    Snort OpenAppID log flooding

    IDS/IPS
    • Josef

      Hi all,

      I am using Snort with OpenAppID categories to monitor application usage.
      I configure 'Send Alerts to System Log' and then send system logs via remote syslog to Graylog.
      This works well but it appears to generate an alert log for each packet (as opposed to each connection).
      I will see multiple identical logs - with the same application, source port, source IP, destination port and destination IP.
      E.g.:
      Dec 17 13:52:50 snort 1706 [1:70856:1] https [Classification: Misc activity] [Priority: 3] {TCP} 192.168.5.225:58045 -> 52.217.81.68:443
      Dec 17 13:52:50 snort 1706 [1:70856:1] https [Classification: Misc activity] [Priority: 3] {TCP} 192.168.5.225:58045 -> 52.217.81.68:443
      Dec 17 13:52:50 snort 1706 [1:70856:1] https [Classification: Misc activity] [Priority: 3] {TCP} 192.168.5.225:58045 -> 52.217.81.68:443
      Dec 17 13:52:50 snort 1706 [1:70856:1] https [Classification: Misc activity] [Priority: 3] {TCP} 192.168.5.225:58045 -> 52.217.81.68:443
      So if I do something like a speedtest on my 300M connection, it will result in about 50K syslog messages.

      Is there a way to have Snort only log once per connection?
      I tried to use suppression rules - but the suppress option makes it not log at all and the rate limit option requires a SID to be specified.

      Thanks!!

      • bmeeks @Josef

        @josef said in Snort OpenAppID log flooding:

        Hi all,

        I am using Snort with OpenAppID categories to monitor application usage.
        I configure 'Send Alerts to System Log' and then send system logs via remote syslog to Graylog.
        This works well but it appears to generate an alert log for each packet (as opposed to each connection).
        I will see multiple identical logs - with the same application, source port, source IP, destination port and destination IP.
        E.g.:
        Dec 17 13:52:50 snort 1706 [1:70856:1] https [Classification: Misc activity] [Priority: 3] {TCP} 192.168.5.225:58045 -> 52.217.81.68:443
        Dec 17 13:52:50 snort 1706 [1:70856:1] https [Classification: Misc activity] [Priority: 3] {TCP} 192.168.5.225:58045 -> 52.217.81.68:443
        Dec 17 13:52:50 snort 1706 [1:70856:1] https [Classification: Misc activity] [Priority: 3] {TCP} 192.168.5.225:58045 -> 52.217.81.68:443
        Dec 17 13:52:50 snort 1706 [1:70856:1] https [Classification: Misc activity] [Priority: 3] {TCP} 192.168.5.225:58045 -> 52.217.81.68:443
        So if I do something like a speedtest on my 300M connection, it will result in about 50K syslog messages.

        Is there a way to have Snort only log once per connection?
        I tried to use suppression rules - but the suppress option makes it not log at all and the rate limit option requires a SID to be specified.

        Thanks!!

        You must use the rate limit option to do this. And every rule has a unique SID. You can see it on the ALERTS tab. Currently the GUI does not offer a means to configure rate limits. You will need to do this by manually editing the Suppression List configured for the interface. You can manually edit the list on the SUPPRESS tab.

        • Josef @bmeeks

          @bmeeks Thanks!
          Is there a way to configure a rate limit rule to cover all SIDs?
          Otherwise I would need to create a rule for every SID relating to OpenAppID.

          • bmeeks @Josef

            @josef said in Snort OpenAppID log flooding:

            @bmeeks Thanks!
            Is there a way to configure a rate limit rule to cover all SIDs?
            Otherwise I would need to create a rule for every SID relating to OpenAppID.

            I don't know if thresholding accepts SID ranges or not. You will need to check the official Snort documentation for details. The Snort name for suppression is "rule thresholding". So in the Snort documentation you will find the rate limiting guidance under that section. There is also an official Snort mailing list you can sign up for. All of this can be found at https://www.snort.org.

            Oops! I need to correct myself a bit. When using the global thresholding (as with a Suppression List) you can only use SID:0, which means "all rules". You can specify a specific Generator ID (GID), though with OpenAppID that won't work (see farther below for why). The other thresholding is a per-rule thing that you add within the rule signature itself. That would mean editing the actual rules themselves. Details are here: https://www.snort.org/faq/readme-thresholding.

            One complicating issue with OpenAppID rules is they do not currently have their own unique Generator ID (GID). They get the generic GID 1. So identifying them is not as easy as it is for the preprocessor rules like HTTP_INSPECT, Sensitive Data and others. I once asked the Snort developer team, soon after OpenAppID was released, to consider creating a separate GID for them. To my knowledge that has not yet happened.

            • Josef @bmeeks

              @bmeeks Ahhh - thank you. You have helped me greatly!
              This simple suppression rule has solved my problem:
              threshold gen_id 1, sig_id 0, type limit, track by_src, count 1, seconds 60
              Now I will only get 1 log per source IP to the same application within 60 seconds.

              The GUI should perhaps be updated because it says "Valid keywords are 'suppress', 'event_filter' and 'rate_filter'."
              But actually threshold is also a valid keyword.

              Thanks!!

              • bmeeks @Josef

                @josef said in Snort OpenAppID log flooding:

                @bmeeks Ahhh - thank you. You have helped me greatly!
                This simple suppression rule has solved my problem:
                threshold gen_id 1, sig_id 0, type limit, track by_src, count 1, seconds 60
                Now I will only get 1 log per source IP to the same application within 60 seconds.

                The GUI should perhaps be updated because it says "Valid keywords are 'suppress', 'event_filter' and 'rate_filter'."
                But actually threshold is also a valid keyword.

                Thanks!!

                I will add "threshold" to the tip. I'm working on the Snort 2.9.17 update over the next few days.

                Note that gen_id 1, sig_id 0 will apply that threshold to all of your general rules. Probably not an issue for you, but just wanted to make sure you realize that. GID 1 is the ID for all the rules in all the user-configurable categories. There are some specialized GID values for the built-in Snort rules like HTTP_INSPECT and others. This is all explained in the official documentation when looking up GID (Generator ID). This was why I asked the Snort team to consider creating that special GID for OpenAppID so those rules could be easily distinguished from all the other general text rules. But so far that feature has not been incorporated.

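An added example to go with Josef's `threshold gen_id 1, sig_id 0, type limit, track by_src, count 1, seconds 60` line and bmeeks' caveat about it covering every GID 1 rule. This is not code from the thread, from pfSense or from Snort: it is a small Python simulator whose window semantics follow the descriptions in README.thresholding, run over the four identical syslog lines from the first post plus some constructed lines (SID 9000001, the "TEXT_RULE" message, host 192.168.5.226 and the later timestamps are placeholders) that exercise the cases discussed above: a second connection from the same host, an ordinary non-OpenAppID text rule, a second host, and a repeat after the 60-second window expires.

```python
"""Simulate how a Snort 2.x global threshold / event_filter entry would thin
out the OpenAppID syslog alerts shown in this thread.

Added example, not Snort's own code: the limit/threshold/both semantics are
modelled on the descriptions in README.thresholding.
"""
import re
from datetime import datetime

# Constructed sample log: lines 1-4 are the identical alerts from the post,
# the rest are made-up (SID 9000001, "TEXT_RULE", host .226 are placeholders).
SAMPLE_LOG = """\
Dec 17 13:52:50 snort 1706 [1:70856:1] https [Classification: Misc activity] [Priority: 3] {TCP} 192.168.5.225:58045 -> 52.217.81.68:443
Dec 17 13:52:50 snort 1706 [1:70856:1] https [Classification: Misc activity] [Priority: 3] {TCP} 192.168.5.225:58045 -> 52.217.81.68:443
Dec 17 13:52:50 snort 1706 [1:70856:1] https [Classification: Misc activity] [Priority: 3] {TCP} 192.168.5.225:58045 -> 52.217.81.68:443
Dec 17 13:52:50 snort 1706 [1:70856:1] https [Classification: Misc activity] [Priority: 3] {TCP} 192.168.5.225:58045 -> 52.217.81.68:443
Dec 17 13:52:51 snort 1706 [1:70856:1] https [Classification: Misc activity] [Priority: 3] {TCP} 192.168.5.225:58046 -> 52.217.81.68:443
Dec 17 13:52:52 snort 1706 [1:9000001:1] TEXT_RULE example (constructed) [Classification: Misc activity] [Priority: 3] {TCP} 192.168.5.225:58047 -> 198.51.100.10:80
Dec 17 13:52:52 snort 1706 [1:9000001:1] TEXT_RULE example (constructed) [Classification: Misc activity] [Priority: 3] {TCP} 192.168.5.225:58047 -> 198.51.100.10:80
Dec 17 13:52:53 snort 1706 [1:70856:1] https [Classification: Misc activity] [Priority: 3] {TCP} 192.168.5.226:40000 -> 52.217.81.68:443
Dec 17 13:53:55 snort 1706 [1:70856:1] https [Classification: Misc activity] [Priority: 3] {TCP} 192.168.5.225:58050 -> 52.217.81.68:443
"""

# Syslog alert line as produced by 'Send Alerts to System Log' (format taken
# from the lines in the post).
ALERT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ \d+ "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"\[Classification: (?P<cls>[^\]]*)\] \[Priority: (?P<pri>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
_EPOCH = datetime(1900, 1, 1)  # strptime without %Y yields year 1900


def parse_alert(line):
    """Return a dict for one syslog alert line, or None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    for k in ("gid", "sid", "rev", "pri", "sport", "dport"):
        ev[k] = int(ev[k])
    ev["t"] = (datetime.strptime(ev["ts"], "%b %d %H:%M:%S") - _EPOCH).total_seconds()
    return ev


class EventFilter:
    """One 'threshold gen_id G, sig_id S, type T, track X, count C, seconds N' entry.

    sig_id 0 makes the entry global for every rule with that GID, which is why
    it also catches ordinary GID 1 text rules.  State is still kept per
    (gid, sid, tracked address), so the result is one alert per rule per
    source host per window, not one per GID.
    """

    def __init__(self, gen_id=1, sig_id=0, type_="limit", track="by_src", count=1, seconds=60):
        if type_ not in ("limit", "threshold", "both") or track not in ("by_src", "by_dst"):
            raise ValueError("unsupported threshold options")
        self.gen_id, self.sig_id, self.type_ = gen_id, sig_id, type_
        self.track, self.count, self.seconds = track, count, seconds
        self.state = {}  # (gid, sid, addr) -> (window_start, events_seen)

    def applies(self, ev):
        return ev["gid"] == self.gen_id and self.sig_id in (0, ev["sid"])

    def allow(self, ev):
        """True if the event should be logged, False if the filter drops it."""
        if not self.applies(ev):
            return True
        addr = ev["src"] if self.track == "by_src" else ev["dst"]
        key = (ev["gid"], ev["sid"], addr)
        start, n = self.state.get(key, (None, 0))
        if start is None or ev["t"] - start >= self.seconds:
            start, n = ev["t"], 0  # window expired: start a new one
        n += 1
        self.state[key] = (start, n)
        if self.type_ == "limit":  # log the first C events per window
            return n <= self.count
        if self.type_ == "threshold":  # log every C-th event per window
            return n % self.count == 0
        return n == self.count  # both: log once, after C events, then ignore


def filter_log(text, flt):
    """Run every parsable line through flt; return (logged, dropped) event lists."""
    logged, dropped = [], []
    for line in text.splitlines():
        ev = parse_alert(line)
        if ev is not None:
            (logged if flt.allow(ev) else dropped).append(ev)
    return logged, dropped


if __name__ == "__main__":
    logged, dropped = filter_log(SAMPLE_LOG, EventFilter())
    print(f"{len(logged)} logged, {len(dropped)} suppressed")
    for ev in logged:
        print(ev["ts"], f"[{ev['gid']}:{ev['sid']}]", ev["msg"], ev["src"], "->", ev["dst"])
```

Running it with the defaults (Josef's entry) logs 4 of the 9 lines: the first https alert from 192.168.5.225, the first TEXT_RULE alert from the same host (the second copy is dropped, which is the side effect bmeeks describes), the https alert from 192.168.5.226, and the https alert 65 seconds later once the window has expired. The new connection on port 58046 is dropped too, so the entry gives one log per source host and application per minute rather than one per connection. Passing `EventFilter(sig_id=70856)` instead leaves the TEXT_RULE alerts alone and only thins the https ones.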