Saturday, March 7, 2015

Tuning Snort - detection_filter with event_filter


Snort has a few options which can be used to tune its performance and or reduce on the number of alerts generated. Of the methods available, we will look at threshold, suppress, detection_filters and using detection_filter with event_filters.

In this post we will combine detection_filter with event_filter.
It is important to note that event_filter is the recommended method of thresholding.

This lab consists of the following:
    Windows 2003 - Telnet Server - IP: 10.0.0.2003
    Kali Linux - Running telnet client and snort, 2.9.2.2 - IP:10.0.0.1

For this we will start off with a rule that is only configured for detection_filter. If you missed the previous post on using detection_filter, you can click here to get that info and then come back to this one.

This rule looks for greater than 6 alerts before it starts to fire. Basically, if we do 10 failed logons, it will ignore the first 6 then alert on everything else thereafter.

Let's test that
Let's perform our failed logon











So our logon failed ...  let's see what snort sees

Looks like we got 4 alerts.

Let's verify the performance data

Looks good. There were 10 checks, However only 4 were matched and 4 alerts were generated.

Now if we had 100 or more alerts generated after the first 6, this would have been a very noisy deployment. One which would make any Intrusion Analyst cringe.

To reduce this noise let's add the event_filter option.
Remember, event_filter replaces threshold, so to configure this we modify the threshold.conf file which is found in /etc/snort/

Below shows the entry which was echo'd into thresholds.conf file. If you need guidance on on how the threshold command is used click here.

Running snort again and the failed logins we see ....

As seen above, snort generated 1 alert.

Let's see what the performance data shows

...a thing of beauty. So we had 10 packets which were checked. From that 4 matched. However, we only generated 1 alert.


Hope you enjoyed this post. See threshold, suppress, detection_filters and using detection_filter with event_filters for further tuning tips.


References:
http://manual.snort.org/node20.html
http://manual.snort.org/node212.html
http://manual.snort.org/node35.html
https://technet.microsoft.com/en-us/library/cc772789%28v=ws.10%29.aspx
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)