[Snort-users] threshold.conf - event_filter difficulties.

James Lay jlay at ...13475...
Fri Apr 10 22:29:53 EDT 2015


On Fri, 2015-04-10 at 21:13 -0400, Jean-Pierre Zurbrügg wrote:

> Hello James,  thanks for replying.
> I'm not sure I'm following. The examples you shared are for specific
> alerts. We'd like to control all rules with one global rule.
> 
> 
> On Apr 10, 2015 6:59 PM, "James Lay" <jlay at ...13475...> wrote:
> 
>         On Fri, 2015-04-10 at 08:54 -0400, Jean-Pierre Zurbrügg
>         wrote: 
>         
>         > Hello everyone,
>         > 
>         > 
>         > Current setup:
>         > 
>         > 
>         > Ubuntu 12.04.5 LTS  3.2.0-23-generic #36-Ubuntu SMP Tue Apr
>         > 10 20:39:51 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
>         > Snort Version 2.9.7.2 GRE (Build 177)
>         > Using PCRE version: 8.12 2011-01-15
>         > Using ZLIB version: 1.2.3.4
>         > Compile options: 
>         > ./configure --enable-sourcefire
>         > make
>         > sudo make install
>         > 
>         > 
>         > pulledpork was used to update rules, config:
>         > 
>         > 
>         > rule_url=https://www.snort.org/reg-rules/|
>         > snortrules-snapshot.tar.gz|<oink code>
>         > rule_url=http://labs.snort.org/feeds/ip-filter.blf|
>         > IPBLACKLIST|open
>         > rule_url=https://www.snort.org/reg-rules/|
>         > opensource.gz|<oink code>
>         > rule_url=https://rules.emergingthreatspro.com/|
>         > emerging.rules.tar.gz|open
>         > ignore=deleted.rules,experimental.rules,local.rules
>         > temp_path=/tmp
>         > rule_path=/etc/snort/rules/snort.rules
>         > local_rules=/etc/snort/rules/local.rules
>         > sid_msg=/etc/snort/sid-msg.map
>         > sid_msg_version=2
>         > sid_changelog=/var/log/sid_changes.log
>         > sorule_path=/usr/local/lib/snort_dynamicrules/
>         > snort_path=/usr/local/bin/snort
>         > config_path=/etc/snort/snort.conf
>         > distro=Ubuntu-10-4
>         > black_list=/etc/snort/rules/iplists/default.blacklist
>         > IPRVersion=/etc/snort/rules/iplists
>         > snort_control=/usr/local/bin/snort_control
>         >  enablesid=/etc/snort/enablesid.conf
>         >  dropsid=/etc/snort/dropsid.conf
>         >  disablesid=/etc/snort/disablesid.conf
>         >  modifysid=/etc/snort/modifysid.conf
>         > version=0.7.0
>         > 
>         > 
>         > We are trying to setup a global event_filter in hopes of
>         > controlling the amount of duplicated events that get fired
>         > from the same src\dst per second.
>         > We see a bunch of alerts being fired multiple times within
>         > the same timestamp.
>         > 
>         > 
>         > Steps taken:
>         > edit /etc/snort/threshold.conf:
>         > -------add line: event_filter gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 15
>         > **** We have also tried track by dst and also tried
>         > individual event_filter by rule gen\sig.
>         > **** We have also tried using the deprecated 'threshold
>         > command'
>         > 
>         > 
>         > edit /etc/snort/snort.conf
>         > ------ verify that we have this line added: include
>         > threshold.conf
>         > 
>         > 
>         > Run snort with following command: snort -A console -q -u
>         > snort -g snort -c /etc/snort/snort.conf -i eth0
>         > 
>         > 
>         > Confirm we see the following lines in the output:
>         > 
>         > 
>         > Apr 9 09:22:15 nth-garbage snort[398]:
>         > +-----------------------[event-filter-global]----------------------------------
>         > Apr 9 09:22:15 nth-garbage snort[398]: | gen-id=global
>         > sig-id=global type=Limit     tracking=src count=1
>         > seconds=15
>         > Apr 9 09:22:15 nth-garbage snort[398]:
>         > +-----------------------[event-filter-local]-----------------------------------
>         > ******************************* VERY LONG LIST OF
>         > EVENT-FILTER RULES HERE **************************
>         > 
>         > 
>         > 
>         > 
>         > We don't know what we are doing wrong. Events of the same
>         > rule get fired multiple times within the same second.
>         > Examples:
>         > 
>         > 
>         > gen 1 \ sig 2014473 --- ET INFO JAVA - Java Archive Download
>         > By Vulnerable Client         
>         > gen 1 \ sig 21646 ---EXPLOIT-KIT Blackhole exploit kit
>         > landing page with specific structure[...]
>         > 
>         > 
>         > Which event_filter takes priority, a Global or a local event
>         > filter? 
>         > 
>         > 
>         > Any tips would be greatly appreciated!
>         > 
>         > 
>         > Thanks in advance.
>         > 
>         > ------------------------------------------------------------------------------
>         > BPM Camp - Free Virtual Workshop May 6th at 10am PDT/1PM EDT
>         > Develop your own process in accordance with the BPMN 2 standard
>         > Learn Process modeling best practices with Bonita BPM through live exercises
>         > http://www.bonitasoft.com/be-part-of-it/events/bpm-camp-virtual- event?utm_
>         > source=Sourceforge_BPM_Camp_5_6_15&utm_medium=email&utm_campaign=VA_SF
>         > _______________________________________________
>         > Snort-users mailing list
>         > Snort-users at lists.sourceforge.net
>         > Go to this URL to change user options or unsubscribe:
>         > https://lists.sourceforge.net/lists/listinfo/snort-users
>         > Snort-users list archive:
>         > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>         > 
>         > Please visit http://blog.snort.org to stay current on all the latest Snort news!
>         
>         
>         Need to have the gen and sig match like so:
>         
>         event_filter gen_id 1, sig_id 2014473, type limit, track by_src, count 1, seconds 15
>         event_filter gen_id 1, sig_id 21646, type limit, track by_src, count 1, seconds 15
>         
>         James
>         
>         

Ahh....I follow now.  I believe that you will need to specify the by_src
IP address.  Can someone on this list correct me if that's the case?

James
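As an added illustration (not part of this thread and not Snort's own code), a small Python model of the threshold.conf event_filter semantics discussed above: it parses event_filter lines, then applies the limit / threshold / both logic per tracked address and time window to constructed alert events, so the expected effect of "count 1, seconds 15, track by_src" on duplicate alerts can be seen directly. The lookup order in select_filter (exact gen/sig first, then gen-wide, then the gen_id 0 / sig_id 0 global) is an assumption about how a global and a specific filter are chosen between; confirm it against the Snort manual for your version.

```python
import re
from collections import defaultdict

# Constructed threshold.conf fragment: the global limit from the thread plus one
# rule-specific filter, so the filter lookup order can be exercised.
THRESHOLD_CONF = """
event_filter gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 15
event_filter gen_id 1, sig_id 21646, type threshold, track by_src, count 3, seconds 15
"""

FILTER_RE = re.compile(
    r"^\s*event_filter\s+gen_id\s+(\d+),\s*sig_id\s+(\d+),\s*type\s+(limit|threshold|both),"
    r"\s*track\s+(by_src|by_dst),\s*count\s+(\d+),\s*seconds\s+(\d+)", re.M)

def parse_filters(text):
    """Parse event_filter lines into {(gen_id, sig_id): settings}; a duplicate pair is an error."""
    filters = {}
    for gid, sid, ftype, track, count, secs in FILTER_RE.findall(text):
        key = (int(gid), int(sid))
        if key in filters:
            raise ValueError("duplicate event_filter for gen_id %d, sig_id %d" % key)
        filters[key] = {"type": ftype, "track": track, "count": int(count), "seconds": int(secs)}
    return filters

def select_filter(filters, gid, sid):
    """Assumed lookup order: exact (gid, sid), then per-generator (gid, 0), then global (0, 0)."""
    for key in ((gid, sid), (gid, 0), (0, 0)):
        if key in filters:
            return filters[key]
    return None

class EventFilterState:
    """Per (gid, sid, tracked address) counters inside a window of `seconds` (constructed model)."""
    def __init__(self, filters):
        self.filters = filters
        self.state = defaultdict(lambda: {"start": None, "count": 0})

    def should_log(self, ts, gid, sid, src, dst):
        f = select_filter(self.filters, gid, sid)
        if f is None:
            return True                       # no filter applies: every event is logged
        addr = src if f["track"] == "by_src" else dst
        st = self.state[(gid, sid, addr)]
        if st["start"] is None or ts - st["start"] >= f["seconds"]:
            st["start"], st["count"] = ts, 0  # window expired: start a new one
        st["count"] += 1
        n = st["count"]
        if f["type"] == "limit":              # log only the first `count` events per window
            return n <= f["count"]
        if f["type"] == "threshold":          # log every `count`-th event per window
            return n % f["count"] == 0
        return n == f["count"]                # both: log once, on the count-th event
```

With the global limit above, a second alert for the same rule and source in the same second returns False, which is the behaviour the original poster expected to see on the console.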
