Snort mailing list archives
RE: Good Snort Signatures <-- is all in tuning
From: Josh Berry <jberry () penson com>
Date: Wed, 25 Aug 2004 09:14:58 -0500
I have been playing around with a couple perl scripts that take Active Nessus scans and passive p0f information and reconfigure snort on the fly. They are very basic and I actually need help with one particular aspect.

Basically, the perl script tails p0f output and looks for unique networks and IP addresses and updates a database with their current OS and running applications (using p0f in SYN/ACK mode). I then use the unique networks profile to populate the HOME_NET variable, and the unique IPs/services to populate other variables (I created variables for most of the service type rules, i.e. DNS_SERVERS, WIN_IIS_SERVERS, FINGER_SERVERS, IMAP_SERVERS, etc.). I use oinkmaster to change the HOME_NET variable in the dns.rules file to DNS_SERVERS (and do the same for all other rule sets). It then takes every IP address that has been seen responding with a SYN/ACK from port 110 and sticks them in the POP3_SERVERS variable (and does the same for all the other variable types).

What I would like to do is get rid of p0f and have a perl script that does the fingerprinting, populates the database, and reconfigures snort. I also need to implement some sort of cache function so that IPs and services that have already been seen are not looked up in the database. I am not much of a developer so if anyone is interested in helping out let me know.

On Tue, 2004-08-24 at 21:03, Adriel T. Desautels wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Patrick et al.,
This is what I had suspected all along but wanted to check my
thoughts against you folks. I heard rumors about "better rules" or
"more well written rules" but have never seen such rule sets. My next
adventure, does anyone know of a utility which will configure snort
rules automatically based on a detected network configuration? If so,
please let me know.
Adriel T. Desautels
Founder and CTO
Secure Network Operations
Embracing the future of technology, protecting you.
Office: 978-263-3829 Fax: 978-263-3313
atd () secnetops com www.secnetops.com
-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Patrick
S. Harper
Sent: Tuesday, August 24, 2004 8:31 PM
To: atd () secnetops com; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Good Snort Signatures
I believe the problem is not in the rules but in the tuning. It is
not an hour or two process for ANY ids. I have worked with most of
the major versions in the last 5 years and even worked as an SE for
one of the manufacturers.
I find that a lot of people just install snort, crank it up, open
acid and get overwhelmed. You have variables to define, and you need
to do all of them, not just home and external net. Then you need to
go through and get rid of the rules that do not mean anything to you.
Patrick S. Harper | CISSP RHCT MCSE
www.internetsecurityguru.com
www.ntsug.org - Snort Users Group
"If there is no light at the end of the tunnel, get down there and
light the damn thing yourself!"
-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Adriel T. Desautels
Sent: Tuesday, August 24, 2004 12:57 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Good Snort Signatures
Greetings List,
Does anyone here know where I can find low false positive snort
rules? The rules from snort.org are simply bunk. They generate way
too many false positives and even false negatives during certain
types of events. I am not averse to purchasing snort rules either, I
just need something that works.
-------------------------------------------------------
SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank
Media 100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only
$33 Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift.
http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1
iQA/AwUBQSvzYbR5YB3MHZrzEQLQPgCfaDkmLwANLp709ruHy+qcMnMpogQAnA3X
yLmEKnRaNypwDPn/ApxaZN/V
=vo/A
-----END PGP SIGNATURE-----
--
Josh Berry, CISSP & MCSE
Network Security Engineer
214-765-1296
--------------------------------------------------------------------
If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- (Former) White House Cybersecurity adviser Richard Clarke
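The pipeline Josh describes above (tail p0f's SYN/ACK-mode output, record each unique host and service once, derive HOME_NET and per-service variables, and rewrite rules so they target the service variable instead of $HOME_NET) as an added example, written in Python rather than his Perl. This is not his script or anything from the p0f or Snort projects: the p0f line shape, the port-to-variable mapping, the /24 assumption for HOME_NET and the log lines are all constructed for the example, and the database is stood in for by a dictionary. The seen-cache in front of it is the piece he asked for: a repeat observation of an (ip, port) pair never touches the database.

```python
"""Turn passive p0f SYN/ACK observations into Snort variable definitions.

Constructed example, not the script from the mailing-list post. Assumes
p0f 2.x-style output in SYN+ACK mode, where the left-hand address is the
host that answered with SYN/ACK, i.e. the server side of the connection.
"""
import ipaddress
import re
from collections import defaultdict

# Port -> Snort variable name. The names are the ones used in the thread;
# the mapping itself is an assumption for this example.
PORT_TO_VAR = {
    53: "DNS_SERVERS",
    79: "FINGER_SERVERS",
    110: "POP3_SERVERS",
    143: "IMAP_SERVERS",
}

# Assumed line shape: "<ip>:<port> - <os description> -> <ip>:<port> (...)"
P0F_LINE = re.compile(
    r"^(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)\s+-\s+(?P<os>.+?)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)

# Constructed sample of what tailing the p0f log might yield.
SAMPLE_P0F = """\
192.168.1.10:110 - Linux 2.4/2.6 (up: 12 hrs) -> 10.0.0.5:40112 (distance 0, link: ethernet/modem)
192.168.1.10:110 - Linux 2.4/2.6 (up: 12 hrs) -> 10.0.0.9:40220 (distance 0, link: ethernet/modem)
192.168.1.20:53 - FreeBSD 5.x (up: 3 days) -> 10.0.0.5:51023 (distance 0, link: ethernet/modem)
192.168.2.7:143 - Windows 2000 SP4 -> 10.0.0.5:33001 (distance 0, link: ethernet/modem)
192.168.2.7:8080 - Windows 2000 SP4 -> 10.0.0.5:33002 (distance 0, link: ethernet/modem)
garbage line that should be ignored
"""


class Inventory:
    """Observed (ip, port) -> OS, with a seen-cache in front of the
    (simulated) database so repeat observations cost nothing."""

    def __init__(self):
        self.seen = set()   # cache of (ip, port) already recorded
        self.db = {}        # stands in for the real database
        self.db_writes = 0

    def observe(self, line):
        """Parse one p0f line; return True only if it produced a new record."""
        m = P0F_LINE.match(line)
        if not m:
            return False
        key = (m["src"], int(m["sport"]))
        if key in self.seen:            # cache hit: skip the database entirely
            return False
        self.seen.add(key)
        self.db[key] = m["os"]
        self.db_writes += 1
        return True

    def home_networks(self):
        """Unique /24s containing hosts seen answering with SYN/ACK (assumed mask)."""
        nets = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip, _ in self.db}
        return sorted(str(n) for n in nets)

    def service_vars(self):
        """Snort variable name -> sorted server IPs, for mapped ports only."""
        out = defaultdict(set)
        for ip, port in self.db:
            var = PORT_TO_VAR.get(port)
            if var:
                out[var].add(ip)
        return {v: sorted(ips, key=ipaddress.ip_address) for v, ips in out.items()}

    def snort_vars(self):
        """Render the `var` lines that would be written into snort.conf."""
        svc = self.service_vars()
        lines = ["var HOME_NET [" + ",".join(self.home_networks()) + "]"]
        for var in sorted(svc):
            lines.append(f"var {var} [" + ",".join(svc[var]) + "]")
        return lines


RULE_DST = re.compile(r"->\s+\$HOME_NET\s+(\d+)\b")


def retarget_rule(rule, port_to_var=PORT_TO_VAR):
    """Point a rule whose destination is $HOME_NET on a known service port at
    the service-specific variable instead (the oinkmaster edit from the post)."""
    def swap(m):
        var = port_to_var.get(int(m.group(1)))
        return f"-> ${var} {m.group(1)}" if var else m.group(0)
    return RULE_DST.sub(swap, rule)


def build_from_log(text):
    """Feed every line of a captured p0f log through the inventory."""
    inv = Inventory()
    for line in text.splitlines():
        inv.observe(line)
    return inv


if __name__ == "__main__":
    inv = build_from_log(SAMPLE_P0F)
    print("\n".join(inv.snort_vars()))
    print(retarget_rule('alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 test"; sid:1;)'))
```

Unmapped ports (8080 in the sample) still land in the inventory and contribute to HOME_NET but produce no service variable, which is the safe default: a rule keeps watching all of $HOME_NET until you have deliberately narrowed it.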