[Snort-users] Snort Configurations

Joel Esler jesler at ...1935...
Thu Sep 23 11:52:43 EDT 2010


Did you compile Snort with the following tag:

--enable-decoder-preprocessor-rules

?

On Thu, Sep 23, 2010 at 11:01 AM, Greg Lane <greglane at ...14965...> wrote:
> How would I know if I'm not using preprocessor rules?  I wouldn't be getting
> the alert if I wasn't, or am I wrong in assuming that? I’m looking at my
> snort.conf file and the path to preprocessor rules is correct, but I also
> found that step 8 looked like this:
>
> # decoder and preprocessor event rules
> # include $PREPROC_RULE_PATH/preprocessor.rules
> # include $PREPROC_RULE_PATH/decoder.rules
> # include $PREPROC_RULE_PATH/sensitive-data.rules
>
> I then uncommented preprocessor.rules var and it still is giving me the
> alert.  I'm sorry if I'm a nuisance but I'm learning this all at once and it
> seems that it should be not alerting at this point and trying to figure out
> why.
>
> Greg Lane
> IT Manager
> Lane Enterprises
>
> Email:  greglane at ...14965...
> Phone: (228)872-2414
>
>
> -----Original Message-----
> From: Joel Esler [mailto:jesler at ...1935...]
> Sent: Thursday, September 23, 2010 9:51 AM
> To: Greg Lane
> Subject: Re: [Snort-users] Snort Configurations
>
> Then you must not be using the preprocessor rules or something.  It
> depends on your compile.
>
> Go with the suppressions, they'll kill it either way.
>
> J
>
> On Thu, Sep 23, 2010 at 10:49 AM, Greg Lane <greglane at ...14965...>
> wrote:
>> I did twice.  I killed both the snort and barnyard2 processes and started
>> them again in the terminal and read barnyard2's output, and the rule I
>> commented out in the preprocessor.rules file is still there.  In fact I
>> commented out all the http rules in the preprocessor.rules file and am still
>> getting the alerts.  I looked in the gen-msg file and wonder if I should
>> comment those out also, but they shouldn't even be getting to that point if
>> my logic is correct because the rule shouldn't be alerting.
>>
>> Greg Lane
>> IT Manager
>> Lane Enterprises
>>
>> Email:  greglane at ...14965...
>> Phone: (228)872-2414
>>
>>
>> -----Original Message-----
>> From: Joel Esler [mailto:jesler at ...1935...]
>> Sent: Thursday, September 23, 2010 9:45 AM
>> To: Greg Lane
>> Cc: Alex Tatistcheff; snort-users at lists.sourceforge.net
>> Subject: Re: [Snort-users] Snort Configurations
>>
>> "Or you can suppress the output in threshold.conf with something like:
>> suppress gen_id 119, sig_id 13"
>>
>>
>> Make sure you restart Snort after the changes.
>>
>> J
>>
>> On Thu, Sep 23, 2010 at 10:22 AM, Greg Lane <greglane at ...14965...>
>> wrote:
>>> I’m commenting out the rules in the preprocessor.rules file and I’m still
>>> getting the alert: gen_id 119, sid 19, long header.  Why is it still
>>> alerting?
>>>
>>>
>>>
>>> Greg Lane
>>>
>>> IT Manager
>>>
>>> Lane Enterprises
>>>
>>>
>>>
>>> Email:  greglane at ...14965...
>>>
>>> Phone: (228)872-2414
>>>
>>>
>>>
>>> From: alex.tatistcheff at ...11827... [mailto:alex.tatistcheff at ...11827...] On
>>> Behalf Of Alex Tatistcheff
>>> Sent: Wednesday, September 22, 2010 9:46 PM
>>> To: Greg Lane
>>> Cc: wkitty42 at ...14940...; snort-users at lists.sourceforge.net
>>>
>>> Subject: Re: [Snort-users] Snort Configurations
>>>
>>>
>>>
>>> You can suppress the alerting and not affect the normalization (the
>>> important part) of the http_inspect preprocessor by commenting out the
>>> rules in the preprocessor.rules file.
>>>
>>> Or you can suppress the output in threshold.conf with something like:
>>> suppress gen_id 119, sig_id 13
>>>
>>> The first option is what I would recommend.
>>>
>>> Alex Tatistcheff
>>> alext at ...492...
>>>
>>> The most terrifying words in the English language are, "I'm from the
>>> government and I'm here to help." -Ronald Reagan
>>>
>>> On Wed, Sep 22, 2010 at 1:01 PM, Greg Lane <greglane at ...14965...>
>>> wrote:
>>>
>>> Well there are 3 types of http_inspects that I am getting mainly:
>>> http_inspect: LONG HEADER, http_inspect: NON-RFC DEFINED CHAR,
>>> http_inspect: OVERSIZE REQUEST-URI DIRECTORY.
>>> Every one of the sources is from inside my network.  Many of them are to
>>> amazon EC, quantserve.com (cookie related), yahoo, google, facebook, and
>>> Pandora.  So you can see that most of the traffic is legit and it isn't
>>> being triggered from outside the domain.  I'm just not sure how to cut
>>> down on the number of alerts.  When I get that done I will move on to the
>>> next, but I am trying to do this in steps so that I can understand
>>> everything that is going on.
>>>
>>> Greg Lane
>>> IT Manager
>>> Lane Enterprises
>>>
>>> Email:  greglane at ...14965...
>>> Phone: (228)872-2414
>>>
>>> -----Original Message-----
>>> From: waldo kitty [mailto:wkitty42 at ...14940...]
>>> Sent: Wednesday, September 22, 2010 1:21 PM
>>> To: snort-users at lists.sourceforge.net
>>> Subject: Re: [Snort-users] Snort Configurations
>>>
>>> On 9/22/2010 12:39, Greg Lane wrote:
>>>> I’m starting to learn how to tune my Snort install and it is a slow
>>>> process.  I have alerts like crazy because I know it needs to be tuned and
>>>> I especially have a lot of http_inspect alerts coming up. I’ve been reading
>>>> and from what I can gather if you don’t have a webserver you may not really
>>>> need this in operation, or am I wrong?
>>>
>>> the answer is "it depends"... it depends on if you want to monitor outbound
>>> http traffic to possibly catch infestations on your network that are
>>> reporting in or attacking remote http servers... you might also catch (and
>>> be able to prevent) internal machines that are being redirected to driveby
>>> sites that would (attempt to) load them with infestation materials...
>>>
>>>> If I am wrong then what is the best possible solution for me to cut
>>>> down most of the alerts which are false positives so to speak or aren’t
>>>> dangerous at all? This will probably be one of many questions concerning
>>>> configs coming to an email box near you.
>>>
>>> false positives need to be reported to those who write those rules so they
>>> can be looked into and adjusted if necessary...
>>>
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Start uncovering the many advantages of virtual appliances
>>> and start using them to simplify application deployment and
>>> accelerate your shift to cloud computing.
>>> http://p.sf.net/sfu/novell-sfdev2dev
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>>
>
>
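Alex's `suppress gen_id 119, sig_id 13` line above silences an event for every source. For the situation Greg describes, where the noise comes from a handful of inside hosts browsing legitimate sites, a suppression keyed to the source address keeps the same event visible for traffic coming from outside. The script below is an added example written for this thread, not code from the Snort project or from any of the posters. It parses alert_fast log lines (the sample lines are constructed, not real sensor output), tallies gid 119 events by SID and source host, emits threshold.conf `suppress` entries in the `track by_src, ip` form (the bracketed comma-separated IP list is assumed to be accepted as an ip-list), and, for the step-8 problem, reports which `$PREPROC_RULE_PATH` includes in snort.conf are commented out, since a commented-out include means edits to that rules file cannot change what alerts.

```python
"""Tally Snort http_inspect (gid 119) alerts from an alert_fast log and emit
threshold.conf 'suppress' entries scoped to the noisy internal hosts, plus a
check of which $PREPROC_RULE_PATH includes in snort.conf are actually active.

Added illustration for the mailing-list thread; not code from the Snort
project or from any of the posters.  The alert and snort.conf samples below
are constructed for the example, not captured from a real sensor.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed alert_fast lines (gid 119 = http_inspect; 119:19 is the
# LONG HEADER event discussed in the thread).
SAMPLE_ALERTS = """\
09/23-10:22:01.000001  [**] [119:19:1] (http_inspect) LONG HEADER [**] [Priority: 3] {TCP} 192.168.1.20:51000 -> 203.0.113.10:80
09/23-10:22:02.000001  [**] [119:19:1] (http_inspect) LONG HEADER [**] [Priority: 3] {TCP} 192.168.1.20:51001 -> 203.0.113.11:80
09/23-10:22:03.000001  [**] [119:19:1] (http_inspect) LONG HEADER [**] [Priority: 3] {TCP} 192.168.1.21:51002 -> 203.0.113.12:80
09/23-10:22:04.000001  [**] [119:13:1] (http_inspect) NON-RFC HTTP DELIMITER [**] [Priority: 3] {TCP} 192.168.1.20:51003 -> 203.0.113.13:80
09/23-10:22:05.000001  [**] [119:19:1] (http_inspect) LONG HEADER [**] [Priority: 3] {TCP} 198.51.100.7:40000 -> 192.168.1.5:80
"""

# Constructed "step 8" fragment of snort.conf, with only preprocessor.rules enabled.
SAMPLE_CONF = """\
# decoder and preprocessor event rules
include $PREPROC_RULE_PATH/preprocessor.rules
# include $PREPROC_RULE_PATH/decoder.rules
# include $PREPROC_RULE_PATH/sensitive-data.rules
"""

ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):\d+\] (?:\([^)]*\) )?(?P<msg>.*?) \[\*\*\]"
    r".*?\{\w+\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+"
)
INCLUDE_RE = re.compile(r"^\s*(#\s*)?include\s+\$PREPROC_RULE_PATH/(\S+)")


def parse_alerts(text):
    """Yield (gid, sid, msg, src_ip, dst_ip) for every alert_fast line that parses."""
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            yield int(m["gid"]), int(m["sid"]), m["msg"], m["src"], m["dst"]


def tally(alerts, internal_nets, gid=119):
    """Count hits per (sid, msg), separating internal source hosts from external ones."""
    nets = [ip_network(n) for n in internal_nets]
    counts = {}
    for g, sid, msg, src, _dst in alerts:
        if g != gid:
            continue
        entry = counts.setdefault((sid, msg), {"internal": Counter(), "external": 0})
        if any(ip_address(src) in n for n in nets):
            entry["internal"][src] += 1
        else:
            entry["external"] += 1
    return counts


def suppress_lines(counts, gid=119, min_hits=2):
    """Build threshold.conf 'suppress' entries limited (track by_src) to internal
    hosts that fired a SID at least min_hits times; hits from outside stay visible."""
    out = []
    for (sid, msg), entry in sorted(counts.items()):
        hosts = sorted(ip for ip, n in entry["internal"].items() if n >= min_hits)
        if not hosts:
            continue
        out.append(f"# {msg}: {sum(entry['internal'].values())} internal, "
                   f"{entry['external']} external hits")
        out.append(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip [{','.join(hosts)}]")
    return out


def preproc_includes(conf_text):
    """Map each $PREPROC_RULE_PATH include in snort.conf to True if active or
    False if commented out (a commented include is never loaded, so editing
    that rules file cannot change what alerts)."""
    return {m[2]: m[1] is None
            for m in map(INCLUDE_RE.match, conf_text.splitlines()) if m}


if __name__ == "__main__":
    counts = tally(parse_alerts(SAMPLE_ALERTS), ["192.168.0.0/16"])
    print("\n".join(suppress_lines(counts)))
    print(preproc_includes(SAMPLE_CONF))
```

Run it against a real alert_fast file and your own internal prefixes, paste the emitted lines into threshold.conf, and, as Joel notes above, restart Snort before checking whether the alert is gone. Per-host suppression leaves a LONG HEADER event from an outside address on the console, which is the half of this traffic worth looking at.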