Snort mailing list archives
Re: Snort against DARPA Dataset
From: Sravan Bhamidipati <bsravanin () gmail com>
Date: Thu, 5 Jul 2012 11:12:25 -0400
From: Sunny Fugate <fugate () unm edu> To: snort-users () lists sourceforge net Cc: Date: Mon, 2 Jul 2012 11:42:04 -0600 Subject: Re: [Snort-users] Snort against DARPA Dataset Regarding your detection rates, check that you have signatures for the unidentified traffic. Is it 30% of labelled attacks for which you have signatures, or 30% of the labelled attacks don't have signatures in Snort?
Only 30% of the labelled attacks have signatures in Snort.
As Robert pointed out, many of the old DARPA attacks may not be handled by current detection rules or current preprocessors. It may also be that you might need to change/refine configuration of various specialized pre-processors. Some immediate things to check might be port-lists for various preprocessors which might prevent certain preprocessors and/or rules from being applied if traffic is not on an expected port. You'll need to examine your missed attacks, see if these are handled at all by Snort and by which preprocessor and whether the preprocessor is configured such that it would detect them.
Thank you, Sunny. I had thought of examining the missed attacks, but it somehow slipped my mind. I did what you suggested. In my Snort config, I have a list of IP addresses defined as HOME_NET. Of the alerts generated by Snort roughly 90% have these IP addresses as the destinations, 5% have these IP addresses as sources (but not destinations). Is this expected behavior? Is Snort "less concerned" about outgoing packets? Is there a way to change that behavior, or is that against the norms of an IDS? This could be a major cause of the low detection rates I am getting, because 80% of the labelled attacks have a destination that is not part of HOME_NET. This is counter-intuitive to my understanding. I had been of the opinion that an "intrusion" means HOME_NET is the destination, and "exfiltration" (or whatever happens after a system is compromised) has HOME_NET as the source. From: waldo kitty <wkitty42 () windstream net>
To: snort-users () lists sourceforge net Cc: Date: Tue, 03 Jul 2012 01:25:25 -0400 Subject: Re: [Snort-users] Snort against DARPA Dataset On 7/2/2012 10:21, Sravan Bhamidipati wrote:Are there any recommended portscan detection tools that can play tcpdump files? I have tried scanlogd and psad, and didn't find the option.what's wrong with wireshark or similar? (other than maybe being winwhatever based??)
Sorry, Waldo. I couldn't figure out how to detect portscans using Wireshark. However, I looked at the counts of (Source IP, Destination IP) ordered pairs in the list of labelled attacks, and found that about 60% of them correspond to just 3 such ordered pairs. My guess is that these are some kind of DoS attacks. (The source IP is sending packets to the destination IP using 65536 x 1024 combinations of source and destination port numbers.) None of these generated Snort alerts. Does Snort have a problem detecting DoS attacks or could I be missing some important setting in snort.conf?
------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Re: Snort against DARPA Dataset Sravan Bhamidipati (Jul 02)
- Re: Snort against DARPA Dataset Sunny Fugate (Jul 02)
- Re: Snort against DARPA Dataset waldo kitty (Jul 02)
- Re: Snort against DARPA Dataset Sravan Bhamidipati (Jul 05)
- Re: Snort against DARPA Dataset Sunny Fugate (Jul 05)
- Re: Snort against DARPA Dataset Sravan Bhamidipati (Jul 05)
- Re: Snort against DARPA Dataset Patrick Mullen (Jul 05)
- Re: Snort against DARPA Dataset Sravan Bhamidipati (Jul 05)
- Re: Snort against DARPA Dataset Sunny Fugate (Jul 05)
- <Possible follow-ups>
- Re: Snort against DARPA Dataset Sravan Bhamidipati (Jul 13)
- Re: Snort against DARPA Dataset waldo kitty (Jul 14)
- Re: Snort against DARPA Dataset Joel Esler (Jul 14)
- Re: Snort against DARPA Dataset waldo kitty (Jul 16)
- Re: Snort against DARPA Dataset waldo kitty (Jul 14)