OSEC

 
From: n3m3s1shushmail.com
Date: Wed Jan 16 2002 - 06:21:24 CST



    Hey everybody,
            I'm assisting a client with an IDS bakeoff and I'm getting less than favorable results with Snort. Not that all the other vendors are screaming meemees either, but I gotta be doing something wrong with snort. I posted to the snort list and got some suggestions, but when I tried those suggestions and responded with the results, I got nothing. So, I figured I'd try this list. Rather than re-hash all the e-mail from the snort list, I'll just give the basics:

    Running Snort 1.8.3 on a Dual Pentium III 1.0GHz, w/ 512 M RAM and a Syskonnect Gig card.
    Red Hat Linux 7.2.

    Traffic is real-world. Tons of Web, DNS, scans, you name it. The other IDSs are alerting like mad. Started at like 120Mbit/s spiking to 150Mbit/s, but some of the later tests were looking at roughly half that bandwidth.
    Here is a mixture of suggested and my own command lines I was running and the results. This is pretty much verbatim to the post I made to the snort list. I also posted my snort.conf - if anyone here would like to see it, I've put it at the bottom.

    >>Try using a snort commandline like
    >>sbin/snort -A fast -b -l ./log -d -i eth1 and see what happens.

    >This logged everything it saw to a time-stamped file. No alerts, but it logged every packet (0% packet loss). Encouraging.

    >>try snort -dev -i eth2 to see full dumps of the traffic on your eth2
    >>interface to make sure it can see everything

    >Oh baby. Tons of stuff ;-)
    >
    >Other things I tried:
    >
    >1. snort -A fast -l ./log -d -i eth2 (for 1 minute)
    > -MUCH logging, but dropped ~96.5% of traffic.
    > "Snort analyzed 38950 out of 1117120 packets, dropping 1078170 (96.513%) packets."
    > -also, while I had almost 8,000 IP directories in ./logs, the alerts file is 0 length. Am I not doing pattern matching here? It didn't seem to read my snort.conf...
    >
    >2. snort -A fast -l ./log -d -i eth2 -c ./snort.conf (for 1 minute)
    > -generated ~1600 alerts of which 99% were ICMP Dest. Unreachables. The other 1% were Bad Traffic (loopback source address). There is much web, dns, scans and other stuff in this traffic.
    > "Snort analyzed 762866 out of 1110037 packets, dropping 347171 (31.276%) packets."
    > -This was with the default ruleset (884 rules).
    >
    >3. Repeated same test as #2, but with only web rules loaded [499 rules] (1 minute).
    > -0 alerts
    > "Snort analyzed 733682 out of 1119517 packets, dropping 385835 (34.464%)."
    >
    >4. Ran same test as #3, except I changed the http_decode preprocessor to: 80 -cginull (removed -unicode) in the hopes that it would catch something unicode. I also tried using the unicode preprocessor and my notes here are a little fuzzy. I'm showing on one of the tests that I had 103 alerts, but I don't know which preprocessor. Sorry. Anyway, the 103 alerts were all Unicode Directory Traversal alerts, but didn't show the actual attack. I went in and looked at the logged packets and there were definitely WEB-IIS cmd.exe and other things in there, but didn't get alerted.
    >
    >For pretty much all the tests, it appeared that either the 1) signatures aren't being compared against (i.e. only preprocessor type alerts) or 2) I can only have 1 alert per packet (some IDSs are like this, is snort?). My guess is that it's the former instead of the latter. Right now, Snort is not keeping up with the other 3 IDSs being tested, so I'm relying on you guys to keep me from shooting myself in the foot!! I know I'm just doing something wrong, I've seen plenty of posts in the archives where people are using Snort at much higher bandwidth than what I'm looking at.

    Can anyone offer any assistance or (at the least) support the results I'm seeing? The client is kind of looking at me since I suggested bringing Snort into the mix (they were initially only looking at commercial products). I'm trying not to look back.

    Thanks,

    Norm

    $ cat snort.conf | grep -vE "^$|^#"

    var HOME_NET 10.0.0.0/8
    var EXTERNAL_NET any
    var SMTP $HOME_NET
    var HTTP_SERVERS $HOME_NET
    var SQL_SERVERS $HOME_NET

    var DNS_SERVERS $HOME_NET
    preprocessor frag2
    preprocessor stream4: detect_scans
    preprocessor stream4_reassemble
    preprocessor http_decode: 80 -unicode -cginull
    preprocessor rpc_decode: 111
    preprocessor bo: -nobrute
    preprocessor telnet_decode
    preprocessor portscan: $HOME_NET 4 3 portscan.log
    include classification.config
    include web-cgi.rules
    include web-coldfusion.rules
    include web-frontpage.rules
    include web-iis.rules
    include web-misc.rules
    include web-attacks.rules

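An added example, not part of Norm's post, that turns the three Snort 1.8.x summary lines he quotes into a cross-check (do analyzed + dropped add up, does the printed percentage match) and a packets-per-second figure for the load the sensor was offered. It assumes each run lasted the 60 seconds his "(for 1 minute)" notes give; the sample lines are the ones quoted in the post, and the labels and rule counts are taken from his test descriptions.

```python
import re

# Shape of the end-of-run summary line printed by Snort 1.8.x, as quoted in the post.
SUMMARY_RE = re.compile(
    r"Snort analyzed (?P<analyzed>\d+) out of (?P<total>\d+) packets, "
    r"dropping (?P<dropped>\d+) \((?P<pct>\d+(?:\.\d+)?)%\)"
)

# Constructed sample: (label, rules loaded, summary line) for the three timed runs in the post.
SAMPLE_RUNS = [
    ("test1 no -c", 0, "Snort analyzed 38950 out of 1117120 packets, dropping 1078170 (96.513%) packets."),
    ("test2 default", 884, "Snort analyzed 762866 out of 1110037 packets, dropping 347171 (31.276%) packets."),
    ("test3 web-only", 499, "Snort analyzed 733682 out of 1119517 packets, dropping 385835 (34.464%)."),
]

def parse_summary(line):
    """Return the counters from a Snort summary line, or None if the line is not one."""
    m = SUMMARY_RE.search(line)
    if not m:
        return None
    return {
        "analyzed": int(m["analyzed"]),
        "total": int(m["total"]),
        "dropped": int(m["dropped"]),
        "reported_pct": float(m["pct"]),
    }

def check_summary(stats, duration_s=60):
    """Cross-check the counters and derive the per-second load the sensor actually saw."""
    computed_pct = 100.0 * stats["dropped"] / stats["total"]
    return {
        "counts_consistent": stats["analyzed"] + stats["dropped"] == stats["total"],
        "pct_consistent": abs(computed_pct - stats["reported_pct"]) < 0.001,
        "drop_pct": round(computed_pct, 3),
        "offered_pps": round(stats["total"] / duration_s),   # packets/s hitting the interface
        "analyzed_pps": round(stats["analyzed"] / duration_s),  # packets/s Snort kept up with
    }

def summarize_runs(runs, duration_s=60):
    """One row per parseable run, so drop rate can be read against the rule count."""
    rows = []
    for label, rules, line in runs:
        stats = parse_summary(line)
        if stats is None:
            continue
        rows.append({"run": label, "rules": rules, **check_summary(stats, duration_s)})
    return rows

if __name__ == "__main__":
    for row in summarize_runs(SAMPLE_RUNS):
        print(row)
```

The offered rate comes out near 18,500 packets/s in every run, while the run without `-c` (no snort.conf, hence no rules) still dropped the most, which is the kind of table worth having in hand before attributing the drops to rule count alone.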