So, to prevent issues with your Sguil database, it is important to categorize your alerts in Squert with autocat rules. Autocat rules will break your traffic out into several categories, including things like Compromise L1 and L2, Attempted Access, Denial of Service, Policy Violation, et cetera.
Now this allows you to set priorities on your alerts as you see fit.
Now, for example, if you know that ICMP echo requests hitting your external firewall aren't a concern, but you still want to know when someone does it, you can classify those alerts as No Action Required.
Now, on the other hand, if you know you have an externally facing server with a critical vulnerability, let's say Apache Struts, that you can't patch for two weeks, you may want to write an autocat rule that will categorize any rule regarding Apache Struts directed at the vulnerable server as L1 Compromise.
Now let's pull up Sguil real quick and see how we can do this.
All right, so we have Sguil here. We come up here, we have a couple of options: Comments, Show/Hide Panes, et cetera. The one that we're looking for is Autocat.
All right, so there is one default rule in here that is just, uh, looking for a URL, it looks like.
So let's create a new rule.
So, status. Let's say that we're looking for Compromise L1. That's F1, so we want a status of 11.
Let's do the Apache Struts example.
All right, let's say that our destination IP is, I don't know, let's just say server 99 in this case. We want to look for any alert that has Apache Struts in it.
So we want to do a regular expression: %%REGEXP%%.
All right, let's say that we... all right, so that should take care of that autocat rule for us. Let's hit Create. Give it a second. Okay.
It is in red for a C1. It is our Compromise Level 1. Now let's just create one more rule.
Let's say that we know that there is a lot of scanning that goes on on our network, and we know that it's happening, and unless there's actually a compromise, we don't really care.
So hopefully over here we see that Reconnaissance is F6. So let's create a rule for reconnaissance, for scanning traffic.
Since we want this to be a blanket rule, we're going to ignore sensor, source IP, source port, destination IP, et cetera, et cetera, et cetera.
Let's say our signature. We want to do a regex here again: %%REGEXP%% and a caret.
Right, so ET SCAN. When we looked over our Snort rules, I believe that ET SCAN was on a lot of the rules that were coming through. So putting that in should take care of all of our generic scanning traffic.
Now, if you ever go into the terminal and run sostat, one of the things that you'll see is your uncategorized alert count.
If that number goes over the set threshold, then the Sguil database might start having issues. If that does start happening, then you'll want to come in here and start writing rules to categorize your traffic as it's coming in.
That should help stabilize your Sguil database.
All right, so those are the basics of writing an autocat rule in Squert. Thanks for listening.
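The two rules built in the walkthrough above (Apache Struts alerts to one server as status 11, anything starting with ET SCAN as status 16) plus the ICMP "No Action Required" case, and the uncategorized-count check that sostat reports, as an added example that is not from the video or from the Sguil/Security Onion projects. It is a small stand-in for the matching sguild does: rules use the `||`-delimited layout with `none` wildcards and a `%%REGEXP%%` signature prefix as I recall it from Sguil's autocat.conf (treat the exact layout, the first-match-wins order and status 0 meaning "still uncategorized" as assumptions), and the alerts, IPs and threshold are constructed for the demo.

```python
import re
from dataclasses import dataclass

# Status codes as the video uses them (0 = real-time/uncategorized is an assumption).
STATUS_NAMES = {0: "RT (uncategorized)", 1: "No Action Required",
                11: "Cat I: Compromise L1", 16: "Cat VI: Reconnaissance/Scan"}

# Constructed rules in the assumed autocat.conf layout:
# erase||sensor||src_ip||src_port||dst_ip||dst_port||proto||signature||status
AUTOCAT_RULES_TEXT = """
# Struts alerts aimed at the one server we cannot patch yet -> Compromise L1
none||none||none||none||192.0.2.99||none||none||%%REGEXP%%Apache Struts||11
# Any ET SCAN signature, regardless of sensor/IP/port -> Reconnaissance
none||none||none||none||none||none||none||%%REGEXP%%^ET SCAN||16
# ICMP (proto 1) echo requests at the external firewall -> No Action Required
none||none||none||none||203.0.113.1||none||1||%%REGEXP%%ICMP.*Echo Request||1
"""

@dataclass
class Alert:
    sensor: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int
    signature: str

@dataclass
class AutocatRule:
    sensor: str
    src_ip: str
    src_port: str
    dst_ip: str
    dst_port: str
    proto: str
    signature: str
    status: int

MATCH_FIELDS = ("sensor", "src_ip", "src_port", "dst_ip", "dst_port", "proto")
REGEXP_PREFIX = "%%REGEXP%%"

def parse_rules(text):
    """Parse ||-delimited autocat lines; '#' lines and blanks are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("||")
        if len(parts) != 9:
            raise ValueError(f"bad autocat line: {line!r}")
        _erase, sensor, sip, spt, dip, dpt, proto, sig, status = parts
        rules.append(AutocatRule(sensor, sip, spt, dip, dpt, proto, sig, int(status)))
    return rules

def field_matches(rule_value, alert_value):
    """'none' is a wildcard; anything else must match the alert field exactly."""
    return rule_value == "none" or rule_value == str(alert_value)

def signature_matches(rule_sig, alert_sig):
    """%%REGEXP%% rules are searched anywhere in the message, hence the video's caret
    to anchor 'ET SCAN' at the start; plain rules need an exact message match."""
    if rule_sig.startswith(REGEXP_PREFIX):
        return re.search(rule_sig[len(REGEXP_PREFIX):], alert_sig) is not None
    return rule_sig == alert_sig

def categorize(alert, rules):
    """Return the status of the first matching rule, or 0 if nothing matches."""
    for rule in rules:
        if all(field_matches(getattr(rule, f), getattr(alert, f)) for f in MATCH_FIELDS) \
                and signature_matches(rule.signature, alert.signature):
            return rule.status
    return 0

def uncategorized_count(alerts, rules):
    """The number sostat would report as still uncategorized (status 0)."""
    return sum(1 for a in alerts if categorize(a, rules) == 0)

def over_threshold(alerts, rules, threshold):
    """True when it is time to write more autocat rules."""
    return uncategorized_count(alerts, rules) > threshold

RULES = parse_rules(AUTOCAT_RULES_TEXT)

# Constructed alerts; signature text is made up for the demo.
SAMPLE_ALERTS = [
    Alert("so-ext", "198.51.100.7", 41234, "192.0.2.99", 8080, 6, "ET EXPLOIT Apache Struts RCE attempt (constructed)"),
    Alert("so-ext", "198.51.100.8", 55000, "192.0.2.10", 22, 6, "ET SCAN Potential SSH Scan (constructed)"),
    Alert("so-ext", "198.51.100.9", 0, "203.0.113.1", 0, 1, "GPL ICMP Echo Request (constructed)"),
    Alert("so-int", "10.0.0.5", 50123, "10.0.0.21", 21, 6, "ET POLICY Cleartext FTP Login (constructed)"),
    Alert("so-ext", "198.51.100.3", 40001, "192.0.2.10", 80, 6, "ET WEB_SERVER Vulnerability SCAN Tool User-Agent (constructed)"),
    Alert("so-ext", "198.51.100.7", 41300, "192.0.2.50", 8080, 6, "ET EXPLOIT Apache Struts RCE attempt (constructed)"),
]

if __name__ == "__main__":
    for alert in SAMPLE_ALERTS:
        print(f"{STATUS_NAMES[categorize(alert, RULES)]:28s} {alert.signature}")
    print("uncategorized:", uncategorized_count(SAMPLE_ALERTS, RULES))
```

Two of the constructed alerts stay uncategorized on purpose: the Struts alert to the patched server at .50 shows the destination-IP filter doing its job, and the "Vulnerability SCAN Tool" message shows why the caret in `^ET SCAN` matters, since without it a search for `ET SCAN` would not fire there either, but a looser pattern like `SCAN` would sweep up non-reconnaissance alerts.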