Understand the Intent of the Alarm(s)

Beyond understanding the technical signature or policy "code" that triggered the alarm, it is also useful to understand why that trigger was built in the first place: what attack or abuse it was meant to catch.

All of these things, and any other information that can be gathered, will help in differentiating attacks from legitimate behavior. Although this process may seem tedious and time consuming in the beginning, the Bro analyst will quickly build up a substantial knowledge of known attacks. Even if the incident in question turns out to be benign, the effort to learn about the attack almost always proves useful in future investigations.

Converted Snort© Signatures

Since Snort© signatures are usually fairly well documented, one way to discover the intent of the signature is to search the web for the title of the signature using any of the common search engines (Yahoo, Google, Teoma, AltaVista, or one of the many others). For instance, a search on the MS SQL xp_cmdshell vulnerability yields ~7000 hits. One of those hits is:

     Zone-H.org * Advisories
     ... Successful exploitation of this vulnerability can enable an attacker to 
     execute commands in the system (via MS SQL xp_cmdshell function). ...
     www.zone-h.org/advisories/read/id=4243 - 17k - Cached - Similar pages
     
This web site gives a fairly detailed description of the exploit and confirms that it can be used to root-compromise a computer; hence it is a vulnerability of significant interest. Several other sites also give details about the signature, the attack, and other useful information.

Embedded Bro Rule

Unfortunately, most of the embedded Bro rules have not been documented. The analyst must rely on his/her own understanding of network attacks to infer the intent of the rule. Sometimes useful comments are written into the Bro policy source, so reading the policy file that defines the rule is worthwhile.