Saturday, March 7, 2015

Tuning Snort - Thresholding

Snort has a few options which can be used to tune its performance and or reduce on the number of alerts generated. Of the methods available, we will look at threshold, suppress, detection_filters and using detection_filter with event_filters.

In this post we will look at tuning via thresholding.
Before we move forward, I must state that the snort documentation states this is a deprecated function and will not be available in future releases. These posts are being used with snort Version 2.9.2.2. Threshold has been replaced with event_filter.

Using the snort documentation as a guide, one of the examples it has is detecting 5 failed logons using the "limit" option. Threshold itself has a few options to be aware of. These are threshold, limit or both. In this post we will look at all 3.

This lab consists of the following:
    Windows 2003 - Telnet Server - IP: 10.0.0.2
    Kali Linux - Running telnet client and snort, 2.9.2.2 - IP:10.0.0.1
   

Let's get started
Let's create rule which looks for failed logons via telnet without any thresholding.
Below shows the snort rule which is looking for the failed logons. It currently has no threshold configurations


From below we see the failed logon. For this I actually did this 5 times, however there is no need to put all of this in the image. Just consider this as 5 failed logons.











The snort rule fired 5 times as can be seen below

When we look at the performance statistics, we verified that this rule was checked 5 times, matched 5 times and alerted 5 times.


Let's now add the threshold option "limit" to the rule and see the results.
Basically, for the limit, it does not matter how many telnet packets are seen between the hosts with "Logon failure" within 60 seconds, it will simply fire on the first 2 and ignore everything else. To actually test and understand this, you should be running snort in one window which is visible and logon to telnet via another window which allows you to see the snort screen while you are logging in. What you should see is snort generating an alert on your first login, then on your second login. For all the others within 60 seconds there should be no results from snort.

Let's test this.


Create a new rule with limit enable


Let's assume I have 5 failed logins as similar to above.

Below we see that the snort rule triggered only 2 times. This would be the first two then everything else was ignored.


Let's see what the performance statistics show.

Above we see that similar to the first rule, there were 5 checks and 5 matches. However, in this case there were only 2 alerts.


Let's move over to the "threshold" option now
The rule below is basically the same rule which was used for "limit". However the threshold type has been changed to threshold.


What this rule will do, is for every 2 packets seen with "Logon failure" between the two hosts, it will create an alert. So basically every second failure an alert would be created.

Once again, let's test that
Let's assume I have 5 failed logons again. Remember, to truly understand this, you should be able to look at your snort window or terminal, while logging to your telnet session.

Below we see the snort rule fire again 2 times.


Let's see what the performance statistics shows


Once again we saw 5 checks, 5 matches but 2 alerts.

I know at this point you may be thinking this seems confusing as you still have 2 alerts generated. However, remember above we had 5 failed logons, so we are unable to get more than 2 snort alerts.

To make it easier I will do one more example.
This time we will use 10 failed logons while keeping the rule the same. So if, this rule looks for every 2 failed logons within 60 seconds then for 10 failed logons we should have 5 alerts.

Let's test this.
Rule below is basically the same as above


Let's see what snort throws our way after the failed logons



As can be seen this time around, snort generated 5 alerts.

As always let validate this against what the performance preprocessor sees.


Ahhhhhhhhhhh!!! A thing of beauty.


The final option for threshold is "both". Both simply alerts once per interval based on the count value.

For the rule below, snort alert would be triggered on the 2nd packet seen with "Logon failure" between the hosts and everything else is ignored within the seconds specified.


Let's see what alerts we get.


As see above the the rule fired once.

Once again, let's check the performance statistics


Looks like we had 10 checks and 10 matches. However, only 1 alert was fired. This obviously matches what we stated earlier.

One of the things we were able to achieve with this post is for every test we were able to successfully validate our findings via various means.

Hope you enjoyed this post. See
threshold, suppress, detection_filters and using detection_filter with event_filters for further tuning tips.


References:
http://manual.snort.org/node20.html
http://manual.snort.org/node212.html
http://manual.snort.org/node35.html
https://technet.microsoft.com/en-us/library/cc772789%28v=ws.10%29.aspx

1 comment: