Re: Only monitor high severity alerts

[Tom Voussure <tom.voussure () gmail com>]

Hi Jeremy,

Thx for the info!

I'll have a look at the autocat possibilities.

So far i didn't change anything yet to the snort.conf, but i'll also dig into that.

Thx for the quick reply!

Kr,
Tom


On 2-nov.-2012, at 17:02, Jeremy Hoel <jthoel () gmail com> wrote:

> All the gui's show you all the alerts in one way or another.  With snorby you have an events tab, so as you classify 
> an alert (or all alerts of a type/src/dest) they will go away when you look at the events tab.. it's like a real time 
> view.  Snorby doesn't offer auto classificiation (yet?  I think Dustin mentioned he might work on that some how) so 
> you'll have to classify all alerts.  But you can mass classify based on src/dest/rule.. so that might be what you are 
> looking for.
>
> I use sguil on a regular basis with 50 sensors on a /16 home net, so I'll talk about that. it does have a file called 
> autocat.  It lets you automatically catagorize alerts based on source, dest, time, rule, etc.  So snort would still 
> fire on the rule and generate an alert, but it gets removed from the real time window so you won't see it unless you 
> look up an ip or alert time/type.  We use this to filter out things that won't be fixed but are good to know about 
> (old java, flash, port scans, rdp to/from local, etc).. things we might want to see if we research an ip, but don't 
> want to see day to day.
>
> There's no way to say just show cat I.. and you wouldn't want too.  The categories aren't always what you think they 
> might be.
>
> Have you customized any of the variables in snort.conf?  That can really help reduce false positives.
>
>
>
> On Fri, Nov 2, 2012 at 3:47 PM, Tom Voussure <tom.voussure () gmail com> wrote:
> > Hi Jeremy,
> >
> > I've installed a security onion distro, with Snort, pulledpork, mysql db and i use snorby as Snort-gui.
> >
> > I just installed everything in the default mode, and get around +50gb off diskusage per day.
> >
> > I have a network with +5000 devices, so there are indeed some false positives, but filtering out some 
> > source/destination ips will not do the trick i'm afraid.
> >
> > It would be nice that i could filter at the source, meaning only having rules for high severity alerts or let snort 
> > only process these types of alerts.
> >
> > As i'm new, all hints are very much appreciated!
> >
> > Thx,
> > Tom
> >
> >
> >
> >
> >
> > On 2-nov.-2012, at 16:17, Jeremy Hoel <jthoel () gmail com> wrote:
> >
> > > Well, what are you using to monitor the alerts?
> > >
> > > Also, if you can look at the large number alerts, they might false positives (ie: port scan proccessor, or IPC$ 
> > > from file servers to clients), and that's where tweaking the IP variables and disabling or threshold (by ip) rules 
> > > comes in.
> > >
> > >
> > > On Fri, Nov 2, 2012 at 3:09 PM, Tom Voussure <tom.voussure () gmail com> wrote:
> > > > Hi,
> > > > I've installed Snort some days ago for the first time, so i'm still a newby :-)
> > > >
> > > > I've configured a SPAN port to monitor all our incoming/outgoing traffic from the internet and got lots of alerts 
> > > > (around 50.000 in 3 days times).
> > > >
> > > > As I can't review all of them, I would like to start concentrating on the high severity alerts only, and let the 
> > > > medium and low severity alerts untouched.
> > > >
> > > > Is there an easy way to only monitor the high severity alerts or to download only rules for high severity alerts?
> > > >
> > > > Thanks !
> > > > tom
> > > >
> > > >
> > > > ------------------------------------------------------------------------------
> > > > LogMeIn Central: Instant, anywhere, Remote PC access and management.
> > > > Stay in control, update software, and manage PCs from one command center
> > > > Diagnose problems and improve visibility into emerging IT issues
> > > > Automate, monitor and manage. Do more in less time with Central
> > > > http://p.sf.net/sfu/logmein12331_d2d
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users () lists sourceforge net
> > > > Go to this URL to change user options or unsubscribe:
> > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > Snort-users list archive:
> > > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > > >
> > > > Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------
LogMeIn Central: Instant, anywhere, Remote PC access and management.
Stay in control, update software, and manage PCs from one command center
Diagnose problems and improve visibility into emerging IT issues
Automate, monitor and manage. Do more in less time with Central
http://p.sf.net/sfu/logmein12331_d2d

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!