Snort mailing list archives
Re: Problem with using 2 sensors
From: Kevin Ross <kevross33 () googlemail com>
Date: Sat, 8 Oct 2011 20:57:32 +0100
1) Yes. What to do is install MySQL on one of them and point the other at it.

2) If you are in production networks have 2 network cards. Have one which is sniffing the network with a spanned/mirrored port on the switch with no IP and have another network card with an IP address assigned. In production generally sensors will be all over the place so you manage remotely. Use firewalls to control access (in this instance say you have a 10.X.X.X network; change for your IPs, interface etc). Something like this would work well for you and provide better logging. (Do iptables -F to flush the firewall, iptables -L to view what it is currently.) If you flush, and once you are happy with these settings that you have them right (for management interfaces, networks etc), do /etc/init.d/iptables save or whatever it is for your system (I assume Linux, though use the firewall on whatever system you are using).

# Accept established connections
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# EXPLICIT LOG AND DROP FOR FORWARD AND INPUT CHAINS
iptables -A INPUT -j LOG --log-prefix "DROP " --log-tcp-options --log-ip-options
iptables -A INPUT -j DROP
iptables -A FORWARD -j LOG --log-prefix "DROP " --log-tcp-options --log-ip-options
iptables -A FORWARD -j DROP

# ALLOW LOOPBACK TRAFFIC
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -I OUTPUT 1 -o lo -j ACCEPT
iptables -A OUTPUT -o eth0 -j ACCEPT

# Allows access for management/database (you can, instead of the whole network, do the IT network, management IPs or whatever).
# I suggest HTTPS for BASE, SSH for management and then your mysql access.

# SSH
iptables -I INPUT 1 -s 10.0.0.0/8 -p tcp --destination-port 22 -j ACCEPT

# ALLOW ACCESS FOR SSL FOR BASE
iptables -I INPUT 1 -s 10.0.0.0/8 -p tcp --destination-port 443 -j ACCEPT

# ALLOW MYSQL ACCESS FOR YOUR SENSOR/S
iptables -I INPUT 1 -s 10.SPECIFIC -p tcp --destination-port 3306 -j ACCEPT

# SETUP BASIC PORTSCAN DETECTION
iptables -N PORTSCAN-LOG
iptables -A PORTSCAN-LOG -m limit --limit 3/minute -j LOG --log-level warning --log-prefix "PORTSCAN: " --log-tcp-options --log-ip-options
iptables -A PORTSCAN-LOG -j DROP
iptables -N PORTSCAN
iptables -I INPUT 1 -j PORTSCAN
iptables -A PORTSCAN -p tcp --tcp-flags SYN,FIN SYN,FIN -j PORTSCAN-LOG
iptables -A PORTSCAN -p tcp --tcp-flags SYN,RST SYN,RST -j PORTSCAN-LOG
iptables -A PORTSCAN -p tcp --tcp-flags ACK,FIN FIN -j PORTSCAN-LOG
iptables -A PORTSCAN -p tcp --tcp-flags ACK,URG URG -j PORTSCAN-LOG
iptables -A PORTSCAN -p tcp --tcp-flags ACK,PSH PSH -j PORTSCAN-LOG
iptables -A PORTSCAN -p tcp --tcp-flags FIN,RST FIN,RST -j PORTSCAN-LOG
iptables -A PORTSCAN -p tcp --tcp-flags ALL NONE -j PORTSCAN-LOG
iptables -A PORTSCAN -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j PORTSCAN-LOG

# Install OSSEC for local HIDS to log and protect the system (you can use blocking and then whitelist your internal network)
http://www.ossec.net/

3) Snort should output unified2:

output unified2: filename snort.log, limit 128, mpls_event_types, vlan_event_types

Barnyard2 should be something like:

output database: log, mysql, user=snort password=YOUR_PASSWORD dbname=snort host=localhost

# Use these features (make sure you have u2spewfoo and stuff from the install tool folder to actually use this data). This is handy; for instance, say you had an alert for a web exploit but weren't sure, you could use this to see what the host and URI was to help find out if it was bad. Suricata also has extensive HTTP logging for alerts (http://www.openinfosecfoundation.org/index.php/downloads).
http://blog.snort.org/2011/09/snort-291-http-and-smtp-logging.html

Generally it depends on the alert. With the recommended settings, if you get something like a HTTP web exploit you should expect to see all of the packet; if it is a scan or connection you will only see IP addresses, flags etc.

4) Use emergingthreats rules, especially the IP lists (botnet CnCs, RBN, compromised etc) and the trojan, malware, user-agents, current event sigs at least.

On 8 October 2011 18:03, Mike Boeckeler <boeckelr () gmail com> wrote:
Hi Kev,

I'm glad that I asked that question, but unfortunately it leads to more questions:

1) Just so I know that we are on the same page....will doing all of this allow me to successfully use 2 sensors...with one MySQL database and one BASE install?

2) Second, I was always under the impression that when setting up a Snort sensor, in order to keep it stealthy you do not assign it an IP address. If that is the case, then how do I do what you suggest? I mean, if I set up eth1 as follows: "ifconfig eth1 0.0.0.0", then what IP address do I have MySQL bind to?

3) Third - when I had Snort/BASE running last week (when it would only report alerts on one sensor), I noticed that the amount of data shown in BASE for each alert was kind of skimpy compared to the way it was when I had it set up in the past. So that leads to output questions: Should I use "output database: log...." or "output database: alert" if I want to maximize what is captured by Snort/MySQL? And in barnyard2.conf should I use "output alert_fast" or "output alert_full"? I have looked for the answers to all of these questions - I get conflicting info on them.

