Home page logo
/

snort logo Snort mailing list archives

Re: noobq: reading and acting on a snort alert
From: Jeremy Hoel <jthoel () gmail com>
Date: Thu, 9 May 2013 18:51:56 +0000

Here's some simple questions and ideas

1 - Do you run Oracle on your network. If not, disable the rule.
Unless you are worried that someone else might be running Oracle..
rouge like.

2 - If it's ok to have inside hosts talk to this server on 1521, you
can change the rule to be 'alert tcp !$HOME_NET any -> $HOME_NET
1521...' using pulledpork's modifysid

3 - if there's just one host talking to another host and it's
expected, you could threshold that for the specifics src or dest..
(one of the other)

4 -0 you could right a local.rules pass rule to allow one host to talk
to another host on 1521.


Only you can answer the question of it's important and then how you
want to remove the alert from happening, these are just some quick
ideas.




On Thu, May 9, 2013 at 6:29 PM, MLP SCADA <MLPSCADA () ci anchorage ak us> wrote:
I'm new to snort and struggling to understand exactly what it's trying to tell me.  I'm using a securityonion based 
snort system.

Here are the particulars:

   $HOME_NET            192.168.17.0/24
   $EXTERNAL_NET        any
   Oracle servers on two boxes, 192.168.17.11 and 192.168.17.12,
    both have instances listening on ports 1521, 1523 and 1525.

I'm getting a -lot- of alerts from the following rule and I'm trying determine if I have a problem or not.

   alert tcp $EXTERNAL_NET any -> $HOME_NET 1521 (msg:"ET POLICY
   Suspicious inbound to Oracle SQL port 1521"; flow:to_server; flags:S;
   threshold: type limit, count 5, seconds 60, track by_src;
   reference:url,doc.emergingthreats.net/2010936;
   classtype:bad-unknown; sid:2010936; rev:2;)

If I'm reading the rule correctly, what this rule triggers on is:

   any tcp traffic with the syn flag set from any port on any host in
   any network (including $HOME_NET networks) directed at port 1521
   on any host in any network in $HOME_NET.

The tie to Oracle in this rule is simply that the destination port is 1521, typically associated with Oracle.  Not 
from locating magic oracle tokens or signatures or whatever in the traffic itself.  (I've ignored the thresholding 
for the purposes of this question).

Is this correct?

Assuming that it is, what to do about it?

If I understand the rule correctly, then -based on this rule only- traffic with the syn flag set going to ports 1521, 
1523 or 1525 on these
two boxes should be considered false positives.  Any other hits from this rule are true positives.  Is this correct?

If so, how do I tune the system so that this rule does not make entries in the alert logs for the false positive 
case, yet will still alert on non-oracle ip's ?  And how do I do it so that the tuning is maintained between rule 
updates?

Thanks!

------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and
their applications. This 200-page book is written by three acclaimed
leaders in the field. The early access version is available now.
Download your free book today! http://p.sf.net/sfu/neotech_d2d_may
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and 
their applications. This 200-page book is written by three acclaimed 
leaders in the field. The early access version is available now. 
Download your free book today! http://p.sf.net/sfu/neotech_d2d_may
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]