[Snort-users] Feedback on rule testing
Rob MacGregor
rob.macgregor at ...11827...
Fri Dec 20 15:04:57 EST 2013
On Fri, Dec 20, 2013 at 5:12 PM, James Dickenson <jdickenson at ...11827...> wrote:
> Hey snort users,
>
> I've been talking with some co-workers recently about our in house rule
> development and about ways we could possibly improve it. I was wondering if
> any of you on the snort user list could give us your experience in regards
> to the process of creating rule you use at where you work or that you submit
> to ET or VRT. How do you sanity check the rules before you push them to
> your sensors? Do you have a formal lifecycle process and what does that
> entail? Do you automate the process somewhat with scripting or software and
> if so how?
>
> Your suggestions and comments are much appreciated,
We run things through 3 automatic steps before we deploy them:
1) Syntax checking (dumbpig and similar)
2) Run through snort with -T to ensure it compiles
3) Deploy to a testing sensor (with live traffic) for 5 minutes and
check the volume of alerts - anything above a defined volume is
automatically rejected and whatever happens the submitter is provided
the flows that hit if any did (this can be over-ridden by an admin if
it turns out they're all true positives and our network is hosed)
We're looking at the option of providing a pcap of known malicious
traffic to confirm the signature fires on the traffic - haven't got
there yet though.
After a signature has deployed we track the true/false positive ratio
(according to the analyst interface), anything above a certain FP
ratio or volume gets flagged automatically for attention, there are
other limits for simply removing the signature. Every 6 months they
have to be reviewed to confirm they should remain deployed (ok,
there's an assumption it's actually reviewed and that the author
hasn't just claimed they have) - that's still a manual process though.
This has, overall, kept our in house signatures to a fairly high
standard. There are still issues, but mandatory training, having
experienced staff check other's signatures and using the ban-hammer on
repeat offenders means that those are minimised these days. Nobody
wants to be the one person in the team who isn't allowed to write
signatures ;)
--
Please keep list traffic on the list.
Rob MacGregor
Whoever fights monsters should see to it that in the process he
doesn't become a monster. Friedrich Nietzsche
More information about the Snort-users
mailing list