Re: Snort against DARPA Dataset

[Sravan Bhamidipati <bsravanin () gmail com>]

> From: Sunny Fugate <fugate () unm edu>
> To: snort-users () lists sourceforge net
> Cc:
> Date: Mon, 2 Jul 2012 11:42:04 -0600
> Subject: Re: [Snort-users] Snort against DARPA Dataset
> Regarding your detection rates, check that you have signatures for the
> unidentified traffic.  Is it 30% of labelled attacks for which you have
> signatures, or 30% of the labelled attacks don't have signatures in Snort?

Only 30% of the labelled attacks have signatures in Snort.



>    As Robert pointed out, many of the old DARPA attacks may not be handled
> by current detection rules or current preprocessors.  It may also be that
> you might need to change/refine configuration of various specialized
> pre-processors. Some immediate things to check might be port-lists for
> various preprocessors which might prevent certain preprocessors and/or
> rules from being applied if traffic is not on an expected port.   You'll
> need to examine your missed attacks, see if these are handled at all by
> Snort and by which preprocessor and whether the preprocessor is configured
> such that it would detect them.


Thank you, Sunny. I had thought of examining the missed attacks, but it
somehow slipped my mind. I did what you suggested.

In my Snort config, I have a list of IP addresses defined as HOME_NET. Of
the alerts generated by Snort roughly 90% have these IP addresses as the
destinations, 5% have these IP addresses as sources (but not destinations).
Is this expected behavior? Is Snort "less concerned" about outgoing
packets? Is there a way to change that behavior, or is that against the
norms of an IDS?

This could be a major cause of the low detection rates I am getting,
because 80% of the labelled attacks have a destination that is not part of
HOME_NET.

This is counter-intuitive to my understanding. I had been of the opinion
that an "intrusion" means HOME_NET is the destination, and "exfiltration"
(or whatever happens after a system is compromised) has HOME_NET as the
source.



From: waldo kitty <wkitty42 () windstream net>
> To: snort-users () lists sourceforge net
> Cc:
> Date: Tue, 03 Jul 2012 01:25:25 -0400
> Subject: Re: [Snort-users] Snort against DARPA Dataset
> On 7/2/2012 10:21, Sravan Bhamidipati wrote:
>
> > Are there any recommended portscan detection tools that can play tcpdump
> > files?
> > I have tried scanlogd and psad, and didn't find the option.
>
> what's wrong with wireshark or similar? (other than maybe being
> winwhatever based??)


Sorry,  Waldo. I couldn't figure out how to detect portscans using
Wireshark.

However, I looked at the counts of (Source IP, Destination IP) ordered
pairs in the list of labelled attacks, and found that about 60% of them
correspond to just 3 such ordered pairs. My guess is that these are some
kind of DoS attacks. (The source IP is sending packets to the destination
IP using 65536 x 1024 combinations of source and destination port numbers.)
None of these generated Snort alerts. Does Snort have a problem detecting
DoS attacks or could I be missing some important setting in snort.conf?

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!