Snort mailing list archives

Re: High FPs on New Stream5 Anomalies & Others


From: Russ Combs <rcombs () sourcefire com>
Date: Wed, 26 Jan 2011 17:53:30 -0500

There is a bug fixed in the upcoming 2904 that addresses false positives on
those stream5 alerts.  Your third-party resets may be exacerbating things
though.  Yes it is safe to suppress / filter them.

Is this your first Snort deployment?  It sounds like you've got it under
control.  Congratulations.

Russ

On Wed, Jan 26, 2011 at 2:08 PM, Merida, Dylan <Dylan.Merida () eku edu> wrote:

Hey everyone,

I'm a long time reader, first time poster.

We recently implemented a Snort, Barnyard2, BASE, and PulledPork setup into
our network. The Snort version is 2.9.0.3 on RHEL6 with newest PCAP and
libdnet. It's currently watching the WAN link only and can see up to 1Gbps
of traffic. I've been trying to tune snort by thresholding and thinning out
the ruleset. I've messed with stream5 global memcap and tcp max_queued_bytes
until we have almost no dropped packets or pruning happening (aside from
stale timeouts). The biggest issue we've been having is maintaining the
MySQL database, because it can easily reach 15 million alerts in 3 days. The
filesize hovers around 8 GB as I have a script running each night to delete
rules older than three days and then optimize. I would like to tune snort to
allow me to keep up to 30 days.

The rules I've been having the most trouble out of are the new stream5
anomaly detections. Using BASE, I've found that in a 72 hour period the two
alerts above comprise 34% of our alerts. Their stats for the 72 hour period
are listed below.

stream5: Reset outside window (129:15) - 1490398(19%)
stream5: FIN number is greater than prior FIN (129:16) - 1061056(14%)

And this is after I've used thresholds to limit them to 1 alert per second
per source ip. If you factor in alerts for Bittorrent, ICMP unreachable
messages, Stream5: TCP Timestamp missing, and echo replies they comprise 93%
of our alerts. We're fine with leaving Bittorrent alerts on, but I may
threshold them more. I'd like to cut down on the alerts above so I can see
the more important high severity alerts.

My question is really this: Can someone explain what exactly the new
stream5 tcp anomaly detections mean? And are they safe to turn off? I've
checked the snort 2.9.0.X manual and there are no mentions of either of
them. I've also searched through snort-users and can only find gen-msg.map
issues and Joel saying, "We've fixed this in the next version."


We have another IDS type box from Actiance (recently changed their name
from FaceTime after selling it to Apple) that sprays TCP RSTs out at
connections it doesn't like; I suspect this may be causing the "Reset
outside window" alert to trigger and maybe the FIN number issues.

Let me know what you think. I'm open to suggestions on Splunk for automatic
alerting as well.

Thank you,

Dylan Merida
Security Analyst
Information Technology
Eastern Kentucky University
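The tuning options discussed in this thread, written out as an added example in Snort 2.9 threshold.conf syntax (this is not configuration from either poster). The 129:15 and 129:16 GID:SID pairs are the two stream5 alerts quoted above; the 192.0.2.10 address is a constructed placeholder for the RST-spraying appliance, not a real host.

```conf
# Added example: tuning the two noisy stream5 anomaly events (129:15, 129:16).
# Snort 2.9 reads these directives from snort.conf or an included threshold.conf.
# Only one event_filter per gen_id/sig_id pair is allowed; suppress may coexist.

# --- Current (noisy) setting described in the thread: 1 alert/sec/source ---
# event_filter gen_id 129, sig_id 15, type limit, track by_src, count 1, seconds 1
# event_filter gen_id 129, sig_id 16, type limit, track by_src, count 1, seconds 1

# --- Option 1: keep visibility but cut volume, 1 alert per source per 5 minutes ---
event_filter gen_id 129, sig_id 15, type limit, track by_src, count 1, seconds 300
event_filter gen_id 129, sig_id 16, type limit, track by_src, count 1, seconds 300

# --- Option 2: suppress only the known appliance that injects out-of-window RSTs ---
# 192.0.2.10 is a constructed placeholder (RFC 5737 documentation range).
suppress gen_id 129, sig_id 15, track by_src, ip 192.0.2.10
suppress gen_id 129, sig_id 16, track by_src, ip 192.0.2.10

# --- Option 3: drop both events entirely (what the reply confirms is safe) ---
# suppress gen_id 129, sig_id 15
# suppress gen_id 129, sig_id 16
```

Pick one option per SID: Option 1 keeps a low-rate signal for retrospective review, Option 2 removes only the traffic the poster suspects is the cause, and Option 3 is the blunt fix until the 2.9.0.4 bugfix is deployed.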


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
