9.5 Autocat Rules Management

00:00

so to prevent issues with your squeal database, it is important to categorize your alerts and squirt with auto cat rules. How other cat rules will break your traffic out into several categories, including things I compromised L one and L two attempted access, denial of service policy violation, et cetera.

00:20

Now this allows you to set priorities on your alerts as you see fit.

00:24

Now, for example, if you know that ICMP echo requests, hitting your external firewall isn't a concern, but you still want to know when someone does it. You can classify those alerts as no action required

00:38

Now. On the other hand,

00:39

if you know you have a neck sternly facing server with a critical vulnerability, let's say Apache struts that you can't patch for two weeks. You may want to write an autocrat rule that will categorize any rule regarding Apache struts directed at the vulnerability, ill

00:57

vulnerable server as L. L one compromise.

01:00

Now let's pull up, squeal real quick and see how we conduce this.

01:11

All right, so we have squeal. Here

01:15

we come up here, we have a couple of options comments, show height, pains, et cetera.

01:22

One that we're looking for is auto cat.

01:25

All right, So there is one default rule in here that is just, uh,

01:30

looking for u R L A. It looks like

01:34

So let's create a new rule.

01:40

So status, Let's say that we're looking for

01:44

compromise l one. That's F one. So

01:48

we want status of 11.

01:52

Let's do the Apache struts. Example.

02:06

All right, let's say that our destination I p is

02:12

I don't know. Let's just say serving 99

02:19

with our signature

02:21

in this case, we want to look for any server that there any,

02:27

uh,

02:29

alert that has Apache stretch, innit?

02:31

So we want to do regular expression.

02:39

That's percent

02:42

percent, Reg E X p percent percent

02:46

and carrot.

02:54

All right, let's say that we

02:59

all right, so that that

03:00

should take care of that auto cat rule for us. Let's say create. It's given a second. Okay,

03:07

so

03:09

it isn't red for a C one.

03:13

It is our compromised level one. Now let's just create one murder ghoul.

03:19

Let's say that we know that there is a lot of scanning that goes on on our network,

03:23

and we we know that it's happening, and unless there's actually a compromise, we don't really care.

03:30

So hopefully over here we see that reconnaissance is F six. So let's create a rule for reconnaissance for scanning traffic.

03:47

Okay,

03:49

so

03:51

since we want this to be a blanket rule, we're going to ignore a sensor source. I p source Poor destination. I p et cetera, et cetera, et cetera.

03:59

Let's say our signature. We want to do a rejects here again,

04:05

Reg E X, p do and carrot,

04:15

Right. So, e t scan. When we looked over our

04:19

snort rules believe that E t scan

04:24

was on a lot of the rules that were coming through. So

04:28

putting that in should take care of all of our generic scanning traffic.

04:39

Now, if you ever go into the terminal and

04:42

run, S o stat, one of the things that you'll see is your

04:47

uncapped ago rised a rule count or an categorized alert account.

04:53

If if that number goes over the set threshold,

04:57

then the Squeal database might start having issues. If if that does start happening, then you'll want to come in here and start writing rules to categorize your traffic as it's coming in.

05:09

That should help stabilize your squeal database.