[Snort-users] how to handle this problem

Corey Rock snort_sigs at ...125...
Thu May 20 09:22:05 EDT 2004


The first most important thing you need to do is tune your rulebase to your 

Not only will this make snort much more efficient, but it will reduce all 
the potential 'noise' or 'false positives' you might see with the default 
rule set (which is very broad, and covers a very general concept of hosts on 
a network) which don't apply to your network/hosts.

Snort is a great product for many reasons, and snortalog is a pretty cool 
script that can summarize your alerts files, and show you a 'top offendor' 
etc...ntop (opensource) is a great tool to give you an idea of network 

You could cross reference the snort alerts with ntop (if the sensors were 
all in the right spot) and verify if the alerts you see are in fact causing 
a higher utilzation of the network.  Ntop will break down net utilzation by 
hosts and protocols.

<begin commercial plug>

Now, sorry to plug a commercial product, and I have no affiliation with them 
whatsoever (I work on the West Coast), but, if your company has $$$---you 
could check out a product like "RNA" by sourcefire.  You are asking about a 
better way to see the "real severe alerts"


This product is very cool (I saw a demo @ SANS last month) and can quickly 
give you an idea of anomalous traffic/behavior on your network, in many 
different ways.

</end plug>

Snort is a great way to track alerts, if you tune the rulebase, and if the 
alerts apply to your environment.  You still need to analyze the packets, 
however, to determine if the alert is genuine.  If you don't have the time 
to do this, it might be best to look at a commercial product.


>From: "derk van de Velde" <derk at ...11777...>
>To: "AJ Butcher, Information Systems and Computing" 
><Alex.Butcher at ...11254...>,"snort user" 
><snort-users at lists.sourceforge.net>
>Subject: RE: [Snort-users] how to handle this problem
>Date: Thu, 20 May 2004 16:17:55 +0200
>i installed snort because some weeks ago, one machin inside our network
>attacked a lot of machines outside. so we were blocked by my isp.
>i think snort is a good product to signal thise attacks, is that correct?
>because sometimes i get many alerts aday, is snortalog a good way to track
>is there a better way to find (fast) the real severe alerts?
>thanks and regards,
>-----Oorspronkelijk bericht-----
>Van: AJ Butcher, Information Systems and Computing
>[mailto:Alex.Butcher at ...11254...]
>Verzonden: donderdag 20 mei 2004 15:54
>Aan: derk van de Velde; snort user
>Onderwerp: Re: [Snort-users] how to handle this problem
>--On 20 May 2004 14:54 +0200 derk van de Velde <derk at ...11777...> wrote:
> > hi,
> >
> > if found this in met authlog from snort
> >
> > May 20 02:19:28 pcvisie snort: [1:2307:2] WEB-PHP PayPal Storefront
> > arbitrary command execution attempt [Classification: Web Application
> > Attack] [Priority: 1]: {TCP} ->
> > May 20 02:19:28 pcvisie snort: [1:2307:2] WEB-PHP PayPal Storefront
> > arbitrary command execution attempt [Classification: Web Application
> > Attack] [Priority: 1]: {TCP} ->
> >
> > snortalog said high
> >
> > when i check the 2307 sid on snort.org, it is not clear to me how t 
> > this.
>1) Check who the target machine ( belongs to. According to
>WHOIS, it's Hotmail, so /if/ this /is/ a real attack, it's one of your
>users  (I assume, from the address) attacking Hotmail.
>2) Verify whether the target machine is using PayPal Storefront. I would
>suggest "probably not".
>3) Examine the payload of the packets that triggered the alert and compare
>with the rule to determine whether the rule might be a bit too dumb, and
>could be triggered by innocuous traffic (e.g. email, web pages, image
> > what steps should i take
>If this is a real attack (I would guess not), the rest depends on your
>organisation's policy for dealing with misuse of its computer systems and
>networks. This is almost certainly a legal, rather than a technical matter.
> > regards,
> > derk
>Alex Butcher: Security & Integrity, Personal Computer Systems Group
>Information Systems and Computing             GPG Key ID: F9B27DC9
>GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
>This SF.Net email is sponsored by: Oracle 10g
>Get certified on the hottest thing ever to hit the market... Oracle 10g.
>Take an Oracle 10g class now, and we'll give you the exam FREE.
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>Snort-users list archive:

Is your PC infected? Get a FREE online computer virus scan from McAfee® 
Security. http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963

More information about the Snort-users mailing list