diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-19 17:39:49 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-19 17:39:49 +0000 |
commit | a0aa2307322cd47bbf416810ac0292925e03be87 (patch) | |
tree | 37076262a026c4b48c8a0e84f44ff9187556ca35 /doc/userguide/make-sense-alerts.rst | |
parent | Initial commit. (diff) | |
download | suricata-a0aa2307322cd47bbf416810ac0292925e03be87.tar.xz suricata-a0aa2307322cd47bbf416810ac0292925e03be87.zip |
Adding upstream version 1:7.0.3.upstream/1%7.0.3
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r-- | doc/userguide/make-sense-alerts.rst | 70 |
1 files changed, 70 insertions, 0 deletions
diff --git a/doc/userguide/make-sense-alerts.rst b/doc/userguide/make-sense-alerts.rst new file mode 100644 index 0000000..819ec5e --- /dev/null +++ b/doc/userguide/make-sense-alerts.rst @@ -0,0 +1,70 @@ +Making sense out of Alerts +========================== + +When an alert happens it's important to figure out what it means. Is it +serious? Relevant? A false positive? + +To find out more about the rule that fired, it's always a good idea to +look at the actual rule. + +The first thing to look at in a rule is the description that follows +the ``msg`` keyword. Let's consider an example: :: + + msg:"ET SCAN sipscan probe"; + +The "ET" indicates the rule came from the Emerging Threats (Proofpoint) +project. "SCAN" indicates the purpose of the rule is to match on some +form of scanning. Following that, a more or less detailed description +is given. + +Most rules contain some pointers to more information in the form of +the "reference" keyword. + +Consider the following example rule: :: + + alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS \ + (msg:"ET CURRENT_EVENTS Adobe 0day Shovelware"; \ + flow:established,to_server; content:"GET "; nocase; depth:4; \ + content:!"|0d 0a|Referer\:"; nocase; \ + uricontent:"/ppp/listdir.php?dir="; \ + pcre:"/\/[a-z]{2}\/[a-z]{4}01\/ppp\/listdir\.php\?dir=/U"; \ + classtype:trojan-activity; \ + reference:url,isc.sans.org/diary.html?storyid=7747; \ + reference:url,doc.emergingthreats.net/2010496; \ + reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Adobe; \ + sid:2010496; rev:2;) + +In this rule, the reference keyword indicates 3 urls to visit for more +information: :: + + isc.sans.org/diary.html?storyid=7747 + doc.emergingthreats.net/2010496 + www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Adobe + +Some rules contain a reference like: ``"reference:cve,2009-3958;"`` should +allow you to find info about the specific CVE using your favorite +search engine. + +It's not always straight forward and sometimes not all of that +information is available publicly. Usually asking about it on the +signature support channel can be helpful. + +In :doc:`../rule-management/suricata-update` more information on the rule +sources and their documentation and support methods can be found. + +In many cases, looking at just the alert and the packet that triggered +it won't be enough to be conclusive. When using the default Eve settings +a lot of metadata will be added to the alert. + +For example, if a rule fired that indicates your web application is +attacked, looking at the metadata might reveal that the web +application replied with ``404 not found``. This will usually mean the +attack failed but not always. + +Not every protocol leads to metadata generation, so when running an +IDS engine like Suricata, it's often recommended to combine it with +full packet capture. Using tools like Evebox, Sguil or Snorby, the +full TCP session or UDP flow can be inspected. + +Obviously there is a lot more to Incidence Response, but this should +get you started. |