[Snort-users] snort not alerting on same ip ssh attack after restart

John Devine john.devine at ...17485...
Fri Apr 8 15:42:52 EDT 2016


For some reason I did not receive this reply in my Inbox I just happened to be
browsing the archives for answers and found a reply to my email I just sent so
I am copying the response here. I will answer those 5 questions

what IPs are you testing from?
10.31.30.105; 10.31.30.106; 10.31.30.107

which one works and which does not?
every IP I have tried works but only once. I could be firing the mock ssh
'attack' from any IP and it will alert properly but only once every 12 hours
or so, not sure about the exact time limit.
To clarify on the rules: I am using all the 'emerging' rules.
Here is one line from my config: (include $RULE_PATH/emerging-misc.rules)


what is the IP of your snort box?
10.31.40.20

what are your HOME_NET and EXTERNAL_NET values?
var HOME_NET [10.31.2.78,10.31.2.79,172.17.0.0/24,192.168.11.0/24,192.168.50.15,127.0.0.1]
var EXTERNAL_NET !$HOME_NET

My hunch is that there is a specification in some specific rule which is overriding
any global filter I have in place causing the alerts to stop firing after one attack.
Unfortunately, modifying that specific rule is not an option for me as I update the rules
automatically and don't customize any of them so that would not be a long term fix.
I foudn the rule in question in emerging-scan.rules:
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN Potential SSH Scan";
flags:S,12; threshold: type both, track by_src, count 5, seconds 120;
reference:url,en.wikipedia.org/wiki/Brute_force_attack;
reference:url,doc.emergingthreats.net/2001219; classtype:attempted-recon; sid:2001219; rev:19;)

as you can see, it is 5 attempts in 2 minutes. That generates this alert from snort:
[**] [1:2001219:19] ET SCAN Potential SSH Scan [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/07-17:52:05.665590 10.31.30.105:50682 -> 10.31.40.20:22
TCP TTL:63 TOS:0x0 ID:60881 IpLen:20 DgmLen:60 DF
******S* Seq: 0xD2D2B099  Ack: 0x0  Win: 0x7210  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 4873544 0 NOP WS: 7
[Xref => http://doc.emergingthreats.net/2001219][Xref => (removed hyperlink)]

This still does not explain where the time limit is coming from. I cannot get snort
to generate this same alert again for several hours.




On 04/08/2016 02:06 PM, John Devine wrote:
> Hi all,
>
> I am testing alerts on snort 2.9.2.2 on a box running debian by using a mock ssh
> attack to trigger one of snort's default rules. The rule is generated after 5

i'm not aware of snort having any "default rules"... at least not by that type
of naming... which rule are you talking about?

> ssh attempts are made within 60 seconds. I am using snort as-is; I have created
> no custom rules. I can reproduce this about once a day but after a reboot of the
> box or restart of snort it will not generate an alert after using the same mock
> ssh attack even when I 'attack' it from a different IP. My guess is that there

what IPs are you testing from?
which one works and which does not?
what is the IP of your snort box?
what are your HOME_NET and EXTERNAL_NET values?

> is some default local event filter for a specific rule that prevents the alert
> from generating again within a certain timeframe. I tried creating a global
> event filter (event_filter gen_id 0, sig_id 0, type both, track by_src, count
> -1, seconds 1) in the hope of circumventing all time limits and thresholds that
> could be preventing snort from alerting. Is there a way to disable any default
> filters that are preventing snort from generating multiples of the same alerts?

no... not without rewriting the rule... in your case, it would basically mean
copying that rule to your local.rules file, modifying it as needed, making sure
to change the SID number (very important) and commenting out the original rule
in the original .rules file...

> If that is even the problem. Essentially, I want snort to be able to generate
> the same alert every time it happens which is currently does not.

post your answers to the above five questions to the list and let's see what we
can do :)

--
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.





-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20160408/98ebf3da/attachment.html>


More information about the Snort-users mailing list