[Snort-sigs] Writing rules that produce less alerting noise

Nelson, James (CC-MIS Plans and Prog) James.Nelson at ...74...
Mon Mar 18 09:54:16 EST 2002


On certain rules, rather than doing alert calls in the rules files for every
packet, why not use activate rules that detect, then log without alerting
again?

Example 1)  VNC remote control sessions
Example 2)  PC-Anywhere remote control sessions
Example 3)  Telnet sessions on networks that have a policy against telnet
Example 4)  PPTP tunnel with null encryption
Example 5)  IKE jabber for IPSEC specifying null encryption

Why would anyone want to do this?  It would reduce the alert messages for a
traffic pattern that is repeated often inside of a session from the number
of packets showing the pattern to the number of SESSIONS showing the
pattern.

Here's where this idea gets tricky:  someone uses an http keep-alive session
and tries 10 different attacks.  Would activate rules catch the
first attack and alert, but then suppress all nine other attacks being
tried?  On one hand, it is nice to have all bad stuff from one TCP session
match one alert message, but on the other hand, is missing alert messages
about the other nine attacks inside the logged session a false negative?  (I
believe so)

It is my experience that alerting too much causes administrators to ignore
the data overloading them.  This is just my .02 worth on how to write rules
that produce significantly less alert noise but still seem to provide the
required level of detail for most organizations.

James
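The trade-off in this post can be made concrete with a small simulation. The following is an added example, not code from the mailing list, from Snort, or from the poster: it runs a constructed packet stream (a chatty VNC session plus one HTTP keep-alive session carrying several different attacks) through three alerting policies: alert on every matching packet, alert once per session (the behaviour the post attributes to activate rules, with later matches only logged), and alert once per (session, signature) pair. The last policy is an assumption introduced here to show how the "nine missed attacks" false negative can be avoided while still collapsing repeated hits. All flow keys and signature names are constructed sample values.

```python
"""Simulate per-packet, per-session and per-(session, signature) alerting.

Added example, not part of the original post or of Snort itself. It models
the alert-noise trade-off discussed on the list with a constructed stream.
"""
from collections import namedtuple
from typing import Dict, List, Set, Tuple

# A packet is reduced to its flow key and the signature it matched (None = no match).
Packet = namedtuple("Packet", ["flow", "sig"])
Alert = Tuple[str, str]  # (flow key, signature name)

# Constructed sample traffic (not captured data):
#  Flow A: a VNC session in which every packet matches the VNC signature (noisy).
#  Flow B: an HTTP keep-alive session where the client tries three distinct
#          attacks, one of them twice, with clean requests in between.
SAMPLE_PACKETS: List[Packet] = (
    [Packet("A:10.0.0.5:4321->10.0.0.9:5900", "VNC-SESSION")] * 20
    + [
        Packet("B:10.0.0.7:5555->10.0.0.9:80", sig)
        for sig in ["WEB-ATTACK-1", None, "WEB-ATTACK-2",
                    "WEB-ATTACK-1", None, "WEB-ATTACK-3"]
    ]
)


def alert_per_packet(packets: List[Packet]) -> List[Alert]:
    """Plain alert rules: one alert for every matching packet."""
    return [(p.flow, p.sig) for p in packets if p.sig is not None]


def alert_per_session(packets: List[Packet]) -> Tuple[List[Alert], List[Alert]]:
    """Activate-style policy: the first match in a flow alerts, every later
    match in that flow is only logged. Returns (alerts, logged)."""
    alerted_flows: Set[str] = set()
    alerts: List[Alert] = []
    logged: List[Alert] = []
    for p in packets:
        if p.sig is None:
            continue
        if p.flow in alerted_flows:
            logged.append((p.flow, p.sig))
        else:
            alerted_flows.add(p.flow)
            alerts.append((p.flow, p.sig))
    return alerts, logged


def alert_per_session_sig(packets: List[Packet]) -> Tuple[List[Alert], List[Alert]]:
    """Assumed refinement (not a Snort feature described in the post): suppress
    repeats keyed on (flow, signature), so a different attack inside the same
    session still raises its own alert. Returns (alerts, logged)."""
    seen: Set[Alert] = set()
    alerts: List[Alert] = []
    logged: List[Alert] = []
    for p in packets:
        if p.sig is None:
            continue
        key = (p.flow, p.sig)
        if key in seen:
            logged.append(key)
        else:
            seen.add(key)
            alerts.append(key)
    return alerts, logged


def missed_attacks(packets: List[Packet], alerts: List[Alert]) -> List[Alert]:
    """Distinct (flow, signature) pairs present in traffic but absent from the
    alert stream: the false negatives a policy introduces."""
    present = {(p.flow, p.sig) for p in packets if p.sig is not None}
    return sorted(present - set(alerts))


def summarize(packets: List[Packet]) -> Dict[str, Dict[str, int]]:
    """Alert count, log-only count and missed-attack count for each policy."""
    per_pkt = alert_per_packet(packets)
    sess_alerts, sess_logged = alert_per_session(packets)
    pair_alerts, pair_logged = alert_per_session_sig(packets)
    return {
        "per_packet": {"alerts": len(per_pkt), "logged": 0,
                       "missed": len(missed_attacks(packets, per_pkt))},
        "per_session": {"alerts": len(sess_alerts), "logged": len(sess_logged),
                        "missed": len(missed_attacks(packets, sess_alerts))},
        "per_session_sig": {"alerts": len(pair_alerts), "logged": len(pair_logged),
                            "missed": len(missed_attacks(packets, pair_alerts))},
    }


if __name__ == "__main__":
    for policy, counts in summarize(SAMPLE_PACKETS).items():
        print(f"{policy:16s} alerts={counts['alerts']:3d} "
              f"logged={counts['logged']:3d} missed={counts['missed']}")
```

On this sample the per-packet policy emits 24 alerts, the per-session policy cuts that to 2 but drops WEB-ATTACK-2 and WEB-ATTACK-3 from the alert stream entirely (they survive only in the log), and keying suppression on the (session, signature) pair yields 4 alerts with nothing missed. That is the distinction to check for in any session-level suppression: repeated hits of the same signature are noise, but a new signature inside an already-alerted session is a separate event.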



