Snort mailing list archives
Re: noobq: reading and acting on a snort alert
From: "Castle, Shane" <scastle () bouldercounty org>
Date: Thu, 9 May 2013 19:00:11 +0000
Also, if some of the connecting systems are in your HOME_NET space you can make EXTERNAL_NET be !192.168.17.0/24. Since this is SO you can look at the pcap to see if it's really Oracle traffic - maybe you missed a DB server somewhere? Or, as Joel suggests, somebody's being a bit pink? :D (sorry, couldn't resist the misspelling of "rogue")

--
Shane Castle
Data Security Mgr, Boulder County IT

-----Original Message-----
From: Jeremy Hoel [mailto:jthoel () gmail com]
Sent: Thursday, May 09, 2013 12:52
To: MLP SCADA
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] noobq: reading and acting on a snort alert

Here are some simple questions and ideas:

1 - Do you run Oracle on your network? If not, disable the rule. Unless you are worried that someone else might be running Oracle.. rouge like.
2 - If it's ok to have inside hosts talk to this server on 1521, you can change the rule to be 'alert tcp !$HOME_NET any -> $HOME_NET 1521...' using pulledpork's modifysid.
3 - If there's just one host talking to another host and it's expected, you could threshold that for the specific src or dest.. (one or the other)
4 - You could write a local.rules pass rule to allow one host to talk to another host on 1521.

Only you can answer the question of whether it's important and then how you want to remove the alert from happening; these are just some quick ideas.

On Thu, May 9, 2013 at 6:29 PM, MLP SCADA <MLPSCADA () ci anchorage ak us> wrote:
I'm new to snort and struggling to understand exactly what it's trying to tell me. I'm using a securityonion based snort system. Here are the particulars:

$HOME_NET 192.168.17.0/24
$EXTERNAL_NET any

Oracle servers on two boxes, 192.168.17.11 and 192.168.17.12, both have instances listening on ports 1521, 1523 and 1525.

I'm getting a -lot- of alerts from the following rule and I'm trying to determine if I have a problem or not.

alert tcp $EXTERNAL_NET any -> $HOME_NET 1521 (msg:"ET POLICY Suspicious inbound to Oracle SQL port 1521"; flow:to_server; flags:S; threshold: type limit, count 5, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2010936; classtype:bad-unknown; sid:2010936; rev:2;)

If I'm reading the rule correctly, what this rule triggers on is: any tcp traffic with the syn flag set from any port on any host in any network (including $HOME_NET networks) directed at port 1521 on any host in any network in $HOME_NET. The tie to Oracle in this rule is simply that the destination port is 1521, typically associated with Oracle. Not from locating magic oracle tokens or signatures or whatever in the traffic itself. (I've ignored the thresholding for the purposes of this question). Is this correct?

Assuming that it is, what to do about it? If I understand the rule correctly, then -based on this rule only- traffic with the syn flag set going to ports 1521, 1523 or 1525 on these two boxes should be considered false positives. Any other hits from this rule are true positives. Is this correct? If so, how do I tune the system so that this rule does not make entries in the alert logs for the false positive case, yet will still alert on non-Oracle IPs? And how do I do it so that the tuning is maintained between rule updates?

Thanks!

------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and their applications. This 200-page book is written by three acclaimed leaders in the field. The early access version is available now. Download your free book today!
http://p.sf.net/sfu/neotech_d2d_may
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
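The rule-header reading MLP asks about, and the two header-level fixes proposed in the thread (Jeremy's `!$HOME_NET` rewrite via modifysid, and Shane's redefinition of EXTERNAL_NET), worked through as an added Python example that is not part of the thread or of Snort itself. The sample SYN packets, the variable sets and the evaluator are constructed here; it models only the header plus the rule's flags:S option and ignores the threshold.

```python
import ipaddress

# Variables as the original poster configured them; SHANE_VARS is Shane's
# alternative of redefining EXTERNAL_NET instead of touching the rule.
SITE_VARS = {"HOME_NET": "192.168.17.0/24", "EXTERNAL_NET": "any"}
SHANE_VARS = {"HOME_NET": "192.168.17.0/24", "EXTERNAL_NET": "!192.168.17.0/24"}

ORIGINAL = "alert tcp $EXTERNAL_NET any -> $HOME_NET 1521"  # sid 2010936 header as shipped
MODIFIED = "alert tcp !$HOME_NET any -> $HOME_NET 1521"     # Jeremy's option 2 (modifysid)

def _resolve(token, vars_):
    """Expand $VAR references and fold any '!' negations into a single flag."""
    neg = False
    while True:
        if token.startswith("!"):
            neg, token = not neg, token[1:]
        elif token.startswith("$"):
            token = vars_[token[1:]]
        else:
            return neg, token

def ip_matches(spec, addr, vars_):
    """Snort address spec ('any', CIDR, $VAR, optional '!') against one IP."""
    neg, spec = _resolve(spec, vars_)
    hit = spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)
    return hit != neg

def port_matches(spec, port):
    return spec == "any" or int(spec) == port

def rule_fires(header, pkt, vars_):
    """Header match plus the body's flags:S (bare SYN); the threshold is ignored."""
    _, proto, src, sport, arrow, dst, dport = header.split()
    if arrow != "->":
        raise ValueError("only unidirectional headers are handled here")
    return (pkt["proto"] == proto and pkt["flags"] == "S"
            and ip_matches(src, pkt["src"], vars_) and port_matches(sport, pkt["sport"])
            and ip_matches(dst, pkt["dst"], vars_) and port_matches(dport, pkt["dport"]))

# Constructed sample SYNs: an inside client to 1521, an outside host to 1521,
# and an inside client to the 1523 listener (which this rule never covers).
PACKETS = {
    "inside_to_1521": dict(proto="tcp", flags="S", src="192.168.17.50", sport=51000, dst="192.168.17.11", dport=1521),
    "outside_to_1521": dict(proto="tcp", flags="S", src="203.0.113.9", sport=40000, dst="192.168.17.11", dport=1521),
    "inside_to_1523": dict(proto="tcp", flags="S", src="192.168.17.50", sport=51001, dst="192.168.17.12", dport=1523),
}

def evaluate(header, vars_):
    """Which sample packets would this header, under these variables, alert on?"""
    return {name: rule_fires(header, pkt, vars_) for name, pkt in PACKETS.items()}
```

`evaluate(ORIGINAL, SITE_VARS)` flags both 1521 SYNs, confirming MLP's reading that the shipped header matches inside hosts too, while `evaluate(MODIFIED, SITE_VARS)` and `evaluate(ORIGINAL, SHANE_VARS)` keep only the outside one. The SYN to 1523 is never matched because the header names port 1521 only, so the 1523 and 1525 listeners are not a false-positive source for this particular rule.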
Current thread:
- noobq: reading and acting on a snort alert MLP SCADA (May 09)
- Re: noobq: reading and acting on a snort alert Jeremy Hoel (May 09)
- Re: noobq: reading and acting on a snort alert Castle, Shane (May 09)
- Re: noobq: reading and acting on a snort alert MLP SCADA (May 09)
- Re: noobq: reading and acting on a snort alert Jeremy Hoel (May 09)
- Re: noobq: reading and acting on a snort alert Jeremy Hoel (May 09)