Snort mailing list archives

Re: Noob


From: Tim Slighter <tslighter () itc nrcs usda gov>
Date: Wed, 22 Dec 2004 11:19:44 -0700

The first best step is to fine-tune your HOME_NET and EXTERNAL_NET variables. Once you have those in place, you might want to start customizing your rules. As for SNMP alerts, you may have to write a custom rule that will not alert for that printer.

(Original)
alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP public access tcp"; flow:to_server,established; content:"public"; reference:bugtraq,2112; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,7212; reference:cve,1999-0517; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1412; rev:13;)

This rule could be customized to not alert for a particular host or net:

alert tcp $EXTERNAL_NET any -> !192.168.1.192 161 (msg:"SNMP public access tcp"; flow:to_server,established; content:"public"; reference:bugtraq,2112; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,7212; reference:cve,1999-0517; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1412; rev:13;)

alert tcp $EXTERNAL_NET any -> !192.168.1.0/24 161 (msg:"SNMP public access tcp"; flow:to_server,established; content:"public"; reference:bugtraq,2112; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,7212; reference:cve,1999-0517; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1412; rev:13;)

Work with the EXTERNAL_NET variable if the source IP is the cause of the surplus of alerts.

Hopefully that gives you an idea of where to start.

Brian Stamper wrote:

Well I'm new to snort but so far I have the following:
Snort logging to a mysql database w/ Apache2+PHP running acid.  Also have
the Webmin snort module up and running.

Here is my problem.  Currently out of the box snort is running on a network
of roughly 300+ machines.  IT'S UGLY!!  I am getting info everywhere.  Like
40 or 50+ alerts a minute.  Things from public SNMP stuff to dropped ICMP
packets.  Does anyone have any pointers on where to start to get this to be
useful rather than overwhelming?  I've researched some of it and it seems
that the print server we have polls the printers w/ this SNMP public
broadcast every time something gets printed.  I'm at a loss in hope that my
network isn't really this messed up!!  Are there any docs that explain what
is/isn't needed for rules and what to setup from scratch?  All of this and
I'm still on a switched network...no monitoring port or nothing.  All I see
is what comes and goes from this machine and the network broadcasts
basically.  Currently running snort 2.2.0 on Gentoo Linux.
Thanks,
Brian


-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now. http://productguide.itmanagersjournal.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

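As an added illustration of the advice in this thread (it is not code from Tim's or Brian's posts and not Snort's own code), the following Python models how Snort resolves the address fields of a rule header: `any`, `$VAR` references, plain hosts, CIDR nets, `!` negation and `[a,b]` lists. The variable values, the packet sample and the function names are constructed assumptions. Running it shows why the two steps are ordered the way Tim gives them: with HOME_NET and EXTERNAL_NET left at `any`, the internal print server's polling of the printer fires sid 1412 at all; once the variables describe the real network, that traffic no longer matches the source field, and the negated-host variant of the rule is then seen to still fire for destinations outside the home net.

```python
"""Model of Snort 2.x rule-header address matching (added example)."""
import ipaddress

# Constructed variable sets (assumed values, not from the thread).
DEFAULT_VARS = {"HOME_NET": "any", "EXTERNAL_NET": "any"}          # stock, untuned
TUNED_VARS = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "!$HOME_NET"}

# Constructed packet sample: a print server polling two printers, an outside
# host probing an internal host, and transit traffic to a non-local address.
SAMPLE_PACKETS = [
    {"src": "192.168.1.50", "dst": "192.168.1.192", "dport": 161},  # the noisy printer
    {"src": "192.168.1.50", "dst": "192.168.1.193", "dport": 161},  # a second printer
    {"src": "203.0.113.9", "dst": "192.168.1.10", "dport": 161},    # outside -> inside
    {"src": "203.0.113.9", "dst": "198.51.100.7", "dport": 161},    # outside -> elsewhere
    {"src": "203.0.113.9", "dst": "192.168.1.10", "dport": 80},     # wrong port, never matches
]


def matches(spec, ip, variables):
    """Return True if address `ip` is covered by the Snort address spec `spec`.

    Handles the grammar used in the rules above: `any`, `$VAR`, `!spec`,
    a single host, a CIDR net, and a comma-separated `[...]` list.
    """
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):                      # negation applies to the rest
        return not matches(spec[1:], ip, variables)
    if spec.startswith("$"):                      # variable reference
        name = spec[1:]
        if name not in variables:
            raise ValueError(f"undefined variable ${name}")
        return matches(variables[name], ip, variables)
    if spec.startswith("[") and spec.endswith("]"):  # list: any member matches
        return any(matches(part, ip, variables) for part in spec[1:-1].split(","))
    # A bare host string becomes a /32 network; a CIDR string is used as given.
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def rule_fires(src_spec, dst_spec, dport, pkt, variables):
    """Header match only (no payload inspection): src, dst and destination port."""
    return (matches(src_spec, pkt["src"], variables)
            and matches(dst_spec, pkt["dst"], variables)
            and pkt["dport"] == dport)


def alerting_destinations(src_spec, dst_spec, dport, packets, variables):
    """Destinations in `packets` for which the header of the rule would fire."""
    return [p["dst"] for p in packets
            if rule_fires(src_spec, dst_spec, dport, p, variables)]


if __name__ == "__main__":
    # The three destination forms from the thread, all with the original source field.
    variants = ["$HOME_NET", "!192.168.1.192", "!192.168.1.0/24"]
    for label, variables in (("untuned", DEFAULT_VARS), ("tuned", TUNED_VARS)):
        for dst in variants:
            hits = alerting_destinations("$EXTERNAL_NET", dst, 161, SAMPLE_PACKETS, variables)
            print(f"{label:8s} dst={dst:18s} fires for {hits}")
```

With the untuned variables the original rule fires for all four port-161 packets, printer polling included; with the tuned pair it fires only for the outside host reaching 192.168.1.10. The `!192.168.1.192` form silences the one printer but, because it negates a single host, it also matches destinations outside the home net (198.51.100.7 in the sample), which is why fixing the variables comes before editing individual rules.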

