Snort mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Using Snort & DB to remove false alarms

From: "Kreimendahl, Chad J" <Chad.Kreimendahl () umb com>
Date: Thu, 8 Apr 2004 10:40:30 -0500

So you're saying create a second rule to return the first packet
response on every HTTP request so you can verify what the return value
was in order to eliminate harmless attacks.

I understand the desire to see if someone is attacking, regardless of
success... But for some of us that makes entirely too much noise to be
useful.  I'd be fine if all of that I recommended could be done with
tagging, but it can't. 

-----Original Message-----
From: Michael Boman [mailto:michael () ayeka dyndns org] 
Sent: Tuesday, April 06, 2004 6:44 AM
To: Sean Wheeler
Cc: Snort Users
Subject: Re: [Snort-users] Using Snort & DB to remove false alarms

On Tue, 2004-04-06 at 18:16, Sean Wheeler wrote:
[ ... ]

Imagine a frontend : Show me alerts using "weed out the obvious" Y/N ?

Y

Script does the "weeding" as described above prior to displaying the

alerts.


Taking it further :

You could use threshold suppression aswell, so you no longer see

alerts from

Webserver A
 because "weeding" figured out the Webserver A is not vulnerable to

that

attack sig X.


Conclusion:

It would be possible using the above methodogoly abeit 1/2 days work

at this

point, we can use snort itself as one mechanism for identifying "false
alarms"

Your thoughts ??


I believe this intelligence should sit at the front end (or somewhere
between Snort and front end), and not in Snort. Snort should concentrate
on detecting as much as possible as fast as possible, and let other bits
and pieces do the rest (that's why barnyard was created in the first
place, so Snort doesn't need to worry about talking to databases etc).

Once in the post-processing/front end stage an alert should never be
hidden from an analyst. Just because the attack didn't succeed doesn't
mean it never took place.

But using visual means to describe the outcome of the attack is OK, just
that I am against hiding alerts from the analyst.

-- 
Michael Boman



-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id70&alloc_id638&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: