Re: Snort Configurations

[Joel Esler <jesler () sourcefire com>]

Did you compile Snort with the following tag:

--enable-decoder-preprocessor-rules

?

On Thu, Sep 23, 2010 at 11:01 AM, Greg Lane <greglane () laneconstinc com> wrote:
> How would I know if I'm not using preprocessor rules?  I wouldn't be getting
> the alert if I wasn't or am I wrong in assuming that? I’m looking at my
> snort.conf file and the path to preprocessor rules is correct but I also
> found in step 8 looked like this
>
> # decoder and preprocessor event rules
> # include $PREPROC_RULE_PATH/preprocessor.rules
> # include $PREPROC_RULE_PATH/decoder.rules
> # include $PREPROC_RULE_PATH/sensitive-data.rules
>
> I then uncommented preprocessor.rules var and it still is giving me the
> alert.  I'm sorry if I'm a nuisance but I'm learning this all at once and it
> seems that it should be not alerting at this point and trying to figure out
> why.
>
> Greg Lane
> IT Manager
> Lane Enterprises
>
> Email:  greglane () laneconstinc com
> Phone: (228)872-2414
>
>
> -----Original Message-----
> From: Joel Esler [mailto:jesler () sourcefire com]
> Sent: Thursday, September 23, 2010 9:51 AM
> To: Greg Lane
> Subject: Re: [Snort-users] Snort Configurations
>
> Then you must not be using the preprocessor rules or something.  It
> depends on your compile.
>
> Go with the suppressions, they'll kill it either way.
>
> J
>
> On Thu, Sep 23, 2010 at 10:49 AM, Greg Lane <greglane () laneconstinc com>
> wrote:
> > I did twice.  I killed both the snort and barnyard2 processes and started
> > them again in the terminal and read barnyard2's output and the rule I
> > commented out in the preprocessor.rules file is still there.  In fact I
> > commented out all the http rules in the preprocessor.rules file and still
> > getting the alerts.  I looked in the gen-msg file and wonder if I should
> > comment those out also but they shouldn't even be getting to that point if
> > my logic is correct because the rule shouldn't be alerting.
> >
> > Greg Lane
> > IT Manager
> > Lane Enterprises
> >
> > Email:  greglane () laneconstinc com
> > Phone: (228)872-2414
> >
> >
> > -----Original Message-----
> > From: Joel Esler [mailto:jesler () sourcefire com]
> > Sent: Thursday, September 23, 2010 9:45 AM
> > To: Greg Lane
> > Cc: Alex Tatistcheff; snort-users () lists sourceforge net
> > Subject: Re: [Snort-users] Snort Configurations
> >
> > "Or you can suppress the output in threshold.conf with something like:
> > suppress gen_id 119, sig_id 13"
> >
> >
> > Make sure you restart Snort after the changes.
> >
> > J
> >
> > On Thu, Sep 23, 2010 at 10:22 AM, Greg Lane <greglane () laneconstinc com>
> > wrote:
> > > I’m commenting out the rules in the preprocessor.rules file and I’m still
> > > getting the alert.  Gen_id 119  sid 19 long header.  Why is it still
> > > alerting?
> > >
> > >
> > >
> > > Greg Lane
> > >
> > > IT Manager
> > >
> > > Lane Enterprises
> > >
> > >
> > >
> > > Email:  greglane () laneconstinc com
> > >
> > > Phone: (228)872-2414
> > >
> > >
> > >
> > > From: alex.tatistcheff () gmail com [mailto:alex.tatistcheff () gmail com] On
> > > Behalf Of Alex Tatistcheff
> > > Sent: Wednesday, September 22, 2010 9:46 PM
> > > To: Greg Lane
> > > Cc: wkitty42 () windstream net; snort-users () lists sourceforge net
> > >
> > > Subject: Re: [Snort-users] Snort Configurations
> > >
> > >
> > >
> > > You can suppress the alerting and not affect the normalization (the
> > > important part) of the http_inspect preprocessor by commenting out the
> > rules
> > > in the preprocessor.rules file.
> > >
> > > Or you can suppress the output in threshold.conf with something like:
> > > suppress gen_id 119, sig_id 13
> > >
> > > The first option is what I would recommend.
> > >
> > > Alex Tatistcheff
> > > alext () pobox com
> > >
> > > The most terrifying words in the English language are, "I'm from the
> > > government and I'm here to help." -Ronald Reagan
> > >
> > > On Wed, Sep 22, 2010 at 1:01 PM, Greg Lane <greglane () laneconstinc com>
> > > wrote:
> > >
> > > Well there are 3 types of http_inspects that I am getting mainly.
> > >  http_inspect: LONG HEADER, http_inspect: NON-RFC DEFINED CHAR,
> > > http_inspect: OVERSIZE REQUEST-URI DIRECTORY.
> > > Everyone of the sources are from inside my network.  Many of them are to
> > > amazon EC, quantserve.com(cookie related), yahoo, google, facebook, and
> > > Pandora.  So you can see that most of the traffic is legit and it isn't
> > > being triggered from outside the domain.  I'm just not sure how to cut
> > down
> > > on the number of alerts.  When I get that done I will move on to the next
> > > but I am trying to do this in steps so that I can understand everything
> > that
> > > is going on
> > >
> > > Greg Lane
> > > IT Manager
> > > Lane Enterprises
> > >
> > > Email:  greglane () laneconstinc com
> > > Phone: (228)872-2414
> > >
> > > -----Original Message-----
> > > From: waldo kitty [mailto:wkitty42 () windstream net]
> > > Sent: Wednesday, September 22, 2010 1:21 PM
> > > To: snort-users () lists sourceforge net
> > > Subject: Re: [Snort-users] Snort Configurations
> > >
> > > On 9/22/2010 12:39, Greg Lane wrote:
> > > > I’m starting to learn how to tune my Snort install and it is a slow
> > > > process.  I
> > > > have alerts like crazy because I know it needs to be tuned and I
> > > > especially have
> > > > a lot of http_inspect alerts coming up. I’ve been reading and from what
> I
> > > > can
> > > > gather if you don’t have a websever you may not really need this in
> > > > operation or
> > > > am I wrong?
> > >
> > > the answer is "it depends"... it depends on if you want to monitor
> > outbound
> > > http
> > > traffic to possibly catch infestations on your network that are reporting
> > in
> > > or
> > > attacking remote http servers... you might also catch (and be able to
> > > prevent)
> > > internal machines that are being redirected to driveby sites that would
> > > (attempt
> > > to) load them with infestation materials...
> > >
> > > > If I am wrong then what is the best possible solution for me to cut
> > > > down most of the alerts which are false positives so to speak or aren’t
> > > > dangerous at all? This will probably be one of many questions concerning
> > > > configs
> > > > coming to an email box near you.
> > >
> > > false positives need to be reported to those who write those rules so
> they
> > > can
> > > be looked into and adjusted if necessary...
> ----------------------------------------------------------------------------
> > --
> > > Start uncovering the many advantages of virtual appliances
> > > and start using them to simplify application deployment and
> > > accelerate your shift to cloud computing.
> > > http://p.sf.net/sfu/novell-sfdev2dev
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> ----------------------------------------------------------------------------
> > --
> > > Start uncovering the many advantages of virtual appliances
> > > and start using them to simplify application deployment and
> > > accelerate your shift to cloud computing.
> > > http://p.sf.net/sfu/novell-sfdev2dev
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> ----------------------------------------------------------------------------
> > --
> > > Nokia and AT&T present the 2010 Calling All Innovators-North America
> > contest
> > > Create new apps & games for the Nokia N8 for consumers in  U.S. and
> Canada
> > > $10 million total in prizes - $4M cash, 500 devices, nearly $6M in
> > marketing
> > > Develop with Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi Store
> > > http://p.sf.net/sfu/nokia-dev2dev
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users

------------------------------------------------------------------------------
Nokia and AT&T present the 2010 Calling All Innovators-North America contest
Create new apps & games for the Nokia N8 for consumers in  U.S. and Canada
$10 million total in prizes - $4M cash, 500 devices, nearly $6M in marketing
Develop with Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi Store 
http://p.sf.net/sfu/nokia-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users