[Dshield] For those that want to see what a Snort Sensor can see

Al Reust areust at comcast.net
Fri Apr 9 01:41:00 GMT 2004

John et al

For new users, it is part of what they do not tell you in the documentation.

This machine is "plain vanilla" as it upacked. This is the standard 
Chat.rule. No initially, I did not enable all the rulesets. This morning I 
did enable all rulesets.

The latest rules can be found at


More information.

What most people do not think about is, I see there are updated rules. I 
drag them down and then when I overwrite. I have destroyed all the rules 
that I have "disabled" that were causing "false positives." Any special 
rules that I wrote that were in "local.rules" are also now toast.

At one point in time I was doing a "dif" to see what changed and if the 
changes were something that I might have in my "local.rules." It became 
wore work than I had time for, with 5 machines in different locations. Each 
machine had it's "own" false positives that had to be dealt with. I then 
went to a file on the local machine that had records of what rules I had 
disable and when. That was my reference. I could then pull the updated 
rules and unpack to a directory and then edit a set for each machine. Edit 
the rules, carry to location and place online. Obviously, a "false 
positive" 6 months ago may not be a false positive now so you do need to 
check on occasion.

The normal precautions are, make a text file in the rules directory which 
explains what rules you disabled and why (a  date as to when is also 
useful). Unpack the "new" ruleset to a separate directory and open your 
disabled rules text file and start disabling your false positives. Remove 
the local.rules file from that directory. When you have completed all the 
steps then you are ready to copy the updated rules to snort, then a net 
stop snort command followed be a net start snort command. The new ruleset 
is in place and active.

If you looked this evening you will see a Jump in ICMP, This would be a 
false positive in that a network problem (comcast) was experienced.. Then 
you do a trace route (tracert) to www.msn.com it is actually showing you 
the dropped packets. You end up with a lot of packets to look that you did 
not normally see..



At 11:00 AM 4/8/2004 -0500, you wrote:
>Did you write the chat rule?  And are the rest of the rules from the 
>snort.org site?
>>From: Al Reust <areust at comcast.net>
>>Reply-To: General DShield Discussion List <list at lists.dshield.org>
>>To: General DShield Discussion List <list at lists.dshield.org>
>>Subject: Re: [Dshield] For those that want to see what a Snort Sensor can see
>>Date: Thu, 08 Apr 2004 08:04:50 -0700
>>As I said it pretty much Vanilla "out of the box" with exception of 
>># include $RULE_PATH/shellcode.rules
>># include $RULE_PATH/policy.rules
>># include $RULE_PATH/porn.rules
>># include $RULE_PATH/info.rules
>># include $RULE_PATH/icmp-info.rules
>># include $RULE_PATH/virus.rules
>># include $RULE_PATH/chat.rules
>># include $RULE_PATH/multimedia.rules
>>I have turned those on and find it interesting that overall it has been 
>>pretty quiet.
>>I did see a round of lets "guess the users password" in the security log 
>>last night
>>I have found it interesting in that it reports
>>[snort] (http_inspect) BARE BYTE UNICODE ENCODING
>>which is a keep alive connection to Yahoo
>>length = 35
>>000 : 59 4D 53 47 00 0B 00 00 00 0F 00 8A 00 00 00 00 YMSG............
>>010 : 6F 7E 0B 00 30 C0 80 6F 6E 6C 79 31 6D 61 6D 6D o~..0..only1mamm
>>020 : 61 C0 80 a..
>>At 09:24 AM 4/8/2004 -0400, you wrote:
>>>Dammit, no kickass-porn yet, although it did sniff an aim login...
>>>Are you suppressing a bunch of rules?
>>>Mark Tombaugh <mtombaugh at alliedcc.com>
>>>Allied Computer Corporation <http://www.alliedcc.com>
>>>USiHOST, iNC <http://www.usihost.com>
>>>PGP: EB6CD591 Mark Tombaugh (Allied Computer Corporation)
>>>       5B45 859C 26F9 C12F FBCC  0831 3136 C806 EB6C D591

More information about the list mailing list