Netgate Discussion Forum
    ET Community Rules False Positives? (Snort)

      Syntax42

      Since our upgrade from 2.1RC0 to 2.1, I have been noticing a lot more Snort alerts which indicate a Trojan or adware on our network.  The instant the log entry is generated, it gets sent to my laptop which is running Dude and has a popup notification on my screen.  I have to check the state table to see which internal IP address attempted to contact the external IP in question, then check the DHCP list to determine which computer is using that IP.

      The problem I'm running into is that every time, the users' computers are clean.  This is a good thing, but I'm wasting their time trying to track down something that isn't there.  Everyone, including myself, is a little more paranoid about viruses after one of our users got infected with CryptoLocker, but if false positives keep happening, I'm afraid complacency will take over again.

      Is Snort just generating a lot of false positives, and if so, does anyone else get this issue? 
      Am I getting the wrong internal IP when I check the state table in pfSense?
      Is there a faster or more efficient way to resolve Snort alerts to computer names or at least internal IP addresses?

        bmeeks

        @Syntax42:

        Since our upgrade from 2.1RC0 to 2.1, I have been noticing a lot more Snort alerts which indicate a Trojan or adware on our network.  The instant the log entry is generated, it gets sent to my laptop which is running Dude and has a popup notification on my screen.  I have to check the state table to see which internal IP address attempted to contact the external IP in question, then check the DHCP list to determine which computer is using that IP.

        The problem I'm running into is that every time, the users' computers are clean.  This is a good thing, but I'm wasting their time trying to track down something that isn't there.  Everyone, including myself, is a little more paranoid about viruses after one of our users got infected with CryptoLocker, but if false positives keep happening, I'm afraid complacency will take over again.

        Is Snort just generating a lot of false positives, and if so, does anyone else get this issue? 
        Am I getting the wrong internal IP when I check the state table in pfsense? 
        Is there a faster or more efficient way to resolve Snort alerts to computer names or at least internal IP addresses?

        You could certainly be seeing false positives, but I usually see those mostly for preprocessor-related stuff and not from text rules.

        As for determining the IP address and workstation name of offending internal hosts, that can be more easily determined in a NAT environment if you run Snort on both the LAN and WAN interfaces. I do that in my home network.  Run a more generic set of rules on the WAN, and then a more rigorous set on the LAN side.  In my home network case, I just run the ET-CIARMY and some of the ET-RBN rules on the WAN side.  On the LAN side I run the malware and most of the other rules.  By placing a Snort instance on the LAN side, you will get the internal LAN IP of offenders (both internal and the external host they contacted or replied to).

        The latest 2.6.0 Snort package contains icons on the Alerts and Blocked tabs that do a reverse-DNS lookup on the IP addresses to resolve the host.  The icon is the little blue exclamation point.

        Bill

          Syntax42
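The manual step described in this thread (Snort alert, then find the internal IP, then look it up in the DHCP list) can be scripted. The helper below is an added example, not code from the thread or from the pfSense Snort package: it parses Snort fast-format alert lines, picks the RFC1918 endpoint (which is the source for outbound hits and the destination for inbound or reply hits, as bmeeks notes for a LAN-side instance), and resolves it against an ISC dhcpd.leases excerpt, the format pfSense's DHCP server writes. The alert lines and lease records are constructed samples with local-range SIDs, not real ET signatures.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple
# Constructed Snort fast-format alert lines (SIDs from the local-rule range,
# messages invented for this example; not real ET signatures).
SAMPLE_ALERTS = """\
10/15-14:02:11.123456  [**] [1:1000001:1] LOCAL TEST outbound beacon [**] [Priority: 1] {TCP} 192.168.1.23:51532 -> 203.0.113.10:80
10/15-14:03:45.654321  [**] [1:1000002:1] LOCAL TEST adware download [**] [Priority: 2] {TCP} 198.51.100.7:80 -> 192.168.1.40:49211
"""
# Constructed excerpt in ISC dhcpd.leases syntax, the format pfSense's DHCP server writes.
SAMPLE_LEASES = """\
lease 192.168.1.23 {
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "alice-laptop";
}
lease 192.168.1.40 {
  binding state active;
  hardware ethernet 66:77:88:99:aa:bb;
}
"""
ALERT_RE = re.compile(
    r"\[\*\*\] \[\d+:(?P<sid>\d+):\d+\] (?P<msg>.*?) \[\*\*\].*?"
    r"\{\w+\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+"
)
LEASE_RE = re.compile(r"lease (?P<ip>[\d.]+) \{(?P<body>.*?)\}", re.S)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_leases(text: str) -> Dict[str, str]:
    """Map each leased IP to its client-hostname, falling back to the MAC address."""
    hosts = {}
    for m in LEASE_RE.finditer(text):
        name = re.search(r'client-hostname "([^"]+)"', m.group("body"))
        mac = re.search(r"hardware ethernet ([0-9a-f:]+)", m.group("body"))
        hosts[m.group("ip")] = name.group(1) if name else (mac.group(1) if mac else "?")
    return hosts

def internal_side(src: str, dst: str) -> Optional[str]:
    """Pick the RFC1918 endpoint: src for outbound hits, dst for inbound or reply hits."""
    return next((ip for ip in (src, dst)
                 if any(ipaddress.ip_address(ip) in n for n in RFC1918)), None)

def resolve_alerts(alerts: str, leases: str) -> List[Tuple[str, str, Optional[str], str]]:
    """Return (sid, msg, internal_ip, hostname) for every parsable alert line."""
    hosts = parse_leases(leases)
    out = []
    for m in filter(None, map(ALERT_RE.search, alerts.splitlines())):
        ip = internal_side(m.group("src"), m.group("dst"))
        out.append((m.group("sid"), m.group("msg"), ip, hosts.get(ip, "no active lease")))
    return out
```

On a real box, feed it the alert log of the LAN-side Snort instance and the live leases file; a host with no active lease (a static IP or an expired lease) still gets reported with its IP so it is not silently dropped.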

          Thanks for the tips!  I will set mine up like that and it should make it easier for me to track down issues.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.