Snort mailing list archives
RE: Port scans not showing up in ACID.
From: "John Creegan" <jcreegan () questarweb com>
Date: Thu, 05 Feb 2004 12:40:39 -0600
Now THERE'S a question I never asked. Since I'm running snort on a Sun SPARC on Solaris 8, I never upgraded from 2.0.4 to 2.1 because there were users reporting problems building it on Solaris. That's recently changed so I plan to upgrade to 2.1, but I'm still running 2.0.4. Hmmm... this *could* be a little embarrassing... When you restarted, did you add the "-z" arg? You'll need it for this to work (at least for 2.0.4).
"Peters, Michael D." <Michael.Peters () acbl net> 02/05/04 12:28PM
Where did you find the information about these changes? I remember from versions prior to 2.1 where these would work but I thought they had been removed. I don't see anything in the snort.conf about it either? I put these changes in and everything started up properly. I'm waiting to see if I get things displayed properly now.

Best regards,
Michael D. Peters

-----Original Message-----
From: John Creegan [mailto:jcreegan () questarweb com]
Sent: Thursday, February 05, 2004 11:02 AM
To: Peters, Michael D.
Subject: RE: [Snort-users] Port scans not showing up in ACID.

I recommend the edits shown below:

Comment out the portscan line.

Add a line for the conversation preprocessor. You may want to alter the options to suit your needs.

Add in a portscan2 line. Portscan2 is newer than portscan. Again, you may want to alter the options to suit your needs.

I indicated new additions with "----->". Of course, you'll need to remove that indicator.
"Peters, Michael D." <Michael.Peters () acbl net> 02/05/04 09:46AM
This is what my snort.conf looks like.

var HOME_NET 172.16.0.0/16
var EXTERNAL_NET any
var DNS_SERVERS [172.16.0.55/32,172.16.0.56/32]
var SMTP_SERVERS 172.16.0.140
var HTTP_SERVERS 172.16.0.140
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80
var HTTP_PORTS 3852
var HTTP_PORTS 443
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var RULE_PATH ../rules

preprocessor flow: stats_interval 60 hash 1
#preprocessor portscan: 172.16.0.0/16 5 4 /var/snort/portscan/lan.portscan
preprocessor frag2
preprocessor stream4: keepstats, detect_scans, detect_state_problems, disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server 172.16.0.140 profile apache ports { 80 443 }
preprocessor http_inspect_server: server 172.16.0.8 profile apache ports { 80 443 3852 }
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
preprocessor flow-portscan: \
    talker-sliding-scale-factor 0.50 \
    talker-fixed-threshold 30 \
    talker-sliding-threshold 30 \
    talker-sliding-window 20 \
    talker-fixed-window 30 \
    scoreboard-rows-talker 30000 \
    server-watchnet [172.16.0.0/16] \
    server-ignore-limit 500 \
    server-rows 65535 \
    server-learning-time 14400 \
    server-scanner-limit 500 \
    scanner-sliding-window 20 \
    scanner-sliding-scale-factor 0.50 \
    scanner-fixed-threshold 15 \
    scanner-sliding-threshold 40 \
    scanner-fixed-window 15 \
    scoreboard-rows-scanner 30000 \
    src-ignore-net [10.0.0.0/30] \
    dst-ignore-net [10.0.0.0/30] \
    alert-mode all \
    output-mode pktkludge \
    tcp-penalties on
preprocessor arpspoof
preprocessor arpspoof_detect_host: 172.16.0.55 00:a0:c9:56:d6:9b
preprocessor arpspoof_detect_host: 172.16.0.56 00:60:94:e5:57:23
-----> preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 3000, alert_odd_protocols
-----> preprocessor portscan2: scanners_max 10000, targets_max 1024, target_limit 5, port_limit 20, timeout 60
preprocessor perfmonitor: time 60 flow events file /var/snort/performance/snort.stats pktcnt 10000

output alert_syslog: LOG_AUTH LOG_ALERT
output database: alert, mysql, user=<username> password=<password> dbname=snort host=localhost sensor_name=LAN detail=full

include classification.config
include reference.config
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/shellcode.rules
include $RULE_PATH/policy.rules
include $RULE_PATH/porn.rules
include $RULE_PATH/info.rules
include $RULE_PATH/icmp-info.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/chat.rules
include $RULE_PATH/multimedia.rules
include $RULE_PATH/p2p.rules
include $RULE_PATH/experimental.rules
include threshold.conf

Best regards,
Michael D. Peters
Senior Network Security Engineer

-----Original Message-----
From: John Creegan [mailto:jcreegan () questarweb com]
Sent: Thursday, February 05, 2004 9:57 AM
To: Peters, Michael D.
Subject: RE: [Snort-users] Port scans not showing up in ACID.

First, are you using a snort configuration file? If so, you will need to make certain that "conversation", "portscan2" (without ignorehosts for now), and stream4 preprocessor with the detect_scans option.

Stop snort. Restart snort, adding the "-z" option. Wait a few minutes, check ACID, and see what happens. You won't see anything displayed on the percentage bar until at least 1% of the total traffic are portscans, but you should begin to see some "spp_portscan2: Portscan detected!" alerts pretty quickly. Once you are seeing these alerts it's time to make some decisions about which hosts, if any, you want to ignore.
"Peters, Michael D." <Michael.Peters () acbl net> 02/05/04 08:21AM
That would be fantastic! What do you want me to do?

Best regards,
Michael D. Peters

-----Original Message-----
From: John Creegan [mailto:jcreegan () questarweb com]
Sent: Thursday, February 05, 2004 9:08 AM
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Port scans not showing up in ACID.

It's not ACID. I'm seeing them here. I'd be happy to go over the differences in our configurations if you like.
"Michael Steele" <michaels () winsnort com> 02/04/04 06:59PM

I believe it to be problem with ACID. I wish it was being actively developed. It seems the programmer has been absent for some time, but I think he is still around, just busy doing other projects. It's free so we can't expect too much :) Maybe someone else could patch it?

Kindest regards,
The WINSNORT.com Management Team
--
Pick up your FREE Windows or UNIX Snort installation guides
mailto:support () winsnort com
Website: http://www.winsnort.com
Snort: Open Source Network IDS - http://www.snort.org
-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Peters, Michael D.
Sent: Wednesday, February 04, 2004 7:19 AM
To: Snort-Users@Lists. Sourceforge. Net (E-mail)
Subject: [Snort-users] Port scans not showing up in ACID.

I have portscan traffic identified in my logs but I don't have it registered in the ACID %meter on the home page. I'm working with the current snort 2.1.0 snapshot. Is there some threshold parameter of some configuration that will help display this portscan activity?

Best regards,
Michael D. Peters

-------------------------------------------------------
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
This message (including any attachments) contains confidential information intended for a specific individual and purpose, and is protected by law. If you are not the intended recipient, you should delete this message and are hereby notified that any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited.
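The first thing Creegan asks for in this thread is to confirm that the sensor itself is emitting "spp_portscan2" alerts before looking at the ACID meter, which stays blank until portscans reach roughly 1% of what ACID sees. That check can be scripted against the sensor's alert file. The Python below is an added example for this archive page, not code from the thread, from Snort, or from ACID. It assumes Snort 2.x "alert_fast" output, that spp_portscan2 alerts carry generator id 117 (the message token is checked as a fallback in case the id differs), and that the sample lines are constructed for illustration (SID 1000001 is a hypothetical local rule, the addresses are documentation ranges).

```python
"""Check a Snort 2.x alert_fast log for spp_portscan2 alerts.

Added example, not from the snort-users thread: parses fast-format alert
lines, counts how many come from the portscan2 preprocessor, and reports
whether that share clears the ~1% level below which the ACID meter stays
blank (the threshold is taken from Creegan's remark, not from ACID's code).
"""
import re
from collections import Counter

# Constructed sample lines in alert_fast format. Message wording, the
# hypothetical local SID 1000001 and the addresses are illustrative; they
# were not captured from the sensor discussed in the thread.
SAMPLE_ALERTS = """\
02/05-11:02:13.120000  [**] [117:1:1] (spp_portscan2) Portscan detected from 10.9.8.7: 1 targets 21 ports in 4 seconds [**] {TCP} 10.9.8.7:44321 -> 172.16.0.140:23
02/05-11:02:14.500000  [**] [1:1000001:1] LOCAL telnet probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.9.8.7:44322 -> 172.16.0.140:23
02/05-11:02:15.100000  [**] [117:1:1] (spp_portscan2) Portscan detected from 10.9.8.7: 3 targets 25 ports in 6 seconds [**] {TCP} 10.9.8.7:44330 -> 172.16.0.56:25
02/05-11:03:01.000000  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.0.2.10 -> 172.16.0.8
02/05-11:03:02.000000  [**] [117:1:1] (spp_portscan2) Portscan detected from 192.0.2.10: 5 targets 40 ports in 9 seconds [**] {TCP} 192.0.2.10:5555 -> 172.16.0.8:80
"""

# alert_fast layout: timestamp [**] [gid:sid:rev] msg [**] [optional class/prio] {proto} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)
# portscan2 names the scanning host in its own message text
SCANNER_RE = re.compile(r"Portscan detected from (?P<scanner>[\d.]+):")
PORTSCAN2_GID = 117          # generator id of spp_portscan2 in Snort 2.x (assumption)
ACID_METER_MIN_PERCENT = 1.0  # share below which the ACID meter shows nothing (from the thread)


def parse_alert(line):
    """Return a dict for one alert_fast line, or None if it is not an alert."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["gid"] = int(rec["gid"])
    rec["sid"] = int(rec["sid"])
    rec["is_portscan2"] = rec["gid"] == PORTSCAN2_GID or "spp_portscan2" in rec["msg"]
    s = SCANNER_RE.search(rec["msg"])
    rec["scanner"] = s.group("scanner") if s else None
    return rec


def summarize(text):
    """Count portscan2 alerts against all alerts and tally scanning sources."""
    alerts = [a for a in (parse_alert(ln) for ln in text.splitlines()) if a]
    scans = [a for a in alerts if a["is_portscan2"]]
    # prefer the host named in the portscan2 message; fall back to the packet source
    scanners = Counter(a["scanner"] or a["src"] for a in scans)
    percent = 100.0 * len(scans) / len(alerts) if alerts else 0.0
    return {
        "total": len(alerts),
        "portscan2": len(scans),
        "percent": percent,
        "scanners": scanners,
        "meter_visible": percent >= ACID_METER_MIN_PERCENT,
    }


if __name__ == "__main__":
    r = summarize(SAMPLE_ALERTS)
    print(f"{r['portscan2']} of {r['total']} alerts are spp_portscan2 ({r['percent']:.1f}%)")
    print("ACID meter should show portscans:", r["meter_visible"])
    for host, n in r["scanners"].most_common():
        print(f"  {host}: {n} portscan2 alert(s)")
```

Point it at the real alert file (for example by reading `/var/log/snort/alert` into `summarize`) after restarting Snort as the thread suggests; if `portscan2` stays at zero the problem is on the sensor side, while a non-zero count with a blank ACID meter points at the database output or ACID itself. The per-scanner tally is also the input for the "which hosts to ignore" decision Creegan mentions.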
Current thread:
- Port scans not showing up in ACID. Peters, Michael D. (Feb 04)
- RE: Port scans not showing up in ACID. Michael Steele (Feb 04)
- <Possible follow-ups>
- RE: Port scans not showing up in ACID. John Creegan (Feb 05)
- RE: Port scans not showing up in ACID. John Creegan (Feb 05)
- RE: Port scans not showing up in ACID. Michael Steele (Feb 05)
- RE: Port scans not showing up in ACID. John Creegan (Feb 05)
- RE: Port scans not showing up in ACID. John Creegan (Feb 05)