[Snort-users] how to handle this problem

derk van de Velde derk at ...11777...
Fri May 21 00:48:01 EDT 2004


hi,

i already use the ntop product, its great.
what do you mean by working with alerts in ntop?
and the "good place for sensors"
is there doc how to finetune rules?
i'll checkout the comercial product.

regards,
derk



-----Oorspronkelijk bericht-----
Van: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]Namens Corey Rock
Verzonden: donderdag 20 mei 2004 18:21
Aan: snort-users at lists.sourceforge.net
Onderwerp: RE: [Snort-users] how to handle this problem


Greetings!

The first most important thing you need to do is tune your rulebase to your
environment.

Not only will this make snort much more efficient, but it will reduce all
the potential 'noise' or 'false positives' you might see with the default
rule set (which is very broad, and covers a very general concept of hosts on
a network) which don't apply to your network/hosts.

Snort is a great product for many reasons, and snortalog is a pretty cool
script that can summarize your alerts files, and show you a 'top offendor'
etc...ntop (opensource) is a great tool to give you an idea of network
utilization.

You could cross reference the snort alerts with ntop (if the sensors were
all in the right spot) and verify if the alerts you see are in fact causing
a higher utilzation of the network.  Ntop will break down net utilzation by
hosts and protocols.

<begin commercial plug>

Now, sorry to plug a commercial product, and I have no affiliation with them
whatsoever (I work on the West Coast), but, if your company has $$$---you
could check out a product like "RNA" by sourcefire.  You are asking about a
better way to see the "real severe alerts"

http://sourcefire.com/products/rna.html


This product is very cool (I saw a demo @ SANS last month) and can quickly
give you an idea of anomalous traffic/behavior on your network, in many
different ways.

</end plug>

Snort is a great way to track alerts, if you tune the rulebase, and if the
alerts apply to your environment.  You still need to analyze the packets,
however, to determine if the alert is genuine.  If you don't have the time
to do this, it might be best to look at a commercial product.

Corey


>From: "derk van de Velde" <derk at ...11777...>
>To: "AJ Butcher, Information Systems and Computing"
><Alex.Butcher at ...11254...>,"snort user"
><snort-users at lists.sourceforge.net>
>Subject: RE: [Snort-users] how to handle this problem
>Date: Thu, 20 May 2004 16:17:55 +0200
>
>hi,
>
>i installed snort because some weeks ago, one machin inside our network
>attacked a lot of machines outside. so we were blocked by my isp.
>i think snort is a good product to signal thise attacks, is that correct?
>because sometimes i get many alerts aday, is snortalog a good way to track
>them?
>is there a better way to find (fast) the real severe alerts?
>
>thanks and regards,
>derk
>
>
>-----Oorspronkelijk bericht-----
>Van: AJ Butcher, Information Systems and Computing
>[mailto:Alex.Butcher at ...11254...]
>Verzonden: donderdag 20 mei 2004 15:54
>Aan: derk van de Velde; snort user
>Onderwerp: Re: [Snort-users] how to handle this problem
>
>
>
>
>--On 20 May 2004 14:54 +0200 derk van de Velde <derk at ...11777...> wrote:
>
> > hi,
> >
> > if found this in met authlog from snort
> >
> > May 20 02:19:28 pcvisie snort: [1:2307:2] WEB-PHP PayPal Storefront
> > arbitrary command execution attempt [Classification: Web Application
> > Attack] [Priority: 1]: {TCP} 10.0.3.128:4978 -> 207.46.130.110:80
> > May 20 02:19:28 pcvisie snort: [1:2307:2] WEB-PHP PayPal Storefront
> > arbitrary command execution attempt [Classification: Web Application
> > Attack] [Priority: 1]: {TCP} 10.0.3.128:4979 -> 207.46.130.110:80
> >
> > snortalog said high
> >
> > when i check the 2307 sid on snort.org, it is not clear to me how t
>handle
> > this.
>
>1) Check who the target machine (207.46.130.110) belongs to. According to
>WHOIS, it's Hotmail, so /if/ this /is/ a real attack, it's one of your
>users  (I assume, from the 10.0.0.0/8 address) attacking Hotmail.
>
>2) Verify whether the target machine is using PayPal Storefront. I would
>suggest "probably not".
>
>3) Examine the payload of the packets that triggered the alert and compare
>with the rule to determine whether the rule might be a bit too dumb, and
>could be triggered by innocuous traffic (e.g. email, web pages, image
>files).
>
> > what steps should i take
>
>If this is a real attack (I would guess not), the rest depends on your
>organisation's policy for dealing with misuse of its computer systems and
>networks. This is almost certainly a legal, rather than a technical matter.
>
> > regards,
> > derk
>
>HTH,
>Alex.
>--
>Alex Butcher: Security & Integrity, Personal Computer Systems Group
>Information Systems and Computing             GPG Key ID: F9B27DC9
>GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
>
>
>
>
>
>
>-------------------------------------------------------
>This SF.Net email is sponsored by: Oracle 10g
>Get certified on the hottest thing ever to hit the market... Oracle 10g.
>Take an Oracle 10g class now, and we'll give you the exam FREE.
>http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click
>_______________________________________________
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>https://lists.sourceforge.net/lists/listinfo/snort-users
>Snort-users list archive:
>http://www.geocrawler.com/redir-sf.php3?list=snort-users

_________________________________________________________________
Is your PC infected? Get a FREE online computer virus scan from McAfee®
Security. http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963



-------------------------------------------------------
This SF.Net email is sponsored by: Oracle 10g
Get certified on the hottest thing ever to hit the market... Oracle 10g.
Take an Oracle 10g class now, and we'll give you the exam FREE.
http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users






More information about the Snort-users mailing list