Security Onion: Suppressing and Disabling Noisy Snort Rules

If you have freshly installed Security Onion and selected Snort as the IDS, log in to Snorby and you will see a large number of alerts from noisy rules. For those rules there are three cases:

  • Rules that should not trigger at all, for any IP
  • Rules that need to be suppressed for a particular IP (or IP range)
  • Rules that need a threshold: alert only after a rule has fired N times, or log only N alerts for a rule within a given period of time

Let’s deal with these cases one by one.

 

Rules Not To Be Triggered At All

There are two ways to disable rules in this category: in the Snort threshold configuration file (threshold.conf) or in the PulledPork configuration file (disablesid.conf). Note down the Sig. ID of each rule you want to disable; for example, we want to disable the following rules:

Signature                                                            Sig. ID
ET POLICY Dropbox DNS Lookup - Possible Offsite File Backup in Use   2015686
ET CHAT Skype User-Agent detected                                    2003313

You can find the Sig. ID of a rule in Snorby by clicking on the alert message.

Disabling Rules in Pulled Pork

It is better to disable rules in PulledPork: it comments the rule out in the downloaded rule set and keeps it commented out on every subsequent rule update, so Snort never loads the rule at all. A suppress entry in threshold.conf, by contrast, still has Snort evaluate the rule against traffic and only discards the resulting event, so disabling in PulledPork also gives a performance advantage.
Open the file /etc/nsm/pulledpork/disablesid.conf and append the following lines at the end of the file:

#ET POLICY Dropbox DNS Lookup - Possible Offsite File Backup in Use
1:2015686
#ET CHAT Skype User-Agent detected
1:2003313

The format is Generation ID:Sig. ID; for text rules the generation ID is 1. It is good practice to add a comment describing each rule you disable; it will help others, and you, later on.
Open a terminal and update the rules with the following command:

$> sudo rule-update

This will take some time. When it is complete, you can verify that the rules with the above Sig. IDs are commented out in /etc/nsm/rules/downloaded.rules:

$>grep "ET POLICY Dropbox DNS Lookup - Possible Offsite"  /etc/nsm/rules/downloaded.rules 
# alert udp $HOME_NET any -> any 53 (msg:"ET POLICY Dropbox DNS Lookup - Possible Offsite File Backup in Use"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|client-lb|07|dropbox|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,dropbox.com; classtype:policy-violation; sid:2020565; rev:1;)

Note the “#” at the start of the output line. Note also that the rule matched by this msg string carries sid:2020565, not 2015686: several ET rules can share the same msg text, so when verifying, grep for the sid string (sid:2015686;) rather than for the message. You can check the other rule the same way.
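As an added example (not code from this post, from Security Onion or from PulledPork), the following Python reproduces what the rule-update step above should leave behind, on a constructed rules file: it reads gid:sid entries in disablesid.conf format, comments the matching rules out with the "# " prefix, and then checks each rule's state by its sid option rather than by its msg text. The DISABLESID and RULES strings are constructed; the rule bodies are shortened stand-ins, not real ET rule content, and only single or comma-separated gid:sid entries are handled (PulledPork also accepts ranges and pcre entries, which this reader does not).

```python
"""Apply disablesid.conf entries to a rules file and check the result by sid.

Added example for this post, not PulledPork's own code.  It reads gid:sid
entries in the disablesid.conf format used above, comments out matching
rules the way PulledPork does ("# " prefix), and reports a rule's state by
its sid option rather than by its msg text.  DISABLESID and RULES below are
constructed; the rule bodies are shortened stand-ins, not real ET rules.
"""
import re

DISABLESID = """
#ET POLICY Dropbox DNS Lookup - Possible Offsite File Backup in Use
1:2015686
#ET CHAT Skype User-Agent detected
1:2003313
"""

# Two rules share the Dropbox msg text but have different sids, which is why
# verifying by msg alone can point at the wrong rule.
RULES = """\
alert udp $HOME_NET any -> any 53 (msg:"ET POLICY Dropbox DNS Lookup - Possible Offsite File Backup in Use"; content:"dropbox"; sid:2015686; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"ET POLICY Dropbox DNS Lookup - Possible Offsite File Backup in Use"; content:"client-lb"; sid:2020565; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT Skype User-Agent detected"; content:"Skype"; sid:2003313; rev:1;)
alert tcp $HOME_NET any -> any any (msg:"ET POLICY constructed placeholder rule"; sid:2000000; rev:1;)
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")


def parse_disablesid(text):
    """Return the set of (gid, sid) pairs from single or comma-separated
    gid:sid entries.  PulledPork also accepts ranges and pcre: entries,
    which this simplified reader does not handle."""
    ids = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        for item in line.split(","):
            gid, sid = item.strip().split(":")
            ids.add((int(gid), int(sid)))
    return ids


def rule_id(line):
    """Return (gid, sid) of a rule line, or None if it carries no sid.
    Rules without an explicit gid option belong to generator 1 (text rules)."""
    sid = SID_RE.search(line)
    if not sid:
        return None
    gid = GID_RE.search(line)
    return (int(gid.group(1)) if gid else 1, int(sid.group(1)))


def apply_disablesid(rules_text, disabled):
    """Comment out every enabled rule whose (gid, sid) is in `disabled`.
    Returns (new_rules_text, sorted list of sids that were commented out)."""
    out, changed = [], []
    for line in rules_text.splitlines():
        rid = rule_id(line)
        if rid and rid in disabled and not line.lstrip().startswith("#"):
            out.append("# " + line)
            changed.append(rid[1])
        else:
            out.append(line)
    return "\n".join(out) + "\n", sorted(changed)


def rule_state(rules_text, sid, gid=1):
    """'disabled' if the rule is present but commented out, 'enabled' if it
    is active, 'missing' if no rule carries that gid:sid."""
    for line in rules_text.splitlines():
        if rule_id(line) == (gid, sid):
            return "disabled" if line.lstrip().startswith("#") else "enabled"
    return "missing"


if __name__ == "__main__":
    new_rules, changed = apply_disablesid(RULES, parse_disablesid(DISABLESID))
    print("commented out:", changed)
    for sid in (2015686, 2020565, 2003313):
        print(sid, rule_state(new_rules, sid))
```

Running it against the constructed RULES comments out 2015686 and 2003313 and leaves 2020565 enabled even though it carries the same msg text as 2015686, which is exactly the case the msg-based grep above runs into. Applying the same entries a second time changes nothing, so the check is safe to repeat after every rule-update.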

Disabling Rules in Snort Configuration File(threshold.conf)

Open the file /etc/nsm/rules/threshold.conf and read the comments about Suppression:

#Suppression:
#
# Suppression commands are standalone commands that reference generators and
# sids and IP addresses via a CIDR block (or IP list). This allows a rule to be
# completely suppressed, or suppressed when the causitive traffic is going to
# or coming from a specific IP or group of IP addresses.
#
# Suppress this event completely:
#
# suppress gen_id 1, sig_id 1852
#
# Suppress this event from this IP:
#
# suppress gen_id 1, sig_id 1852, track by_src, ip 10.1.1.54
#
# Suppress this event to this CIDR block:
#
# suppress gen_id 1, sig_id 1852, track by_dst, ip 10.1.1.0/24

So in order to suppress the above two rules we just have to append the following lines at the end of the file:

#ET CHAT Skype User-Agent detected
suppress gen_id 1, sig_id 2003313
#ET POLICY Dropbox DNS Lookup - Possible Offsite File Backup in Use
suppress gen_id 1, sig_id 2015686

Rules Needed To Be Suppressed For Some Particular IP

If you have read the comments in threshold.conf you already know how to do this, but in case you haven’t, here is the relevant portion again:

# Suppress this event from this IP:
#
# suppress gen_id 1, sig_id 1852, track by_src, ip 10.1.1.54
#
# Suppress this event to this CIDR block:
#
# suppress gen_id 1, sig_id 1852, track by_dst, ip 10.1.1.0/24

For example, I want to suppress the following rule when the destination is IP 192.168.2.1:
Signature: PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt, Sig. ID: 19187
Add the following lines at the end of the file /etc/nsm/rules/threshold.conf (not downloaded.rules, which is rewritten on every rule-update):

# Disable "PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt" for destination 192.168.2.1
suppress gen_id 1, sig_id 19187, track by_dst, ip 192.168.2.1

We can also track by_src, or give a range of IPs in CIDR notation:

# if the event needs to be suppressed for source IP 192.168.2.1
suppress gen_id 1, sig_id 19187, track by_src, ip 192.168.2.1
# if the event needs to be suppressed for the source range 192.168.2.0/24
suppress gen_id 1, sig_id 19187, track by_src, ip 192.168.2.0/24

Thresholding  Rules

The configuration file (threshold.conf) gives a pretty good explanation of thresholding:

“This feature is used to reduce the number of logged alerts for noisy rules. This can be tuned to significantly reduce false alarms, and it can also be used to write a newer breed of rules. Thresholding commands limit the number of times a particular event is logged during a specified time interval.
There are 3 types of event_filters:

 1) Limit
Alert on the 1st M events during the time interval, then ignore
events for the rest of the time interval.

2) Threshold
Alert every M times we see this event during the time interval.

 3) Both
Alert once per time interval after seeing M occurrences of the event, then ignore any additional events during the time interval.”

Threshold commands are formatted as:

event_filter gen_id <gid>, sig_id <sid>, \
    type <limit|threshold|both>, track <by_src|by_dst>, \
    count <c>, seconds <s>

Limit Filter

Limit logging of the event with sig_id 1851 to one alert per source IP per 60 seconds:

event_filter gen_id 1, sig_id 1851, type limit, \
track by_src, count 1, seconds 60

Here track by_src means every source IP gets its own counter: for each source, only one event (alert) is logged every 60 seconds. For example, if the event is logged for 192.168.1.1, it will not be logged again for that IP during the next 60 seconds, but during that time it can still be logged for any other IP, such as 192.168.1.2.

Global Threshold
Limit logging to 1 event per 60 seconds per source IP, for any event from any event generator:

event_filter gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 60

Here zero acts as a wildcard for gen_id and sig_id. A global filter does not override a more specific event_filter for a particular gen_id/sig_id: the specific filter is applied first and the global one afterwards.

Similarly we can write a Threshold or a Both filter.

Threshold or Both Filter

An example of a Both filter for sig_id 2019491: for each source IP, once the rule has fired twice within a 120-second interval one alert is logged, and any further occurrences from that source are ignored for the rest of the interval. So there is at most one alert per source per 120 seconds, and none at all unless the event occurs at least twice in the interval:

event_filter gen_id 1, sig_id 2019491, type both, track by_src, count 2, seconds 120
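To see what the suppress and event_filter lines from the sections above actually do, here is an added Python example (not Snort's or Security Onion's code) that parses a constructed threshold.conf fragment and replays a constructed list of alerts through it, applying the documented semantics of suppress and of the limit, threshold and both filter types in simplified form. It also flags the two mistakes that are easy to make when editing the file by hand, a directive with a missing gen_id value and two event_filter lines for the same gen_id/sig_id, which Snort does not accept. The ip argument is limited to a single address or CIDR; Snort's [a, b] lists are not handled.

```python
"""Replay Snort alerts through threshold.conf suppress / event_filter lines.
Added example for this post, not Snort's or Security Onion's code.  It parses the
two directive forms shown above and applies their documented semantics (suppress;
event_filter type limit / threshold / both) in simplified form.  THRESHOLD_CONF and
EVENTS are constructed; `ip` takes one address or CIDR, not Snort's [a, b] lists.
"""
import ipaddress
import re
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?$")
FILTER_RE = re.compile(
    r"^event_filter\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)\s*,\s*type\s+(limit|threshold|both)"
    r"\s*,\s*track\s+(by_src|by_dst)\s*,\s*count\s+(\d+)\s*,\s*seconds\s+(\d+)$")

THRESHOLD_CONF = """
suppress gen_id 1, sig_id 2003313
suppress gen_id 1, sig_id 19187, track by_dst, ip 192.168.2.1
event_filter gen_id 1, sig_id 1851, type limit, \\
    track by_src, count 1, seconds 60
event_filter gen_id 1, sig_id 2019491, type both, track by_src, count 2, seconds 120
"""

EVENTS = [  # (time_s, gid, sid, src, dst) in arrival order; all constructed
    (0,   1, 2003313, "10.0.0.5", "10.0.0.9"),      # suppressed outright
    (0,   1, 19187,   "10.0.0.5", "192.168.2.1"),   # suppressed: dst matches
    (0,   1, 1851,    "192.168.1.1", "10.0.0.9"),   # limit: 1st in window, logged
    (0,   1, 2019491, "10.1.1.7", "10.0.0.9"),      # both: 1st hit, not yet
    (1,   1, 19187,   "10.0.0.5", "192.168.2.2"),   # other dst, logged
    (10,  1, 2019491, "10.1.1.7", "10.0.0.9"),      # both: 2nd hit, logged
    (20,  1, 2019491, "10.1.1.7", "10.0.0.9"),      # both: rest of window dropped
    (30,  1, 1851,    "192.168.1.1", "10.0.0.9"),   # limit: 2nd from same src, dropped
    (30,  1, 1851,    "192.168.1.2", "10.0.0.9"),   # limit: other src has its own counter
    (61,  1, 1851,    "192.168.1.1", "10.0.0.9"),   # limit: window expired, logged
    (130, 1, 2019491, "10.1.1.7", "10.0.0.9"),      # both: new window, 1st hit
    (140, 1, 2019491, "10.1.1.7", "10.0.0.9"),      # both: 2nd hit, logged
]

def logical_lines(text):
    """Non-comment lines, with backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            buf += line.rstrip("\\").strip() + " "
            if not line.endswith("\\"):
                yield buf.strip()
                buf = ""

def parse_threshold_conf(text):
    """-> (suppressions [(gid, sid, track, net|None)],
           filters {(gid, sid): (type, track, count, seconds)}, errors)."""
    suppressions, filters, errors = [], {}, []
    for line in logical_lines(text):
        s, f = SUPPRESS_RE.match(line), FILTER_RE.match(line)
        if s:
            gid, sid, track, ip = s.groups()
            suppressions.append((int(gid), int(sid), track,
                                 ipaddress.ip_network(ip, strict=False) if ip else None))
        elif f:
            gid, sid, ftype, track, count, seconds = f.groups()
            key = (int(gid), int(sid))
            if key in filters:  # Snort allows one event_filter per gen_id/sig_id
                errors.append("duplicate event_filter for %d:%d" % key)
            filters[key] = (ftype, track, int(count), int(seconds))
        else:
            errors.append("malformed directive: " + line)
    return suppressions, filters, errors

def filter_logs(spec, state, now):
    """One event_filter window for one tracked IP; True means log the event."""
    ftype, _track, count, seconds = spec
    if state["start"] is None or now - state["start"] >= seconds:
        state["start"], state["count"] = now, 0      # new interval
    state["count"] += 1
    if ftype == "limit":                             # first `count` per interval
        return state["count"] <= count
    if ftype == "threshold":                         # every `count`-th per interval
        hit = state["count"] >= count
        state["count"] = 0 if hit else state["count"]
        return hit
    return state["count"] == count                   # both: once, after `count` hits

def replay(conf_text, events):
    """Events that survive suppress, then the sid-specific event_filter, then
    the global 0:0 filter (Snort applies the specific one first)."""
    suppressions, filters, errors = parse_threshold_conf(conf_text)
    if errors:
        raise ValueError("; ".join(errors))
    states, logged = {}, []
    for t, gid, sid, src, dst in events:
        if any((g, s) == (gid, sid) and (net is None or
               ipaddress.ip_address(src if tr == "by_src" else dst) in net)
               for g, s, tr, net in suppressions):
            continue
        keep = True
        for key in ((gid, sid), (0, 0)):
            spec = filters.get(key)
            if spec:
                ip = src if spec[1] == "by_src" else dst
                state = states.setdefault((key, ip), {"start": None, "count": 0})
                keep = keep and filter_logs(spec, state, t)
        if keep:
            logged.append((t, sid, src))
    return logged
```

Calling replay(THRESHOLD_CONF, EVENTS) returns six of the twelve alerts: both 19187 hits to destinations other than 192.168.2.1, one 1851 alert per source per 60 seconds, and only two of the five 2019491 events (the second hit in each 120-second window), which is the Both behaviour described above. Feeding it the broken line from earlier, suppress gen_id , sig_id 2003313, makes parse_threshold_conf report a malformed directive instead of silently doing nothing.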

Restart Sensor

Don’t forget to restart the sensor for the changes to take effect:

$> sudo nsm_sensor-restart

Install Bro on CentOS 7.X/6.X

Required Dependencies

Bro requires the following dependencies to work properly:

  • Libpcap (package name: libpcap-devel)
  • OpenSSL libraries (openssl-devel)
  • BIND8 library (already installed in CentOS)
  • Libz (already installed in CentOS)
  • Bash (for BroControl)
  • Python (for BroControl) (python-devel)

Building Bro from source additionally needs a C/C++ compiler, CMake, make, flex, bison and SWIG. The following command installs all of these together with the runtime dependencies above:

sudo yum install cmake make gcc gcc-c++ flex bison libpcap-devel openssl-devel python-devel swig zlib-devel perl

Optional Dependencies

The following optional dependencies can be used by Bro if they are available at build time:

  • LibGeoIP (for geolocating IP addresses)
  • sendmail (enables Bro and BroControl to send mail)
  • gawk (enables all features of bro-cut)
  • curl (used by a Bro script that implements active HTTP)
  • gperftools (tcmalloc is used to improve memory and CPU usage)
  • ipsumdump (for trace-summary; http://www.cs.ucla.edu/~kohler/ipsumdump)
  • Ruby executable, library, and headers (for Broccoli Ruby bindings)

LibGeoIP

During the process of creating policy scripts the need may arise to find the geographic location for an IP address. Bro has support for the GeoIP library at the policy script level beginning with release 1.3 to account for this need. To use this functionality, you need to first install the libGeoIP software, and then install the GeoLite city database before building Bro.

Libgeoip allows bro to

sudo yum install GeoIP-devel

A country database for GeoLite is included when you install the C API, but for Bro we use the city database, which includes cities and regions in addition to countries.

Download the GeoLite city binary database.

wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
# decompress the database
gunzip GeoLiteCity.dat.gz

Move the database to the directory where Bro looks for it:

 sudo mv GeoLiteCity.dat /usr/share/GeoIP/GeoIPCity.dat

Install gawk

The GNU implementation of the classic awk utility:

sudo yum install gawk

Install gperftools (Google performance tools)

Gperftools is a collection consisting of a high-performance multi-threaded malloc() implementation plus some handy performance analysis tools:

sudo yum install gperftools

Ipsumdump

The ipsumdump program reads IP packets from one or more data sources, then summarizes those packets into a line-based ASCII file. The resulting summary dump is easy to process with text-based tools:

# Download the latest version from here
wget http://www.read.seas.harvard.edu/~kohler/ipsumdump/ipsumdump-1.85.tar.gz
tar -xvf ipsumdump-1.85.tar.gz
cd ipsumdump-1.85
./configure --prefix=/usr/
make 
sudo make install

Install Bro

Download the latest version from here, unpack it and build it:

wget https://www.bro.org/downloads/release/bro-2.3.2.tar.gz
tar -xvf bro-2.3.2.tar.gz
cd bro-2.3.2
./configure
make
sudo make install

By default Bro is installed under /usr/local/bro, with the binaries in /usr/local/bro/bin.

Modify your PATH environment variable to include the Bro binaries:

export PATH=/usr/local/bro/bin:$PATH

To make the change permanent, add the above line to your ~/.bashrc file.