• Got a snort block appear for 171.66.122.139 which is The Journal of Biological Chemistry.
    (http_inspect) UNKNOWN METHOD - 11/28/14-13:50:30
    ET INFO PDF Using CCITTFax Filter - 11/28/14-13:50:22

    The ET INFO PDF Using CCITTFax Filter was triggered by attempting to download a study paper that appeared in a Google Scholar search result, so it should be a fairly genuine pdf.

    What would be the best way to figure out if it's a genuine threat or not?

    I'd like to think JBC takes their security seriously, but can't rule out something untoward.
    Is it worth downloading the PDF to examine it in an editor, and if it's not a malicious link, any suggestions on how to avoid any future false positives?

    Is there any way I can inform a user when some of their web activity has triggered a block in snort?

    TIA.
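
An added example, not part of the original posts: one way to triage a downloaded PDF without opening it in a viewer is to count the name tokens of interest, including `/CCITTFaxDecode`, the filter named in the alert. The watch list and the sample bytes are constructed for illustration; names inside compressed object streams are not seen by this scan.

```python
import re
from collections import Counter

# Names worth a look during triage (assumed watch list, not taken from the thread).
WATCHED = ("CCITTFaxDecode", "JBIG2Decode", "JavaScript", "OpenAction", "Launch")

NAME_RE = re.compile(rb"/([^\s/<>\[\](){}%]+)")   # a PDF name token: "/" up to a delimiter
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")        # "#xx" escape inside a name

def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so /CCITTFaxDec#6fde compares equal to /CCITTFaxDecode."""
    return HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")

def triage(data: bytes) -> dict:
    """Count watched names and note which ones appeared in escaped form."""
    counts, obfuscated = Counter(), set()
    for m in NAME_RE.finditer(data):
        raw = m.group(1)
        name = decode_name(raw)
        if name in WATCHED:
            counts[name] += 1
            if b"#" in raw:
                obfuscated.add(name)   # escaping a filter name is unusual in normal files
    return {
        "is_pdf": data.lstrip()[:5] == b"%PDF-",
        "counts": dict(counts),
        "obfuscated": sorted(obfuscated),
    }

# Constructed sample: one plain and one hex-escaped CCITTFaxDecode image object.
SAMPLE = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"4 0 obj\n<< /Type /XObject /Subtype /Image /Filter /CCITTFaxDecode "
    b"/DecodeParms << /K -1 /Columns 1728 >> /Length 0 >>\nstream\n\nendstream\nendobj\n"
    b"5 0 obj\n<< /Filter /CCITTFaxDec#6fde /Length 0 >>\nstream\n\nendstream\nendobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A scanned paper with only plain `/CCITTFaxDecode` image objects and no script or auto-action names is consistent with the false-positive reading; escaped names or `/JavaScript` alongside the filter warrant a closer look in an isolated environment.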


  • @firewalluser:

    Got a snort block appear for 171.66.122.139 which is The Journal of Biological Chemistry.
    (http_inspect) UNKNOWN METHOD - 11/28/14-13:50:30
    ET INFO PDF Using CCITTFax Filter - 11/28/14-13:50:22

    The ET INFO PDF Using CCITTFax Filter was triggered by attempting to download a study paper that appeared in a Google Scholar search result, so it should be a fairly genuine pdf.

    What would be the best way to figure out if it's a genuine threat or not?

    I'd like to think JBC takes their security seriously, but can't rule out something untoward.
    Is it worth downloading the PDF to examine it in an editor, and if it's not a malicious link, any suggestions on how to avoid any future false positives?

    Is there any way I can inform a user when some of their web activity has triggered a block in snort?

    TIA.

    You need to have a Suppress List populated with the most popular "false positive" rules.  Search this sub-forum for "SUPPRESS LIST" and you will find at least two threads devoted to the issue.  An IDS is not an "install and forget" component.  It will require constant monitoring and tweaking.

    EDIT: here is one of the threads I was talking about:  https://forum.pfsense.org/index.php?topic=56267.msg300473#msg300473

    Bill


  • I agree.

    The problem is, in this instance, Adobe do not have a monopoly with the viewer market and other readers may or may not also be affected by the CVS as they may or may not replicate all of Adobe's features.

    The culture of BYOD makes this hard to police, and with no control over those devices including being able to audit the software, this ET is a false positive to some users who are up to date with say Adobe, but others may still be exposed as they may not have updated their software or the non-Adobe reader has not been updated by the software company behind it.

    Any suggestions for the best real time tool to monitor the snort?

    TIA.


  • @firewalluser:

    Any suggestions for the best real time tool to monitor the snort?

    What exactly do you mean by real time monitoring of Snort?

    There are facilities using the included Barnyard2 client for sending Snort alerts to a separate SIEM such as Snorby, Security Onion, etc.  The Barnyard2 client in the package offers MySQL DB, Bro and syslog output options.

    Bill


  • I'd like to get as much info out of snort in realtime so I can parse & process the output in one of my programs.

    I can get the syslog data, but I wondered if I could get more data, like maybe access the packet data associated with the snort alert, but I'm not aware of any way to do this in pfsense, other than doing a packet capture, but that fails after an hour or so (possibly too much in RAM), so needed something more reliable.

    At the moment I have a separate system collecting that data as a workaround but I'd like to get rid of that box as the pfsense box already handles the same data.

    I looked briefly at Barnyard a few years back, but read somewhere it's no longer supported so I didn't look any further into it, but I did note there were a few programs out there back then.

    I've just checked Google and it appears Barnyard is still supported and active much to my surprise, so I will check that out again.

    Thanks.
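
An added example, not part of the original posts: a parser for Snort alert lines as they arrive over syslog, grouping alerts by the internal client so the affected user can be told which rule fired. The sample lines, the SID `9000001`, the classifications and the `192.168.1.0/24` LAN are constructed assumptions; the pattern handles IPv4 only, and the syslog line carries no packet payload.

```python
import ipaddress
import re
from collections import defaultdict

# Snort alert body: [gid:sid:rev] msg [Classification: ..] [Priority: n] {PROTO} src -> dst
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?\s*$"
)

def parse_alert(line):
    """Return the alert fields as a dict, or None for non-alert syslog lines."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    alert = m.groupdict()
    for key in ("gid", "sid", "rev", "prio"):
        alert[key] = int(alert[key])
    return alert

def alerts_by_client(lines, local_net="192.168.1.0/24"):
    """Map each internal host to the (gid, sid, msg) alerts it was involved in."""
    net = ipaddress.ip_network(local_net)   # assumed LAN range
    out = defaultdict(list)
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        for side in ("src", "dst"):
            if ipaddress.ip_address(alert[side]) in net:
                out[alert[side]].append((alert["gid"], alert["sid"], alert["msg"]))
                break
    return dict(out)

# Constructed syslog lines; SID 9000001 is a placeholder, not the real rule id.
SAMPLE_LINES = [
    "Nov 28 13:50:22 fw snort[4242]: [1:9000001:1] ET INFO PDF Using CCITTFax Filter "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 171.66.122.139:80 -> 192.168.1.50:51234",
    "Nov 28 13:50:30 fw snort[4242]: [119:31:1] (http_inspect) UNKNOWN METHOD "
    "[Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.1.50:51240 -> 171.66.122.139:80",
    "Nov 28 13:51:02 fw php: /index.php: Successful login for user 'admin'",
]

if __name__ == "__main__":
    print(alerts_by_client(SAMPLE_LINES))
```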

  • Moderator


  • Looks interesting.

    Thanks!

    edit.

    If you're deploying Security Onion in production to a medium network (50Mbps - 500Mbps), you should plan on 16GB - 128GB RAM or mor

    I've got a desktop here with 32Gb of RAM, a couple of SSDs (Samsung EVO 1tb) & about 10 terabytes of spindisks, how many devices do you think that could handle on the medium sized network or is it a suck it and see as it's down to the network traffic more than anything else?

    Do you think it would impact on DB performance in any way, as it's crucial access times to the db servers are maintained?

    TIA

  • Moderator

    With SO, it all depends on how many Rules you enable and how much Traffic the sensors will see. But you are starting with some decent hardware. Download the ISO and try it out…

    Here are the Hardware Requirements -
        https://code.google.com/p/security-onion/wiki/Hardware

    Google Group Forum -
        https://groups.google.com/forum/#!forum/security-onion