Configure Thresholding and Suppression in Snort

Thresholding:
This feature is used to reduce the number of logged alerts for noisy rules.
It can be tuned to significantly reduce false alarms, and it can also be used to write a newer breed of rules. Thresholding commands limit the number of times a particular event is logged during a specified time interval.
 
Edit:
# nano /etc/snort/threshold.conf
 
Format
 
The suppress configuration has two forms:
suppress \
        gen_id <gid>, sig_id <sid>

 

suppress \
        gen_id <gid>, sig_id <sid>, \
        track <by_src|by_dst>, ip <ip-list>

 

Example:

# snort: "GPL ICMP_INFO PING *NIX"
suppress gen_id 1, sig_id 2100366

 

Option Description
gen_id <gid>

Specify the generator ID of an associated rule. gen_id 0, sig_id 0 can be used to specify a "global" threshold that applies to all rules.

sig_id <sid>

Specify the signature ID of an associated rule. sig_id 0 specifies a "global" filter because it applies to all sig_ids for the given gen_id.

track by_src|by_dst

Suppress by source IP address or destination IP address. This is optional, but if present, ip must be provided as well.

ip <list>

Restrict the suppression to only source or destination IP addresses (selected by the track parameter) that fall within <list>. If track is provided, ip must be provided as well.

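As an added example (not part of the original page or of Snort itself), the following Python parses suppress entries in the threshold.conf format shown above, including the backslash-continued track/ip form, and answers whether a given gid:sid event from a source to a destination would be silenced. The sample configuration is constructed; negated (!) IP entries and threshold directives are not covered.

```python
import ipaddress
import re

# One (already joined) suppress statement in the threshold.conf format shown
# on this page; the "track ..., ip ..." clause is optional.
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst)\s*,\s*ip\s+(\S+))?\s*$"
)

def parse_suppress(text):
    """Return [(gid, sid, track, networks)] for every active suppress line."""
    # Join backslash continuations, then drop '#' comments, so a commented-out
    # "#suppress ..." line (the page's optional rules) is ignored. Negated
    # ('!') IP entries are not handled here.
    joined = re.sub(r"\\\s*\n\s*", " ", text)
    rules = []
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            raise ValueError("unparseable suppress line: %r" % raw)
        gid, sid, track, ip_list = m.groups()
        nets = None
        if track:
            nets = [ipaddress.ip_network(a, strict=False)
                    for a in ip_list.strip("[]").split(",")]
        rules.append((int(gid), int(sid), track, nets))
    return rules

def is_suppressed(rules, gid, sid, src, dst):
    """True if event gid:sid from src to dst would be silenced by `rules`.
    gen_id 0 / sig_id 0 act as the wildcards the option table describes."""
    for r_gid, r_sid, track, nets in rules:
        if r_gid not in (0, gid) or r_sid not in (0, sid):
            continue
        if track is None:
            return True  # unconditional suppress
        addr = ipaddress.ip_address(src if track == "by_src" else dst)
        if any(addr in net for net in nets):
            return True
    return False

def duplicate_entries(rules):
    """(gid, sid) pairs listed more than once: harmless, but worth cleaning up."""
    keys = [(gid, sid) for gid, sid, _, _ in rules]
    return sorted({k for k in keys if keys.count(k) > 1})

# Constructed sample in the page's format (not the page's full list).
SAMPLE_CONF = """\
#GPL ICMP_INFO PING *NIX
suppress gen_id 1, sig_id 2100366
suppress gen_id 119, sig_id 31
# silence the UDP portsweep only when the source is our own scanner subnet
suppress \\
        gen_id 122, sig_id 19, \\
        track by_src, ip [10.0.0.0/24,192.168.1.5]
suppress gen_id 1, sig_id 2100366
#suppress gen_id 125, sig_id 8
"""
```

Running is_suppressed over a day of alerts before committing a new entry shows exactly which events a proposed suppress line would hide.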
 

#This event is generated when an attempt is made to gain access to private resources using Samba.
suppress gen_id 1, sig_id 536
#GPL SHELLCODE x86 NOOP
suppress gen_id 1, sig_id 648
#GPL SHELLCODE x86 0x90 unicode NOOP
suppress gen_id 1, sig_id 653
#This set of instructions can be used as a NOOP to pad buffers on an x86 architecture machines. 
suppress gen_id 1, sig_id 1390
#This event is generated when an attempt is made to return to a web client a file with a Class ID (CLSID) embedded in the file.
suppress gen_id 1, sig_id 8375
#This event is generated when network traffic that indicates download of executable content is being used.
suppress gen_id 1, sig_id 11192
#This event is generated when an attempt is made to exploit a known vulnerability in Safari.
suppress gen_id 1, sig_id 12286
#This event is generated when an attempt is made to exploit a known vulnerability in an ActiveX control.
suppress gen_id 1, sig_id 15147
#This rule generates events when a portable executable file is downloaded.
suppress gen_id 1, sig_id 15306
#This event is generated when obfuscated javascript containing excessive fromCharCode is detected.
suppress gen_id 1, sig_id 15362
#FILE-IDENTIFY download of executable content - x-header  -> stops windows download
suppress gen_id 1, sig_id 16313
#WEB-CLIENT Microsoft Internet Explorer userdata behavior memory corruption attempt
suppress gen_id 1, sig_id 16482
#This event is generated when an attempt is made to exploit a known vulnerability in internet security.
suppress gen_id 1, sig_id 17458
#This event is generated when an attempt is made to exploit a known vulnerability in firefox.
suppress gen_id 1, sig_id 20583
#This event is generated when an attempt is made to exploit a known vulnerability in adobe air.
suppress gen_id 1, sig_id 23098
#FILE-IDENTIFY Armadillo v1.71 packer file magic detected
suppress gen_id 1, sig_id 23256
#This event is generated when an attempt is made to exploit a known vulnerability in adobe air.
suppress gen_id 1, sig_id 24889
#ET P2P BitTorrent peer sync
suppress gen_id 1, sig_id 2000334
#ET WEB_CLIENT Possible HTTP 403 XSS Attempt (External Source)
suppress gen_id 1, sig_id 2010516
#ET SHELLCODE Possible Call with No Offset TCP Shellcode
suppress gen_id 1, sig_id 2012088
#ET SHELLCODE Excessive Use of HeapLib Objects Likely Malicious Heap Spray Attempt
suppress gen_id 1, sig_id 2013222
#ET INFO Packed Executable Download
suppress gen_id 1, sig_id 2014819
#ET INFO EXE - Served Attached HTTP
suppress gen_id 1, sig_id 2014520
#GPL SHELLCODE x86 inc ebx NOOP
suppress gen_id 1, sig_id 2101390
#GPL WEB_CLIENT PNG large colour depth download attempt
suppress gen_id 1, sig_id 2103134
#ET POLICY PE EXE or DLL Windows file download
suppress gen_id 1, sig_id 2000419
#ET POLICY Unusual number of DNS No Such Name Responses
suppress gen_id 1, sig_id 2003195
#ET POLICY Suspicious inbound to MSSQL port 1433
suppress gen_id 1, sig_id 2010935
#ET POLICY Suspicious inbound to mySQL port 3306
suppress gen_id 1, sig_id 2010937
#ET SHELLCODE Possible Call with No Offset TCP Shellcode
suppress gen_id 1, sig_id 2012086
#ET SHELLCODE Possible Call with No Offset UDP Shellcode
suppress gen_id 1, sig_id 2012087
#ET SHELLCODE Possible Call with No Offset UDP Shellcode
suppress gen_id 1, sig_id 2012089
#ET POLICY Protocol 41 IPv6 encapsulation potential 6in4 IPv6 tunnel active
suppress gen_id 1, sig_id 2012141
#ET POLICY Executable served from Amazon S3
suppress gen_id 1, sig_id 2013414
#ET POLICY Outdated Windows Flash Version IE
suppress gen_id 1, sig_id 2014726
#ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management
suppress gen_id 1, sig_id 2013504
#BLEEDING-EDGE RBN Known Russian Business Network Traffic - Known Trojan C&Cs (bleeding-rbn.rules)
suppress gen_id 1, sig_id 2406003
#ET RBN Known Russian Business Network Monitored Domains
suppress gen_id 1, sig_id 2406067
#ET RBN Known Russian Business Network Monitored Domains
suppress gen_id 1, sig_id 2406069
#ET TFTP Outbound TFTP Read Request -- VONAGE
suppress gen_id 1, sig_id 2008120
#ET SHELLCODE Common 0a0a0a0a Heap Spray String
suppress gen_id 1, sig_id 2012252
#ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
suppress gen_id 1, sig_id 2012758
#ET INFO EXE - OSX Disk Image Download
suppress gen_id 1, sig_id 2014518
#ET INFO PDF Using CCITTFax Filter
suppress gen_id 1, sig_id 2015561
#GPL ICMP_INFO PING *NIX
suppress gen_id 1, sig_id 2100366
#GPL ICMP_INFO
suppress gen_id 1, sig_id 2100368
#GPL SHELLCODE x86 stealth NOOP
suppress gen_id 1, sig_id 2100651
#GPL SHELLCODE x86 0xEB0C NOOP
suppress gen_id 1, sig_id 2101424
#GPL SHELLCODE x86 0x90 NOOP unicode
suppress gen_id 1, sig_id 2102314
#WEB-CLIENT libpng malformed chunk denial of service attempt
suppress gen_id 3, sig_id 14772
#(http_inspect) DOUBLE DECODING ATTACK
suppress gen_id 119, sig_id 2
#(http_inspect) BARE BYTE UNICODE ENCODING
suppress gen_id 119, sig_id 4
#(http_inspect) IIS UNICODE CODEPOINT ENCODING
suppress gen_id 119, sig_id 7
#(http_inspect) NON-RFC DEFINED CHAR
suppress gen_id 119, sig_id 14
#(http_inspect) UNKNOWN METHOD
suppress gen_id 119, sig_id 31
#(http_inspect) SIMPLE REQUEST
suppress gen_id 119, sig_id 32
#(http_inspect) UNESCAPED SPACE IN HTTP URI
suppress gen_id 119, sig_id 33
#(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
suppress gen_id 120, sig_id 2
#(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
suppress gen_id 120, sig_id 3
#(http_inspect) HTTP RESPONSE HAS UTF CHARSET WHICH FAILED TO NORMALIZE
suppress gen_id 120, sig_id 4
#(http_inspect) HTTP RESPONSE GZIP DECOMPRESSION FAILED
suppress gen_id 120, sig_id 6
#(http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE
suppress gen_id 120, sig_id 8
#(http_inspect) JAVASCRIPT OBFUSCATION LEVELS EXCEEDS 1
suppress gen_id 120, sig_id 9
#(http_inspect) JAVASCRIPT WHITESPACES EXCEEDS MAX ALLOWED
suppress gen_id 120, sig_id 10
#(http_inspect) MULTIPLE ENCODINGS WITHIN JAVASCRIPT OBFUSCATED DATA
suppress gen_id 120, sig_id 11
#(portscan) UDP PORTSWEEP
suppress gen_id 122, sig_id 19
#(portscan) UDP Filtered Portscan
suppress gen_id 122, sig_id 21
#(portscan) UDP Filtered Decoy Portscan
suppress gen_id 122, sig_id 22
#(portscan) UDP PORTSWEEP FILTERED
suppress gen_id 122, sig_id 23
#(portscan) ICMP PORTSWEEP FILTERED
suppress gen_id 122, sig_id 26
#(spp_frag3) Bogus fragmentation packet. Possible BSD attack
suppress gen_id 123, sig_id 10
#(smtp) Attempted response buffer overflow: 1448 chars
suppress gen_id 124, sig_id 3
#(ftp_telnet) Invalid FTP Command
suppress gen_id 125, sig_id 2
#(ssp_ssl) Invalid Client HELLO after Server HELLO Detected
suppress gen_id 137, sig_id 1
##SENSITIVE DATA DISABLE##
#Credit Card Numbers
suppress gen_id 138, sig_id 2
#U.S. Social Security Numbers (with dashes)
suppress gen_id 138, sig_id 3
#U.S. Social Security Numbers (w/out dashes)
suppress gen_id 138, sig_id 4
#Email Addresses
suppress gen_id 138, sig_id 5
#U.S. Phone Numbers
suppress gen_id 138, sig_id 6
#(spp_sip) Empty request URI
suppress gen_id 140, sig_id 2
#(spp_sip) URI is too long
suppress gen_id 140, sig_id 3
#(spp_sip) Maximum dialogs within a session reached
suppress gen_id 140, sig_id 27
#(IMAP) Unknown IMAP4 command
suppress gen_id 141, sig_id 1
#(IMAP) Unknown IMAP4 response
suppress gen_id 141, sig_id 2
###
#ET POLICY PE EXE or DLL Windows file download HTTP
suppress gen_id 1, sig_id 2018959
#ET POLICY HTTP traffic on port 443 (POST)
suppress gen_id 1, sig_id 2013926
#ET POLICY Data POST to an image file (gif)
suppress gen_id 1, sig_id 2010066
#ET INFO Session Traversal Utilities for NAT (STUN Binding Response)
suppress gen_id 1, sig_id 2016150
#ET INFO Session Traversal Utilities for NAT (STUN Binding Request)
suppress gen_id 1, sig_id 2016149
#ET POLICY Dropbox.com Offsite File Backup in Use
suppress gen_id 1, sig_id 2012647
#ET POLICY Logmein.com/Join.me SSL Remote Control Access
suppress gen_id 1, sig_id 2014756
#ET POLICY Pandora Usage
suppress gen_id 1, sig_id 2014997
#ET POLICY iTunes User Agent
suppress gen_id 1, sig_id 2002878
#ET POLICY Windows-Based OpenSSL Tunnel Outbound
suppress gen_id 1, sig_id 2012078
#ET POLICY Executable and linking format (ELF) file download
suppress gen_id 1, sig_id 2000418
#ET POLICY Carbonite.com Backup Software User-Agent (Carbonite Installer)
suppress gen_id 1, sig_id 2009801
#ET POLICY TeamViewer Dyngate User-Agent
suppress gen_id 1, sig_id 2009475
#ET POLICY Internal Host Retrieving External IP via ipchicken.com - Possible Infection
suppress gen_id 1, sig_id 2009020
#ET POLICY Internal Host Retrieving External IP via showmyip.com - Possible Infection
suppress gen_id 1, sig_id 2008989
#ET POLICY Internal Host Retrieving External IP via cmyip.com - Possible Infection
suppress gen_id 1, sig_id 2008988
#ET POLICY Internal Host Retrieving External IP via showip.net - Possible Infection
suppress gen_id 1, sig_id 2008987
#ET POLICY Internal Host Retrieving External IP via whatismyip.com - Possible Infection
suppress gen_id 1, sig_id 2008986
#ET POLICY Internal Host Retrieving External IP via whatismyip.com Automation Page - Possible Infection
suppress gen_id 1, sig_id 2008985
#ET POLICY Logmein.com Host List Download
suppress gen_id 1, sig_id 2007765
#ET POLICY Logmein.com Update Activity
suppress gen_id 1, sig_id 2007766
#ET POLICY Microsoft TEREDO IPv6 tunneling
suppress gen_id 1, sig_id 2003155
#ET POLICY Netflix On-demand User-Agent
suppress gen_id 1, sig_id 2007638
#ET POLICY TeamViewer Keep-alive outbound
suppress gen_id 1, sig_id 2008794
#ET POLICY TeamViewer Keep-alive inbound
suppress gen_id 1, sig_id 2008795
#APP-DETECT TeamViewer remote administration tool outbound connection attempt
suppress gen_id 1, sig_id 34463
#ET POLICY Dropbox DNS Lookup - Possible Offsite File Backup in Use
suppress gen_id 1, sig_id 2020565
#ET INFO JAVA - ClassID
suppress gen_id 1, sig_id 2016360
#ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns.* domain
suppress gen_id 1, sig_id 2013097
#ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
suppress gen_id 1, sig_id 2016538
#ET P2P Bittorrent P2P Client User-Agent (Deluge 1.x.x)
suppress gen_id 1, sig_id 2011704
#ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5.
suppress gen_id 1, sig_id 2016870
#ET POLICY Vulnerable Java Version 1.6.x Detected
suppress gen_id 1, sig_id 2011582
#ET POLICY Vulnerable Java Version 1.8.x Detected
suppress gen_id 1, sig_id 2019401
#ET MALWARE Adware.iBryte.B Install
suppress gen_id 1, sig_id 2018194
#ET POLICY HTTP traffic on port 443 (HEAD)
suppress gen_id 1, sig_id 2013927
#ET POLICY Possible IP Check api.ipify.org
suppress gen_id 1, sig_id 2019512
#ET POLICY BingBar ToolBar User-Agent (BingBar)
suppress gen_id 1, sig_id 2013715
#ET POLICY User-Agent (Launcher)
suppress gen_id 1, sig_id 2010645
#ET INFO JAVA - document.createElement applet
suppress gen_id 1, sig_id 2015707

##OPTIONAL RULES BELOW##
##UNCOMMENT SUPPRESS LINE TO ENABLE##

#(ftp_telnet) FTP bounce attempt
#suppress gen_id 125, sig_id 8
#ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 647
#suppress gen_id 1, sig_id 2523293
#ET TOR Known Tor Exit Node UDP Traffic group 89
#suppress gen_id 1, sig_id 2520177
#ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 89
#suppress gen_id 1, sig_id 2522177
#ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Reserved Bit Set - Likely Kazy
#suppress gen_id 1, sig_id 2014703
#ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set - Likely Kazy
#suppress gen_id 1, sig_id 2014702
#FILE-PDF Adobe Acrobat Reader incomplete JP2K image geometry exploit attempt
#suppress gen_id 1, sig_id 25459
#ET WEB_CLIENT Possible HTTP 500 XSS Attempt (External Source)
#suppress gen_id 1, sig_id 2010525
#ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack
#suppress gen_id 1, sig_id 2019416
#ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System
#suppress gen_id 1, sig_id 2007695
#ET SCAN Potential SSH Scan OUTBOUND
#suppress gen_id 1, sig_id 2003068
#ET MALWARE W32/OpenCandy Adware Checkin
#suppress gen_id 1, sig_id 2014122
#ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com
#suppress gen_id 1, sig_id 2015633
#ET INFO DYNAMIC_DNS HTTP Request to Abused Domain *.mooo.com
#suppress gen_id 1, sig_id 2015634
#ET INFO DYNAMIC_DNS HTTP Request to a no-ip Domain
#suppress gen_id 1, sig_id 2013744
#ET INFO DYNAMIC_DNS HTTP Request to a dns-stuff.com Domain *.dns-stuff.com
#suppress gen_id 1, sig_id 2014867
#ET INFO DYNAMIC_DNS Query to dns-stuff.com Domain *.dns-stuff.com
#suppress gen_id 1, sig_id 2014868

Credits


Linux Show List Of Network Cards

 
You can use any one of the following commands to list the network cards installed under Linux operating systems.
Please note that the ifconfig and ip commands will also display interfaces information about vpn, loopback, and other configured interfaces.
 
  1. lspci : List all PCI devices.
  2. lshw : List all hardware.
  3. dmidecode : List all hardware data from BIOS.
  4. ifconfig : Outdated network config utility.
  5. ip : Recommended new network config utility.
 
lspci 
Type the following command:
# lspci | egrep -i --color 'network|ethernet'
 
lshw 
The lshw command can extract detailed information on the hardware configuration of the machine including network cards. Type the following command:
# lshw -class network
 
dmidecode 
Getting HW information about BIOS.
# dmidecode -t bios
Getting HW information about system.
# dmidecode -t system
Getting HW information about baseboard.
# dmidecode -t baseboard
Getting HW information about chassis.
# dmidecode -t chassis
 
OR
 
# dmidecode -t cache
# dmidecode -t processor
# dmidecode -t connector
# dmidecode -t slot
 
ifconfig and ip command
To see all configured network devices, enter:
# ifconfig -a
 
OR
# ip link show
 
OR
# ip a
 
/proc/net/dev
The dev pseudo-file contains network device status information. This gives the number of received and sent packets, the number of errors and collisions and other basic statistics.
$ cat /proc/net/dev

Cronjob to check and restart service if dead

To check a service and restart it if it is inactive/dead:
 
$ nano service_ck.sh
 
#!/bin/bash
STATUS=$(systemctl is-active snort)
# Most services will return something like "active" if they are in fact "active"
test "$STATUS" = "active" || systemctl restart snort
 
Change file permissions:
$ chmod +x service_ck.sh
  
Update your crontab:
$ sudo crontab -e
 
add:
 
# min   hour    day month   dow cmd
*/1 *   *   *   *   /path/to/service_ck.sh
  
or 
 
#every minute:
* * * * * /path/to/service_ck.sh
  
 
 

How to switch to root using su on FreeBSD

How can a "normal" user get root rights, or actually switch to root account using the su command when working under FreeBSD?

To do that, the "normal" user needs to be in the wheel group. The following command enables a given user to switch to the root account with "su - root" or just "su -":

pw groupmod wheel -m [user]

Now that user will be able to become root. This is a good security feature that FreeBSD has, and that I did not know.

 

Credits

Installation of NRPE agent on Debian and Ubuntu

This article intends to give the reader a brief introduction on how to install and configure the EPEL upstream version of the NRPE agent on Debian Linux 6, 7, 8 and Ubuntu 16.04.2 LTS.

Historically, OP5 has compiled and packaged the NRPE agent for a large number of Linux distributions, but as per Q2 2014 we stopped doing this since it required a lot of maintenance and time. More information on this decision can be found here: https://www.op5.com/blog/blogs/op5-developers-blog/deprecation-notices-q2-2014/

Note that this article is intended for Debian 6, 7, 8 and Ubuntu 16.04 client hosts, and that these steps should never be performed on an OP5 Monitor server.

 

1. Install the NRPE package together with plugins:

# apt-get install nagios-nrpe-server nagios-plugins-basic

2. Create a new file called /etc/nagios/nrpe.d/op5_commands.cfg containing the following information:

These paths to the plugins should match the paths to the installed plugins in step 1.

################################################################################
#
# op5-nrpe command configuration file
#
# COMMAND DEFINITIONS
# Syntax:
#       command[<command_name>]=<command_line>
#
command[users]=/usr/lib/nagios/plugins/check_users -w 5 -c 10
command[load]=/usr/lib/nagios/plugins/check_load -w 15,10,5 -c 30,25,20
command[check_load]=/usr/lib/nagios/plugins/check_load -w 15,10,5 -c 30,25,20
command[swap]=/usr/lib/nagios/plugins/check_swap -w 20% -c 10%
command[root_disk]=/usr/lib/nagios/plugins/check_disk -w 20% -c 10% -p / -m
command[usr_disk]=/usr/lib/nagios/plugins/check_disk -w 20% -c 10% -p /usr -m
command[var_disk]=/usr/lib/nagios/plugins/check_disk -w 20% -c 10% -p /var -m
command[zombie_procs]=/usr/lib/nagios/plugins/check_procs -w 5 -c 10 -s Z
command[total_procs]=/usr/lib/nagios/plugins/check_procs -w 190 -c 200
command[proc_named]=/usr/lib/nagios/plugins/check_procs -w 1: -c 1:2 -C named
command[proc_crond]=/usr/lib/nagios/plugins/check_procs -w 1: -c 1:5 -C cron
command[proc_syslogd]=/usr/lib/nagios/plugins/check_procs -w 1: -c 1:2 -C syslog-ng
command[proc_rsyslogd]=/usr/lib/nagios/plugins/check_procs -w 1: -c 1:2 -C rsyslogd
 
 

3. Now edit /etc/nagios/nrpe.cfg and add your Monitor server(s) address(es) to the allowed_hosts parameter as a comma-separated list in the appropriate section:

allowed_hosts=127.0.0.1,10.0.0.10,10.0.0.11

4. Restart the nrpe agent on the host:


# /etc/init.d/nagios-nrpe-server restart

Now you can add the services via the function "Add UNIX client services" when adding a host in op5 Monitor.

If the host is behind a firewall, or you have enabled firewall software on the host, you need to allow incoming traffic on TCP port 5666.

 

Credits

FreeBSD Using the Ports Collection

The Ports Collection is a set of Makefiles, patches, and description files. Each set of these files is used to compile and install an individual application on FreeBSD, and is called a port.

By default, the Ports Collection itself is stored as a subdirectory of /usr/ports.

Before an application can be compiled using a port, the Ports Collection must first be installed. If it was not installed during the installation of FreeBSD, use one of the following methods to install it:

Portsnap Method:

The base system of FreeBSD includes Portsnap. This is a fast and user-friendly tool for retrieving the Ports Collection and is the recommended choice for most users. This utility connects to a FreeBSD site, verifies the secure key, and downloads a new copy of the Ports Collection. The key is used to verify the integrity of all downloaded files.

  1. To download a compressed snapshot of the Ports Collection into /var/db/portsnap:

    # portsnap fetch
  2. When running Portsnap for the first time, extract the snapshot into /usr/ports:

    # portsnap extract
  3. After the first use of Portsnap has been completed as shown above, /usr/ports can be updated as needed by running:

    # portsnap fetch
    # portsnap update

    When using fetch, the extract or the update operation may be run consecutively, like so:

    # portsnap fetch update

 

Credits

Install FreeBSD kernel source after installed freebsd

Install the FreeBSD kernel source files when FreeBSD is already installed.

The right way to manually install the kernel source:

Download the tar file that matches the version you installed.
i386: ftp://ftp.freebsd.org/pub/FreeBSD/releases/i386/9.1-RELEASE/src.txz
amd64:ftp://ftp.freebsd.org/pub/FreeBSD/releases/amd64/9.1-RELEASE/src.txz

amd64:ftp://ftp.freebsd.org/pub/FreeBSD/releases/amd64/11.0-RELEASE/src.txz

fetch ftp://ftp.freebsd.org/pub/FreeBSD/releases/amd64/9.1-RELEASE/src.txz

Unpack the archive to /usr/src (it contains paths relative to /, so extract from the root directory; bsdtar detects the xz compression itself):

tar -C / -xvf src.txz

 

Credits