
Re: reporting false positives...: msg#00140

security.ids.snort.sigs

Subject: Re: reporting false positives...

You can also convert your unifieds to a pcap ( using barnyard ) and then use a tool like ethereal to isolate and save the single offending packet. In many cases this is sufficient to determine the nature of the false+ive however a capture of the full session is always ideal.

If you have the time and resources running snort or tcpdump in parallel logging all the traffic would be perfect. Once you get a false+ive isolate the entire session and send it to snort-sigs with the rule sid:rev.

Matt Jonkman wrote:

What are you using for an event manager or viewer (ie, ACID/BASE, snortsnarf, demarc, etc) and are you logging to a database or just syslog, etc?

If you're using one of the web based managers you'll have a packet dump included in your display. You can generally copy that hex/ascii block and we'll know what you're looking at (include ports and flow info as well).

If you're on files only you'll have a file in something like /var/log/snort/<IP> with the offending data. You can send that our way as well.

If you know an event is going to happen, or you can manually trigger the false you can use tcpdump at the command line on your sensor. Something like:

tcpdump -n -i eth0 -w packet.dump.filename host <victimIP>

That'll give you a binary dump that you can send our way as well. This is preferred for larger events that require more context than one packet.

That is the short version. This would be a good article for bleedingsnort.com if anyone is interested in expanding on the subject.

Thanks

Matt

Russell Fulton wrote:

Hi Folks,
I am being plagued by lots of false +ves on many of the newer rules.
This isn't a complaint about snort, I'm fully aware of the limitations
of the technology and the difficulty of testing sigs.

What I want to know is what is the best method of capturing packets that
demonstrate the false +ves that the developers can use to refine
signatures. The standard advice of "Just send in a pcap" begs several
questions of exactly what is required and what is the best method of
obtaining the data. I am willing to expend some time and energy
collecting data to help improve the rules but I want to make sure I am
not going about it in an inefficient manner.

I have asked this question (or variations on it) several times before
but never had any response.

My sensors run on Linux and I use the unified output plugin, how should
I go about reporting false +ves? Please assume I'm real dumb :) but
that I am smart enough to follow instructions and also to install any
other tools that may help.



_______________________________________________
Snort-sigs mailing list
Snort-sigs@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/snort-sigs
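The step both replies describe, isolating the one offending session out of a larger sensor capture before sending it in with the sid:rev, can be done without ethereal when only a pcap file is at hand. The following is an added example, not code from any of the posters: a small stdlib-only pcap reader/writer that keeps just the packets of one TCP session (both directions). It assumes little-endian classic pcap with Ethernet framing and IPv4/TCP, and the capture below is constructed inline to stand in for a sensor's tcpdump file.

```python
import socket
import struct

def _frame(src, dst, sport, dport, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame; checksums left zero, enough for filtering."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload

def write_pcap(packets):
    """Serialize (seconds, frame) pairs as a little-endian classic pcap, linktype Ethernet."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sec, frame in packets:
        out += struct.pack("<IIII", sec, 0, len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    """Parse the pcap format written above back into (seconds, frame) pairs."""
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian classic pcap is handled here")
    off, packets = 24, []
    while off + 16 <= len(data):
        sec, _usec, caplen, _origlen = struct.unpack_from("<IIII", data, off)
        packets.append((sec, data[off + 16:off + 16 + caplen]))
        off += 16 + caplen
    return packets

def tcp_endpoints(frame):
    """Unordered {(ip, port), (ip, port)} for an IPv4/TCP frame, None otherwise."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    tcp = 14 + (frame[14] & 0x0F) * 4          # skip Ethernet header + IP options
    sport, dport = struct.unpack_from("!HH", frame, tcp)
    return frozenset({(socket.inet_ntoa(frame[26:30]), sport),
                      (socket.inet_ntoa(frame[30:34]), dport)})

def isolate_session(pcap_bytes, host, port, peer, peer_port):
    """Keep only the packets (both directions) of one TCP session, as a new pcap."""
    want = frozenset({(host, port), (peer, peer_port)})
    return write_pcap([(s, f) for s, f in read_pcap(pcap_bytes)
                       if tcp_endpoints(f) == want])

# Constructed stand-in for a sensor capture: the alerted session plus an unrelated one.
SAMPLE_CAPTURE = write_pcap([
    (1, _frame("192.0.2.10", "198.51.100.5", 49152, 80, b"GET / HTTP/1.0\r\n")),
    (1, _frame("198.51.100.5", "192.0.2.10", 80, 49152, b"HTTP/1.0 200 OK\r\n")),
    (2, _frame("192.0.2.11", "198.51.100.5", 49153, 80, b"GET /other HTTP/1.0\r\n")),
])
```

Writing the bytes returned by isolate_session to a .pcap file gives the single-session capture the replies ask for; the unrelated traffic from other hosts stays out of what gets sent to the list.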
