Snort mailing list archives

Re: Everything working what next


From: waldo kitty <wkitty42 () windstream net>
Date: Thu, 29 Nov 2012 11:15:57 -0500

On 11/29/2012 08:54, k vijay sai prashanth wrote:
Okay. That's very informative. Sorry again if my question was too basic. Just
want to be clear on a fundamental level.

So for example, I have suppressed ICMP rules from internal systems to avoid
false positives, and if some of my internal hosts were compromised and a DDOS was
launched from our internal systems, now that I've suppressed ICMP alerts from
these hosts I am in danger, right?

that would depend on the traffic used for the DDOS... if it were all ICMP 
traffic, then yes, you might be wondering why

   1) there's so much traffic on the network
   2) why the targeted host(s) are failing to operate properly
   3) why your detection system is not alerting you to the traffic

How can I write suppress rules keeping such situations in mind?

well, the first thing is to not turn off that which can alert you... if there 
are false positives, they need to be looked at and studied to determine why they 
are false positives... if the traffic does match the rule, is it really a false 
positive or is it only the MSG in the rule that is "incorrect"? then there's the 
definition of "false positive" and what it really means to you and your network...

Is there a way to suppress alerts up to a certain number and
if that threshold is crossed then raise an alert?

that's exactly what the in-rule option "detection_filter" and the threshold.conf 
file are for... choices you can use are

   1) modify the rule in place (via modifysid) to add the detection_filter
   2) disable the original rule and use a modified local.rules copy with 
detection_filter
   3) leave the original rule in place and use the threshold.conf* file to 
throttle or suppress** the rule

*NOTE: threshold.conf is not enabled by default. you have to specifically enable 
it in your snort.conf. just like any other conf changes, you will have to 
restart snort after making changes to the thresholds you have set.

**NOTE: suppressing a rule via threshold.conf still causes the rule to be loaded 
and processed. its alert output is simply suppressed. this may not be desirable 
as the rule is consuming memory space as well as CPU cycles. completely 
disabling the rule by commenting it out with a '#' is the best way to suppress a 
rule.

Regards,
Prashanth


On Thu, Nov 29, 2012 at 7:48 AM, waldo kitty <wkitty42 () windstream net> wrote:

    On 11/28/2012 16:52, k vijay sai prashanth wrote:
     > I did google it actually, Got very very vague responses. I posted here as
     > everyone here uses Snort and will have clarity on their purpose of usage.

    the main thing is to see the traffic on your network and that coming into and
    going out of it... for instance, if you have a local policy of no P2P apps, it
    is possible that a snort signature may alert on this type of traffic so that you
    can put a stop to it...

     > Also if I may ask why do we need an IDS when there is already a firewall in
     > place?

    firewalls can easily be breached... for example, if you have a web server
    running inside your network that is open to the public on the WAN... with snort
    you can sniff the traffic and see if anything untoward is going on... one for
    instance would be if your web server runs a forum software package... you could
    tell if some automated critter was beating on your forum and trying to force a
    bogus spammy signup...

     > All the traffic I see in my logs are all internal traffic. What kind of
     > threats am I looking at from internal traffic?

    internal machines can easily be infested if they visit external web sites... one
    only has to look at the iframe mess that's out there spreading blackhole and
    other kits... pdf and java also bring threats... if something gets loose inside,
    don't you want to know about it hopefully before it infests other machines on
    your network?

     >
     > Regards,
     > Prashanth
     >
     >
     > On Thu, Nov 29, 2012 at 3:14 AM, Ron Sinclair <unixfool () gmail com> wrote:
     >
     >     Analyze the logged data to determine if there are any system/network
     >     breaches.  Noisy signatures can be commented out or tuned/filtered.
     >       Sometimes the logs can point out a misconfiguration that, while not an
     >     actual breach, can assist in fixing the issue.  Also, each network is
     >     different, so we won't be able to tell you what you should be seeing and
     >     how/if you should disable signatures.  We might be able to assist if you've
     >     a question about a particular piece of traffic, but you'll have to provide
     >     the pcap.  Sometimes, just being able to compare the PCAP against the rule
     >     itself is enough to determine the nature of logged traffic.  Sometimes it
     >     takes awhile to research.  It depends on what's being logged.
     >
     >     I'm not sure if it's outside of the scope of this group or not, but using
     >     Google usually helps.
     >
     >
     >     On Wed, Nov 28, 2012 at 4:06 PM, k vijay sai prashanth
     > <vijaysaiprashanth () gmail com> wrote:
     >
     >         Hello All,
     >
     >         I have setup snort barnyard2 after a lot of pain. I even setup an
    Aanval
     >         front end. I now have events being logged and stored.
     >
     >         I just have one question.
     >
     >         What do I do with all the logs and alerts?
     >
     >         What kind of analysis and reporting should I be doing?
     >
     >         I hope this part is not out of scope for this group.
     >
     >         Regards,
     >         Prashanth

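The three choices in the reply above, written out as an added example (not from the post and not Snort's own configuration files): a local.rules copy of an ICMP rule carrying detection_filter, plus threshold.conf entries that rate-limit or narrowly suppress the stock rule. SID 1000001 and host 10.0.0.5 are constructed values; gen_id 1 / sig_id 384 is assumed to be the stock "ICMP PING" rule, so substitute whichever SID is noisy on your network.

```snort
# --- local.rules (choice 2 above) ---
# Local copy of an ICMP rule that stays silent for ordinary pings and alerts
# only when one internal source sends 100 or more echo requests within
# 10 seconds. Routine internal ICMP no longer alerts, but an internal host
# flooding a target still does. sid 1000001 is a constructed local SID.
alert icmp $HOME_NET any -> any any (msg:"LOCAL ICMP echo flood from internal host"; \
    itype:8; \
    detection_filter: track by_src, count 100, seconds 10; \
    classtype:attempted-dos; sid:1000001; rev:1;)

# --- threshold.conf (choice 3 above) ---
# Keep the stock rule loaded and evaluated, but throttle its output to one
# alert per source address per 60 seconds. gen_id 1 is the rules engine;
# sig_id 384 is assumed to be the stock "ICMP PING" rule.
event_filter gen_id 1, sig_id 384, type limit, track by_src, count 1, seconds 60

# Alternative with the same count/window as the detection_filter above:
# alert only once the 100th ping from one source in 10 s is seen. Only one
# event_filter is allowed per gen_id/sig_id pair, so pick one or the other.
# event_filter gen_id 1, sig_id 384, type threshold, track by_src, count 100, seconds 10

# Suppress a single known-noisy monitoring host (10.0.0.5 is constructed)
# instead of the whole SID, so every other source is still reported.
suppress gen_id 1, sig_id 384, track by_src, ip 10.0.0.5

# --- snort.conf ---
# threshold.conf is not read unless it is included here; restart Snort
# after changing either file.
include threshold.conf
```

As the reply notes, entries in threshold.conf leave the rule loaded and consuming CPU; if a rule is never wanted, comment it out in the rules file instead.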

