Time
3 hours 10 minutes
Difficulty
Beginner
CEU/CPE
3

Video Transcription

00:00
So to prevent issues with your Sguil database, it is important to categorize your alerts in Sguil with autocat rules. Autocat rules will break your traffic out into several categories, including things like Compromise L1 and L2, attempted access, denial of service, policy violation, et cetera.
00:20
Now this allows you to set priorities on your alerts as you see fit.
00:24
Now, for example, if you know that ICMP echo requests hitting your external firewall aren't a concern, but you still want to know when someone does it, you can classify those alerts as No Action Required.
00:38
Now, on the other hand,
00:39
if you know you have an externally facing server with a critical vulnerability, let's say Apache Struts, that you can't patch for two weeks, you may want to write an autocat rule that will categorize any rule regarding Apache Struts directed at the
00:57
vulnerable server as L1 compromise.
01:00
Now let's pull up Sguil real quick and see how we can do this.
01:11
All right, so we have Sguil here.
01:15
We come up here; we have a couple of options: comments, show/hide panes, et cetera.
01:22
The one that we're looking for is autocat.
01:25
All right, so there is one default rule in here that is just, uh,
01:30
looking for URL, it looks like.
01:34
So let's create a new rule.
01:40
So, status. Let's say that we're looking for
01:44
Compromise L1. That's F1. So
01:48
we want a status of 11.
01:52
Let's do the Apache Struts example.
02:06
All right, let's say that our destination IP is
02:12
I don't know. Let's just say server 99,
02:19
with our signature.
02:21
In this case, we want to look for any server that, any,
02:27
uh,
02:29
alert that has Apache Struts in it.
02:31
So we want to do a regular expression.
02:39
That's percent
02:42
percent, REGEXP, percent percent,
02:46
and a caret.
02:54
All right, let's say that we...
02:59
All right, so that
03:00
should take care of that autocat rule for us. Let's hit create. Give it a second. Okay,
03:07
so
03:09
it's in red for a Cat I.
03:13
It is our Compromise Level 1. Now let's just create one more rule.
03:19
Let's say that we know that there is a lot of scanning that goes on on our network,
03:23
and we know that it's happening, and unless there's actually a compromise, we don't really care.
03:30
So hopefully over here we see that reconnaissance is F6. So let's create a rule for reconnaissance, for scanning traffic.
03:47
Okay,
03:49
so
03:51
since we want this to be a blanket rule, we're going to ignore sensor, source IP, source port, destination IP, et cetera, et cetera, et cetera.
03:59
Let's say our signature. We want to do a regex here again:
04:05
REGEXP and a caret.
04:15
Right. So, ET SCAN. When we looked over our
04:19
Snort rules, I believe that ET SCAN
04:24
was on a lot of the rules that were coming through. So
04:28
putting that in should take care of all of our generic scanning traffic.
04:39
Now, if you ever go into the terminal and
04:42
run sostat, one of the things that you'll see is your
04:47
uncategorized rule count, or uncategorized alert count.
04:53
If that number goes over the set threshold,
04:57
then the Sguil database might start having issues. If that does start happening, then you'll want to come in here and start writing rules to categorize your traffic as it's coming in.
05:09
That should help stabilize your Sguil database.
05:15
All right, so those are the basics of writing an autocat rule in Sguil. Thanks for listening.

Up Next

Security Onion

Security Onion is an open source Network Security Monitoring and log management Linux Distribution. In this course we will learn about the history, components, and architecture of the distro, and we will go over how to install and deploy single and multiple server architectures, as well as how to replay or sniff traffic.

Instructed By

Karl Hansen
Senior SOC Analyst
Instructor