Home page logo

snort logo Snort mailing list archives

noobq: reading and acting on a snort alert
From: MLP SCADA <MLPSCADA () ci anchorage ak us>
Date: Thu, 9 May 2013 10:29:53 -0800

I'm new to snort and struggling to understand exactly what it's trying to tell me.  I'm using a securityonion based 
snort system.

Here are the particulars:

   $EXTERNAL_NET        any
   Oracle servers on two boxes, and, 
    both have instances listening on ports 1521, 1523 and 1525.

I'm getting a -lot- of alerts from the following rule and I'm trying determine if I have a problem or not.

   alert tcp $EXTERNAL_NET any -> $HOME_NET 1521 (msg:"ET POLICY 
   Suspicious inbound to Oracle SQL port 1521"; flow:to_server; flags:S;
   threshold: type limit, count 5, seconds 60, track by_src; 
   classtype:bad-unknown; sid:2010936; rev:2;) 

If I'm reading the rule correctly, what this rule triggers on is:

   any tcp traffic with the syn flag set from any port on any host in 
   any network (including $HOME_NET networks) directed at port 1521 
   on any host in any network in $HOME_NET.

The tie to Oracle in this rule is simply that the destination port is 1521, typically associated with Oracle.  Not from 
locating magic oracle tokens or signatures or whatever in the traffic itself.  (I've ignored the thresholding for the 
purposes of this question).

Is this correct?

Assuming that it is, what to do about it?  

If I understand the rule correctly, then -based on this rule only- traffic with the syn flag set going to ports 1521, 
1523 or 1525 on these 
two boxes should be considered false positives.  Any other hits from this rule are true positives.  Is this correct?

If so, how do I tune the system so that this rule does not make entries in the alert logs for the false positive case, 
yet will still alert on non-oracle ip's ?  And how do I do it so that the tuning is maintained between rule updates?


Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and 
their applications. This 200-page book is written by three acclaimed 
leaders in the field. The early access version is available now. 
Download your free book today! http://p.sf.net/sfu/neotech_d2d_may
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

Please visit http://blog.snort.org to stay current on all the latest Snort news!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]