Snort has a few options which can be used to tune its performance and or reduce on the number of alerts generated. Of the methods available, we will look at threshold, suppress, detection_filters and using detection_filter with event_filters.
In this post we will look at tuning via detection_filters in Snort Version 220.127.116.11.
This lab consists of the following:
Windows 2003 - Telnet Server - IP: 10.0.0.2003
Kali Linux - Running telnet client and snort, 18.104.22.168 - IP:10.0.0.1
According to manual.snort.org "detection_filter defines a rate which must be exceeded by a source or destination host before a rule can generate an event". For this we will try to do 10 failed logins within 60 seconds.
As always let's see what the rule looks like. This rule is a basic rule without the detection filter. The idea is to see how the rule operates before we add the detection filter.
Now let's produce our failed logon
Let's see what snort generated
Looks good, we have 10 alerts.
Now let's see what the performance data shows.
Looks good again. We have 10 Checks, 10 Matches and 10 Alerts.
Let's try to reduce some of this noise
This time the rule looks for 6 matches within 60 seconds and then alerts on everything else. So if we have 10 failed logons within 60 seconds, the first 6 would be ignored and the last 4 would be alerted on.
Let's verify this.
Assume that we generated the 10 failed logons again
Looks like we got 4 alerts.
As always let validate this. Looking at the performance data we see ....
From the above we see we had 10 Checks. However, there were only 4 matches and thus 4 alerts.
The above produced 4 alerts, thus we should consider what would happen in the case there were actually more than 10 failed logons.
To address the above concern with too many messages, our last post in this series will be based on using event_filter with detection_filter.
Another important point to note is that unlike, threshold or suppress which are post detection activities, detection_filter is the last step during the detection phase and not a step done in the post detection phase.
Hope you enjoyed this post. See threshold, suppress, detection_filters and using detection_filter with event_filters for further tuning tips.