Snort mailing list archives
RE: (2) how to handle this problem
From: "derk van de Velde" <derk () pcvisie nl>
Date: Fri, 21 May 2004 14:59:08 +0200
Hi, I asked for info on the Sourcefire RNA product; it is too expensive for us, it was about $5.500. I have to search on how to handle attacks via snort/snortalog.

derk

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Corey Rock
Sent: Thursday, 20 May 2004 18:21
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] how to handle this problem

Greetings!

The first most important thing you need to do is tune your rulebase to your environment. Not only will this make snort much more efficient, but it will reduce all the potential 'noise' or 'false positives' you might see with the default rule set (which is very broad, and covers a very general concept of hosts on a network) which don't apply to your network/hosts.

Snort is a great product for many reasons, and snortalog is a pretty cool script that can summarize your alerts files, and show you a 'top offender' etc... ntop (open source) is a great tool to give you an idea of network utilization. You could cross reference the snort alerts with ntop (if the sensors were all in the right spot) and verify if the alerts you see are in fact causing a higher utilization of the network. Ntop will break down net utilization by hosts and protocols.

<begin commercial plug>
Now, sorry to plug a commercial product, and I have no affiliation with them whatsoever (I work on the West Coast), but, if your company has $$$---you could check out a product like "RNA" by Sourcefire. You are asking about a better way to see the "real severe alerts":
http://sourcefire.com/products/rna.html
This product is very cool (I saw a demo @ SANS last month) and can quickly give you an idea of anomalous traffic/behavior on your network, in many different ways.
</end plug>

Snort is a great way to track alerts, if you tune the rulebase, and if the alerts apply to your environment. You still need to analyze the packets, however, to determine if the alert is genuine. If you don't have the time to do this, it might be best to look at a commercial product.

Corey

From: "derk van de Velde" <derk () pcvisie nl>
To: "AJ Butcher, Information Systems and Computing" <Alex.Butcher () bristol ac uk>, "snort user" <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] how to handle this problem
Date: Thu, 20 May 2004 16:17:55 +0200

Hi, I installed snort because some weeks ago, one machine inside our network attacked a lot of machines outside, so we were blocked by my ISP. I think snort is a good product to signal these attacks, is that correct? Because sometimes I get many alerts a day, is snortalog a good way to track them? Is there a better way to find (fast) the real severe alerts?

Thanks and regards,
derk

-----Original Message-----
From: AJ Butcher, Information Systems and Computing [mailto:Alex.Butcher () bristol ac uk]
Sent: Thursday, 20 May 2004 15:54
To: derk van de Velde; snort user
Subject: Re: [Snort-users] how to handle this problem

--On 20 May 2004 14:54 +0200 derk van de Velde <derk () pcvisie nl> wrote:

> Hi, I found this in my authlog from snort:
>
> May 20 02:19:28 pcvisie snort: [1:2307:2] WEB-PHP PayPal Storefront arbitrary command execution attempt [Classification: Web Application Attack] [Priority: 1]: {TCP} 10.0.3.128:4978 -> 207.46.130.110:80
> May 20 02:19:28 pcvisie snort: [1:2307:2] WEB-PHP PayPal Storefront arbitrary command execution attempt [Classification: Web Application Attack] [Priority: 1]: {TCP} 10.0.3.128:4979 -> 207.46.130.110:80
>
> snortalog said high. When I check the 2307 sid on snort.org, it is not clear to me how to handle this.

1) Check who the target machine (207.46.130.110) belongs to. According to WHOIS, it's Hotmail, so /if/ this /is/ a real attack, it's one of your users (I assume, from the 10.0.0.0/8 address) attacking Hotmail.

2) Verify whether the target machine is using PayPal Storefront. I would suggest "probably not".

3) Examine the payload of the packets that triggered the alert and compare with the rule to determine whether the rule might be a bit too dumb, and could be triggered by innocuous traffic (e.g. email, web pages, image files).

> What steps should I take?

If this is a real attack (I would guess not), the rest depends on your organisation's policy for dealing with misuse of its computer systems and networks. This is almost certainly a legal, rather than a technical matter.

> regards, derk

HTH,
Alex.
--
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing
GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
_________________________________________________________________ Is your PC infected? Get a FREE online computer virus scan from McAfee® Security. http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963 ------------------------------------------------------- This SF.Net email is sponsored by: Oracle 10g Get certified on the hottest thing ever to hit the market... Oracle 10g. Take an Oracle 10g class now, and we'll give you the exam FREE. http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users ------------------------------------------------------- This SF.Net email is sponsored by: Oracle 10g Get certified on the hottest thing ever to hit the market... Oracle 10g. Take an Oracle 10g class now, and we'll give you the exam FREE. http://ads.osdn.com/?ad_id149&alloc_id66&op=click _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- how to handle this problem derk van de Velde (May 20)
- Re: how to handle this problem AJ Butcher, Information Systems and Computing (May 20)
- RE: how to handle this problem derk van de Velde (May 20)
- RE: how to handle this problem AJ Butcher, Information Systems and Computing (May 20)
- RE: how to handle this problem derk van de Velde (May 20)
- <Possible follow-ups>
- RE: how to handle this problem Corey Rock (May 20)
- RE: how to handle this problem derk van de Velde (May 21)
- RE: (2) how to handle this problem derk van de Velde (May 21)
- RE: how to handle this problem Corey Rock (May 22)
- Re: how to handle this problem AJ Butcher, Information Systems and Computing (May 20)