Snort mailing list archives
RE: Portscans not displayed in ACID?
From: "Peters, Michael D." <Michael.Peters () acbl net>
Date: Fri, 23 Jan 2004 08:04:55 -0500
Here is one of my three configuration files. This one is for the LAN interface. I have other network segments that use other configuration files. At this time, aside from the IP and MAC addresses, they are the same. The problems that I am having since I upgraded to version 2.1.0 from 2.0.1 are the following:

1. The portscans that Snort detects and that are displayed in the alert logs are not showing up on the ACID opening page % meter. Does anyone know why from looking at my configuration?

2. Two of the three interfaces are showing up with this new version. I can sniff on the missing interface just fine. I have link status and everything physically looks good. The interface is showing up properly with the other two interfaces when I look at the running processes. Has anyone encountered problems with the new version and running multiple interfaces with multiple configurations?

#
var LAN_NET 172.16.0.0/16
var EXTERNAL_NET any
var DNS_SERVERS [172.16.0.55/32,172.16.0.56/32]
var SMTP_SERVERS 172.16.100.17
var HTTP_SERVERS 172.16.100.140
var SQL_SERVERS $LAN_NET
var TELNET_SERVERS $LAN_NET
var SNMP_SERVERS $LAN_NET
var HTTP_PORTS 80
var HTTP_PORTS 3852
var HTTP_PORTS 18080
var HTTP_PORTS 443
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
#
var RULE_PATH ../rules/lan
#
preprocessor flow: stats_interval 60 hash 1
preprocessor portscan: 172.16.0.0/16 5 4 /var/snort/portscan/lan.portscan
preprocessor frag2
preprocessor stream4: keepstats, detect_scans, detect_state_problems, disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
#
preprocessor http_inspect_server: server 172.16.100.140 profile apache ports { 80 443 }
preprocessor http_inspect_server: server 172.16.0.8 profile apache ports { 80 443 3852 18080 }
#
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
#
preprocessor flow-portscan: \
    talker-sliding-scale-factor 0.50 \
    talker-fixed-threshold 30 \
    talker-sliding-threshold 30 \
    talker-sliding-window 20 \
    talker-fixed-window 30 \
    scoreboard-rows-talker 30000 \
    server-watchnet [172.16.0.55/32,172.16.0.56/32,172.16.0.8/32] \
    server-ignore-limit 500 \
    server-rows 65535 \
    server-learning-time 14400 \
    server-scanner-limit 500 \
    scanner-sliding-window 20 \
    scanner-sliding-scale-factor 0.50 \
    scanner-fixed-threshold 15 \
    scanner-sliding-threshold 40 \
    scanner-fixed-window 15 \
    scoreboard-rows-scanner 30000 \
    src-ignore-net [192.168.200.0/24,192.168.201.0/24] \
    dst-ignore-net [10.0.0.0/30] \
    alert-mode all \
    output-mode pktkludge \
    tcp-penalties on
#
preprocessor arpspoof
preprocessor arpspoof_detect_host: 172.16.0.55 00:a0:c9:56:d6:9b
preprocessor arpspoof_detect_host: 172.16.0.56 00:60:94:e5:57:23
#
preprocessor perfmonitor: time 60 flow events file /var/snort/performance/snort.stats pktcnt 10000
#
output alert_syslog: LOG_AUTH LOG_ALERT
output database: alert, mysql, user=someuser password=somepassword dbname=snort host=localhost sensor_name=LAN detail=full
#
include classification.config
#
include reference.config
#
include $RULE_PATH/lan-local.rules
include $RULE_PATH/lan-bad-traffic.rules
include $RULE_PATH/lan-exploit.rules
include $RULE_PATH/lan-scan.rules
include $RULE_PATH/lan-finger.rules
include $RULE_PATH/lan-ftp.rules
include $RULE_PATH/lan-telnet.rules
include $RULE_PATH/lan-rpc.rules
include $RULE_PATH/lan-rservices.rules
include $RULE_PATH/lan-dos.rules
include $RULE_PATH/lan-ddos.rules
include $RULE_PATH/lan-dns.rules
include $RULE_PATH/lan-tftp.rules
include $RULE_PATH/lan-web-cgi.rules
include $RULE_PATH/lan-web-coldfusion.rules
include $RULE_PATH/lan-web-iis.rules
include $RULE_PATH/lan-web-frontpage.rules
include $RULE_PATH/lan-web-misc.rules
include $RULE_PATH/lan-web-client.rules
include $RULE_PATH/lan-web-php.rules
include $RULE_PATH/lan-sql.rules
include $RULE_PATH/lan-x11.rules
include $RULE_PATH/lan-icmp.rules
include $RULE_PATH/lan-netbios.rules
include $RULE_PATH/lan-misc.rules
include $RULE_PATH/lan-attack-responses.rules
include $RULE_PATH/lan-oracle.rules
include $RULE_PATH/lan-mysql.rules
include $RULE_PATH/lan-snmp.rules
include $RULE_PATH/lan-smtp.rules
include $RULE_PATH/lan-imap.rules
include $RULE_PATH/lan-pop2.rules
include $RULE_PATH/lan-pop3.rules
include $RULE_PATH/lan-nntp.rules
include $RULE_PATH/lan-other-ids.rules
include $RULE_PATH/lan-web-attacks.rules
include $RULE_PATH/lan-backdoor.rules
include $RULE_PATH/lan-shellcode.rules
include $RULE_PATH/lan-policy.rules
include $RULE_PATH/lan-porn.rules
include $RULE_PATH/lan-info.rules
include $RULE_PATH/lan-icmp-info.rules
include $RULE_PATH/lan-virus.rules
include $RULE_PATH/lan-chat.rules
include $RULE_PATH/lan-multimedia.rules
include $RULE_PATH/lan-p2p.rules
include $RULE_PATH/lan-experimental.rules
#
# include threshold.conf

Best regards,
Michael D. Peters

-----Original Message-----
From: Jochen [mailto:dibo303 () gmx de]
Sent: Wednesday, January 21, 2004 11:06 AM
To: Peters, Michael D.
Subject: Re: [Snort-users] Portscans not displayed in ACID?

hi Michael,
output-mode msg \
has to be changed in
output-mode pktkludge \
for logging in the standard logging facility (your db). It's all in the README.flow-portscan. :-)

Jochen
Could someone please advise me on what it takes to get portscan traffic to show up in the ACID front page bar graph? I have portscan data showing up in the current alert data, just not in the opening page bar graph. For example:

snort] spp_portscan: PORTSCAN DETECTED from 68.15.238.162 (THRESHOLD 5 connections exceeded in 0 seconds)

These are the configuration parameters in the snort.conf file:

preprocessor flow: stats_interval 300 hash 1
preprocessor portscan: 68.16.185.128/27 5 6 /var/snort/portscan/snort.portscan
preprocessor stream4: keepstats, detect_scans, detect_state_problems, disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor flow-portscan: \
    talker-sliding-scale-factor 0.50 \
    talker-fixed-threshold 30 \
    talker-sliding-threshold 30 \
    talker-sliding-window 20 \
    talker-fixed-window 30 \
    scoreboard-rows-talker 30000 \
    server-watchnet [68.16.185.128/27] \
    server-ignore-limit 200 \
    server-rows 65535 \
    server-learning-time 14400 \
    server-scanner-limit 4 \
    scanner-sliding-window 20 \
    scanner-sliding-scale-factor 0.50 \
    scanner-fixed-threshold 15 \
    scanner-sliding-threshold 40 \
    scanner-fixed-window 15 \
    scoreboard-rows-scanner 30000 \
    src-ignore-net [172.16.0.0/16] \
    dst-ignore-net [10.0.0.0/30] \
    alert-mode once \
    output-mode msg \
    tcp-penalties on
output alert_syslog: LOG_AUTH LOG_ALERT
output database: alert, mysql, user=username password=password dbname=snort host=localhost sensor_name=HOME

I get /var/snort/portscan/snort.portscan logging just fine. It seems that I just have some configuration issue causing this. Any assistance would be appreciated.

Best regards,
Michael D. Peters
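The check behind Jochen's answer, as an added example that is not from anyone in this thread: a small Python script that joins Snort's backslash-continued preprocessor lines, reads the flow-portscan options and flags output-mode msg (which keeps scan events out of the output database plugin that ACID reads), and also flags a var defined more than once, as HTTP_PORTS is in the LAN config above, since only the last definition is in effect. SAMPLE_CONF is a constructed fragment modelled on the configs quoted here, not a real file.

```python
import re

# Constructed snort.conf fragment modelled on the configs quoted in this thread.
SAMPLE_CONF = """\
var HTTP_PORTS 80
var HTTP_PORTS 443
preprocessor flow-portscan: \\
    alert-mode once \\
    output-mode msg \\
    tcp-penalties on
output database: alert, mysql, user=u password=p dbname=snort host=localhost
"""

def logical_lines(text):
    """Yield directives with backslash continuations joined and '#' comments removed."""
    parts = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.endswith("\\"):
            parts.append(line[:-1].strip())
            continue
        joined = " ".join(p for p in parts + [line] if p)
        parts = []
        if joined:
            yield joined

def flow_portscan_options(text):
    """Return flow-portscan options as a dict, or None if the preprocessor is absent."""
    for line in logical_lines(text):
        m = re.match(r"preprocessor\s+flow-portscan:\s*(.*)", line)
        if m:
            toks = m.group(1).split()
            return dict(zip(toks[0::2], toks[1::2]))
    return None

def check_conf(text):
    """Return findings that explain why portscan events may not reach ACID."""
    findings, seen = [], {}
    opts = flow_portscan_options(text)
    if opts and opts.get("output-mode") == "msg":
        # msg writes only to the logging facility; pktkludge builds a synthetic
        # event that passes through output plugins such as 'output database'.
        findings.append("flow-portscan output-mode msg: events bypass output database; use pktkludge")
    for line in logical_lines(text):
        v = re.match(r"var\s+(\S+)\s+(.*)", line)
        if v and v.group(1) in seen:  # Snort keeps only the last assignment
            findings.append(f"var {v.group(1)} redefined; earlier value '{seen[v.group(1)]}' lost")
        if v:
            seen[v.group(1)] = v.group(2)
    return findings
```

Run check_conf() over your own snort.conf text; an empty list means neither of the two pitfalls from this thread is present.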