[Snort-users] Segregating drop alerts

Rodgers, Anthony (DTMB) RodgersA1 at ...17120...
Tue May 26 08:38:53 EDT 2015


Use pulledpork modifysid.conf to modify the rule message to prepend it with "BLOCKED: ". That's what I used to do at $OLD_JOB.

--
Anthony Rodgers
Security Analyst
Michigan Security Operations Center (MiSOC)
DTMB, Michigan Cyber Security

-----Original Message-----
From: Anshuman Anil Deshmukh [mailto:anshuman at ...16510...] 
Sent: Tuesday, May 26, 2015 03:51
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Segregating drop alerts

Sorry missed to give an example of rule set to drop.

Here is an example-

This is a default alert rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN SSH BruteForce Tool with fake PUTTY version"; flow:established,to_server; content:"SSH-2.0-PUTTY"; depth:13; threshold: type limit, track by_src, count 1, seconds 30; classtype:network-scan; sid:2019876; rev:2;)

Same rule is configured as drop rule using pulledpork dropsid.conf which makes the alert rule to drop rule

drop tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN SSH BruteForce Tool with fake PUTTY version"; flow:established,to_server; content:"SSH-2.0-PUTTY"; depth:13; threshold: type limit, track by_src, count 1, seconds 30; classtype:network-scan; sid:2019876; rev:2;)

Regards,
Anshuman


-----Original Message-----
From: Anshuman Anil Deshmukh
Sent: Tuesday, May 26, 2015 11:38 AM
To: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Segregating drop alerts

Hi,

Snort running as IDS would have rules just to alert whereas Snort as IPS would have a combination of rules with alert and drop. For rules that need to be dropped; the rule statement with "alert" needs to be changed to "drop" or "sdrop". Currently we aren't using sdrop.

1. I have some rules set to drop configured using pulledpork (dropsid.conf).

2. Now assume that I have around 10 rules configured as drop.My manager and my team is accessing the Snorby console and sees bunch of alerts in it. Currently console shows all alerts in combine. From the alerts is there a way by which they would be able to understand which rules are set to drop and which are set just to alert? I do not wish them or me to always refer the pulledpork dropsid file to know which rules are set to drop or keep a record of it in a different sheet. I know Snorby has an option where we can individually select view rule option to check if it is set to drop or alert. But this option isn't useful to me as it doesn't meet my objective.

The prime objective of this is - Just from accessing the console we should be able to differentiate which rules are set as drop and which aren't.


Regards,
Anshuman


-----Original Message-----
From: Glenn Forbes Fleming Larratt [mailto:gl89 at ...1712...]
Sent: Saturday, May 23, 2015 12:27 AM
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Segregating drop alerts

Dear Anshuman,

Can you post an example of a "rule...set to drop"? I think we're probaby miscommunicating here.

        -g

} I mean to say the alerts for the rules that have been set to drop. We } have not set it as silent.
}
} So only some rules have been set to drop. The console should be able to } show if it is a alert for drop or just an } alert. This way we can decide what other rules we can configure for } drop.
}
} Hope this is preety clear.
}
} Regards,
} Anshuman
--
Glenn Forbes Fleming Larratt
Cornell University IT Security Office


------------------------------------------------------------------------------
One dashboard for servers and applications across Physical-Virtual-Cloud Widest out-of-the-box monitoring support with 50+ applications Performance metrics, stats and reports that give you Actionable Insights Deep dive visibility with transaction tracing using APM Insight.
http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
"Legal Disclaimer: This electronic message and all contents contain information from Cybage Software Private Limited which may be privileged, confidential, or otherwise protected from disclosure. The information is intended to be for the addressee(s) only. If you are not an addressee, any disclosure, copy, distribution, or use of the contents of this message is strictly prohibited. If you have received this electronic message in error please notify the sender by reply e-mail to and destroy the original message and all copies. Cybage has taken every reasonable precaution to minimize the risk of malicious content in the mail, but is not liable for any damage you may sustain as a result of any malicious content in this e-mail. You should carry out your own malicious content checks before opening the e-mail or attachment." www.cybage.com

------------------------------------------------------------------------------
One dashboard for servers and applications across Physical-Virtual-Cloud Widest out-of-the-box monitoring support with 50+ applications Performance metrics, stats and reports that give you Actionable Insights Deep dive visibility with transaction tracing using APM Insight.
http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!




More information about the Snort-users mailing list