LinuxQuestions.org


mhollis 08-04-2011 08:35 AM

using a bpf filter to control the amount of alerts I get in snort.
 
I finally got snort up and running but am getting about 90,000 alerts which is impossible to go through. Most of these alerts are known good traffic. I was told I could help eliminate false positives by creating a bpf filter, so I did that. Now I try to run snort using a bpf filter and snort won't start. If I start snort not using a bpf filter it works fine, but of course I get thousands of alerts. This is the syntax I am using to start snort using a bpf filter. Is this correct?

administrator@Snort:~/Downloads/snort-2.9.0.5$ sudo /usr/local/snort/bin/snort -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth1 snort -F /usr/local/snort/etc/bpf.conf

I get this error:
ERROR: Can't set DAQ BPF filter to 'snort' (pcap_daq_set_filter: pcap_compile: syntax error)!
Fatal Error, Quitting

Snort will run if I take out "snort -F /usr/local/snort/etc/bpf.conf"

Any assistance would be greatly appreciated. Thanks.

unixfool 08-04-2011 09:09 AM

Some questions:

1. What version of Snort are you running?

2. What signature/alerts are you deeming false positive and want to not see?

3. Have you Googled for that exact error?

Some suggestions:

1. Instead of relying on BPF, I think it would be better to utilize thresholding (thresholding.conf). When you add BPF filters, you're asking Snort to not show ANY alerts...sooner or later, you might regret this, especially if something malicious is going on (you won't see an attack). At least with thresholding, you can throttle down the noisy alerts but still not miss them.

2. Would be nice if you posted up your bpf.conf file so it can be checked for errors. Are you using the following syntax in your bpf.conf (example below is from here):

# cat /etc/snort/bpf_file
(vlan &&
(not host 172.16.234.34) &&
(not host 172.16.234.35) &&
(not host 172.16.234.36) &&
(not host 172.16.234.37) &&
(not host 192.168.41.49) &&
(not host 192.168.41.52) &&
(not host 192.168.41.25) &&
(not host 192.168.41.28)
)

3. Check your syslog for any errors that may give an indication of what's going on with Snort and your bpf.conf file.

unixfool 08-04-2011 09:21 AM

OK, I might have found your error. You need to test it.

You're trying to run the following:

sudo /usr/local/snort/bin/snort -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth1 snort -F /usr/local/snort/etc/bpf.conf

You've another 'snort' in your command line. Take out the one before the "-F". It should then read like:

sudo /usr/local/snort/bin/snort -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth1 -F /usr/local/snort/etc/bpf.conf

mhollis 08-04-2011 09:35 AM

BPF Filter
 
I am using snort-2.9.0.5. I am using snortreport to view the alerts.

If I run snort for only 5 minutes I will get about 3000 alerts. Two signatures that are giving me the most problems are the following:

SHELLCODE x86 inc ecx NOOP [sid 1394] - We have applications that are hosted that we access over port 81, everyone at the office uses these apps and snort throws alerts. The source and destination are known addresses and this is known good traffic.

ICMP Echo Reply [sid 408] - I have a network monitoring software on a server that monitors not just internal but external networks. It uses ICMP and snort throws an alert for these.

As far as a bpf filter goes, should I not use this? Should I be modifying the threshold.conf instead? Thanks.

unixfool 08-04-2011 09:49 AM

Quote:

Originally Posted by mhollis (Post 4433643)
I am using snort-2.9.0.5. I am using snortreport to view the alerts.

If I run snort for only 5 minutes I will get about 3000 alerts. Two signatures that are giving me the most problems are the following:

SHELLCODE x86 inc ecx NOOP [sid 1394] - We have applications that are hosted that we access over port 81, everyone at the office uses these apps and snort throws alerts. The source and destination are known addresses and this is known good traffic.

ICMP Echo Reply [sid 408] - I have a network monitoring software on a server that monitors not just internal but external networks. It uses ICMP and snort throws an alert for these.

As far as a bpf filter goes, should I not use this? Should I be modifying the threshold.conf instead? Thanks.

That particular shellcode alert is VERY noisy and is notorious for generating large amounts of false positives...you might as well disable the rule itself (find the rule and comment it out).

For SID 408, that's a valid alarm. It is not a false positive, as it is alerting as designed. If you don't want to see these, by all means, add the hosts to bpf.conf (or threshold.conf).

The reason I suggested threshold.conf instead of using bpf is because, at least with threshold.conf, you'll still get some alerts (say, 10 instead of 3000, for example). If you just outright exclude IPs, you'll NEVER see anything from them, ever. My understanding is that when you use bpf.conf, you're telling the sensor to not capture data (granted, you should be able to get a bit granular with bpf). In using thresholding instead of bpf, you're ensuring that you won't get overwhelmed by large numbers of alerts but will still not be outright ignoring traffic. I'd say use bpf when you're absolutely sure that it won't present a situation where you get compromised and you won't see the malicious traffic. It is mostly used as a last resort, in my experience.

You can still use BPF...just follow the instructions in my last post.

mhollis 08-04-2011 09:59 AM

Ok so for SID 408, I am getting these alerts due to my network monitoring software. I am monitoring a lot of devices on a lot of different networks, would I have to specify the IP of every device in the threshold.conf?

unixfool 08-04-2011 10:40 AM

I'd gather up all the IPs involved into a list, then arrange the list to where it can be sorted by IPs. You should get a good understanding of the ranges involved, then add the ranges to threshold.conf.

Or, you can just threshold your whole company's network range for that particular SID.

Your call.

*** EDIT: ***

I just did some research and found that if you add:

threshold gen_id 1, sig_id 408, type limit, track by_src, count 1, seconds 60

to threshold.conf, Snort will generate one alert per 60 seconds for each source IP causing SHELLCODE x86 inc ecx NOOP alerts.

In this case, you wouldn't need to provide IPs...it'll threshold each IP that triggers the signature.
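An added illustration, not from the thread, of what the "type limit, track by_src, count 1, seconds 60" line does: a small Python model of Snort's limit thresholding run over constructed ICMP Echo Reply (sid 408) events. The addresses, timestamps and the extra sid 1394 event are made up for the example.

```python
def apply_limit_threshold(events, gen_id, sig_id, count, seconds, track="by_src"):
    """Model of a Snort 'threshold ... type limit' entry.

    events: (timestamp, gen_id, sig_id, src_ip, dst_ip) tuples in time order.
    For each tracked address, the first `count` matching events in a
    `seconds`-long window (the window opens at the first event seen) are
    logged and the rest of that window is dropped.  Events for any other
    signature pass through untouched.  Returns the events that still log.
    """
    logged = []
    windows = {}  # tracked address -> (window_start, events logged so far)
    for ev in events:
        ts, gid, sid, src, dst = ev
        if (gid, sid) != (gen_id, sig_id):
            logged.append(ev)
            continue
        key = src if track == "by_src" else dst
        start, n = windows.get(key, (None, 0))
        if start is None or ts - start >= seconds:
            start, n = ts, 0          # open a fresh window for this address
        if n < count:
            logged.append(ev)
            n += 1
        windows[key] = (start, n)
    return logged


def constructed_events():
    # Constructed sample: three monitored devices answer pings from the
    # monitoring server 10.0.0.5 every 10 seconds for two minutes (36 replies).
    events = []
    for t in range(0, 120, 10):
        for device in ("10.1.0.11", "10.1.0.12", "10.2.0.7"):
            events.append((t, 1, 408, device, "10.0.0.5"))
    # One unrelated alert (constructed) that the sid 408 entry must not touch.
    events.append((30, 1, 1394, "10.0.0.42", "10.0.0.81"))
    events.sort(key=lambda e: e[0])
    return events


if __name__ == "__main__":
    # by_src keys on the replying device, so each device logs once per minute;
    # by_dst would key on the single monitoring server instead.
    kept = apply_limit_threshold(constructed_events(), 1, 408, 1, 60)
    print(f"{len(constructed_events())} alerts in, {len(kept)} logged")
```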

mhollis 08-04-2011 12:52 PM

Thanks. I am getting fewer alerts already. One last question. I am also getting hundreds of alerts from the following signature:

DNS SPOOF query response with TTL of 1 min. and no authority

The source IP is 4.2.2.2 and the Destination IP is my Internal DNS servers. Now I do use 4.2.2.2 as my DNS forwarders so I believe this is why I am seeing these alerts. Should I just threshold my DNS servers from that SID to stop the alerts? Thanks for all your help so far. I really appreciate it.

unixfool 08-04-2011 01:00 PM

Quote:

Originally Posted by mhollis (Post 4433805)
Thanks. I am getting fewer alerts already. One last question. I am also getting hundreds of alerts from the following signature:

DNS SPOOF query response with TTL of 1 min. and no authority

The source IP is 4.2.2.2 and the Destination IP is my Internal DNS servers. Now I do use 4.2.2.2 as my DNS forwarders so I believe this is why I am seeing these alerts. Should I just threshold my DNS servers from that SID to stop the alerts? Thanks for all your help so far. I really appreciate it.

Yeah, it'll work for that rule also.
