mailing list archives
noobq: reading and acting on a snort alert
From: MLP SCADA <MLPSCADA () ci anchorage ak us>
Date: Thu, 9 May 2013 10:29:53 -0800
I'm new to snort and struggling to understand exactly what it's trying to tell me. I'm using a securityonion based
Here are the particulars:
Oracle servers on two boxes, 192.168.17.11 and 192.168.17.12,
both have instances listening on ports 1521, 1523 and 1525.
I'm getting a -lot- of alerts from the following rule and I'm trying determine if I have a problem or not.
alert tcp $EXTERNAL_NET any -> $HOME_NET 1521 (msg:"ET POLICY
Suspicious inbound to Oracle SQL port 1521"; flow:to_server; flags:S;
threshold: type limit, count 5, seconds 60, track by_src;
classtype:bad-unknown; sid:2010936; rev:2;)
If I'm reading the rule correctly, what this rule triggers on is:
any tcp traffic with the syn flag set from any port on any host in
any network (including $HOME_NET networks) directed at port 1521
on any host in any network in $HOME_NET.
The tie to Oracle in this rule is simply that the destination port is 1521, typically associated with Oracle. Not from
locating magic oracle tokens or signatures or whatever in the traffic itself. (I've ignored the thresholding for the
purposes of this question).
Is this correct?
Assuming that it is, what to do about it?
If I understand the rule correctly, then -based on this rule only- traffic with the syn flag set going to ports 1521,
1523 or 1525 on these
two boxes should be considered false positives. Any other hits from this rule are true positives. Is this correct?
If so, how do I tune the system so that this rule does not make entries in the alert logs for the false positive case,
yet will still alert on non-oracle ip's ? And how do I do it so that the tuning is maintained between rule updates?
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and
their applications. This 200-page book is written by three acclaimed
leaders in the field. The early access version is available now.
Download your free book today! http://p.sf.net/sfu/neotech_d2d_may
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:
Please visit http://blog.snort.org to stay current on all the latest Snort news!
- noobq: reading and acting on a snort alert MLP SCADA (May 09)