Snort mailing list archives

RE: Where do I go from here

From: "Lee Clemens" <snort () leeclemens net>
Date: Tue, 15 Nov 2005 19:53:57 -0500
I agree, although it is a great learning experience to keep a sensor outside
of your firewall. I learned a great deal due to the increased frequency of
attacks. When my router is set up properly there aren't any unsolicited
incoming packets (that I've seen), so it can be a bit boring. 

For now, I'd have to recommend keeping it outside, so that you can get a
feel for the setup. More data coming into BASE will help you move about, and
then you will have a better idea of what to expect if you move the sensor
inside the firewall and wonder, Is this thing on? -- as you'll hopefully get
far fewer alerts. 

Ideally you would have at least two taps, one right in front of your
firewall and one directly behind. Then you could compare the data from the
two and identify what is getting through and work on figuring out the why.

My two cents
Lee

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Briggs, Bruce
Sent: Tuesday, November 15, 2005 4:01 PM
To: Timothy A. Holmes; snort
Subject: RE: [Snort-users] Where do I go from here

So you are monitoring what is outside you door in a crime-ridden
neighborhood (the Internet).
This does not tell you what is coming through your door (your firewall).
 
Personally, I care what makes it into my network.  I don't care all that
much about what does not make it into my network.
So for me, I want an IDS inside my network.  For me, an IPS is a better
candidate to be outside your firewall than an IDS.
 
Bruce

________________________________

From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Timothy A.
Holmes
Sent: Tuesday, November 15, 2005 2:16 PM
To: snort
Subject: [Snort-users] Where do I go from here



Hi Folks:

After some fits and starts, I believe that I have a functional IDS Box
watching the front door now, and I took out the back door (Wireless ap) and
repaired the hole in the wall with bricks and mortar

 

So, I guess the next question is what is the next step?



To summarize, I have a SNORT box up and sniffing on the inbound line between
the Cable Modem and the Firewall.  The management port is inside the
firewall and has an IP on it while the sniffing port is outside the firewall
and does not have one.  

 

I am logging to a mysql database, and running base for reporting.

 

As of the last check, I have received about 4500 alerts today, here is the
breakdown from base on them

 

Displaying alerts 1-7 of 7 total







   

 < <https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=sig_a>
Signature >
<https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=sig_d>  

 <
<https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=class_a>
Classification >
<https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=class_d>


 <
<https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=occur_a>
Total # >
<https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=occur_d>


 Sensor # 

 <
<https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=saddr_a>
Source Address >
<https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=saddr_d>


 <
<https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=daddr_a>
Dest. Address >
<https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=daddr_d>


 <
<https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=first_a>
First >
<https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=first_d>


 <
<https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=last_a>
Last >
<https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=last_d>  

      

[snort <http://www.snort.org/pub-bin/sigs.cgi?sid=3> ] (portscan) TCP
Portsweep 

unclassified 

55
<https://192.168.0.28/base/base_qry_main.php?new=1&sig%5B0%5D=%3D&sig%5B1%5D
=1&sig_type=1&submit=Query+DB&num_result_rows=-1> (0%) 

1
<https://192.168.0.28/base/base_stat_sensor.php?sig%5B0%5D=%3D&sig%5B1%5D=1&;
sig_type=1>  

1
<https://192.168.0.28/base/base_stat_uaddr.php?addr_type=1&sig_type=1&sig%5B
0%5D=%3D&sig%5B1%5D=1>  

31
<https://192.168.0.28/base/base_stat_uaddr.php?addr_type=2&sig_type=1&sig%5B
0%5D=%3D&sig%5B1%5D=1>  

2005-11-15 03:06:05 

2005-11-15 13:12:23 

      

[snort <http://www.snort.org/pub-bin/sigs.cgi?sid=27> ] (portscan) Open Port


unclassified 

3679
<https://192.168.0.28/base/base_qry_main.php?new=1&sig%5B0%5D=%3D&sig%5B1%5D
=2&sig_type=1&submit=Query+DB&num_result_rows=-1> (33%) 

1
<https://192.168.0.28/base/base_stat_sensor.php?sig%5B0%5D=%3D&sig%5B1%5D=2&;
sig_type=1>  

1
<https://192.168.0.28/base/base_stat_uaddr.php?addr_type=1&sig_type=1&sig%5B
0%5D=%3D&sig%5B1%5D=2>  

302
<https://192.168.0.28/base/base_stat_uaddr.php?addr_type=2&sig_type=1&sig%5B
0%5D=%3D&sig%5B1%5D=2>  

2005-11-15 03:06:08 

2005-11-15 13:12:28 

      

[snort <http://www.snort.org/pub-bin/sigs.cgi?sid=4> ] (http_inspect) BARE
BYTE UNICODE ENCODING 

unclassified 

444
<https://192.168.0.28/base/base_qry_main.php?new=1&sig%5B0%5D=%3D&sig%5B1%5D
=3&sig_type=1&submit=Query+DB&num_result_rows=-1> (4%) 

1
<https://192.168.0.28/base/base_stat_sensor.php?sig%5B0%5D=%3D&sig%5B1%5D=3&;
sig_type=1>  

2
<https://192.168.0.28/base/base_stat_uaddr.php?addr_type=1&sig_type=1&sig%5B
0%5D=%3D&sig%5B1%5D=3>  

