
RE: Portscans not displayed in ACID?


From: "Peters, Michael D." <Michael.Peters () acbl net>
Date: Fri, 23 Jan 2004 08:04:55 -0500

Here is one of my three configuration files. This one is for the LAN
interface. I have other network segments that use other configuration files.
At this time, aside from the IP and mac addresses, they are the same.

The problems that I am having since I upgraded to version 2.1.0 from 2.0.1
are the following:

1. The portscans that snort detects and that are displayed in the alert logs
are not showing up on the ACID opening page % meter.

Does anyone know why from looking at my configuration?

2. Only two of the three interfaces are showing up with this new version. I can
sniff on the missing interface just fine. I have link status and everything
physically looks good. The interface is showing up properly with the other
two interfaces when I look at the running processes.

Has anyone encountered problems with the new version and running multiple
interfaces with multiple configurations?

#
# Snort 2.1.0 configuration for the LAN (172.16.0.0/16) sensor interface.
# Per the message above, the two other per-interface configs differ from
# this one only in the IP and MAC addresses.
#
# Network definitions. LAN_NET is the monitored segment; EXTERNAL_NET any
# means every other address counts as external for the rules.
var LAN_NET 172.16.0.0/16
var EXTERNAL_NET any
var DNS_SERVERS [172.16.0.55/32,172.16.0.56/32]
var SMTP_SERVERS 172.16.100.17
var HTTP_SERVERS 172.16.100.140
var SQL_SERVERS $LAN_NET
var TELNET_SERVERS $LAN_NET
var SNMP_SERVERS $LAN_NET
# NOTE(review): HTTP_PORTS is defined four times. A Snort 2.x `var` holds a
# single value per name, so the later definitions most likely replace the
# earlier ones and only the last one (443) ends up in $HTTP_PORTS -- confirm
# by checking which ports the web rules actually fire on. The non-standard
# ports still get normalisation through the http_inspect_server lines
# further down, which list them explicitly.
var HTTP_PORTS 80
var HTTP_PORTS 3852
var HTTP_PORTS 18080
var HTTP_PORTS 443
# Shellcode rules inspect everything except port 80 to limit false positives.
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
# NOTE(review): the next four lines are one `var AIM_SERVERS [...]`
# statement that the mail client wrapped; in the real file the list has to
# sit on a single line or Snort will fail to parse it.
var AIM_SERVERS
[64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.1
2.161.0/24,64.12.163.0/2
4,205.188.5.0/24,205.188.9.0/24]
#
# Rules for this interface live in their own directory (lan-*.rules below).
var RULE_PATH ../rules/lan
#
# Flow tracking; required by the flow-portscan preprocessor further down.
preprocessor flow: stats_interval 60 hash 1
# Legacy spp_portscan (the source of the "PORTSCAN DETECTED" alerts quoted
# in the thread): watch LAN_NET, alert after 5 ports in 4 seconds, and log
# to the given file.
preprocessor portscan: 172.16.0.0/16 5 4 /var/snort/portscan/lan.portscan
preprocessor frag2
# NOTE(review): disable_evasion_alerts switches off stream4's evasion-attempt
# alerts. That reduces noise, but it also means stream-level evasion
# attempts against this segment are not reported; keep that in mind when
# judging what ACID shows. (One directive, wrapped onto two lines by the
# mail client.)
preprocessor stream4: keepstats, detect_scans, detect_state_problems,
disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
#
# Per-server HTTP normalisation; the non-standard ports 3852 and 18080 are
# listed explicitly here. Both directives are single lines in the real
# file (mail wrapping again).
preprocessor http_inspect_server: server 172.16.100.140 profile apache ports
{ 80 443 }
preprocessor http_inspect_server: server 172.16.0.8 profile apache ports {
80 443 3852 18080 }
#
preprocessor rpc_decode: 111 32771
# Back Orifice traffic detector.
preprocessor bo
preprocessor telnet_decode
