Snort mailing list archives

Re: threshold.conf - event_filter difficulties.


From: James Lay <jlay () slave-tothe-box net>
Date: Fri, 10 Apr 2015 20:29:53 -0600

On Fri, 2015-04-10 at 21:13 -0400, Jean-Pierre Zurbrügg wrote:

Hello James,  thanks for replying.
I'm not sure I'm following. The examples you shared are for specific
alerts. We'd like to control all rules with one global rule.


On Apr 10, 2015 6:59 PM, "James Lay" <jlay () slave-tothe-box net> wrote:

        On Fri, 2015-04-10 at 08:54 -0400, Jean-Pierre Zurbrügg
        wrote: 
        
        > Hello everyone,
        > 
        > 
        > Current setup:
        > 
        > 
        > Ubuntu 12.04.5 LTS  3.2.0-23-generic #36-Ubuntu SMP Tue Apr
        > 10 20:39:51 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
        > Snort Version 2.9.7.2 GRE (Build 177)
        > Using PCRE version: 8.12 2011-01-15
        > Using ZLIB version: 1.2.3.4
        > Compile options: 
        > ./configure --enable-sourcefire
        > make
        > sudo make install
        > 
        > 
        > pulledpork was used to update rules, config:
        > 
        > 
        > rule_url=https://www.snort.org/reg-rules/|
        > snortrules-snapshot.tar.gz|<oink code>
        > rule_url=http://labs.snort.org/feeds/ip-filter.blf|
        > IPBLACKLIST|open
        > rule_url=https://www.snort.org/reg-rules/|
        > opensource.gz|<oink code>
        > rule_url=https://rules.emergingthreatspro.com/|
        > emerging.rules.tar.gz|open
        > ignore=deleted.rules,experimental.rules,local.rules
        > temp_path=/tmp
        > rule_path=/etc/snort/rules/snort.rules
        > local_rules=/etc/snort/rules/local.rules
        > sid_msg=/etc/snort/sid-msg.map
        > sid_msg_version=2
        > sid_changelog=/var/log/sid_changes.log
        > sorule_path=/usr/local/lib/snort_dynamicrules/
        > snort_path=/usr/local/bin/snort
        > config_path=/etc/snort/snort.conf
        > distro=Ubuntu-10-4
        > black_list=/etc/snort/rules/iplists/default.blacklist
        > IPRVersion=/etc/snort/rules/iplists
        > snort_control=/usr/local/bin/snort_control
        > enablesid=/etc/snort/enablesid.conf
        > dropsid=/etc/snort/dropsid.conf
        > disablesid=/etc/snort/disablesid.conf
        > modifysid=/etc/snort/modifysid.conf
        > version=0.7.0
        > 
        > 
        > We are trying to setup a global event_filter in hopes of
        > controlling the amount of duplicated events that get fired
        > from the same src\dst per second.
        > We see a bunch of alerts being fired multiple times within
        > the same timestamp.
        > 
        > 
        > Steps taken:
        > edit /etc/snort/threshold.conf:
        > -------add line: event_filter gen_id 0, sig_id 0, type
        > limit, track by_src, count 1, seconds 15
        > **** We have also tried track by dst and also tried
        > individual event_filter by rule gen\sig.
        > **** We have also tried using the deprecated 'threshold
        > command'
        > 
        > 
        > edit /etc/snort/snort.conf
        > ------ verify that we have this line added: include
        > threshold.conf
        > 
        > 
        > Run snort with following command: snort -A console -q -u
        > snort -g snort -c /etc/snort/snort.conf -i eth0
        > 
        > 
        > Confirm we see the following lines in the output:
        > 
        > 
        > Apr 9 09:22:15 nth-garbage snort[398]:
        > +-----------------------[event-filter-global]----------------------------------
        > Apr 9 09:22:15 nth-garbage snort[398]: | gen-id=global
        > sig-id=global type=Limit     tracking=src count=1
        > seconds=15
        > Apr 9 09:22:15 nth-garbage snort[398]:
        > +-----------------------[event-filter-local]-----------------------------------
        > ******************************* VERY LONG LIST OF
        > EVENT-FILTER RULES HERE **************************
        > 
        > 
        > 
        > 
        > We don't know what we are doing wrong. Events of the same
        > rule get fired multiple times within the same second.
        > Examples:
        > 
        > 
        > gen 1 \ sig 2014473 --- ET INFO JAVA - Java Archive Download
        > By Vulnerable Client
        > gen 1 \ sig 21646 --- EXPLOIT-KIT Blackhole exploit kit
        > landing page with specific structure[...]
        > 
        > 
        > Which event_filter takes priority, a Global or a local event
        > filter? 
        > 
        > 
        > Any tips would be greatly appreciated!
        > 
        > 
        > Thanks in advance.
        > 
        > ------------------------------------------------------------------------------
        > BPM Camp - Free Virtual Workshop May 6th at 10am PDT/1PM EDT
        > Develop your own process in accordance with the BPMN 2 standard
        > Learn Process modeling best practices with Bonita BPM through live exercises
        > http://www.bonitasoft.com/be-part-of-it/events/bpm-camp-virtual- event?utm_
        > source=Sourceforge_BPM_Camp_5_6_15&utm_medium=email&utm_campaign=VA_SF
        > _______________________________________________
        > Snort-users mailing list
        > Snort-users () lists sourceforge net
        > Go to this URL to change user options or unsubscribe:
        > https://lists.sourceforge.net/lists/listinfo/snort-users
        > Snort-users list archive:
        > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
        > 
        > Please visit http://blog.snort.org to stay current on all the latest Snort news!
        
        
        Need to have the gen and sig match like so:
        
        event_filter gen_id 1, sig_id 2014473, type limit, track
        by_src, count 1, seconds 15
        event_filter gen_id 1, sig_id 21646, type limit, track by_src,
        count 1, seconds 15
        
        James
        
        

Ahh....I follow now.  I believe that you will need to specify the by_src
IP address.  Can someone on this list correct me if that's the case?

James
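The open question in this thread is which filter wins when a global gen_id 0 / sig_id 0 event_filter and a rule-specific one both exist. The Snort manual's event-filtering section documents that the global filter applies only to signatures that have no filter of their own, that a rule-specific event_filter (whether written in threshold.conf or carried in a rule's own threshold: option, which is where the long [event-filter-local] list in the startup output comes from) takes precedence, and that only one event_filter may be defined per gen_id/sig_id pair. The model below is an added example, not Snort's code: it implements those documented semantics (types limit, threshold and both; tracking by_src or by_dst; the global filter still counting per signature and per tracked IP) and replays constructed alerts for the two signatures from the post through the poster's global filter. The rule-specific filter for sid 2014473, the IP addresses and the timestamps are constructed for the demonstration and say nothing about the real rule.

```python
"""Model of Snort 2.x event_filter semantics (added example, not Snort code).
Follows the Snort manual's "Event Filtering" section: types limit/threshold/both,
track by_src/by_dst, and a gen_id 0 sig_id 0 global filter that a rule-specific
filter for the same gen_id/sig_id overrides."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class EventFilter:
    gen_id: int
    sig_id: int
    type: str     # "limit", "threshold" or "both"
    track: str    # "by_src" or "by_dst"
    count: int
    seconds: int


@dataclass(frozen=True)
class Alert:
    ts: int       # packet time, seconds since epoch
    gen_id: int
    sig_id: int
    src: str
    dst: str


def parse_event_filter(line: str) -> EventFilter:
    """Parse a threshold.conf line such as
    'event_filter gen_id 1, sig_id 21646, type limit, track by_src, count 1, seconds 15'."""
    name, _, rest = line.strip().partition(" ")
    if name != "event_filter":
        raise ValueError("not an event_filter line: %r" % line)
    kv = dict(part.split() for part in rest.split(","))
    return EventFilter(int(kv["gen_id"]), int(kv["sig_id"]), kv["type"],
                       kv["track"], int(kv["count"]), int(kv["seconds"]))


class EventFilterTable:
    def __init__(self, conf_lines: List[str]) -> None:
        self.filters: Dict[Tuple[int, int], EventFilter] = {}
        for f in map(parse_event_filter, conf_lines):
            if (f.gen_id, f.sig_id) in self.filters:
                # Snort refuses to start on a second filter for the same pair.
                raise ValueError("duplicate event_filter for gen_id %d, sig_id %d"
                                 % (f.gen_id, f.sig_id))
            self.filters[(f.gen_id, f.sig_id)] = f
        # Tracking state per (gen_id, sig_id, tracked IP): [window_start, count].
        self.state: Dict[Tuple[int, int, str], List[int]] = {}

    def should_log(self, a: Alert) -> bool:
        """True if the alert survives filtering and reaches the output plugin."""
        # A rule-specific filter wins; the global one only covers sigs without one.
        f = self.filters.get((a.gen_id, a.sig_id)) or self.filters.get((0, 0))
        if f is None:
            return True
        ip = a.src if f.track == "by_src" else a.dst
        key = (a.gen_id, a.sig_id, ip)   # the global filter still counts per signature
        st = self.state.get(key)
        if st is None or a.ts - st[0] >= f.seconds:
            st = self.state[key] = [a.ts, 1]   # first event of a new window
        else:
            st[1] += 1
        if f.type == "limit":            # log the first `count` events per window
            return st[1] <= f.count
        if f.type == "threshold":        # log every `count`-th event
            if st[1] >= f.count:
                st[0], st[1] = a.ts, 0
                return True
            return False
        return st[1] == f.count          # both: log once per window, on the count-th event


# Constructed threshold.conf: the poster's global filter plus a hypothetical
# rule-specific filter for sid 2014473 (the kind listed under [event-filter-local]).
THRESHOLD_CONF = [
    "event_filter gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 15",
    "event_filter gen_id 1, sig_id 2014473, type limit, track by_src, count 5, seconds 60",
]
T0 = 1_428_571_335   # constructed epoch time; only the deltas matter
SAMPLE_ALERTS = [    # constructed alerts, not real captures
    Alert(T0, 1, 21646, "10.0.0.5", "192.0.2.10"),       # three hits in one second
    Alert(T0, 1, 21646, "10.0.0.5", "192.0.2.10"),
    Alert(T0, 1, 21646, "10.0.0.5", "192.0.2.10"),
    Alert(T0, 1, 21646, "10.0.0.6", "192.0.2.10"),       # other src: its own window
    Alert(T0, 1, 2014473, "10.0.0.5", "192.0.2.10"),     # three hits in one second
    Alert(T0, 1, 2014473, "10.0.0.5", "192.0.2.10"),
    Alert(T0, 1, 2014473, "10.0.0.5", "192.0.2.10"),
    Alert(T0 + 5, 1, 21646, "10.0.0.5", "192.0.2.10"),   # still inside the 15 s window
    Alert(T0 + 15, 1, 21646, "10.0.0.5", "192.0.2.10"),  # window expired: logged again
]


def logged_per_sig(conf=THRESHOLD_CONF, alerts=SAMPLE_ALERTS) -> Dict[int, int]:
    """Replay alerts through the filters; count survivors per sig_id."""
    table, counts = EventFilterTable(conf), {}
    for a in alerts:
        if table.should_log(a):
            counts[a.sig_id] = counts.get(a.sig_id, 0) + 1
    return counts
```

With the global filter alone, the three same-second hits for sid 21646 from 10.0.0.5 collapse to one, the hit from 10.0.0.6 is logged separately because tracking is per source, and the next alert from 10.0.0.5 is logged only once the 15-second window has expired. The three same-second hits for sid 2014473 all survive, because the rule-specific limit of 5 per 60 seconds is the one consulted for that signature and the global filter never sees it; drop the second line of THRESHOLD_CONF and they collapse to one as well. That is the check to run against the [event-filter-local] list in the startup output: any signature that still fires repeatedly per second from one source is either listed there with its own filter or is being tracked on the other address than the one that repeats.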