[Snort-users] only the "important stuff"

Jason Haar Jason.Haar at ...294...
Tue Oct 26 12:05:03 EDT 2004

On Tue, Oct 26, 2004 at 09:34:56AM -0700, Steven Crandell wrote:
> This morning the president of the co. has asked that he -not- receive
> the day to day alerts and would only like to receive alerts on
> "successful" intrusions.
> Are there certain rules that would never be triggered unless someone
> actually gets into a monitored system?  Or anything along those lines?

It can be done - but it depends how well you can define/control the
activities of "monitored systems".

What we do here is have Snort monitoring our DMZes and WAN links - which
generates tonnes of logs (via the "alert tcp ..." rules). As far as Internet
attacks go, there is nothing you can do about them (i.e. you don't control
the src IP), so - like your president wants - there's no point in converting
those logs into alerts (meaning notifying someone).

However, if Snort logs an event *from* an internal address - that's a
different matter. Typically it means you have a trojan-infected Windows box
on your WAN - and you can do something about that - so convert it into an

Similarly, DMZ hosts are well defined as far as initiating outgoing traffic
goes: they can be DNS/SMTP/whatever servers - but besides such traffic (plus
exceptions such as AV/Windows/up2date/yum updates), they shouldn't be seen
to be initiating any other outgoing connections. So write some Snort rules
that trigger whenever that occurs.

We do that here, and it works plenty-fine :-) We know it works as we have
issues with certain IS SysAdmins logging into the consoles of DMZ servers
and going out on the Internet to get some package/whatever - and alerts get
generated all over the place ;-) So the theory is that if someone broke into
one of our DMZ hosts, the moment they *attempt* to make an outgoing
connection (say to download a rootkit or the likes), the NIDS will alert -
irrespective of whether or not the connection matches a standard Snort rule.

Effectively it's anomaly detection instead of pattern-matching. Usually
anomaly detection is hard to do (suffers from FP), but in a well defined and
controlled environment like DMZs - it can work. It's all about defining your
scope WRT IDS and alerting to match your environment.


Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
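
The triage policy from the message above, sketched as an added example (not part of the original post and not the poster's own setup): Internet-sourced alerts stay in the log, while internal sources and unexpected DMZ egress become notifications. The address ranges, the egress allowlist and the sample lines are assumptions; the sketch also assumes Snort's "fast" alert line layout and that the alert's source address is the side that initiated the traffic.

```python
import ipaddress
import re

# Assumed address plan (documentation/private ranges, not from the post).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
DMZ_NETS = [ipaddress.ip_network("192.0.2.0/24")]
# Assumed DMZ egress allowlist: (source host, protocol, destination port).
DMZ_ALLOWED = {
    ("192.0.2.53", "UDP", 53),  # DNS server querying upstream
    ("192.0.2.25", "TCP", 25),  # SMTP relay delivering mail
}
# Tail of a Snort "fast" alert line: {PROTO} src:sport -> dst:dport
FLOW_RE = re.compile(r"\{(\w+)\}\s+([\d.]+):(\d+)\s+->\s+([\d.]+):(\d+)\s*$")

def triage(line):
    """Classify one alert line as 'notify', 'log' or 'unparsed'."""
    m = FLOW_RE.search(line)
    if not m:
        return "unparsed"  # e.g. ICMP lines carry no ports; review, don't drop
    proto, src, _sport, _dst, dport = m.groups()
    try:
        src_ip = ipaddress.ip_address(src)
    except ValueError:
        return "unparsed"
    if any(src_ip in net for net in INTERNAL_NETS):
        return "notify"  # internal source: a host we can go and fix
    if any(src_ip in net for net in DMZ_NETS):
        allowed = (src, proto.upper(), int(dport)) in DMZ_ALLOWED
        return "log" if allowed else "notify"  # unexpected DMZ egress
    return "log"  # Internet source: keep the record, page nobody

def notifications(lines):
    """Return only the lines that should reach a human."""
    return [ln for ln in lines if triage(ln) == "notify"]

# Constructed sample alerts (signature IDs, messages and addresses are made up).
SAMPLE = [
    "10/26-12:05:03.000001 [**] [1:1000001:1] constructed inbound probe [**] [Priority: 2] {TCP} 198.51.100.7:4021 -> 192.0.2.80:80",
    "10/26-12:05:04.000001 [**] [1:1000002:1] constructed worm scan [**] [Priority: 1] {TCP} 10.1.2.3:1033 -> 203.0.113.9:445",
    "10/26-12:05:05.000001 [**] [1:1000003:1] constructed DNS query [**] [Priority: 3] {UDP} 192.0.2.53:32768 -> 198.51.100.1:53",
    "10/26-12:05:06.000001 [**] [1:1000004:1] constructed DMZ egress [**] [Priority: 1] {TCP} 192.0.2.80:40112 -> 203.0.113.9:80",
    "10/26-12:05:07.000001 [**] [1:1000005:1] constructed ping [**] [Priority: 3] {ICMP} 198.51.100.7 -> 192.0.2.80",
]

if __name__ == "__main__":
    for ln in SAMPLE:
        print(triage(ln), ln.split("[**]")[1].strip())
```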