#
# flow-portscan. Points worth checking (comments cannot be placed inside
# the backslash-continued block, so they are collected here):
#  - server-watchnet covers the two DNS servers and 172.16.0.8 only; scans
#    against other LAN hosts rely on the talker/scanner thresholds.
#  - src-ignore-net drops 192.168.200.0/24 and 192.168.201.0/24 from
#    scoring entirely, so a scan sourced from those ranges is never
#    reported. Make sure that is intended.
#  - alert-mode all reports every threshold crossing (the earlier config
#    quoted below used "once").
#  - output-mode pktkludge is the setting Jochen's reply says is needed for
#    the events to reach the standard output plugins, i.e. the database
#    that ACID reads, instead of the "msg" mode used before.
preprocessor flow-portscan: \
        talker-sliding-scale-factor 0.50 \
        talker-fixed-threshold 30 \
        talker-sliding-threshold 30 \
        talker-sliding-window 20 \
        talker-fixed-window 30 \
        scoreboard-rows-talker 30000 \
        server-watchnet [172.16.0.55/32,172.16.0.56/32,172.16.0.8/32] \
        server-ignore-limit 500 \
        server-rows 65535 \
        server-learning-time 14400 \
        server-scanner-limit 500 \
        scanner-sliding-window 20 \
        scanner-sliding-scale-factor 0.50 \
        scanner-fixed-threshold 15 \
        scanner-sliding-threshold 40 \
        scanner-fixed-window 15 \
        scoreboard-rows-scanner 30000 \
        src-ignore-net [192.168.200.0/24,192.168.201.0/24] \
        dst-ignore-net [10.0.0.0/30] \
        alert-mode all \
        output-mode pktkludge \
        tcp-penalties on
#
# ARP spoof detection pinned to the two DNS servers' MAC addresses. Update
# these entries if either NIC is ever replaced, otherwise the preprocessor
# will start alerting on the legitimate new address.
preprocessor arpspoof
preprocessor arpspoof_detect_host: 172.16.0.55 00:a0:c9:56:d6:9b
preprocessor arpspoof_detect_host: 172.16.0.56 00:60:94:e5:57:23
#
# Performance statistics every 60 s (one line in the real file).
preprocessor perfmonitor: time 60 flow events file
/var/snort/performance/snort.stats pktcnt 10000
#
output alert_syslog: LOG_AUTH LOG_ALERT
# Alerts to MySQL; this is the table set ACID reads. The credentials are
# placeholders in this post, but the real file carries the live database
# password, so keep snort.conf readable only by the account Snort starts
# as. (One line in the real file.)
output database: alert, mysql, user=someuser password=somepassword
dbname=snort host=localhost sensor_name=LAN detail=full
#
include classification.config
#
include reference.config
#
# Per-interface copies of the stock rule sets.
include $RULE_PATH/lan-local.rules
include $RULE_PATH/lan-bad-traffic.rules
include $RULE_PATH/lan-exploit.rules
include $RULE_PATH/lan-scan.rules
include $RULE_PATH/lan-finger.rules
include $RULE_PATH/lan-ftp.rules
include $RULE_PATH/lan-telnet.rules
include $RULE_PATH/lan-rpc.rules
include $RULE_PATH/lan-rservices.rules
include $RULE_PATH/lan-dos.rules
include $RULE_PATH/lan-ddos.rules
include $RULE_PATH/lan-dns.rules
include $RULE_PATH/lan-tftp.rules
include $RULE_PATH/lan-web-cgi.rules
include $RULE_PATH/lan-web-coldfusion.rules
include $RULE_PATH/lan-web-iis.rules
include $RULE_PATH/lan-web-frontpage.rules
include $RULE_PATH/lan-web-misc.rules
include $RULE_PATH/lan-web-client.rules
include $RULE_PATH/lan-web-php.rules
include $RULE_PATH/lan-sql.rules
include $RULE_PATH/lan-x11.rules
include $RULE_PATH/lan-icmp.rules
include $RULE_PATH/lan-netbios.rules
include $RULE_PATH/lan-misc.rules
include $RULE_PATH/lan-attack-responses.rules
include $RULE_PATH/lan-oracle.rules
include $RULE_PATH/lan-mysql.rules
include $RULE_PATH/lan-snmp.rules
include $RULE_PATH/lan-smtp.rules
include $RULE_PATH/lan-imap.rules
include $RULE_PATH/lan-pop2.rules
include $RULE_PATH/lan-pop3.rules
include $RULE_PATH/lan-nntp.rules
include $RULE_PATH/lan-other-ids.rules
include $RULE_PATH/lan-web-attacks.rules
include $RULE_PATH/lan-backdoor.rules
include $RULE_PATH/lan-shellcode.rules
include $RULE_PATH/lan-policy.rules
include $RULE_PATH/lan-porn.rules
include $RULE_PATH/lan-info.rules
include $RULE_PATH/lan-icmp-info.rules
include $RULE_PATH/lan-virus.rules
include $RULE_PATH/lan-chat.rules
include $RULE_PATH/lan-multimedia.rules
include $RULE_PATH/lan-p2p.rules
include $RULE_PATH/lan-experimental.rules
#
#
# Event thresholding / suppression settings.
include threshold.conf



