LinuxQuestions.org, Linux - Security forum
08-04-2011, 08:35 AM   #1
mhollis (LQ Newbie, registered Aug 2011, 10 posts)
Using a BPF filter to control the amount of alerts I get in Snort.

I finally got Snort up and running but am getting about 90,000 alerts, which is impossible to go through. Most of these alerts are known good traffic. I was told I could help eliminate false positives by creating a BPF filter, so I did that. Now I try to run Snort using a BPF filter and Snort won't start. If I start Snort without a BPF filter it works fine, but of course I get thousands of alerts. This is the syntax I am using to start Snort with a BPF filter. Is this correct?

administrator@Snort:~/Downloads/snort-2.9.0.5$ sudo /usr/local/snort/bin/snort -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth1 snort -F /usr/local/snort/etc/bpf.conf

I get this error:
ERROR: Can't set DAQ BPF filter to 'snort' (pcap_daq_set_filter: pcap_compile: syntax error)!
Fatal Error, Quitting

Snort will run if I take out "snort -F /usr/local/snort/etc/bpf.conf"

Any assistance would be greatly appreciated. Thanks.
08-04-2011, 09:09 AM   #2
unixfool (Member, registered May 2005, Northern VA; Slackware, Ubuntu, FreeBSD, OpenBSD, OS X; 782 posts)
Some questions:

1. What version of Snort are you running?

2. What signature/alerts are you deeming false positive and want to not see?

3. Have you Googled for that exact error?

Some suggestions:

1. Instead of relying on BPF, I think it would be better to utilize thresholding (thresholding.conf). When you add BPF filters, you're asking Snort to not show ANY alerts...sooner or later, you might regret this, especially if something malicious is going on (you won't see an attack). At least with thresholding, you can throttle down the noisy alerts but still not miss them.

2. It would be nice if you posted your bpf.conf file so it can be checked for errors. Are you using the following syntax in your bpf.conf (the example below is from here):

# cat /etc/snort/bpf_file
(vlan &&
(not host 172.16.234.34) &&
(not host 172.16.234.35) &&
(not host 172.16.234.36) &&
(not host 172.16.234.37) &&
(not host 192.168.41.49) &&
(not host 192.168.41.52) &&
(not host 192.168.41.25) &&
(not host 192.168.41.28)
)

3. Check your syslog for any errors that may give an indication of what's going on with Snort and your bpf.conf file.

08-04-2011, 09:21 AM   #3
unixfool (Member)
OK, I might have found your error. You need to test it.

You're trying to run the following:

sudo /usr/local/snort/bin/snort -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth1 snort -F /usr/local/snort/etc/bpf.conf

You've another 'snort' in your command line. Take out the one before the "-F". It should then read like:

sudo /usr/local/snort/bin/snort -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth1 -F /usr/local/snort/etc/bpf.conf
08-04-2011, 09:35 AM   #4
mhollis (Original Poster)
BPF Filter

I am using snort-2.9.0.5. I am using snortreport to view the alerts.

If I run Snort for only 5 minutes I will get about 3000 alerts. Two signatures that are giving me the most problems are the following:

SHELLCODE x86 inc ecx NOOP [sid 1394] - We have applications that are hosted that we access over port 81. Everyone at the office uses these apps and Snort throws alerts. The source and destination are known addresses and this is known good traffic.

ICMP Echo Reply [sid 408] - I have network monitoring software on a server that monitors not just internal but external networks. It uses ICMP and Snort throws an alert for these.

As far as a BPF filter goes, should I not use this? Should I be modifying the threshold.conf instead? Thanks.
08-04-2011, 09:49 AM   #5
unixfool (Member)
Quote: Originally Posted by mhollis (post #4 above)
That particular shellcode alert is VERY noisy and is notorious for generating large amounts of false positives...you might as well disable the rule itself (find the rule and comment it out).

For SID 408, that's a valid alarm. It is not a false positive, as it is alerting as designed. If you don't want to see these, by all means, add the hosts to bpf.conf (or threshold.conf).

The reason I suggested threshold.conf instead of using bpf is because, at least with threshold.conf, you'll still get some alerts (say, 10 instead of 3000, for example). If you just outright exclude IPs, you'll NEVER see anything from them, ever. My understanding is that when you use bpf.conf, you're telling the sensor to not capture data (granted, you should be able to get a bit granular with bpf). In using thresholding instead of bpf, you're ensuring that you won't get overwhelmed by large numbers of alerts but will still not be outright ignoring traffic. I'd say use bpf when you're absolutely sure that it won't present a situation where you get compromised and you won't see the malicious traffic. It is mostly used as a last resort, in my experience.

You can still use BPF...just follow the instructions in my last post.

08-04-2011, 09:59 AM   #6
mhollis (Original Poster)
OK, so for SID 408, I am getting these alerts due to my network monitoring software. I am monitoring a lot of devices on a lot of different networks; would I have to specify the IP of every device in the threshold.conf?
08-04-2011, 10:40 AM   #7
unixfool (Member)
I'd gather up all the IPs involved into a list, then arrange the list to where it can be sorted by IPs. You should get a good understanding of the ranges involved, then add the ranges to threshold.conf.

Or, you can just threshold your whole company's network range for that particular SID.

Your call.

*** EDIT: ***

I just did some research and found that if you add:

threshold gen_id 1, sig_id 408, type limit, track by_src, count 1, seconds 60

to threshold.conf, Snort will generate one alert per 60 seconds for each source IP causing SHELLCODE x86 inc ecx NOOP alerts.

In this case, you wouldn't need to provide IPs...it'll threshold each IP that triggers the signature.

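The difference unixfool describes between a bpf.conf host exclusion (the sensor never captures the traffic) and a threshold.conf "type limit, track by_src, count 1, seconds 60" line (one alert per source per minute, nothing silenced outright) can be seen by replaying an alert stream through both rules. The Python below is an added example, not from the thread or from Snort; the alert stream and the excluded hosts are constructed, and the function names are my own.

```python
"""Simulate bpf.conf host exclusion vs. a threshold.conf 'limit' rule.
Constructed sample data; not the thread's or Snort's own code."""
from collections import defaultdict
import ipaddress

# Constructed alert stream: (timestamp in seconds, sid, source IP).
# sid 408 = ICMP Echo Reply, sid 1394 = SHELLCODE x86 inc ecx NOOP (from the thread).
SAMPLE_ALERTS = [
    (0, 408, "10.0.0.5"), (5, 408, "10.0.0.5"), (30, 408, "10.0.0.5"),
    (45, 408, "10.0.0.9"), (61, 408, "10.0.0.5"), (70, 408, "10.0.0.9"),
    (75, 1394, "10.0.0.5"), (80, 1394, "10.0.0.5"), (90, 408, "192.0.2.7"),
]


def bpf_exclude(alerts, excluded_hosts):
    """bpf.conf style '(not host X) && ...': packets from the listed hosts are
    never captured, so every alert of every SID from them disappears."""
    excluded = {ipaddress.ip_address(h) for h in excluded_hosts}
    return [a for a in alerts if ipaddress.ip_address(a[2]) not in excluded]


def threshold_limit(alerts, sid, count, seconds):
    """threshold.conf style 'threshold gen_id 1, sig_id SID, type limit,
    track by_src, count N, seconds S': pass the first N alerts of SID per
    source IP in each S-second window (window opens on the first event),
    drop the rest of that window. Other SIDs are untouched."""
    window_start = {}
    seen = defaultdict(int)
    kept = []
    for ts, asid, src in alerts:
        if asid != sid:
            kept.append((ts, asid, src))
            continue
        if src not in window_start or ts - window_start[src] >= seconds:
            window_start[src] = ts   # open a new window for this source
            seen[src] = 0
        if seen[src] < count:
            kept.append((ts, asid, src))
        seen[src] += 1
    return kept


if __name__ == "__main__":
    limited = threshold_limit(SAMPLE_ALERTS, sid=408, count=1, seconds=60)
    dropped = bpf_exclude(SAMPLE_ALERTS, ["10.0.0.5", "10.0.0.9"])
    print(len(SAMPLE_ALERTS), "alerts in;", len(limited), "after thresholding sid 408;",
          len(dropped), "after BPF exclusion of the two noisy hosts")
```

With the threshold rule each noisy host still shows up once per minute and the other SID is unaffected; with the BPF exclusion both hosts vanish from every rule, which is the "you'll NEVER see anything from them" trade-off described above.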
08-04-2011, 12:52 PM   #8
mhollis (Original Poster)
Thanks. I am getting fewer alerts already. One last question. I am also getting hundreds of alerts from the following signature:

DNS SPOOF query response with TTL of 1 min. and no authority

The source IP is 4.2.2.2 and the destination IP is my internal DNS servers. Now, I do use 4.2.2.2 as my DNS forwarder, so I believe this is why I am seeing these alerts. Should I just threshold my DNS servers from that SID to stop the alerts? Thanks for all your help so far. I really appreciate it.
08-04-2011, 01:00 PM   #9
unixfool (Member)
Quote: Originally Posted by mhollis (post #8 above)
Yeah, it'll work for that rule also.