Francis,
There was a very similar question recently on the list. Tom Le
replied with this (6/3/2007 6:43pm):
"Since these port scan alerts are from the Snort sfportscan
preprocessor, your best option is to tune out false positives from your
IDS. Tuning at the log analysis layer works, of course, but the general
rule is to always move your tuning as far upstream as possible.
In this case, modify the "ignore_scanners" option in your snort.conf
and tune out known source IPs that are legitimately scanning your
network."
That made tremendous sense to me and to the person who posed the
question initially. As a follow-up, Daniel Cid (6/4/2007 7:50PM)
pointed folks to his recent talk at AUSCert
(http://www.ossec.net/wiki/index.php/Know_How:CorrelateSnort) and
provided this explanation and great improvement on a solution I
proposed to the initial questioner:
"When ossec parses a log, it will break down the message into
multiple fields:
time -> Jun 3 15:34:33
hostname -> saratoga.denmantire.com
program_name -> snort
log -> [122:3:0] (portscan) TCP Portsweep {PROTO255} 192.168.0.150 ->
192.168.1.80
After the decoding (decoders.xml), you will also have:
srcip -> 192.168.0.150
id -> 122:3:0
And it may have dstip, srcport, etc.
When you write a rule, you need to remember that the "regex" and
"match" tags only look at the log option, which from your logs would
only start at "[122:3:0 ..".
To look at the other parts of the message, you need to use
"program_name" (as David mentioned) or "hostname", etc.
I think that the best way to have your rule would be to look at the
snort id (122:), instead of looking at the whole message for "portscan".
<rule id="1002020" level="0">
  <if_sid>20151</if_sid>
  <program_name>^snort</program_name>
  <srcip>X.X.X.X</srcip>
  <id>^122:</id>
  <description>Portsweep from whatsup. It's OK.</description>
</rule>"
I hope Tom and Daniel don't mind me passing that along.
-David
FRANCIS PROVENCHER wrote:
> Hi all, I'm new to the OSSEC world.
>
> My OSSEC installation watches for NIDS (Snort) log alerts in
> /var/log/message/.
>
> I've installed the web interface for OSSEC. All works great! Except, when I
> press F5 (or when the web interface reloads by itself) on the web interface
> to see if alerts were added, Snort interprets it as an "attack". I always
> receive this error:
>
> 2007 Jun 06 15:16:39 Rule Id: 20101 level: 6
> Location: (************) 10.*.*.6->/var/log/messages
> IDS event.
>
> Jun 6 15:16:38 ******** snort[11669]: [1:882:5] WEB-CGI calendar access
> [Classification: Attempted Information Leak] [Priority: 2]: {TCP}
> 10.*.*.2:34282 -> 10.*.*.6:80
>
> How can I stop logging this false positive?
>
> Sorry if the question has been asked before; I've googled for some time but
> found nothing about it.
>
> Thanks all
>
> Francis Provencher
> Ministère de la Sécurité publique du Québec
> Direction des technologies de l'information
> Division de la sécurité informatique
> Tel: 1 418 646-3258
> E-mail: [EMAIL PROTECTED]
>
> CEH - Certified Ethical Hacker
> SSCP - System Security Certified Practitioner
> Sec+ - Security+
>
--
_______________________________________________
GPG (http://www.gnupg.org/) key available from:
http://www.kayakero.net/per/david/
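A worked illustration of the field breakdown and rule matching Daniel describes above, added here as an example; it is a simplified re-creation in Python, not OSSEC's own decoder or rule engine, and the second sample line is shaped like Francis's alert with a made-up hostname and addresses.

```python
import re
# Simplified re-creation of the decoding Daniel describes (not OSSEC's own
# code): syslog line -> time/hostname/program_name/log; Snort log -> id, IPs, ports.
SYSLOG_RE = re.compile(
    r"^(?P<time>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<hostname>\S+) "
    r"(?P<program_name>[^\[:]+)(?:\[\d+\])?: (?P<log>.*)$")
SNORT_ID_RE = re.compile(r"^\[(?P<id>\d+:\d+:\d+)\]")
SNORT_ADDR_RE = re.compile(
    r"\{(?P<proto>[^}]+)\} (?P<srcip>[\d.]+)(?::(?P<srcport>\d+))? -> "
    r"(?P<dstip>[\d.]+)(?::(?P<dstport>\d+))?")

def decode(line):
    """Decoded fields for one syslog line, or None if it is not syslog-shaped."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    idm = SNORT_ID_RE.match(fields["log"])
    if idm:
        fields["id"] = idm.group("id")
    am = SNORT_ADDR_RE.search(fields["log"])
    if am:
        fields.update({k: v for k, v in am.groupdict().items() if v})
    return fields

def rule_matches(rule, fields):
    """'match' is a substring test on the log field only (so 'snort' never matches
    there); other tags test their own decoded field: '^' anchors, IPs must be equal."""
    for tag, pat in rule.items():
        val = fields.get("log" if tag == "match" else tag)
        if val is None:
            return False
        if tag == "match":
            ok = pat in val
        elif tag in ("srcip", "dstip"):
            ok = val == pat
        else:
            ok = val.startswith(pat[1:]) if pat.startswith("^") else pat in val
        if not ok:
            return False
    return True

# Constructed samples: the portsweep line from the thread, and a WEB-CGI line
# shaped like Francis's with a made-up hostname and addresses.
PORTSWEEP = ("Jun  3 15:34:33 saratoga.denmantire.com snort: [122:3:0] (portscan) "
             "TCP Portsweep {PROTO255} 192.168.0.150 -> 192.168.1.80")
WEBCGI = ("Jun  6 15:16:38 sensor1 snort[11669]: [1:882:5] WEB-CGI calendar access "
          "[Classification: Attempted Information Leak] [Priority: 2]: {TCP} "
          "10.0.0.2:34282 -> 10.0.0.6:80")
WHATSUP_RULE = {"program_name": "^snort", "srcip": "192.168.0.150", "id": "^122:"}  # Daniel's rule 1002020, X.X.X.X filled in
```

The if_sid chaining is not modelled; the point shown is which field each tag inspects.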