Re: Snort against DARPA Dataset

[Sunny Fugate <fugate () unm edu>]

This is normal....most rules are defined with $HOME_NET as the destination for exactly the reason you gave (attacks 
being incoming traffic).  A single detection rule has a header: 

alert tcp $EXTERNAL_NET any -> $HOME_NET any 

The arrow literally defines source -> destination. Most rules define $HOME_NET as the destination.   While there are 
rules for exfiltration, they represent a a smaller number compared to those for active attacks (i.e. prior to actual 
compromise).   It may also be that the DARPA dataset doesn't have a large number of exfiltration attacks. 

How did you generate your list of HOME_NET IP addresses for the DARPA dataset?  To get things working as you expect, 
the network structure of the original test-setup (available on the same website as the datasets) will probably need to 
be included in IP list.  I'm not sure which of the datasets you are using, but one of their network diagrams lists 
anything in the IP range for 172.16.0.0/16 as being "inside". 

Cheers, 

Sunny

On Jul 5, 2012, at 9:12 AM, Sravan Bhamidipati wrote:

> From: Sunny Fugate <fugate () unm edu>
> To: snort-users () lists sourceforge net
> Cc: 
> Date: Mon, 2 Jul 2012 11:42:04 -0600
> Subject: Re: [Snort-users] Snort against DARPA Dataset
> Regarding your detection rates, check that you have signatures for the unidentified traffic.  Is it 30% of labelled 
> attacks for which you have signatures, or 30% of the labelled attacks don't have signatures in Snort?
> Only 30% of the labelled attacks have signatures in Snort.
>
>  
>   As Robert pointed out, many of the old DARPA attacks may not be handled by current detection rules or current 
> preprocessors.  It may also be that you might need to change/refine configuration of various specialized 
> pre-processors. Some immediate things to check might be port-lists for various preprocessors which might prevent 
> certain preprocessors and/or rules from being applied if traffic is not on an expected port.   You'll need to examine 
> your missed attacks, see if these are handled at all by Snort and by which preprocessor and whether the preprocessor 
> is configured such that it would detect them.
>
> Thank you, Sunny. I had thought of examining the missed attacks, but it somehow slipped my mind. I did what you 
> suggested.
>
> In my Snort config, I have a list of IP addresses defined as HOME_NET. Of the alerts generated by Snort roughly 90% 
> have these IP addresses as the destinations, 5% have these IP addresses as sources (but not destinations). Is this 
> expected behavior? Is Snort "less concerned" about outgoing packets? Is there a way to change that behavior, or is 
> that against the norms of an IDS?
>
> This could be a major cause of the low detection rates I am getting, because 80% of the labelled attacks have a 
> destination that is not part of HOME_NET.
>
> This is counter-intuitive to my understanding. I had been of the opinion that an "intrusion" means HOME_NET is the 
> destination, and "exfiltration" (or whatever happens after a system is compromised) has HOME_NET as the source.
>
>
>
> From: waldo kitty <wkitty42 () windstream net>
> To: snort-users () lists sourceforge net
> Cc: 
> Date: Tue, 03 Jul 2012 01:25:25 -0400
> Subject: Re: [Snort-users] Snort against DARPA Dataset
> On 7/2/2012 10:21, Sravan Bhamidipati wrote:
> Are there any recommended portscan detection tools that can play tcpdump files?
> I have tried scanlogd and psad, and didn't find the option.
> what's wrong with wireshark or similar? (other than maybe being winwhatever based??)
>
> Sorry,  Waldo. I couldn't figure out how to detect portscans using Wireshark.
>
> However, I looked at the counts of (Source IP, Destination IP) ordered pairs in the list of labelled attacks, and 
> found that about 60% of them correspond to just 3 such ordered pairs. My guess is that these are some kind of DoS 
> attacks. (The source IP is sending packets to the destination IP using 65536 x 1024 combinations of source and 
> destination port numbers.) None of these generated Snort alerts. Does Snort have a problem detecting DoS attacks or 
> could I be missing some important setting in snort.conf?
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and 
> threat landscape has changed and how IT managers can respond. Discussions 
> will include endpoint security, mobile security and the latest in malware 
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/_______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!