Security Onion: Suppressing and Disabling Noisy Snort Rules

If you have freshly installed Security Onion and selected Snort as the IDS, log in to Snorby and you will see a large number of noisy rules. For those rules there are three cases:

  • Rules that should not trigger at all, for any IP
  • Rules that need to be suppressed for some particular IP or IP range
  • Rules you want to threshold (alert only after a rule has fired N times, or log at most N alerts in a given period of time)

Let's deal with these cases one by one.


Rules Not To Be Triggered At All

For rules in this category there are two ways to disable them: in the Snort threshold configuration file (threshold.conf) or in the PulledPork configuration file (disablesid.conf). The two are not equivalent: an entry in disablesid.conf comments the rule out of the rule set, so Snort never loads or evaluates it, while a suppress line in threshold.conf leaves the rule active and only discards the alerts it produces. Note down the Sig. Id of each rule you want to disable; for example, we want to disable the following rules.

Signature                                                           Sig. Id
ET POLICY Dropbox DNS Lookup - Possible Offsite File Backup in Use  2015686
ET CHAT Skype User-Agent detected                                   2003313

You can find the Sig. Id of a rule in Snorby by clicking on the alert message.

Disabling Rules in PulledPork

It is better to disable rules in PulledPork: the entries in disablesid.conf are re-applied every time the rules are updated, so the rules stay disabled after an update, and Snort never loads them at all, which also gives a performance advantage.
Open the file /etc/nsm/pulledpork/disablesid.conf and append the following lines at the end of the file:

#ET POLICY Dropbox DNS Lookup - Possible Offsite File Backup in Use
1:2015686
#ET CHAT Skype User-Agent detected
1:2003313

The format is Generator ID:Sig. ID; for text rules the generator ID is 1. It is better to add a comment about each rule you disable, as it will be helpful for others, or for yourself, in the future.
Open a terminal and update the rules with the following command:

$> sudo rule-update

This will take some time. When it completes, you can verify that the rules with the above Sig. Ids are commented out in /etc/nsm/rules/downloaded.rules (do not edit that file by hand; PulledPork regenerates it on every rule-update):

$>grep "ET POLICY Dropbox DNS Lookup - Possible Offsite"  /etc/nsm/rules/downloaded.rules 
# alert udp $HOME_NET any -> any 53 (msg:"ET POLICY Dropbox DNS Lookup - Possible Offsite File Backup in Use"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|client-lb|07|dropbox|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,dropbox.com; classtype:policy-violation; sid:2020565; rev:1;)

Note the "#" at the start of the output line. Note also that the line shown carries sid:2020565, not 2015686: more than one ET rule can share the same message text, so it is safer to grep for the sid itself (for example `grep 'sid:2015686;' /etc/nsm/rules/downloaded.rules`) to be sure the rule you disabled is the one that is commented out. You can verify the other rule with grep in the same way.
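As an added example (not from the original post and not part of Security Onion), the following shell function does that verification by sid instead of by message text: it reads the rules file PulledPork wrote, looks for every `gid:sid` you listed in disablesid.conf and reports whether each matching rule line is commented out. The downloaded.rules it runs against at the bottom is constructed for the demo; on a sensor the real target is /etc/nsm/rules/downloaded.rules.

```bash
#!/bin/bash
# Added example: check that the sids listed in disablesid.conf really are
# commented out in the rules file PulledPork generated. Matching on "sid:N;"
# rather than on the msg text avoids confusing two rules that share a message.
#
# Usage: sids_disabled <rules_file> <gid:sid | sid> ...
# Prints one status line per sid; returns 0 only if every sid was found and is disabled.
sids_disabled() {
    local rules="$1"; shift
    local rc=0 entry sid lines
    for entry in "$@"; do
        sid="${entry##*:}"          # accept "1:2015686" as well as a bare "2015686"
        # every rule line carrying this sid (several revs may be present on disk)
        lines=$(grep -E "sid:[[:space:]]*${sid}[[:space:]]*;" "$rules" || true)
        if [ -z "$lines" ]; then
            echo "MISSING  $sid  (no rule with this sid in $rules)"; rc=1
        elif printf '%s\n' "$lines" | grep -qvE '^[[:space:]]*#'; then
            echo "ACTIVE   $sid  (at least one uncommented rule line)"; rc=1
        else
            echo "DISABLED $sid"
        fi
    done
    return $rc
}

# Demo against a constructed downloaded.rules (not real sensor output):
# 2015686 and 2003313 were disabled; 2020565 shares the Dropbox message but is still live.
demo_dir=$(mktemp -d)
cat > "$demo_dir/downloaded.rules" <<'EOF'
# alert udp $HOME_NET any -> any 53 (msg:"ET POLICY Dropbox DNS Lookup - Possible Offsite File Backup in Use"; sid:2015686; rev:5;)
alert udp $HOME_NET any -> any 53 (msg:"ET POLICY Dropbox DNS Lookup - Possible Offsite File Backup in Use"; sid:2020565; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CHAT Skype User-Agent detected"; sid:2003313; rev:6;)
EOF
sids_disabled "$demo_dir/downloaded.rules" 1:2015686 1:2003313 1:2020565 \
    || echo "some of the listed sids are still active or missing"
rm -rf "$demo_dir"
```

Run it after rule-update with the same `gid:sid` entries you put in disablesid.conf; a non-zero exit means at least one of them is either not in the rule set at all (a typo in the sid, or a rule PulledPork no longer ships) or is still uncommented.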

Disabling Rules in the Snort Configuration File (threshold.conf)

Open the file /etc/nsm/rules/threshold.conf and read the comments about suppression:

#Suppression:
#
# Suppression commands are standalone commands that reference generators and
# sids and IP addresses via a CIDR block (or IP list). This allows a rule to be
# completely suppressed, or suppressed when the causitive traffic is going to
# or coming from a specific IP or group of IP addresses.
#
# Suppress this event completely:
#
# suppress gen_id 1, sig_id 1852
#
# Suppress this event from this IP:
#
# suppress gen_id 1, sig_id 1852, track by_src, ip 10.1.1.54
#
# Suppress this event to this CIDR block:
#
# suppress gen_id 1, sig_id 1852, track by_dst, ip 10.1.1.0/24

So in order to suppress the above two rules completely we just have to append the following lines at the end of the file:

#ET CHAT Skype User-Agent detected
suppress gen_id 1, sig_id 2003313
#ET POLICY Dropbox DNS Lookup - Possible Offsite File Backup in Use
suppress gen_id 1, sig_id 2015686

Rules That Need To Be Suppressed For Some Particular IP

If you read the comments in threshold.conf you already know how to do this, but in case you didn't, here is the relevant portion of the comments again:

# Suppress this event from this IP:
#
# suppress gen_id 1, sig_id 1852, track by_src, ip 10.1.1.54
#
# Suppress this event to this CIDR block:
#
# suppress gen_id 1, sig_id 1852, track by_dst, ip 10.1.1.0/24

For example, I want to suppress the following rule for the IP 192.168.2.1:
Signature: PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt, Sig. ID: 19187
Add the following lines at the end of /etc/nsm/rules/threshold.conf (not downloaded.rules, which PulledPork regenerates on every rule-update):

# Suppress "PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt" when the destination is 192.168.2.1
suppress gen_id 1, sig_id 19187, track by_dst, ip 192.168.2.1

We can also use track by_src, or give a range of IPs in CIDR notation:

# if the event needs to be suppressed when the source IP is 192.168.2.1
suppress gen_id 1, sig_id 19187, track by_src, ip 192.168.2.1
# if the event needs to be suppressed for the whole source range 192.168.2.0-192.168.2.255
suppress gen_id 1, sig_id 19187, track by_src, ip 192.168.2.0/24
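A missing generator ID or a trailing comma in one of these lines is easy to type, and a malformed directive stops Snort from starting, so it is worth checking the file before restarting the sensor. The following shell function is an added example, not part of the original post or of Security Onion: it joins backslash-continued lines, skips comments, and checks that every remaining line is a well-formed suppress directive (as used in this section and the previous one) or event_filter directive (the thresholding form described further down); anything else, including other Snort keywords such as rate_filter, is reported as unrecognized. The threshold.conf it runs against at the bottom is constructed for the demo.

```bash
#!/bin/bash
# Added example: syntax check for threshold.conf before restarting the sensor.
# Usage: lint_threshold_conf <file>
# Reports each directive that does not parse as "suppress" or "event_filter";
# returns 0 when every directive is well formed.
lint_threshold_conf() {
    local file="$1" rc=0 n=0 line joined
    local ws='[[:space:]]*' sp='[[:space:]]+' num='[0-9]+'
    # ip may be a single address, a CIDR block, or a bracketed list; "!" negates
    local ipval='!?(\[[^]]*]|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(/[0-9]+)?)'
    local sup="^${ws}suppress${sp}gen_id${sp}${num}${ws},${ws}sig_id${sp}${num}(${ws},${ws}track${sp}by_(src|dst)${ws},${ws}ip${sp}${ipval})?${ws}\$"
    local ef="^${ws}event_filter${sp}gen_id${sp}${num}${ws},${ws}sig_id${sp}${num}${ws},${ws}type${sp}(limit|threshold|both)${ws},${ws}track${sp}by_(src|dst)${ws},${ws}count${sp}${num}${ws},${ws}seconds${sp}${num}${ws}\$"

    joined=$(mktemp)
    # glue backslash-continued lines together, then drop comments and blank lines
    awk '{ if (sub(/\\[ \t]*$/, "")) { buf = buf $0; next } print buf $0; buf = "" }' "$file" \
        | grep -vE '^[[:space:]]*(#|$)' > "$joined" || true
    while IFS= read -r line; do
        n=$((n + 1))
        if printf '%s\n' "$line" | grep -qE "$sup"; then
            :
        elif printf '%s\n' "$line" | grep -qE "$ef"; then
            :
        else
            echo "UNRECOGNIZED: $line"; rc=1
        fi
    done < "$joined"
    rm -f "$joined"
    echo "$n directive(s) checked"
    return $rc
}

# Demo against a constructed threshold.conf: three good directives, one of them
# continued over two lines, followed by two common mistakes.
demo_dir=$(mktemp -d)
cat > "$demo_dir/threshold.conf" <<'EOF'
# Suppress Skype User-Agent alerts completely
suppress gen_id 1, sig_id 2003313
# TMG Firewall Client rule only for traffic to one host
suppress gen_id 1, sig_id 19187, track by_dst, ip 192.168.2.1
event_filter gen_id 1, sig_id 1851, type limit, \
    track by_src, count 1, seconds 60
# mistakes: missing gen_id value, missing "seconds"
suppress gen_id , sig_id  2003313
event_filter gen_id 0, sig_id 0, type limit, track by_src, count 1,
EOF
lint_threshold_conf "$demo_dir/threshold.conf" \
    || echo "fix the lines above before restarting Snort"
rm -rf "$demo_dir"
```

The check is purely syntactic: it will not tell you whether a sid exists in your rule set or whether a suppression is too broad, only that Snort will be able to parse the line.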

Thresholding Rules

The configuration file (threshold.conf) gives a pretty good explanation of thresholding:

"This feature is used to reduce the number of logged alerts for noisy rules. This can be tuned to significantly reduce false alarms, and it can also be used to write a newer breed of rules. Thresholding commands limit the number of times a particular event is logged during a specified time interval.

There are 3 types of event_filters:

1) Limit
Alert on the 1st M events during the time interval, then ignore
events for the rest of the time interval.

2) Threshold
Alert every M times we see this event during the time interval.

3) Both
Alert once per time interval after seeing M occurrences of the event, then ignore any additional events during the time interval."

Threshold commands are formatted as:

event_filter gen_id <gen-id>, sig_id <sig-id>, \
 type <limit|threshold|both>, track <by_src|by_dst>, \
 count <c>, seconds <s>

Limit Filter

Limit logging of the event with sig ID 1851 to once per 60 seconds per source IP:

event_filter gen_id 1, sig_id 1851, type limit, \
track by_src, count 1, seconds 60

Here track by_src means that each source IP has its own counter: at most one alert is logged per source IP in any 60-second window. For example, if the event is logged for 192.168.1.1, it will not be logged again for that IP in the next 60 seconds, but during that time it can still be logged for any other IP, such as 192.168.1.2.

Global Threshold

Limit logging to 1 event per 60 seconds per source IP, for any event from any generator:

event_filter gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 60

Here zero acts as a wildcard for any gen_id or sig_id, so each source IP gets at most one logged alert per 60 seconds across all rules.

Threshold and Both filters are written the same way.

Threshold or Both Filter

An example of a Both filter for sig_id 2019491: once a source IP has triggered the rule twice within a 120-second window, one alert is logged, and any further occurrences from that source in the same 120 seconds are ignored. Note that this is one alert per window, not two; the count says how many occurrences are needed before the single alert fires.

event_filter gen_id 1, sig_id 2019491, type both, track by_src, count 2, seconds 120
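To see how the three filter types differ on the same traffic, here is an added example (not from the original post) that replays a constructed stream of events through the limit, threshold and both semantics as described in the threshold.conf comments above, tracked by source IP. It is a model of those definitions written for illustration, not Snort's own code: each input line is `<epoch seconds> <source ip>` and must be in time order, and for the threshold type the count restarts after every logged alert.

```bash
#!/bin/bash
# Added example: replay an event stream through event_filter semantics.
# Usage: simulate_event_filter <limit|threshold|both> <count> <seconds>  < events
#   stdin lines: "<epoch seconds> <source ip>", sorted by time (track by_src)
#   stdout: number of alerts that would be logged; each logged alert goes to stderr.
simulate_event_filter() {
    awk -v ftype="$1" -v M="$2" -v S="$3" '
    {
        t = $1 + 0; k = $2
        # a new window starts at the first event from this source, or once the old window has expired
        if (!(k in start) || t - start[k] >= S) { start[k] = t; n[k] = 0 }
        n[k]++
        hit = 0
        if (ftype == "limit") {
            hit = (n[k] <= M)                  # the first M events in the window are logged
        } else if (ftype == "threshold") {
            if (n[k] >= M) { hit = 1; n[k] = 0; start[k] = t }   # every Mth event, then count again
        } else if (ftype == "both") {
            hit = (n[k] == M)                  # once per window, on the Mth event
        }
        if (hit) { logged++; print "LOG t=" t " src=" k > "/dev/stderr" }
    }
    END { print logged + 0 }'
}

# Constructed event stream (not real sensor data): 192.168.1.1 fires the same rule
# at t=0,10,20,30,70,80 and 192.168.1.2 fires it once at t=5.
sample_events() {
    printf '%s\n' '0 192.168.1.1' '5 192.168.1.2' '10 192.168.1.1' \
        '20 192.168.1.1' '30 192.168.1.1' '70 192.168.1.1' '80 192.168.1.1'
}

echo "limit,     count 1, seconds 60:  $(sample_events | simulate_event_filter limit 1 60 2>/dev/null) alerts"
echo "threshold, count 2, seconds 60:  $(sample_events | simulate_event_filter threshold 2 60 2>/dev/null) alerts"
echo "both,      count 2, seconds 120: $(sample_events | simulate_event_filter both 2 120 2>/dev/null) alerts"
```

On this stream the limit filter logs three alerts (one per window per source), the threshold filter logs on every second occurrence from 192.168.1.1, and the Both filter with count 2 and seconds 120 logs a single alert: the second occurrence from 192.168.1.1 at t=10 fires it and the rest of the window stays silent, which is why a Both filter cuts a chatty rule down to one alert per window rather than two.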

Restart Sensor

Don't forget to restart the sensor for the changes in threshold.conf to take effect:

$> sudo nsm_sensor-restart