
>
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by: Oracle 10g
> Get certified on the hottest thing ever to hit the market... Oracle 10g.
> Take an Oracle 10g class now, and we'll give you the exam FREE.
> http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by: Oracle 10g
> Get certified on the hottest thing ever to hit the market... Oracle 10g.
> Take an Oracle 10g class now, and we'll give you the exam FREE.
> http://ads.osdn.com/?ad_id149&alloc_id66&op=click
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

_________________________________________________________________
FREE pop-up blocking with the new MSN Toolbar – get it now! 
http://toolbar.msn.click-url.com/go/onm00200415ave/direct/01/



-------------------------------------------------------
This SF.Net email is sponsored by: Oracle 10g
Get certified on the hottest thing ever to hit the market... Oracle 10g. 
Take an Oracle 10g class now, and we'll give you the exam FREE.
http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users