Best regards,

Michael D. Peters 



-----Original Message-----
From: Jochen [mailto:dibo303 () gmx de]
Sent: Wednesday, January 21, 2004 11:06 AM
To: Peters, Michael D.
Subject: Re: [Snort-users] Portscans not displayed in ACID?


hi Michael,

        output-mode msg \
has to be changed in
        output-mode pktkludge \
for logging to the standard logging facility (your db)
it's all in the README.flow-portscan. :-)

Jochen

Could someone please advise me on what it takes to get portscan traffic to
show up in the ACID front page bar graph?

I have portscan data showing up in the current alert data just not in the
opening page bar graph.

For example:
snort] spp_portscan: PORTSCAN DETECTED from 68.15.238.162 (THRESHOLD 5
connections exceeded in 0 seconds)
  
These are the configuration parameters in the snort.conf file:

# Earlier (HOME sensor) configuration quoted from the original question;
# Jochen's reply above concerns the output-mode line near the end.
preprocessor flow: stats_interval 300 hash 1
# Legacy spp_portscan; this is what produced the "PORTSCAN DETECTED" alert
# quoted above. (One line in the real file; wrapped by the mail client.)
preprocessor portscan: 68.16.185.128/27 5 6
/var/snort/portscan/snort.portscan

# One directive, wrapped onto two lines by the mail client.
preprocessor stream4: keepstats, detect_scans, detect_state_problems,
disable_evasion_alerts
preprocessor stream4_reassemble

# NOTE(review): according to the reply, `output-mode msg` does not hand the
# flow-portscan events to the standard output plugins (the database ACID
# reads); it has to be `output-mode pktkludge`, as in the newer config
# above. Comments cannot be placed inside the backslash-continued block.
preprocessor flow-portscan: \
        talker-sliding-scale-factor 0.50 \
        talker-fixed-threshold 30 \
        talker-sliding-threshold 30 \
        talker-sliding-window 20 \
        talker-fixed-window 30 \
        scoreboard-rows-talker 30000 \
        server-watchnet [68.16.185.128/27] \
        server-ignore-limit 200 \
        server-rows 65535 \
        server-learning-time 14400 \
        server-scanner-limit 4 \
        scanner-sliding-window 20 \
        scanner-sliding-scale-factor 0.50 \
        scanner-fixed-threshold 15 \
        scanner-sliding-threshold 40 \
        scanner-fixed-window 15 \
        scoreboard-rows-scanner 30000 \
        src-ignore-net [172.16.0.0/16] \
        dst-ignore-net [10.0.0.0/30] \
        alert-mode once \
        output-mode msg \
        tcp-penalties on

output alert_syslog: LOG_AUTH LOG_ALERT
# NOTE(review): `dbname=snort=localhost` is not a valid parameter; it looks
# like `dbname=snort host=localhost` with the space and `host=` lost, which
# is the form the newer config above uses. Credentials here are
# placeholders. (One line in the real file.)
output database: alert, mysql, user=username password=password
dbname=snort=localhost sensor_name=HOME

I get /var/snort/portscan/snort.portscan logging just fine. It seems that I
just have some configuration issue causing this.

Any assistance would be appreciated.

Best regards,

Michael D. Peters 








