[Klug-general] SNORTing the rabbit hole

James Blake jimmyblake at gmail.com
Wed Feb 24 13:58:24 UTC 2010


As network intrusion detection systems go, SNORT produces a huge number of false positives, one of the worst in the industry.

We were getting around 20,000 a day here (we're running 2,000+ CentOS boxes), which is why we don't use it any more.  An IDS is next to useless if you have to investigate each event to work out whether it is real or not.  You really have to tune SNORT rules to match your specific traffic profile, which is an ongoing task in the enterprise, which has constantly changing patterns of traffic.

Host-based intrusion prevention (checking to see what files have changed on the filesystem and log/event analysis) triggers a lot fewer false positives if the system has been appropriately configured/hardened.

Regards


James


On 24 Feb 2010, at 10:58, Alan @ COMM-TECH wrote:

> MacGyveR wrote:
>>> This one is 10.1.1.10 a Laserjet 4300 - what is that weird destination
>>> address?
>>> 
>>> EVENTS	SOURCE		DEST		METHOD
>>> 1180  10.1.1.10        239.255.255.250 MISC UPnP malformed advertisement
>>> 
>>> This is an ordinary Linux box - running nothing special with regards to
>>> services... what is that method?
>>> 
>>> EVENTS	SOURCE		DEST		METHOD
>>> 974  10.1.1.182       212.49.203.231   COMMUNITY WEB-MISC mod_jrun
>>> overflow attempt
>>> 
>>> Any ideas?
>>> 
>> 
>> The first one is just UPnP announcements; you should be able to turn it off on 
>> the printer if you don't use it (auto-discover devices etc.).
>> 
>> The second would be a web server attack. Are you running mod_jrun on Apache?
>> 
> 
> You're right - it appears that the UPnP advertisement is made by some
> misconfigured devices (i.e. most of them by default). One has turned out to
> be an iPhone!
> 
> As for the mod_jrun - it looks like it's related to webmail -
> squirrelmail in particular.
> 
> Thanks for the pointers!
> 
> 
> 
> _______________________________________________
> Kent mailing list
> Kent at mailman.lug.org.uk
> https://mailman.lug.org.uk/mailman/listinfo/kent
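An added example of the rule tuning James describes, not code from anyone in the thread: it ranks Snort 2.x "-A fast" alert lines by signature and source and writes threshold.conf entries for the noisiest ones, suppressing the SSDP announcements the printer sends to 239.255.255.250 while only rate-limiting everything else. The alert lines, SIDs and timestamps are constructed; the hosts and message texts are the ones quoted above.

```python
import re
from collections import Counter

# Constructed Snort 2.x "-A fast" alert lines. SIDs and timestamps are
# placeholders; hosts and messages match the ones discussed in the thread.
SAMPLE_ALERTS = [
    "02/24-10:01:%02d.000000  [**] [1:9000001:1] MISC UPnP malformed advertisement [**] "
    "[Priority: 3] {UDP} 10.1.1.10:1900 -> 239.255.255.250:1900" % s for s in range(5)
] + [
    "02/24-10:02:%02d.000000  [**] [1:9000002:1] COMMUNITY WEB-MISC mod_jrun overflow attempt [**] "
    "[Priority: 1] {TCP} 10.1.1.182:40001 -> 212.49.203.231:80" % s for s in range(2)
]

# [gid:sid:rev] msg [**] ... {proto} src[:port] -> dst[:port]
FAST_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\] (?P<msg>.*?) \[\*\*\].*?"
    r"\{\w+\} (?P<src>[\d.]+):?\d* -> (?P<dst>[\d.]+):?\d*"
)

def parse_fast_alert(line):
    """Pull gid, sid, message, source and destination out of one fast-alert line."""
    m = FAST_RE.search(line)
    return m.groupdict() if m else None

def top_noisy(lines, n=5):
    """Rank (gid, sid, msg, src, dst) tuples by alert count, loudest first."""
    counts = Counter()
    for line in lines:
        a = parse_fast_alert(line)
        if a:
            counts[(a["gid"], a["sid"], a["msg"], a["src"], a["dst"])] += 1
    return counts.most_common(n)

def tuning_plan(lines, min_count=2):
    """Emit threshold.conf entries for every signature firing >= min_count times.

    Known-benign SSDP chatter to the UPnP multicast group is suppressed for that
    one source host only; anything else is rate-limited rather than silenced, so
    a genuine attack still produces one alert per source per minute.
    """
    plan = []
    for (gid, sid, msg, src, dst), count in top_noisy(lines):
        if count < min_count:
            continue
        if dst == "239.255.255.250":
            plan.append(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src}")
        else:
            plan.append(f"event_filter gen_id {gid}, sig_id {sid}, type limit, "
                        f"track by_src, count 1, seconds 60")
    return plan

if __name__ == "__main__":
    for entry, count in top_noisy(SAMPLE_ALERTS):
        print(count, entry)
    print("\n".join(tuning_plan(SAMPLE_ALERTS)))
```

Run it against a real alert file by replacing SAMPLE_ALERTS with the file's lines; the generated entries belong in threshold.conf and take effect after a Snort reload.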
