Snort mailing list archives
RE: Tcpdump, alerts and portscans
From: "Jason Lewis" <jlewis () jasonlewis net>
Date: Mon, 25 Jun 2001 18:58:33 -0400
That is exactly what I am doing. Here is my sensor command line.

snort -A full -b -c rules.conf -d -D -e -h 192.168.0.0/24 -i eth0 -l /var/log/snort/snort.log

Here is my master console command line. This reads in the tcpdump files from the above sensor.

/usr/local/bin/snort -u snort -g snort -d -c /etc/snort/snort.conf -r /var/log/snort/snort.log

It has been working well. Are there any switches I am missing that might make things better?

Jason Lewis
http://www.packetnexus.com
It's not secure "Because they told me it was secure". The people at the other end of the link know less about security than you do. And that's scary.

-----Original Message-----
From: Phil Wood [mailto:cpw () lanl gov]
Sent: Monday, June 25, 2001 6:48 PM
To: Jason Lewis
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Tcpdump, alerts and portscans

On Mon, Jun 25, 2001 at 02:46:19PM -0400, Jason Lewis wrote:

Yeah, I thought I had solved it. I was using -A full on the command line and that overrides the config file. But, portscans are not making it into ACID. Couldn't a replay do the same thing on the tcpdump file? I mean doesn't it seem possible that a processor could look at the tcpdump file and store the same info and make the same conclusions about connections?

If you have a full tcpdump of all packets on your net, then you can do a post process using snort with the output database plugin enabled and get the portscans in acid along with the alerts. (The alerts will have complete ip/proto/data; the portscans will be summary info with no associated packet data.)

Maybe I can log portscans to a file and then insert those into ACID? It doesn't look like there is anything fancy happening with portscans when they are put into ACID normally? Does that sound like it might work?

In my circumstance, gige feed, over 500 million packets a day, and the fact that we are a national lab (average 400,000 scans a day); I've decided to leave the scans in the scan file, and summarize them out of band so to speak. Also, what's nice about acid is the complete breakout of the various layers of protocol. The current implementation of portscan does not provide that kind of data. Acid will take the alerts from portscan and put them in a bucket, but there is not a "packet" to go with it. At least it used to be that way.

Jason Lewis
http://www.packetnexus.com

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Phil Wood
Sent: Monday, June 25, 2001 10:41 AM
To: Jason Lewis
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Tcpdump, alerts and portscans

I think there is more to it than that. The -A full only means that the entire packet that caused the alert is decoded. The -b option will write any packet to a pcap file that was found by a snort RULE. However, the portscan preprocessor is accumulating information in memory which can lead to the conclusion that a scan is taking place. It will format alert type messages and pass them to the output processor, but not log (pcap style) the packets that caused it to come to that conclusion. Also, it will generate a file with a timestamp, source host/port and destination host/port for each packet. But, this is not something that you can replay into snort.

On Mon, Jun 25, 2001 at 03:01:50AM -0400, Jason Lewis wrote:

So, I wake up at 2:30am and realize what the problem is. A case of lack of sleep and tunnel vision. I somehow missed the -A full on the command line for the instance of snort reading the tcpdump file. Sometimes just writing it down and letting it bounce around in your brain is the thing to do. Thanks for listening. ;)

Jason Lewis
http://www.packetnexus.com

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Jason Lewis
Sent: Sunday, June 24, 2001 10:40 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Tcpdump, alerts and portscans

Maybe I have been looking at this too long and I am not seeing the obvious. Or, maybe I made an assumption about tcpdump. I am replaying tcpdump files with snort and putting the info into ACID. I am not seeing any portscans in ACID after the replay. Is this normal? Is it just a configuration setting I have overlooked? I thought tcpdump held all the packet info and snort could replay it and identify portscans. Wrong?

On the box that is replaying the tcpdump files, I have the following:

output database: log, mysql, dbname=snort_log user=snort host=localhost password=abc123
output database: alert, mysql, dbname=snort_log user=snort host=localhost password=abc123

What am I missing?

Jason Lewis
http://www.packetnexus.com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Phil Wood, cpw () lanl gov
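The post-processing idea raised in this thread (reaching a portscan conclusion from the timestamp/source/destination/port tuples in a capture, which Snort's scan file records but cannot replay) as an added example; this is not Snort's portscan preprocessor and not code from any of the posters. It assumes constructed in-memory packet records in place of a parsed tcpdump file, and the threshold and window values are assumptions for the example, not Snort defaults.

```python
from collections import defaultdict, deque

# "N distinct destination ports from one source to one target within W
# seconds". These values are assumptions for the example, not Snort defaults.
PORT_THRESHOLD = 5
WINDOW_SECONDS = 3.0

# Constructed records (timestamp, src_ip, src_port, dst_ip, dst_port), standing
# in for the tuples a post-processor would pull out of a tcpdump file.
PACKETS = [
    # fast scanner: six ports in one second -> should alert
    (1000.0, "10.0.0.5", 40001, "192.168.0.10", 22),
    (1000.2, "10.0.0.5", 40002, "192.168.0.10", 23),
    (1000.4, "10.0.0.5", 40003, "192.168.0.10", 25),
    (1000.6, "10.0.0.5", 40004, "192.168.0.10", 80),
    (1000.8, "10.0.0.5", 40005, "192.168.0.10", 443),
    (1001.0, "10.0.0.5", 40006, "192.168.0.10", 8080),
    # normal client: several packets to one service -> no alert
    (1000.1, "10.0.0.7", 51000, "192.168.0.10", 80),
    (1000.5, "10.0.0.7", 51001, "192.168.0.10", 80),
    # slow scanner: five ports but 10 s apart, outside the window -> no alert
    (2000.0, "10.0.0.9", 60001, "192.168.0.20", 21),
    (2010.0, "10.0.0.9", 60002, "192.168.0.20", 22),
    (2020.0, "10.0.0.9", 60003, "192.168.0.20", 23),
    (2030.0, "10.0.0.9", 60004, "192.168.0.20", 25),
    (2040.0, "10.0.0.9", 60005, "192.168.0.20", 80),
]

def detect_portscans(packets, threshold=PORT_THRESHOLD, window=WINDOW_SECONDS):
    """One summary alert per (src, dst) pair whose distinct destination ports
    inside a sliding window reach `threshold`; no packet data is kept."""
    history = defaultdict(deque)          # (src, dst) -> deque of (ts, dport)
    alerted, alerts = set(), []
    for ts, src, _sport, dst, dport in sorted(packets):   # timestamp order
        key = (src, dst)
        hist = history[key]
        hist.append((ts, dport))
        while hist[0][0] < ts - window:   # expire entries older than the window
            hist.popleft()
        ports = sorted({p for _, p in hist})
        if len(ports) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"start": hist[0][0], "end": ts, "src": src,
                           "dst": dst, "ports": ports})
    return alerts

if __name__ == "__main__":
    for a in detect_portscans(PACKETS):   # summary line, portscan-log style
        print(f"{a['start']:.1f}-{a['end']:.1f} {a['src']} -> {a['dst']} "
              f"portscan: {len(a['ports'])} ports {a['ports']}")
```

As Phil notes for Snort's own scan output, the result is summary information only; there is no packet to hand to ACID, so a wider window (which catches the slow scanner above) trades detection of slow scans against memory held per source/destination pair.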
Current thread:
- Tcpdump, alerts and portscans Jason Lewis (Jun 24)
- RE: Tcpdump, alerts and portscans Jason Lewis (Jun 25)
- Re: Tcpdump, alerts and portscans Phil Wood (Jun 25)
- RE: Tcpdump, alerts and portscans Jason Lewis (Jun 25)
- Re: Tcpdump, alerts and portscans Erik Fichtner (Jun 25)
- RE: Tcpdump, alerts and portscans Jason Lewis (Jun 25)
- Re: Tcpdump, alerts and portscans Erik Fichtner (Jun 25)
- RE: Tcpdump, alerts and portscans Jason Lewis (Jun 25)
- Re: Tcpdump, alerts and portscans Martin Roesch (Jun 25)
- Re: Tcpdump, alerts and portscans Phil Wood (Jun 25)
- RE: Tcpdump, alerts and portscans Jason Lewis (Jun 25)
- Re: Tcpdump, alerts and portscans Phil Wood (Jun 25)
- RE: Tcpdump, alerts and portscans Jason Lewis (Jun 25)
- Snort Install Doc Jason Lewis (Jun 25)
- RE: Snort Install Doc Stefan Dens (Jun 27)
- RE: Snort Install Doc Jason Lewis (Jun 27)