Re: noobq: reading and acting on a snort alert

["Castle, Shane" <scastle () bouldercounty org>]

Also, if some of the connecting systems are in your HOME_NET space you can make EXTERNAL_NETS be !192.168.17.0/24.

Since this is SO you can look at the pcap to see if it's really Oracle traffic - maybe you missed a DB server 
somewhere? Or, as Joel suggests, somebody's being a bit pink? :D (sorry, couldn't resist the misspelling of "rogue")

-- 
Shane Castle
Data Security Mgr, Boulder County IT


-----Original Message-----
From: Jeremy Hoel [mailto:jthoel () gmail com] 
Sent: Thursday, May 09, 2013 12:52
To: MLP SCADA
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] noobq: reading and acting on a snort alert

Here's some simple questions and ideas

1 - Do you run Oracle on your network. If not, disable the rule.
Unless you are worried that someone else might be running Oracle..
rouge like.

2 - If it's ok to have inside hosts talk to this server on 1521, you
can change the rule to be 'alert tcp !$HOME_NET any -> $HOME_NET
1521...' using pulledpork's modifysid

3 - if there's just one host talking to another host and it's
expected, you could threshold that for the specifics src or dest..
(one of the other)

4 -0 you could right a local.rules pass rule to allow one host to talk
to another host on 1521.


Only you can answer the question of it's important and then how you
want to remove the alert from happening, these are just some quick
ideas.




On Thu, May 9, 2013 at 6:29 PM, MLP SCADA <MLPSCADA () ci anchorage ak us> wrote:
> I'm new to snort and struggling to understand exactly what it's trying to tell me.  I'm using a securityonion based 
> snort system.
>
> Here are the particulars:
>
>    $HOME_NET            192.168.17.0/24
>    $EXTERNAL_NET        any
>    Oracle servers on two boxes, 192.168.17.11 and 192.168.17.12,
>     both have instances listening on ports 1521, 1523 and 1525.
>
> I'm getting a -lot- of alerts from the following rule and I'm trying determine if I have a problem or not.
>
>    alert tcp $EXTERNAL_NET any -> $HOME_NET 1521 (msg:"ET POLICY
>    Suspicious inbound to Oracle SQL port 1521"; flow:to_server; flags:S;
>    threshold: type limit, count 5, seconds 60, track by_src;
>    reference:url,doc.emergingthreats.net/2010936;
>    classtype:bad-unknown; sid:2010936; rev:2;)
>
> If I'm reading the rule correctly, what this rule triggers on is:
>
>    any tcp traffic with the syn flag set from any port on any host in
>    any network (including $HOME_NET networks) directed at port 1521
>    on any host in any network in $HOME_NET.
>
> The tie to Oracle in this rule is simply that the destination port is 1521, typically associated with Oracle.  Not 
> from locating magic oracle tokens or signatures or whatever in the traffic itself.  (I've ignored the thresholding 
> for the purposes of this question).
>
> Is this correct?
>
> Assuming that it is, what to do about it?
>
> If I understand the rule correctly, then -based on this rule only- traffic with the syn flag set going to ports 1521, 
> 1523 or 1525 on these
> two boxes should be considered false positives.  Any other hits from this rule are true positives.  Is this correct?
>
> If so, how do I tune the system so that this rule does not make entries in the alert logs for the false positive 
> case, yet will still alert on non-oracle ip's ?  And how do I do it so that the tuning is maintained between rule 
> updates?
>
> Thanks!
>
> ------------------------------------------------------------------------------
> Learn Graph Databases - Download FREE O'Reilly Book
> "Graph Databases" is the definitive new guide to graph databases and
> their applications. This 200-page book is written by three acclaimed
> leaders in the field. The early access version is available now.
> Download your free book today! http://p.sf.net/sfu/neotech_d2d_may
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and 
their applications. This 200-page book is written by three acclaimed 
leaders in the field. The early access version is available now. 
Download your free book today! http://p.sf.net/sfu/neotech_d2d_may
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and 
their applications. This 200-page book is written by three acclaimed 
leaders in the field. The early access version is available now. 
Download your free book today! http://p.sf.net/sfu/neotech_d2d_may
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!