Re: [Snort-users] Common false positives
From: Bennett Todd <bet(at)rahul.net>
Date: Tue Feb 25 2003 - 12:03:17 EST
2003-02-25T11:10:28 John Cherbini:
This depends wildly on local details; depending on whether your environment makes it feasible for you to really meaningfully populate HOME_NET, EXTERNAL_NET, *_SERVERS, *_PORTS; depending on whether the traffic patterns your snort is exposed to trigger lots of false-positives from portscan2, etc.

Another factor is the location of your sensor. Snorts listening _inside_ firewalls tend to have few "real" incidents, and most of their output is false positives; this can make them easier to tune. Snorts placed outside firewalls, showing all traffic arriving at the doorstep from the wide-open internet, are often very very noisy, with all the knob-twisters and failed attack attempts showing up. But are these "false positives"? Many would say no.

Furthermore, some sigs whinge about routing network yammering that reflects the existence of running Windows systems; not everyone agrees that such devices constitute attacks:-). Some snort sensor placement intrinsically prevents the sensor from seeing such traffic; other placements don't.

A simple alert summarizing script (I append a throwaway I wrote once for this) can be helpful in deciding what to hammer at first.

-Bennett
#!/usr/bin/perl -w
use strict;
use IO::File;
# sid -> "msg [refs]" from sid-msg.map (lines: sid || msg || ref || ...)
my $map = IO::File->new("</etc/snort/sid-msg.map") || die "sid-msg.map: $!";
my %sid;
while (<$map>) {
    chomp;
    next unless /^\d+\s*\|\|/;    # skip comments and blank lines
    my ($id, $msg, @refs) = split /\s*\|\|\s*/;
    $sid{$id} = @refs ? "$msg [@refs]" : $msg;
}
# count fast-format alert lines per sid (stdin, or files named on the command line)
my %alerts;
while (<>) {
    next unless /^\S+\s+\[\*\*\] \[1:(\d+)/;
    $alerts{$1}++;
}
for (sort { $a <=> $b } keys %alerts) {    # sid, count, message
    printf "%5d %5d %s\n", $_, $alerts{$_}, $sid{$_} || "(unknown sid)";
}
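The same summary in Python, as an added example that is not part of Bennett's post or of Snort itself. It parses the sid-msg.map format (sid || msg || ref ...) and Snort's single-line "fast" alert format, and goes one step further than the Perl script: it also counts alerts per source address and lists the noisiest signatures first, since the point of the summary is deciding what to tune first. The sid-msg.map excerpt and the alert lines are constructed for the example (SIDs in the 1000000+ local range and RFC 5737 test addresses), the "sid not in sid-msg.map" marker is an assumed fallback, and the regex only handles IPv4 endpoints.

```python
"""Summarize Snort fast-format alerts by signature ID and by source host.

Assumed input formats (both constructed for this example, not taken from the post):
  - sid-msg.map lines:  sid || msg || ref || ref ...
  - fast alert lines:   <ts>  [**] [1:<sid>:<rev>] <msg> [**] ... {PROTO} SRC[:port] -> DST[:port]
"""
import re
from collections import Counter

# Constructed excerpt in sid-msg.map format (SIDs in the local 1000000+ range are hypothetical)
SID_MSG_MAP = """\
# sid || msg || reference...
1000001 || ICMP PING NMAP || arachnids,162
1000002 || WEB-IIS cmd.exe access || bugtraq,1806 || cve,2000-0884
1000003 || SNMP public access udp
"""

# Constructed alert lines in Snort's "fast" output format (addresses are RFC 5737 test ranges)
ALERT_LOG = """\
02/25-11:42:01.123456  [**] [1:1000001:5] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 203.0.113.7 -> 192.0.2.10
02/25-11:42:03.000001  [**] [1:1000002:7] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:4123 -> 192.0.2.80:80
02/25-11:42:05.000002  [**] [1:1000001:5] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 198.51.100.3 -> 192.0.2.10
this line is not an alert and must be skipped
02/25-11:42:09.000003  [**] [1:1000003:2] SNMP public access udp [**] [Priority: 2] {UDP} 192.0.2.5:1029 -> 192.0.2.20:161
02/25-11:42:11.000004  [**] [1:1000001:5] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 203.0.113.7 -> 192.0.2.11
"""

SID_LINE = re.compile(r"^\d+\s*\|\|")
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ALERT_LINE = re.compile(
    r"^\S+\s+\[\*\*\] \[1:(?P<sid>\d+):\d+\] .*\{\w+\} "
    rf"(?P<src>{IPV4})(?::\d+)? -> (?P<dst>{IPV4})(?::\d+)?\s*$"
)


def load_sid_map(lines):
    """Return {sid: 'msg [ref ref]'} from sid-msg.map lines; comments and blanks are skipped."""
    sids = {}
    for line in lines:
        if not SID_LINE.match(line):
            continue
        fields = [f.strip() for f in line.rstrip("\n").split("||")]
        sid, msg, refs = int(fields[0]), fields[1], fields[2:]
        sids[sid] = f"{msg} [{' '.join(refs)}]" if refs else msg
    return sids


def summarize(alert_lines):
    """Count alerts per SID and per source address; lines that are not fast-format alerts are ignored."""
    by_sid, by_src = Counter(), Counter()
    for line in alert_lines:
        m = ALERT_LINE.match(line)
        if not m:
            continue
        by_sid[int(m["sid"])] += 1
        by_src[m["src"]] += 1
    return by_sid, by_src


def report(by_sid, sids):
    """Noisiest signatures first: 'count sid message', so the top line is what to look at first."""
    return [
        f"{count:5d} {sid:7d} {sids.get(sid, '(sid not in sid-msg.map)')}"
        for sid, count in by_sid.most_common()
    ]


if __name__ == "__main__":
    sid_map = load_sid_map(SID_MSG_MAP.splitlines())
    by_sid, by_src = summarize(ALERT_LOG.splitlines())
    print("\n".join(report(by_sid, sid_map)))
    print("top sources:", by_src.most_common(3))
```

To run it against a real sensor, feed load_sid_map() the lines of /etc/snort/sid-msg.map and summarize() the lines of the fast-format alert file; the per-source counter is what separates one knob-twister hitting many signatures from one signature misfiring on everyone.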
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 11:49:54 EDT