Saturday, March 7, 2015

Tuning Snort - Detection_filter

Snort has a few options which can be used to tune its performance and or reduce on the number of alerts generated. Of the methods available, we will look at threshold, suppress, detection_filters and using detection_filter with event_filters.
In this post we will look at tuning via detection_filters in Snort Version 2.9.2.2.

This lab consists of the following:
    Windows 2003 - Telnet Server - IP: 10.0.0.2
    Kali Linux - Running telnet client and snort, 2.9.2.2 - IP:10.0.0.1


According to manual.snort.org "detection_filter defines a rate which must be exceeded by a source or destination host before a rule can generate an event". For this we will try to do 10 failed logins within 60 seconds.


As always let's see what the rule looks like. This rule is a basic rule without the detection filter. The idea is to see how the rule operates before we add the detection filter.


Now let's produce our failed logon











Looks good.

Let's see what snort generated



Looks good, we have 10 alerts.

Now let's see what the performance data shows.

Looks good again. We have 10 Checks, 10 Matches and 10 Alerts.


Let's try to reduce some of this noise

This time the rule looks for 6 matches within 60 seconds and then alerts on everything else. So if we have 10 failed logons within 60 seconds, the first 6 would be ignored and the last 4 would be alerted on.

Let's verify this.
Assume that we generated the 10 failed logons again


Looks like we got 4 alerts.

As always let validate this. Looking at the performance data we see ....

From the above we see we had 10 Checks. However, there were only 4 matches and thus 4 alerts.

The above produced 4 alerts, thus we should consider what would happen in the case there were actually more than 10 failed logons.

To address the above concern with too many messages, our last post in this series will be based on using event_filter with detection_filter.

Another important point to note is that unlike, threshold or suppress which are post detection activities, detection_filter is the last step during the detection phase and not a step done in the post detection phase.


Hope you enjoyed this post. See
threshold, suppress, detection_filters and using detection_filter with event_filters for further tuning tips.


References:
http://manual.snort.org/node20.html
http://manual.snort.org/node212.html
http://manual.snort.org/node35.html
https://technet.microsoft.com/en-us/library/cc772789%28v=ws.10%29.aspx


No comments:

Post a Comment