1
<https://192.168.0.28/base/base_stat_uaddr.php?addr_type=2&sig_type=1&sig%5B
0%5D=%3D&sig%5B1%5D=3>  

2005-11-15 00:37:16 

2005-11-15 14:12:38 

      

[snort <http://www.snort.org/pub-bin/sigs.cgi?sid=2> ] (http_inspect) DOUBLE
DECODING ATTACK 

unclassified 

21
<https://192.168.0.28/base/base_qry_main.php?new=1&sig%5B0%5D=%3D&sig%5B1%5D
=4&sig_type=1&submit=Query+DB&num_result_rows=-1> (0%) 

1
<https://192.168.0.28/base/base_stat_sensor.php?sig%5B0%5D=%3D&sig%5B1%5D=4&;
sig_type=1>  

1
<https://192.168.0.28/base/base_stat_uaddr.php?addr_type=1&sig_type=1&sig%5B
0%5D=%3D&sig%5B1%5D=4>  

9
<https://192.168.0.28/base/base_stat_uaddr.php?addr_type=2&sig_type=1&sig%5B
0%5D=%3D&sig%5B1%5D=4>  

2005-11-15 07:16:16 

2005-11-15 12:38:53 

      

[snort <http://www.snort.org/pub-bin/sigs.cgi?sid=15> ] (http_inspect)
OVERSIZE REQUEST-URI DIRECTORY 

unclassified 

6
<https://192.168.0.28/base/base_qry_main.php?new=1&sig%5B0%5D=%3D&sig%5B1%5D
=6&sig_type=1&submit=Query+DB&num_result_rows=-1> (0%) 

1
<https://192.168.0.28/base/base_stat_sensor.php?sig%5B0%5D=%3D&sig%5B1%5D=6&;
sig_type=1>  

1
<https://192.168.0.28/base/base_stat_uaddr.php?addr_type=1&sig_type=1&sig%5B
0%5D=%3D&sig%5B1%5D=6>  

3
<https://192.168.0.28/base/base_stat_uaddr.php?addr_type=2&sig_type=1&sig%5B
0%5D=%3D&sig%5B1%5D=6>  

2005-11-15 10:43:42 

2005-11-15 11:46:43 

      

[snort <http://www.snort.org/pub-bin/sigs.cgi?sid=1> ] (portscan) TCP
Portscan 

unclassified 

3
<https://192.168.0.28/base/base_qry_main.php?new=1&sig%5B0%5D=%3D&sig%5B1%5D
=9&sig_type=1&submit=Query+DB&num_result_rows=-1> (0%) 

1
<https://192.168.0.28/base/base_stat_sensor.php?sig%5B0%5D=%3D&sig%5B1%5D=9&;
sig_type=1>  

1
<https://192.168.0.28/base/base_stat_uaddr.php?addr_type=1&sig_type=1&sig%5B
0%5D=%3D&sig%5B1%5D=9>  

3
<https://192.168.0.28/base/base_stat_uaddr.php?addr_type=2&sig_type=1&sig%5B
0%5D=%3D&sig%5B1%5D=9>  

2005-11-15 10:36:26 

2005-11-15 10:36:42 

      

[snort <http://www.snort.org/pub-bin/sigs.cgi?sid=16> ] (http_inspect)
OVERSIZE CHUNK ENCODING 

unclassified 

3
<https://192.168.0.28/base/base_qry_main.php?new=1&sig%5B0%5D=%3D&sig%5B1%5D
=13&sig_type=1&submit=Query+DB&num_result_rows=-1> (0%) 

1
<https://192.168.0.28/base/base_stat_sensor.php?sig%5B0%5D=%3D&sig%5B1%5D=13
&sig_type=1>  

1
<https://192.168.0.28/base/base_stat_uaddr.php?addr_type=1&sig_type=1&sig%5B
0%5D=%3D&sig%5B1%5D=13>  

1
<https://192.168.0.28/base/base_stat_uaddr.php?addr_type=2&sig_type=1&sig%5B
0%5D=%3D&sig%5B1%5D=13>  

2005-11-15 11:45:36 

2005-11-15 11:46:40 

 

 

 

I guess I need to know what to do next and how to begin utilizing this data
to better protect my network

 

Anyone who can help, or point me to the proper resources would be greatly
appreciated

 

TIM



 

Timothy A. Holmes

IT Manager / Network Admin / Web Master / Computer Teacher

 

Medina Christian Academy

A Higher Standard...

 

Jeremiah 33:3

Jeremiah 29:11

Esther 4:14 





-------------------------------------------------------
This SF.Net email is sponsored by the JBoss Inc.  Get Certified Today
Register for a JBoss Training Course.  Free Certification Exam
for All Training Attendees Through End of 2005. For more info visit:
http://ads.osdn.com/?ad_id=7628&alloc_id=16845&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:

Where do I go from here Timothy A. Holmes (Nov 15)
- <Possible follow-ups>
- RE: Where do I go from here Briggs, Bruce (Nov 15)
  - RE: Where do I go from here Lee Clemens (Nov 15)
- RE: Where do I go from here Briggs, Bruce (Nov 15)
- Re: Where do I go from here Richard Bejtlich (Nov 15)