[Snort-users] threshold.conf - event_filter difficulties.

James Lay jlay at ...13475...
Fri Apr 10 18:56:53 EDT 2015


On Fri, 2015-04-10 at 08:54 -0400, Jean-Pierre Zurbrügg wrote:
> Hello everyone,
> 
> 
> 
> Current setup:
> 
> 
> Ubuntu 12.04.5 LTS  3.2.0-23-generic #36-Ubuntu SMP Tue Apr 10
> 20:39:51 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
> Snort Version 2.9.7.2 GRE (Build 177)
> Using PCRE version: 8.12 2011-01-15
> Using ZLIB version: 1.2.3.4
> Compile options: 
> ./configure --enable-sourcefire
> make
> sudo make install
> 
> 
> pulledpork was used to update rules, config:
> 
> 
> rule_url=https://www.snort.org/reg-rules/|
> snortrules-snapshot.tar.gz|<oink code>
> rule_url=http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open
> rule_url=https://www.snort.org/reg-rules/|opensource.gz|<oink code>
> rule_url=https://rules.emergingthreatspro.com/|emerging.rules.tar.gz|
> open
> ignore=deleted.rules,experimental.rules,local.rules
> temp_path=/tmp
> rule_path=/etc/snort/rules/snort.rules
> local_rules=/etc/snort/rules/local.rules
> sid_msg=/etc/snort/sid-msg.map
> sid_msg_version=2
> sid_changelog=/var/log/sid_changes.log
> sorule_path=/usr/local/lib/snort_dynamicrules/
> snort_path=/usr/local/bin/snort
> config_path=/etc/snort/snort.conf
> distro=Ubuntu-10-4
> black_list=/etc/snort/rules/iplists/default.blacklist
> IPRVersion=/etc/snort/rules/iplists
> snort_control=/usr/local/bin/snort_control
> enablesid=/etc/snort/enablesid.conf
> dropsid=/etc/snort/dropsid.conf
> disablesid=/etc/snort/disablesid.conf
> modifysid=/etc/snort/modifysid.conf
> version=0.7.0
> 
> 
> We are trying to set up a global event_filter in hopes of controlling
> the amount of duplicated events that get fired from the same src\dst
> per second.
> We see a bunch of alerts being fired multiple times within the same
> timestamp.
> 
> 
> Steps taken:
> edit /etc/snort/threshold.conf:
> -------add line: event_filter gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 15
> **** We have also tried track by dst and also tried individual
> event_filter by rule gen\sig.
> **** We have also tried using the deprecated 'threshold command'
> 
> 
> edit /etc/snort/snort.conf
> ------ verify that we have this line added: include threshold.conf
> 
> 
> Run snort with following command: snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0
> 
> 
> Confirm we see the following lines in the output:
> 
> 
> Apr 9 09:22:15 nth-garbage snort[398]:
> +-----------------------[event-filter-global]----------------------------------
> Apr 9 09:22:15 nth-garbage snort[398]: | gen-id=global sig-id=global
> type=Limit     tracking=src count=1   seconds=15
> Apr 9 09:22:15 nth-garbage snort[398]:
> +-----------------------[event-filter-local]-----------------------------------
> ******************************* VERY LONG LIST OF EVENT-FILTER RULES
> HERE **************************
> 
> 
> 
> 
> We don't know what we are doing wrong. Events of the same rule get
> fired multiple times within the same second. Examples:
> 
> 
> gen 1 \ sig 2014473 --- ET INFO JAVA - Java Archive Download By
> Vulnerable Client         
> gen 1 \ sig 21646 ---EXPLOIT-KIT Blackhole exploit kit landing page
> with specific structure[...]
> 
> 
> Which event_filter takes priority, a Global or a local event filter? 
> 
> 
> Any tips would be greatly appreciated!
> 
> 
> Thanks in advance.
> 


Need to have the gen and sig match like so:

event_filter gen_id 1, sig_id 2014473, type limit, track by_src, count 1, seconds 15
event_filter gen_id 1, sig_id 21646, type limit, track by_src, count 1, seconds 15

James
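To make the matching order and the filter types concrete, here is an added Python model of event_filter behaviour; it is illustration written for this thread, not Snort's own code. It assumes fixed windows that start at the first tracked event, and that a filter keyed on the exact gen/sig pair is chosen before a gen-wide (sig_id 0) one and before the global (0, 0) one, which is the precedence the Snort manual describes; the addresses and timestamps are constructed.

```python
# Simplified model of Snort event_filter semantics (added illustration, not Snort
# code): fixed windows starting at the first event, most-specific filter wins.
GLOBAL = (0, 0)

class EventFilter:  # one event_filter line: type limit|threshold|both, track by_src|by_dst
    def __init__(self, gen_id, sig_id, ftype, track, count, seconds):
        self.key = (gen_id, sig_id)
        self.ftype, self.track, self.count, self.seconds = ftype, track, count, seconds
        self.state = {}  # tracked address -> (window_start, events_seen)

    def allow(self, alert):
        addr = alert["src"] if self.track == "by_src" else alert["dst"]
        start, seen = self.state.get(addr, (None, 0))
        if start is None or alert["ts"] - start >= self.seconds:
            start, seen = alert["ts"], 0  # window expired: start a new one
        seen += 1
        self.state[addr] = (start, seen)
        if self.ftype == "limit":      # pass the first `count` events per window
            return seen <= self.count
        if self.ftype == "threshold":  # pass every `count`-th event per window
            return seen % self.count == 0
        return seen == self.count      # both: once per window, after `count` events

class FilterTable:
    def __init__(self, filters):
        self.filters = {f.key: f for f in filters}

    def lookup(self, gen_id, sig_id):
        # Exact gen/sig match first, then gen-wide (sig_id 0), then global (0, 0).
        for key in ((gen_id, sig_id), (gen_id, 0), GLOBAL):
            if key in self.filters:
                return self.filters[key]
        return None

    def apply(self, alerts):
        kept = []
        for a in alerts:
            f = self.lookup(a["gen"], a["sig"])
            if f is None or f.allow(a):
                kept.append(a)
        return kept

def run_example():
    # Constructed stream: the two sids from the thread fire 3x in one second, then 20 s later.
    addrs = {"src": "10.0.0.5", "dst": "10.0.0.9"}
    alerts = [dict(ts=t, gen=1, sig=s, **addrs)
              for s in (2014473, 21646) for t in (100, 100, 100, 120)]
    table = FilterTable([EventFilter(1, 2014473, "limit", "by_src", 1, 15),
                         EventFilter(1, 21646, "limit", "by_src", 1, 15)])
    return [(a["ts"], a["sig"]) for a in table.apply(alerts)]
```

With the two per-signature filters from the reply, the three same-second alerts collapse to one per sid and the alert 20 seconds later is passed again because the 15-second window has expired.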