Saturday, March 7, 2015

Tuning Snort - Suppress

Snort has a few options which can be used to tune its performance and or reduce on the number of alerts generated. Of the methods available, we will look at threshold, suppress, detection_filters and using detection_filter with event_filters.

This lab consists of the following:
    Windows 2003 - Telnet Server - IP: 10.0.0.2
    Kali Linux - Running telnet client and snort, 2.9.2.2 - IP:10.0.0.1

In this post we will look at tuning via suppression in Snort Version 2.9.2.2.

Let's start off with our rule
The rule below is just a basic rule looking for the content "Logon failure" coming from host 10.0.0.2:23 going to host 10.0.0.1. No suppression is enabled.

Let's logon via telnet











As seen above my logon failed. Let's assume this happened 6 times.
For every failed logon received from the server there is a Snort alert above.

Looking at the performance statistics. We see 6 Checks, 6 Matches and 6 Alerts



Let's now go ahead and configure suppression.

This is done via the "threshold.conf" which is found in /etc/snort

Once configured let's go ahead and create our failed logon sessions again, similar to above.

When snort is run again, there is no output on the screen.


However, as we check the performance data we see we have Checks 6, Matches 6 and Alerts 0.


What this confirms is that even though we suppress this alert, snort is still processing the packeet. However, no notification is provided to us as to what is going on with the packet.



Hope you enjoyed this post. See
threshold, suppress, detection_filters and using detection_filter with event_filters for further tuning tips.


References:
http://manual.snort.org/node20.html
http://manual.snort.org/node212.html
http://manual.snort.org/node35.html
https://technet.microsoft.com/en-us/library/cc772789%28v=ws.10%29.aspx

No comments:

Post a Comment