Snort mailing list archives

Re: newbq: snort working, getting hits, got sig id's. What now?


From: Tony Robinson <deusexmachina667 () gmail com>
Date: Fri, 30 Nov 2012 23:31:09 -0500

Have to agree with these folks. This is what analysts get paid to do: look
at signatures, correlate the source and the destination, and make
determinations based off of rule documentation and baselines of what is
considered "normal" activity for the source or destination system(s) in
question. A good portion of the time, and this is especially true of the
VRT rules, the rule metadata will have URLs and links to articles
explicitly stating what it is the rule is attempting to detect, what
version of X software it affects and, most of the time, what patch
fixes the issue. You determine if you are running the software and software
version in question, whether or not the vulnerability has been patched, and
you go from there.

(yes... I know I'm oversimplifying this greatly.. don't hurt me.)

You did the easy part in setting up your IDS; the hard part is making
determinations based on what you know.

Some things to make it easier:
if the rule is a VRT rule, the file opensource.gz on snort.org, while
massive, has documentation on a boatload of rules they have released.
Additionally, the rule search on snort.org can give you good information as
well: http://www.snort.org/search

Finally, there was a video that was posted some time ago where Joel did a
presentation on doing exactly what it is you're trying to do... damned if I
can find it though :\... hopefully someone else has it?

regards,

DA

On Fri, Nov 30, 2012 at 1:09 PM, John York <YorkJ () brcc edu> wrote:

A quick way is to grep your rules file to see what the rule says.
Something like

grep "2012649" snort.rules

From: Jefferson, Shawn [mailto:Shawn.Jefferson () bcferries com]
Sent: Friday, November 30, 2012 12:34 PM
To: Thomison, Lee; 'snort-users () lists sourceforge net'
Subject: Re: [Snort-users] newbq: snort working, getting hits, got sig
id's. What now?

In the rule itself there are sometimes URLs that link to more
information.  BASE, at least, displays these.  There is also a Snort page
where you can look up information on a rule at www.snort.org, but not all
rules have useful information.  After that, you can look at the rule
itself: what is it looking for?  Then you get into the nitty-gritty of
trying to figure out if this is legitimate or not, which means
understanding (or talking to people in your company) about what these
systems are doing, what’s “normal”, etc...  There’s no magic documentation
for that unfortunately.

From: Thomison, Lee [mailto:ThomisonL () muni org]
Sent: Thursday, November 29, 2012 3:30 PM
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] newbq: snort working, getting hits, got sig
id's. What now?

Pardon the newbie question, but…

I’ve got snort up and running (via security onion 12.04), got latest vrt
rules, etc.  Let it run overnight and now I’ve got hits (surprise,
surprise).  I’ve got sig id’s for the first couple of high event count hits
I want to look at, but what now?  Where do I go next or what do I do next
to decide whether I have a problem or not?

Here’s the two sigs I want to use as trainers for myself:

SIG ID

2102649            GPL SQL service_name buffer overflow attempt
2102650            GPL SQL user name buffer overflow attempt

Where do I go to get more information on a sig id?

Now, in this case, the source ip is an old control systems box sending
data to a couple of oracle databases.  The source and dest IP’s correspond
with the ‘right’ boxes.  So I suspect that this is simply a result of the
vendor or oracle (or both) being sloppy.  But how do I confirm (or not)?

FWIW googling showed lots of info on how to write rules, but nothing on
what to do after a hit.

Thanks!


------------------------------------------------------------------------------
Keep yourself connected to Go Parallel:
TUNE You got it built. Now make it sing. Tune shows you how.
http://goparallel.sourceforge.net
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!




-- 
when does reality end? when does fantasy begin?
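An added example, not code from anyone in this thread, of the lookup John and Shawn describe and the source/destination check Tony and Lee talk about: find the rule for a SID in a rules file, pull out the msg, classtype and reference options, expand the references into URLs, and record whether the alert's source/destination pairing is one you already expect (Lee's control-system box talking to its Oracle databases). The rule bodies, IP addresses, reference values and the reference base URLs below are constructed or assumed, not the real GPL rule text.

```python
# Added example: SID lookup plus baseline check for Snort alert triage.
# Rule text, IPs and reference values are constructed; REF_BASES is assumed
# to mirror the stock reference.config prefixes for cve/bugtraq/url.
import re

RULES = r"""
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1521 (msg:"GPL SQL service_name buffer overflow attempt"; flow:to_server,established; content:"|28|SERVICE_NAME="; reference:cve,0000-0000; reference:url,www.example.invalid/advisory; classtype:attempted-admin; sid:2102649; rev:5;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1521 (msg:"GPL SQL user name buffer overflow attempt"; flow:to_server,established; content:"|28|USER="; reference:bugtraq,99999; classtype:attempted-admin; sid:2102650; rev:4;)
"""
REF_BASES = {  # assumed reference.config prefixes
    "cve": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=",
    "bugtraq": "http://www.securityfocus.com/bid/",
    "url": "http://",
}
# Constructed baseline: (src, dst, dst_port) pairings already known to be normal.
BASELINE = {("192.0.2.10", "198.51.100.20", "1521")}

_HEADER = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$')
_OPTION = re.compile(r'(\w+):((?:"[^"]*"|[^;])*);')  # key:value; with quoted values kept whole

def parse_rules(text):
    """Map sid -> the rule fields an analyst reads first (msg, classtype, references)."""
    rules = {}
    for line in text.splitlines():
        m = _HEADER.match(line.strip())
        if not m:
            continue  # blank line, comment, or not a rule header
        fields = {"dst_port": m.group(7), "references": []}
        for key, val in _OPTION.findall(m.group(8)):
            val = val.strip().strip('"')
            if key == "reference":
                rtype, _, rval = val.partition(",")
                fields["references"].append((rtype, rval))
            elif key in ("msg", "classtype", "sid", "rev"):
                fields[key] = val
        if "sid" in fields:
            rules[int(fields["sid"])] = fields
    return rules

def reference_urls(refs):
    """Expand (type, value) references into URLs the analyst can open."""
    return [REF_BASES[t] + v for t, v in refs if t in REF_BASES]

def triage(sid, src, dst, rules, baseline):
    """Attach rule documentation to an alert and flag whether src/dst is an expected pairing."""
    rule = rules.get(sid)
    if rule is None:
        return {"sid": sid, "msg": None, "urls": [], "known_pairing": None}
    return {"sid": sid, "msg": rule["msg"], "classtype": rule.get("classtype"),
            "urls": reference_urls(rule["references"]),
            "known_pairing": (src, dst, rule["dst_port"]) in baseline}
```

A `known_pairing` of True does not clear the alert; it only tells you the hosts are the ones Lee expected, so the next step is the rule body and the vendor/version check Tony describes.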