Snort mailing list archives
Re: Unified Logging - BASE - Portscans
From: James Lay <jlay () slave-tothe-box net>
Date: Tue, 26 Jul 2011 20:25:55 -0600
Extremely curious! Can you: diff the two portscan files to see if they are different? That's all I got...unless BASE reads portscan data from the db, and snort puts data into the db differently than barnyard2, then I am TOTALLY at a loss...wild! Thanks for keeping on this.

James

On 7/26/11 8:21 PM, "Michael Steele" <michaels () winsnort com> wrote:

James,

Ok, I restarted two completely separate instances, and they are running simultaneously:

VM1: Snort / MySQL / BASE / Unified Logging
VM2: Snort / MySQL / BASE / Output Database Logging

I am now receiving portscans into the portscan.log file on each VM. VM2 is the only instance that displays the portscans in the BASE console. VM1 is configured with Unified2 logging and is receiving portscans into the portscan.log file, but BASE is not processing them.

I'm guessing someone needs to jump in here that has some knowledge of how BASE processes the portscans in order to find out why portscans are being logged into the portscan.log file, but not processed when Unified2 logging is used.

Kindest regards,
Michael...

-----Original Message-----
From: James Lay [mailto:jlay () slave-tothe-box net]
Sent: Monday, July 25, 2011 10:28 PM
To: Michael Steele; Snort
Subject: Re: [Snort-users] Unified Logging - BASE - Portscans

Done and done...nmaped from another netblock I control...sanitized output.

Time: 07/25-20:25:10.421362
event_id: 1
netblock -> external.ip (portscan) TCP Portscan
Priority Count: 5
Connection Count: 59
IP Count: 1
Scanner IP Range: netblock ip range
Port/Proto Count: 62
Port/Proto Range: 21:55600

My output lines in snort.conf:

output alert_syslog: LOG_AUTH LOG_ALERT
output alert_fast: snortalert.fast
output log_tcpdump: snort.pcap
output unified2: filename snortalert.unified

Base still doesn't seem to be able to read it though, which is kind of a drag (even after changing perms to 0644).

James

On 7/25/11 4:45 PM, "Michael Steele" <michaels () winsnort com> wrote:

James,

My portscan.log is 0 bytes. If I turn unified logging off, and turn the output database plugin on, the portscan.log file will be populated with portscan alerts.

This is strange, so you have unified logging turned on and you are receiving data into the portscan.log file?

Can you verify that it's really working by stopping the snort service, deleting the file and restarting the snort service to see if alerts will continue to populate the portscan.log file?

Kindest regards,
Michael...

-----Original Message-----
From: Lay, James [mailto:james.lay () wincofoods com]
Sent: Monday, July 25, 2011 6:00 PM
To: Michael Steele; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Unified Logging - BASE - Portscans

Hi Michael,

Now that's odd...my sfportscan line:

preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low } logfile { portscan.log }

And a tail of my portscan.log:

Time: 07/25-06:37:31.148528
event_id: 750
92.126.55.42 -> external.ip (portscan) UDP Portscan
Priority Count: 45
Connection Count: 86
IP Count: 5
Scanner IP Range: 74.50.52.136:92.126.55.42
Port/Proto Count: 5
Port/Proto Range: 6881:44898

I'm betting this is a different format from 2009's sfportscan? I dunno :(

James

-----Original Message-----
From: Michael Steele [mailto:michaels () winsnort com]
Sent: Monday, July 25, 2011 3:23 PM
To: Lay, James; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Unified Logging - BASE - Portscans

James,

Thanks for taking a look. I know there are a LOT of users on all platforms still using BASE as their console. I was talking to Jason and he tells me that when unified2 logging is used, all alerts go into the unified log file, and I'm assuming that includes portscans. Seems someone would have come up with a solution to view portscans in the BASE console using unified logging.

The below is used in order for BASE to grab the portscans, at least it worked with 'output database':

preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low } logfile { portscan.log }

When the above 'preprocessor sfportscan:' is used with unified logging, all it does is create the portscan.log file and never injects portscans into the log file.

I'm not even real sure if the 'preprocessor sfportscan:' is even needed using the unified logging method, and I'm not real sure how to turn portscans on when using unified2 logging:

preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }

And will the above log portscans to the unified log file?

Kindest regards,
Michael...

-----Original Message-----
From: Lay, James [mailto:james.lay () wincofoods com]
Sent: Monday, July 25, 2011 3:29 PM
To: Michael Steele; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Unified Logging - BASE - Portscans

-----Original Message-----
From: Michael Steele [mailto:michaels () winsnort com]
Sent: Friday, July 22, 2011 9:13 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Unified Logging - BASE - Portscans

I noticed that, moving from output database to unified logging, portscans are no longer displayed in the BASE console. Is there a solution to get this feature back to working in BASE?

Kindest regards,
Michael...

Michael,

FWIW I tried in vain to get this to fly at home...I have the portscan.log file being created as well as pointing to the right spot in base_conf.php, but nothing shows up. I suspect it's a difference in the file format from the time BASE was made. I'm sure an enterprising soul could make the mods to the php files, but that wouldn't be me ;) For now I do without portscan info...BASE gives me what I need without.

James
------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Please see http://www.snort.org/docs for documentation
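The thread turns on two checks: whether sfportscan is actually writing records into portscan.log, and whether those records are in a layout the console expects. The parser below is an added example (it is not from the thread, from Snort or from BASE) that reads the multi-line logfile format exactly as the two entries quoted above show it, so the file can be inspected independently of the console. The sample log is constructed from those two quoted entries, including the thread's own sanitised "netblock" and "external.ip" tokens; the field names, the "Key: value" layout and the "src -> dst (portscan) TYPE" header line are taken from the page, everything else (function names, the malformed-record check, the summary thresholds) is the example's own.

```python
import re
from collections import Counter

# Constructed sample: the two portscan.log entries quoted in the thread,
# in the blank-line-separated layout sfportscan writes to its logfile.
# "netblock" and "external.ip" are the thread's own sanitised tokens.
SAMPLE_PORTSCAN_LOG = """\
Time: 07/25-06:37:31.148528
event_id: 750
92.126.55.42 -> external.ip (portscan) UDP Portscan
Priority Count: 45
Connection Count: 86
IP Count: 5
Scanner IP Range: 74.50.52.136:92.126.55.42
Port/Proto Count: 5
Port/Proto Range: 6881:44898

Time: 07/25-20:25:10.421362
event_id: 1
netblock -> external.ip (portscan) TCP Portscan
Priority Count: 5
Connection Count: 59
IP Count: 1
Scanner IP Range: netblock ip range
Port/Proto Count: 62
Port/Proto Range: 21:55600
"""

# The one header line per record: "<src> -> <dst> (portscan) <scan type>"
HEADER_RE = re.compile(
    r"^(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+\(portscan\)\s+(?P<scan_type>.+?)\s*$"
)

# "Key: value" lines whose value is an integer counter
COUNT_FIELDS = ("Priority Count", "Connection Count", "IP Count", "Port/Proto Count")


def parse_portscan_log(text):
    """Parse sfportscan logfile text into a list of event dicts.

    Records are separated by blank lines. Each consists of "Key: value"
    lines plus one header line matched by HEADER_RE. Lines that fit
    neither shape are collected under "unparsed" so that a format change
    shows up in the output instead of being dropped silently.
    """
    events = []
    for record in re.split(r"\n\s*\n", text.strip()):
        event = {"unparsed": []}
        for raw in record.splitlines():
            line = raw.strip()
            if not line:
                continue
            header = HEADER_RE.match(line)
            if header:
                event.update(header.groupdict())
                continue
            key, sep, value = line.partition(":")
            key, value = key.strip(), value.strip()
            if not sep or not key:
                event["unparsed"].append(line)
                continue
            event[key] = int(value) if key in COUNT_FIELDS and value.isdigit() else value
        events.append(event)
    return events


def malformed_events(events):
    """Return events missing the header line or carrying unparsed lines.

    A non-empty result is the first thing to look at when a console stops
    showing portscans: the file may be written in a layout the reader
    does not expect, which is the suspicion raised in the thread.
    """
    return [ev for ev in events if "src" not in ev or ev["unparsed"]]


def summarize(events, min_priority=0):
    """Count events per scan type and per scanning source.

    With min_priority > 0 only events whose Priority Count field reaches
    that value are counted; events without an integer Priority Count are
    then skipped as well.
    """
    by_type, by_src = Counter(), Counter()
    for ev in events:
        prio = ev.get("Priority Count")
        if min_priority and (not isinstance(prio, int) or prio < min_priority):
            continue
        by_type[ev.get("scan_type", "unknown")] += 1
        by_src[ev.get("src", "unknown")] += 1
    return {"by_type": dict(by_type), "by_src": dict(by_src)}


if __name__ == "__main__":
    parsed = parse_portscan_log(SAMPLE_PORTSCAN_LOG)
    for ev in parsed:
        print(ev["Time"], ev["src"], "->", ev["dst"], ev["scan_type"],
              "priority", ev["Priority Count"])
    print("malformed records:", len(malformed_events(parsed)))
    print(summarize(parsed, min_priority=10))
```

Pointing parse_portscan_log at the real file (read its contents and pass the text) gives a quick answer to Michael's "is it really populating?" question: a growing list of well-formed events means sfportscan is writing, and anything returned by malformed_events is a record the console would likely choke on too.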
Current thread:
- Unified Logging - BASE - Portscans Michael Steele (Jul 22)
- Re: Unified Logging - BASE - Portscans Lay, James (Jul 25)
- Re: Unified Logging - BASE - Portscans Michael Steele (Jul 25)
- Re: Unified Logging - BASE - Portscans Lay, James (Jul 25)
- Re: Unified Logging - BASE - Portscans Michael Steele (Jul 25)
- Re: Unified Logging - BASE - Portscans James Lay (Jul 25)
- Re: Unified Logging - BASE - Portscans Michael Steele (Jul 26)
- Re: Unified Logging - BASE - Portscans James Lay (Jul 26)
- Re: Unified Logging - BASE - Portscans Michael Steele (Jul 26)
- Re: Unified Logging - BASE - Portscans Michael Steele (Jul 27)
- Barnyard2 not inputting portscans (was Unified Logging - BASE - Portscans) James Lay (Jul 27)
- Re: Barnyard2 not inputting portscans (was Unified Logging - BASE - Portscans) beenph (Jul 27)
- Re: Barnyard2 not inputting portscans (was Unified Logging - BASE - Portscans) James Lay (Jul 27)
- Re: Barnyard2 not inputting portscans (was Unified Logging - BASE - Portscans) beenph (Jul 27)
- Re: Unified Logging - BASE - Portscans Michael Steele (Jul 25)
- Re: Barnyard2 not inputting portscans (was Unified Logging - BASE - Portscans) James Lay (Jul 27)
- Re: Barnyard2 not inputting portscans (was Unified Logging - BASE - Portscans) beenph (Jul 27)
- Re: Unified Logging - BASE - Portscans Lay, James (Jul 25)
- Re: Unified Logging - BASE - Portscans Jason Brvenik (Jul 30)