
#1 2007-08-13 12:29:30

FeatherMonkey
Member
Registered: 2007-02-26
Posts: 313

Snort as IDS, what do these alerts mean?

Also, I'd like to know: is there something wrong with this, or is there a better way to do it?

First I have this little bash script that parses the log and creates the IP addresses and rules.

#!/bin/bash
# Pull the packet-header lines ("MM/DD-HH:MM:SS.usec SRC -> DST") out of the
# alert file and keep the source field: the text after the first "-", second
# space-separated word. Sources without a port become address blocks, sources
# with a port (the local 127.0.0.1:PORT hits) become port blocks.
ALERT=/var/log/snort/alert
BLOCKDB=/root/ip.blk
LOCALDB=/root/lo.blk

# Sources without ":" -> block the address in both directions
grep "-" "$ALERT" | cut -d"-" -f2 | grep -v ">" \
  | cut -d" " -f2 | sort -u | grep -v ":" > "$BLOCKDB"
for i in $(grep -Ev "^#" "$BLOCKDB")
do
  iptables -A open -s "$i" -j DROP
  iptables -A OUTPUT -d "$i" -j DROP
done

# Sources with ":" -> strip the loopback address, block the port tcp+udp
grep "-" "$ALERT" | cut -d"-" -f2 | grep -v ">" \
  | cut -d" " -f2 | sort -u | grep ":" | sed 's/127.0.0.1://g' > "$LOCALDB"
for i in $(grep -Ev "^#" "$LOCALDB")
do
  iptables -A open -p tcp --dport "$i" -j DROP
  iptables -A open -p udp --dport "$i" -j DROP
  iptables -A OUTPUT -p tcp --dport "$i" -j DROP
  iptables -A OUTPUT -p udp --dport "$i" -j DROP
done

I added the second one as I was catching local ports, but what is "Bad Traffic Same Src/Dst IP"?
How do I stop it? Can I ignore it?

It's just that searching for the port numbers isn't turning up much, as they are high, and I'm not seeing any negative effect from blocking them. Is this normal network noise, and should it be?

[**] [116:150:1] (snort decoder) Bad Traffic Loopback IP [**]
[Priority: 3]
08/13-12:12:58.820568 127.0.0.1:7634 -> 127.0.0.1:58623

Also, at the moment, as I've only been playing, I'm noticing a disruption in the network (I suspect restarting iptables isn't the best way). How can I reset (and add) or add the rules with minimum network interference?

Would this involve 2 files and checking diffs, or is there an easier way?

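An added example, not part of the original post, of doing what the script above does without restarting iptables. It parses the same alert layout shown in the post (a constructed sample file is embedded, using documentation addresses; the first entry is the loopback alert quoted above) and emits an iptables-restore fragment for a single dedicated chain. The chain name SNORT_BLOCK is an assumption: it is expected to exist already and to be jumped to once from INPUT and OUTPUT. Under `iptables-restore --noflush`, a `:CHAIN` line flushes only that user-defined chain and the whole file is committed in one step, so the rest of the filter table is never touched. Loopback sources and alerts whose source equals the destination (the Loopback IP / Same Src/Dst cases) are skipped, because a DROP on 127.0.0.1 or on the host's own port only breaks local services.

```shell
#!/bin/bash
# Added example (not from the original post). Parses Snort's plain alert file
# and emits an iptables-restore fragment for ONE dedicated chain, so the
# block list can be replaced atomically without restarting iptables.
# Assumptions: a user-defined chain named SNORT_BLOCK already exists and is
# jumped to once from INPUT and OUTPUT; the alert file has the layout shown
# in the post (header line, "[Priority: N]", then "date SRC -> DST").

# Constructed sample in the post's alert layout (the first entry is the
# loopback alert quoted in the post; the rest use documentation addresses
# and SIDs from the local-rule range, all made up for this example).
make_sample_alerts() {
  cat <<'EOF'
[**] [116:150:1] (snort decoder) Bad Traffic Loopback IP [**]
[Priority: 3]
08/13-12:12:58.820568 127.0.0.1:7634 -> 127.0.0.1:58623

[**] [1:1000001:1] LOCAL probe on high port [**]
[Priority: 2]
08/13-12:15:03.000001 198.51.100.23:51234 -> 192.0.2.10:34567

[**] [1:1000002:1] LOCAL ICMP sweep [**]
[Priority: 3]
08/13-12:16:44.000002 203.0.113.7 -> 192.0.2.10

[**] [1:1000001:1] LOCAL probe on high port [**]
[Priority: 2]
08/13-12:17:09.000003 198.51.100.23:51240 -> 192.0.2.10:34568
EOF
}

# Print the unique source addresses from the packet-header lines of $1.
# Loopback sources and alerts whose source equals the destination are
# skipped: those describe the host talking to itself, and a DROP on
# 127.0.0.1 or on the host's own port only breaks local services.
extract_sources() {
  awk '$1 ~ /^[0-9][0-9]\/[0-9][0-9]-/ && $3 == "->" &&
       $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(:[0-9]+)?$/ {
         src = $2; sub(/:[0-9]+$/, "", src)   # strip :port (ICMP has none)
         dst = $4; sub(/:[0-9]+$/, "", dst)
         if (src ~ /^127\./ || src == dst) next
         print src
       }' "$1" | sort -u
}

# Emit an iptables-restore fragment: "*filter ... COMMIT" with a ":CHAIN"
# line for our chain only. Loaded with `iptables-restore --noflush`, that
# line flushes just SNORT_BLOCK and the file is committed in one step, so
# the existing rules in INPUT/OUTPUT and other chains are left alone.
build_ruleset() {
  local alerts=$1 chain=${2:-SNORT_BLOCK}
  printf '*filter\n:%s - [0:0]\n' "$chain"
  extract_sources "$alerts" | while read -r ip; do
    printf -- '-A %s -s %s -j DROP\n' "$chain" "$ip"
    printf -- '-A %s -d %s -j DROP\n' "$chain" "$ip"
  done
  printf 'COMMIT\n'
}

# Stand-alone demo: show the fragment for the constructed sample. To apply it
# for real (as root, chain created once with `iptables -N SNORT_BLOCK`):
#   build_ruleset /var/log/snort/alert | iptables-restore --noflush
demo() {
  local f; f=$(mktemp)
  make_sample_alerts > "$f"
  build_ruleset "$f"
  rm -f "$f"
}
demo
```

Because the chain is replaced wholesale on every run, "starting fresh" is the same operation as adding rules, and the only thing that changes between runs is the contents of SNORT_BLOCK; nothing in the base ruleset is flushed or re-created.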

#2 2007-08-28 16:49:21

xyn
Member
From: Las Vegas
Registered: 2007-08-28
Posts: 7

Re: Snort as IDS, what do these alerts mean?

Hi,

As I'm not sure of your network and what would be denoted "common" traffic, I'm not sure if the traffic you're seeing is malicious or not. But I can tell you that using snort to automatically insert firewall rules isn't such a great idea unless you know exactly what type of traffic should and should not be traveling over your network. Also, if you need to have it automated, I would at least read up on snort and fine-tune the rulesets. I get quite a few (in excess of 50 or so a day) false alarms on snort, and for the most part it's NFS that's doing it.


#3 2007-08-28 18:30:25

FeatherMonkey
Member
Registered: 2007-02-26
Posts: 313

Re: Snort as IDS, what do these alerts mean?

Thanks for the tips, it's working out quite well; it's just a playground, I can always flush them ;) I think I did narrow it down to a certain app. It only seems to happen when I run it.

As for the network, getting around it has been a good way to learn what ports I do need open. I've met a few hiccups, but it does seem to be working well. I'm not generally getting too much in the logs, just every now and again.

Though if I do run the script whilst the app is running, it starts happening: I do get quite a few high ports blocking, and I just need to move the log and touch the snort log to restart again. I'm not too worried, they're more dynamic blocks rather than permanent blocks. I do a check to see how many rules I've got; if there are too many I just start fresh with my base.

But thanks for the heads-up. I'm not sure if it's attempts or the app doing something, though as it's using open ports and I'm not finding anything getting disrupted by it, I'll leave it. But I will look into fine-tuning the rulesets; I'm still getting my head around these ipchains.
