[Dshield] For those that want to see what a Snort Sensor can see
areust at comcast.net
Fri Apr 9 01:41:00 GMT 2004
John et al
For new users, it is part of what they do not tell you in the documentation.
This machine is "plain vanilla" as it unpacked. This is the standard
chat.rule. No, initially I did not enable all the rulesets. This morning I
did enable all rulesets.
The latest rules can be found at
What most people do not think about is, I see there are updated rules. I
drag them down, and then when I overwrite, I have destroyed all the rules
that I have "disabled" that were causing "false positives." Any special
rules that I wrote that were in "local.rules" are also now toast.
At one point in time I was doing a "diff" to see what changed and if the
changes were something that I might have in my "local.rules." It became
more work than I had time for, with 5 machines in different locations. Each
machine had its "own" false positives that had to be dealt with. I then
went to a file on the local machine that had records of what rules I had
disabled and when. That was my reference. I could then pull the updated
rules and unpack to a directory and then edit a set for each machine. Edit
the rules, carry to location and place online. Obviously, a "false
positive" 6 months ago may not be a false positive now, so you do need to
check on occasion.
The normal precautions are: make a text file in the rules directory which
explains what rules you disabled and why (a date as to when is also
useful). Unpack the "new" ruleset to a separate directory, open your
disabled rules text file and start disabling your false positives. Remove
the local.rules file from that directory. When you have completed all the
steps you are ready to copy the updated rules to snort, then a net
stop snort command followed by a net start snort command. The new ruleset
is in place and active.
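The steps above (a dated record of disabled rules, a separate staging directory for the new ruleset, re-disabling the recorded false positives, keeping the sensor's own local.rules) can be scripted so each machine's list is re-applied the same way every time. The script below is an added example, not code from the post or from the Snort project. It assumes a record-file format of one entry per line, `SID  YYYY-MM-DD  reason` (the post does not prescribe a format), one rule per line with no backslash continuations, and placeholder directory names; the service restart (net stop / net start) is left to the operator. It also reports record entries that no longer match any rule in the new set, which is the natural moment to revisit whether an old false positive still is one.

```python
"""Re-apply locally disabled Snort rules to a freshly unpacked rule set.

Added example, not code from the original post.  Assumptions (not from the
post): the record file holds one entry per line, "SID  YYYY-MM-DD  reason";
rules are one per line; directory and file names below are placeholders.
"""
import os
import re
import shutil
import tempfile

# Matches the sid option inside a rule body, e.g. "sid:900001;"
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def parse_disabled_record(text):
    """Parse the record into {sid: (date, reason)}; '#' lines and blanks are notes."""
    disabled = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        sid = int(parts[0])
        date = parts[1] if len(parts) > 1 else ""
        reason = parts[2] if len(parts) > 2 else ""
        disabled[sid] = (date, reason)
    return disabled


def disable_rules(rule_text, disabled):
    """Comment out every active rule whose SID is in `disabled`.

    Returns (new_text, sids_found).  Lines already commented out are left
    alone, so running this twice over the same file changes nothing.
    """
    out, found = [], set()
    for line in rule_text.splitlines():
        m = SID_RE.search(line)
        if m and not line.lstrip().startswith("#"):
            sid = int(m.group(1))
            if sid in disabled:
                date, reason = disabled[sid]
                out.append(f"# disabled {date}: {reason}")
                out.append("# " + line)
                found.add(sid)
                continue
        out.append(line)
    return "\n".join(out) + "\n", found


def merge_ruleset(new_dir, current_dir, record_path):
    """Apply the record to every .rules file in new_dir; keep your local.rules.

    Returns the SIDs listed in the record but absent from the new rule set
    (rule retired or renumbered): those entries deserve a look.
    """
    with open(record_path, encoding="utf-8") as f:
        disabled = parse_disabled_record(f.read())
    found = set()
    for name in sorted(os.listdir(new_dir)):
        if not name.endswith(".rules") or name == "local.rules":
            continue
        path = os.path.join(new_dir, name)
        with open(path, encoding="utf-8") as f:
            text, hits = disable_rules(f.read(), disabled)
        found |= hits
        with open(path, "w", encoding="utf-8") as f:
            f.write(text)
    # The archive's local.rules must never replace the sensor's own copy.
    local = os.path.join(current_dir, "local.rules")
    if os.path.exists(local):
        shutil.copyfile(local, os.path.join(new_dir, "local.rules"))
    return set(disabled) - found


def run_demo():
    """Build a constructed staging layout in a temp dir, merge it, and return
    (stale_sids, local_rules_text_after_merge)."""
    root = tempfile.mkdtemp()
    new_dir = os.path.join(root, "unpacked")     # placeholder: new archive
    cur_dir = os.path.join(root, "snort-rules")  # placeholder: live rule dir
    os.makedirs(new_dir)
    os.makedirs(cur_dir)
    # Constructed sample files; the SIDs are made up, not real Snort rule IDs.
    with open(os.path.join(new_dir, "chat.rules"), "w", encoding="utf-8") as f:
        f.write('alert tcp any any -> any 5050 (msg:"CHAT keepalive"; sid:900001; rev:1;)\n'
                'alert tcp any any -> any 5190 (msg:"CHAT login"; sid:900002; rev:1;)\n')
    with open(os.path.join(new_dir, "local.rules"), "w", encoding="utf-8") as f:
        f.write("# empty local.rules shipped in the archive\n")
    with open(os.path.join(cur_dir, "local.rules"), "w", encoding="utf-8") as f:
        f.write('alert icmp any any -> any any (msg:"LOCAL site rule"; sid:1000001; rev:1;)\n')
    record = os.path.join(cur_dir, "disabled-rules.txt")
    with open(record, "w", encoding="utf-8") as f:
        f.write("# sid  date  reason\n"
                "900001 2004-04-08 keep-alive traffic, false positive\n"
                "900009 2003-10-01 rule no longer shipped\n")
    stale = merge_ruleset(new_dir, cur_dir, record)
    with open(os.path.join(new_dir, "local.rules"), encoding="utf-8") as f:
        local_text = f.read()
    shutil.rmtree(root)
    return stale, local_text


if __name__ == "__main__":
    stale, local_text = run_demo()
    print("stale record entries:", sorted(stale), "| local.rules:", local_text.strip())
```

Run it against the staging directory before copying anything into the live rules path; every rule it comments out is prefixed with the date and reason from the record, so the rule files themselves carry the audit trail, and a non-empty stale list is the cue to prune the record.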
If you look this evening you will see a jump in ICMP. This would be a
false positive in that a network problem (Comcast) was experienced. Then
when you do a trace route (tracert) to www.msn.com it is actually showing you
the dropped packets. You end up with a lot of packets to look at that you did
not normally see.
At 11:00 AM 4/8/2004 -0500, you wrote:
>Did you write the chat rule? And are the rest of the rules from the
>>From: Al Reust <areust at comcast.net>
>>Reply-To: General DShield Discussion List <list at lists.dshield.org>
>>To: General DShield Discussion List <list at lists.dshield.org>
>>Subject: Re: [Dshield] For those that want to see what a Snort Sensor can see
>>Date: Thu, 08 Apr 2004 08:04:50 -0700
>>As I said, it's pretty much vanilla "out of the box" with the exception of
>># include $RULE_PATH/shellcode.rules
>># include $RULE_PATH/policy.rules
>># include $RULE_PATH/porn.rules
>># include $RULE_PATH/info.rules
>># include $RULE_PATH/icmp-info.rules
>># include $RULE_PATH/virus.rules
>># include $RULE_PATH/chat.rules
>># include $RULE_PATH/multimedia.rules
>>I have turned those on and find it interesting that overall it has been
>>I did see a round of lets "guess the users password" in the security log
>>I have found it interesting in that it reports
>>[snort] (http_inspect) BARE BYTE UNICODE ENCODING
>>which is a keep alive connection to Yahoo
>>length = 35
>>000 : 59 4D 53 47 00 0B 00 00 00 0F 00 8A 00 00 00 00 YMSG............
>>010 : 6F 7E 0B 00 30 C0 80 6F 6E 6C 79 31 6D 61 6D 6D o~..0..only1mamm
>>020 : 61 C0 80 a..
>>At 09:24 AM 4/8/2004 -0400, you wrote:
>>>Dammit, no kickass-porn yet, although it did sniff an AIM login...
>>>Are you suppressing a bunch of rules?
>>>Mark Tombaugh <mtombaugh at alliedcc.com>
>>>Allied Computer Corporation <http://www.alliedcc.com>
>>>USiHOST, iNC <http://www.usihost.com>
>>>PGP: EB6CD591 Mark Tombaugh (Allied Computer Corporation)
>>> 5B45 859C 26F9 C12F FBCC 0831 3136 C806 EB6C D591