Snort mailing list archives
Re: Fwd: Snort catching backup as alert?
From: waldo kitty <wkitty42 () windstream net>
Date: Thu, 22 Aug 2013 14:02:52 -0400
On 8/22/2013 13:01, William Rehnquyst wrote:
> Thank you all for the replies, Alex, Jefferson and waldo kitty. I am currently using threshold to quiet it down, but not suppressing it.
yeah, generally that's the better option so that you can still catch it from other IPs instead of the ones you are seeing (and expecting) it on and getting too much noise from...
> My replies to waldo kitty's finer points below:
further responses in line
> On Mon, Aug 19, 2013 at 1:51 PM, waldo kitty <wkitty42 () windstream net> wrote:
>>> Below is the payload it captured, which triggered the alert:
>>> 1.
>>> sid:17340; rev:3;)
>> is looking on any port for a simple content only match... yes, this one is likely firing because of seeing that exact string... i note also that the rule is looking for traffic from $EXTERNAL_NET to $HOME_NET and that brings up a few questions:
>> 1. is your backup server external to your network?
>> 2. is this detection happening when your backup server is sending the traffic to a machine in your home net during a restore?
>
> 1. No, our backup is internal, and our current Snort configuration detects both ext and int traffic (I am aware of recommendations that ext and int sniffers be separated).
ok... that should be fine... i guess it may also come down to what those vars are set to... using 'any' for both could easily cause this because internal traffic would also qualify when $EXTERNAL_NET == any
> 2. Most likely not during a restore, but during backup. I don't have an exact time for when I know backup is happening, but I know it's happening during the backup window. And it triggers within the same hour every night.
ok...
>>> sid:17341; rev:2;)
>> this rule has three content matches but they are hex coded so not straight strings in the content matches... no idea if this rule is triggering on seeing itself...
>
> Just want to reiterate that those rules I posted are payloads that Snort captured, not copy-pasted from the rule file myself.
ahhh... ok... they were the payload of the packet that triggered the rule... that would seem to confirm my #1 above where the first rule is triggering based on the plain text string in the content match... so it is seeing itself... this #2 and the rest were simply along for the ride being in the same packet... one fix for that rule that should help your situation would be to change that content match so that at least one character is hex coded instead of being plain text... then the rule should no longer match on itself... in rule 17340, change the original content match to read content:"|56|TX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8AC"; '|56|' is the hex code for the original capital 'V'... that change, alone, should fix this for your situation... one might possibly want to change additional characters to their hex code representations or maybe even the entire string...
>>> ps. On a side note, pardon my newbie-ness, how do screenshots and
>>> attachments work on a mailing list like this? I'm not sure whether
>>> they work or not because I never see them in the archive on seclists.org?
>> it is best to just copy'n'paste the information into a post rather than trying to do screenshots... mainly because graphics are larger than the data you are trying to show... as for them not appearing on seclists, that may be because seclists doesn't allow them and so strips them out... as a general rule, each mailing list is different... some do not allow attachments at all... others allow any attachments up to a certain size... then some restrict the type of attachments and may also apply size restrictions to them... these details should be available in the rules for the list which everyone should read before joining the list... as for other systems that import the list and make it available in another format, they have their own rules... as long as posts made on them that get transferred back to the list conform with the list's rules, there are no problems...
>
> I generally read/check the rules when I join a forum/mailing list like this, being a former moderator somewhere else;
ahhh... a brother from a different mother ;)
> but I did not see a rule page on the sign up page (and it's not like it's a forum that you can go in and search for it): https://lists.sourceforge.net/lists/listinfo/snort-users
i guess we need to see if we can get joel to prod the VRT web team to add a link to the FAQ on github :)
> Thanks for answering my questions in such detail waldo kitty. Much appreciated.
you are welcome... it is what i do :) O:)

--
NOTE: No off-list assistance is given without prior approval. Please keep mailing list traffic on the list unless private contact is specifically requested and granted.
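The self-match described in the thread (a plain-text content match firing on a backup stream that carries the rules file itself) can be demonstrated offline. The following Python is an added example, not code from the Snort project or from anyone in the thread: it models only the `content:"..."` matcher (literal text plus `|xx xx|` hex sections) and ignores every other rule option. The full rule lines and the sample packet payload are constructed; the thread supplies only the content string, the hex-encoded `|56|` variant and sid 17340.

```python
"""Why a plain-text Snort content match can fire on its own rule file.

Added example; not code from the Snort project or the list thread. Only the
content-string syntax is modelled. Rule text and sample payload are constructed.
"""


def decode_content(spec: str) -> bytes:
    """Turn a Snort content string into the bytes the engine searches for.

    Text between pipes is hex (spaces allowed, e.g. |56| or |4d 5a|);
    a backslash escapes the next character; everything else is literal.
    """
    out = bytearray()
    i = 0
    while i < len(spec):
        ch = spec[i]
        if ch == "|":
            end = spec.index("|", i + 1)
            out += bytes.fromhex(spec[i + 1:end].replace(" ", ""))
            i = end + 1
        elif ch == "\\" and i + 1 < len(spec):
            out.append(ord(spec[i + 1]))
            i += 2
        else:
            out.append(ord(ch))
            i += 1
    return bytes(out)


def content_matches(spec: str, payload: bytes) -> bool:
    """A bare content match is a plain substring search of the payload."""
    return decode_content(spec) in payload


# Content match from sid 17340 as quoted in the thread, and the version with
# the leading 'V' hex-encoded as |56|, which the reply suggests.
ORIGINAL_SPEC = "VTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8AC"
HEX_FIXED_SPEC = "|56|TX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8AC"


def rule_line(spec: str) -> str:
    """Constructed rule text around the content match. The header and msg
    are placeholders; the real rule's other options are not in the thread."""
    return (
        "alert tcp $EXTERNAL_NET any -> $HOME_NET any "
        f'(msg:"placeholder"; content:"{spec}"; sid:17340; rev:3;)'
    )


def fires_on_own_rule_file(spec: str) -> bool:
    """Would the rule fire on a packet carrying its own rule text, as happens
    when a backup job copies the rules directory across the network?"""
    backup_payload = rule_line(spec).encode("ascii")  # constructed packet
    return content_matches(spec, backup_payload)


if __name__ == "__main__":
    # The engine searches for the same bytes either way...
    print(decode_content(ORIGINAL_SPEC) == decode_content(HEX_FIXED_SPEC))  # True
    # ...but only the plain-text rule matches a copy of itself.
    print(fires_on_own_rule_file(ORIGINAL_SPEC))   # True
    print(fires_on_own_rule_file(HEX_FIXED_SPEC))  # False
    # Constructed traffic carrying the real string still trips the fixed rule.
    sample = b"GET /x?u=VTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8AC HTTP/1.0\r\n"
    print(content_matches(HEX_FIXED_SPEC, sample))  # True
```

The point the check makes explicit: hex-encoding one character changes the bytes stored in the rules file without changing the bytes the rule searches for, so the backup stream no longer contains the pattern while real traffic still does. The thresholding William is using is complementary rather than an alternative: in Snort 2.x threshold.conf syntax an `event_filter gen_id 1, sig_id 17340, type limit, track by_src, count 1, seconds 60` line caps how often the alert is logged, but the rule still matches the backup traffic underneath it, whereas the hex edit removes the false match at its source.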