Thursday, August 2, 2012

Honeypot Rule Maintenance - autocat

I haven't received an alert about anyone successfully logging in, so I checked in on the honeypot. I opened the Sguil client and saw thousands of alerts, almost all of them scans. I found that really boring to look at, and I don't want to see them in my Sguil client because I'm not going to take any action on them. I will only take action when there is a successful compromise; however, once an intruder has succeeded, I will want to know about their reconnaissance and scanning techniques. I chose to use the autocat feature in Sguil. Autocat lets sguild assign a category to matching events as they arrive, so every alert generated by the Snort IDS and the Emerging Threats ruleset is still logged to the database, but the matching ones never appear in the console. Later, I can query the database from the Sguil client and see what other rules the attacker triggered before the compromise.

The file is located at /etc/nsm/securityonion/autocat.conf and I just edited it with my favorite text editor, "vi". The format is described in the comments at the top of the autocat.conf file, one entry per line with the fields separated by ||:

#   <erase time>||<sensorName>||<src_ip>||<src_port>||<dst_ip>||<dst_port>||<proto>||<sig msg>||<cat value>

The following autocat entries were added because they are not indicative of a compromise and they had a high count. A <sig msg> field is compared as an exact string unless it starts with %%REGEXP%%, in which case it is treated as a regular expression; that is how the ET COMPROMISED and ET RBN entries below catch every signature beginning with that text (those messages end in a group number that varies from rule to rule, so an exact match would only ever hit one of them). I also use that anchored form to autocat every signature that begins with "ET SCAN". The last field is the category to assign: 1 is Sguil's "No Action Required" status, the same as pressing F8 on the event in the console.

none||ANY||ANY||ANY||ANY||ANY||ANY||ET POLICY MS Remote Desktop Administrator Login Request||1
none||ANY||ANY||ANY||ANY||ANY||ANY||%%REGEXP%%^ET COMPROMISED Known Compromised or Hostile Host Traffic TCP||1
none||ANY||ANY||ANY||ANY||ANY||ANY||%%REGEXP%%^ET RBN Known Russian Business Network IP TCP||1
none||ANY||ANY||ANY||ANY||ANY||ANY||ET DROP Dshield Block Listed Source||1
none||ANY||ANY||ANY||ANY||ANY||ANY||ET POLICY RDP connection request||1
none||ANY||ANY||ANY||ANY||ANY||ANY||ET POLICY RDP disconnect request||1
none||ANY||ANY||ANY||ANY||ANY||ANY||ET DOS Microsoft Remote Desktop (RDP) Syn then Reset 30 Second DoS Attempt||1
none||ANY||ANY||ANY||ANY||ANY||ANY||ET TROJAN MS Terminal Server User A Login, possible Morto inbound||1
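To check that a set of entries does what you expect before restarting sguild, here is an offline checker; it is an added example and not code from the original post or from Sguil. It parses entries in the format described above and applies them to a handful of constructed sample alerts, treating a field as a wildcard when it is ANY, as a regular expression when it starts with %%REGEXP%%, and as an exact string otherwise, with the first matching entry winning. The sensor name, addresses and alert messages in the sample are made up, the %%REGEXP%%^ET SCAN entry is my rendering of the "every signature beginning with ET SCAN" intent, and the status map only knows about 1 (NA); network ranges and the erase-time field are not modelled.

```python
"""Offline checker for Sguil autocat.conf entries.

Added example, not from the original post or from Sguil. Matching
semantics modelled: ANY matches anything, a field starting with
%%REGEXP%% is a regular expression (re.search, so anchor with ^ yourself),
anything else must equal the alert field exactly, and the first matching
entry wins. Network ranges and the erase-time field are not modelled.
All sample data below is constructed.
"""
import re

REGEXP_PREFIX = "%%REGEXP%%"
FIELDS = ("erase_time", "sensor", "src_ip", "src_port",
          "dst_ip", "dst_port", "proto", "sig_msg", "status")
MATCH_FIELDS = FIELDS[1:-1]                      # everything between erase time and status
STATUS_NAMES = {"1": "NA (No Action Required)"}  # the only status this sample uses

# Constructed sample in the same format as /etc/nsm/securityonion/autocat.conf
SAMPLE_AUTOCAT = """\
# <erase time>||<sensorName>||<src_ip>||<src_port>||<dst_ip>||<dst_port>||<proto>||<sig msg>||<cat value>
none||ANY||ANY||ANY||ANY||ANY||ANY||ET POLICY RDP connection request||1
none||ANY||ANY||ANY||ANY||ANY||ANY||ET DROP Dshield Block Listed Source||1
none||ANY||ANY||ANY||ANY||ANY||ANY||%%REGEXP%%^ET COMPROMISED Known Compromised or Hostile Host Traffic TCP||1
none||ANY||ANY||ANY||ANY||ANY||ANY||%%REGEXP%%^ET SCAN||1
"""


def _alert(sig_msg):
    """Constructed alert: one sensor, one scanner, RDP on the honeypot."""
    return {"sensor": "honeypot-eth1", "src_ip": "198.51.100.7", "src_port": 41234,
            "dst_ip": "192.0.2.10", "dst_port": 3389, "proto": 6, "sig_msg": sig_msg}


SAMPLE_ALERTS = [
    _alert("ET POLICY RDP connection request"),                                   # exact match
    _alert("ET SCAN Potential SSH Scan"),                                         # ^ET SCAN regex
    _alert("ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (12)"),  # regex covers the suffix
    _alert("ET DROP Dshield Block Listed Source group 3"),                        # exact entry misses the suffix
    _alert("GPL ATTACK_RESPONSE id check returned root"),                         # must stay visible
]


def parse_autocat(text):
    """Return a list of entry dicts; blank lines and # comments are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("||")
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} fields, got {len(parts)}")
        entries.append(dict(zip(FIELDS, parts)))
    return entries


def field_matches(pattern, value):
    """ANY is a wildcard, %%REGEXP%% prefixes a regex, anything else is exact."""
    if pattern == "ANY":
        return True
    if pattern.startswith(REGEXP_PREFIX):
        return re.search(pattern[len(REGEXP_PREFIX):], value) is not None
    return pattern == value  # exact, so a trailing "group 3" defeats it


def match_entry(entries, alert):
    """First entry whose match fields all accept the alert, or None."""
    for entry in entries:
        if all(field_matches(entry[f], str(alert[f])) for f in MATCH_FIELDS):
            return entry
    return None


def triage(entries, alerts):
    """Split alerts into (hidden, shown); hidden pairs each alert with its status."""
    hidden, shown = [], []
    for alert in alerts:
        entry = match_entry(entries, alert)
        if entry is None:
            shown.append(alert)
        else:
            hidden.append((alert, entry["status"]))
    return hidden, shown


if __name__ == "__main__":
    hidden, shown = triage(parse_autocat(SAMPLE_AUTOCAT), SAMPLE_ALERTS)
    for alert, status in hidden:
        print(f"autocat {status:>2} {STATUS_NAMES.get(status, '?'):26} {alert['sig_msg']}")
    for alert in shown:
        print(f"console    {'':26} {alert['sig_msg']}")
```

Point it at the real file by reading /etc/nsm/securityonion/autocat.conf instead of SAMPLE_AUTOCAT. The Dshield alert is the gotcha the run is meant to surface: an exact entry silently misses messages that carry a suffix, so if the intent is the whole signature family, use the %%REGEXP%%^ form as the post does for ET COMPROMISED and ET RBN.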

After saving the file, don't forget to restart sguild so it rereads autocat.conf (the nsm scripts need root, so use sudo if you aren't):

$ sudo nsm_server_ps-restart

(or send SIGHUP with kill -1 to the lowest sguild PID, the parent process, which makes it reload the file without a full restart). Autocat is applied to events as sguild receives them, so alerts already sitting in the console are not reclassified; clear those by hand.