[Snort-sigs] Snort.conf and rule file restructure

Nelson, James (CC-MIS Plans and Prog) James.Nelson at ...74...
Fri Mar 1 10:15:06 EST 2002


In my work with Snort I've found a way to keep alerts down, but it is
dependent on changing rule order to pass before alert (-o I believe),
modification of the snort.conf, AND SEVERAL modification to snort.conf, some
custom rules, and in the canned rules files.  I have tweaked and tuned my
snort configuration to the point that the alerts I do get pumped through a
syslogd filter, get bundled up into a text file, and push the info over
directly to my pager.  The problem at this point is scaling this management
discipline to tens of thousands of desktops, several thousand servers,
hundreds of NIDS tap points, etc.

In interest of ever being able to accelerate the rule updates, I thought I
would bring this up as a topic of discussion for the group.  

A)  Unusual/unexpected traffic shows an unbelievable amount of power in
detecting malicious code or activity on a network.  

B)  it is EXTREMELY difficult to say what is unusual without being able to
pull in certain environmental configuration from the machine.  Is it a
server?  Is it a workstation?  What's the machines IP address?  What's its
name?  Is it supposed to be monitoring the segment promiscuously or just
watch itself?  These are things it would be nice to have some automation
applied to.

C)  Like anti-virus, IDS engines are about as good as what they are told to
look for.  Rather than sitting down and hacking out something to address
everything I have brought up thus far.............  There needs to be a way
to make IDS engines "phone home" for updates before the fire the engine up
at system boot time and also on a polling interval.  An https, http, ftp, or
file path based method would do the trick.  Logically, the update push would
have to be defined according to system classification group (workstations,
servers, administrator stations, etc) to be extremely useful.


Case1: I have an group of administrator machines that using a tool and
nobody else is supposed to be using the tool.  I'll pick on VNC remote
control software for the purpose of example.

Case 2:  I have a Netbios service on workstations that is not supposed to be
accessed by anything but a few very specific servers.  (Netbios file sharing
on desktops is supposed to be accessed by SMS servers and desktop admins,
but nothing else in a pure client/server environment)

---------section of snort.conf---------------
HOSTNAME=mymachine
MY_IP=<some automated method of figuring out my DHCP lease address on
windows>

# known hosts that use VNC client to control desktops remotely
IGNORE_KNOWN_VNC_CLIENTS=[WWW.XXX.YYY.ZZZ/24]

# known hosts that are supposed to talk Netbios to the workstations
IGNORE_KNOWN_NETBIOS_INBOUND=[XXX.XXX.XXX.XXX,YYY.YYY.YYY.YYY]

--------end section of snort.conf -----------

Rule entry for case 1-- applied to all desktops:

alert tcp !$IGNORE_KNOWN_VNC_CLIENTS any -> $MY_IP any (msg:"$UN-Authorized
VNC Access on to $HOSTNAME $MY_IP"; flags: A+; content:"RFB 003.003";
classtype:bad-unknown; sid:9560; rev:1;)

alert tcp !$IGNORE_KNOWN_VNC_CLIENTS any -> any any (msg:"UN-Authorized VNC
Access on Network detected by $HOSTNAME"; flags: A+; content:"RFB 003.003";
classtype:bad-unknown; sid:9560; rev:1;)

Rule entry for case 2-- applied to all desktops:

alert tcp !$IGNORE_KNOWN_NETBIOS_INBOUND -> $HOME_NET 139 (msg:"Undefined
NETBIOS traffic to station $HOSTNAME"; classtype:bad-unknown; sid:9537;
rev:1;)

Statements with any are not nearly as powerful as statements with least
privilege ignore clauses when you are trying to detect and alert on the
things in a manner you can pay close attention to the alerts you receive.
False positives provide information overload and are pure poison to all IDS
systems.  

To me, IDS is a matter of telling engines what very specific things to
ignore more so than a matter of telling engines what specific patterns to
look for.  Then again, I start my email attachment anti-virus policy with
strip all attachments and my firewall policies with "deny any any log".  I
make the business owner request certain file types to be allowed to come
through if they pass the virus scanner.  I make business owners request port
openings based on business case for a request.  I'm just an IDS geek and
security guy.  I consider the state of security for computers in general
today to be relatively weak. I'm very delighted to be called backwards by
the system administrators who were responsible for building the things out
there today that I don't like.  

James

Borrowing the ideas of others is regarded as theft by some and the highest
form of flattery by others.





More information about the Snort-sigs mailing list