One more thing - If I can ever get this set up successfully, I am going to write a config guide and submit it to Snort.org - I have looked thru all of the guides that are currently posted there, and not one of them mentions half of the things that you all have told me on this thread.

Take care and thanks again for your help.

Mike

On Sat, Oct 8, 2011 at 8:56 AM, Kevin Ross <kevross33 () googlemail com> wrote:

Yes. You just need to configure the database user to be snort@REMOTE_SENSOR_IP. Set up MySQL to bind to the IP address, point barnyard on the remote sensor to log to the remote database and then allow access through the firewall.

i.e.

LOCAL:

mysql configuration file:
bind-address=LOCAL_IP

iptables -I INPUT 1 -s REMOTE_SENSOR -p tcp --destination-port 3306 -j ACCEPT

mysql -u root -p
grant ALL PRIVILEGES on snort.* to snort@REMOTE_IP with GRANT option;
SET PASSWORD FOR snort@REMOTE_IP=PASSWORD('test');

REMOTE:

Make sure to write snort Unified 2. Snort opening a database itself rather than just writing to unified2 slows snort down significantly as it cannot watch the network while doing this; over the network it will be even slower.

barnyard2.conf:
output database: log, mysql, dbname=snort user=snort password=test host=LOCAL_IP

restart barnyard

Also in barnyard2.conf set the localhost name to be something meaningful to that sensor so when you look at snort, say with BASE, you can narrow down by sensor and also see what sensor is actually generating the alert, i.e.

Internet_Sensor
Server_Room1
Server_Room2
Remote_Site1

And so on. Otherwise you will have difficulty telling which sensors are actually generating the alerts.

Also use emergingthreats.net signatures for more insight into malware and current events.
http://www.emergingthreats.net/index.php?option=com_content&view=frontpage&Itemid=1

You can see rule updates for ET (Free) and ETPRO (paid) here: http://blog.emergingthreatspro.com/

Regards,
Kev

On 8 October 2011 02:19, Mike Boeckeler <boeckelr () gmail com> wrote:

Hi everyone,

I wanted to thank all of you for giving such detailed responses. I am going to try to tackle this again tonight and this weekend. I posted my original message at the bottom of this in case you forgot the issues involved...after reading thru all of your responses I have another question or two:

OK, so I will set up two instances of Snort, Barnyard2, 2 unique unified2 files etc.....but what about MySQL? Will the single MySQL database work with this setup? Or will I need to create a unique database for each sensor....and then a unique install of BASE for each sensor?

Thanks again!
Mike

BTW I don't know where I got the -E command line option from.

On Tue, Sep 27, 2011 at 4:27 PM, Lay, James <james.lay () wincofoods com> wrote:

<snip>
/usr/local/bin/snort -E -u snort -g snort -c /etc/snort/snort.conf -i eth1 &
/usr/local/bin/snort -E -u snort -g snort -c /etc/snort/snort.conf -i eth2 &
/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf \
  -d /var/log/snort -f snort.log -w /etc/snort/bylog.waldo \
  -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map \
  -C /etc/snort/classification.config
<snip>

Mike,

Just like folks are saying, you'll need two separate instances of both snort AND barnyard2 (I thought the same thing when I first started with barnyard...thought "I can run it once and it will read all my u2 files from all my running snort instances"...wrong ;)). I would copy snort.conf to snort1.conf and snort2.conf, and barnyard2.conf to barnyard21.conf and barnyard22.conf, then change where they log, at least where the u2 files are kept for snort, and change to reflect the interface in both barnyard files.

Change in your barnyard2 conf files:

Barnyard21:
config interface: eth1

Barnyard22:
config interface: eth2

And in your snort conf files:

Snort1.conf:
output unified2: filename /var/log/snort1/snort1.u2

Snort2.conf:
output unified2: filename /var/log/snort2/snort2.u2

Then run like so:

/usr/local/bin/snort -D -u snort -g snort -c /etc/snort/snort1.conf -i eth1 &
/usr/local/bin/snort -D -u snort -g snort -c /etc/snort/snort2.conf -i eth2 &
/usr/local/bin/barnyard2 -c /etc/snort/barnyard21.conf -d /var/log/snort1 -f snort1.u2 -w /etc/snort/snort1.waldo -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map -C /etc/snort/classification.config
/usr/local/bin/barnyard2 -c /etc/snort/barnyard22.conf -d /var/log/snort2 -f snort2.u2 -w /etc/snort/snort2.waldo -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map -C /etc/snort/classification.config

I've found separating out the .u2 files in different directories to be cleaner (although I have all instances logging to a single all.fast file for easy monitoring). You can change the names to whatever...I've found naming the interfaces (internal/external) and integrating it into the conf name works well too (intbyard2.conf, intsnort.conf).

Hope that helps.

James

------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity and more. Splunk takes this data and makes sense of it. Business sense. IT sense. Common sense.
http://p.sf.net/sfu/splunk-d2dcopy1
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

-------------------------------------------------------------------------------------------
Original Message:

On Tue, Sep 27, 2011 at 3:53 PM, Mike Boeckeler <boeckelr () gmail com> wrote:

Hi everyone,

A few days ago I posted a message about how no matter what I tried, I could not get my setup running. Needless to say my frustration level was off of the charts. Anyway I seem to have crossed most of the hurdles and have gotten almost everything working. I am running Ubuntu 10.04, Snort 2.9.1, Snortrules-snapshot-2910, BASE and Barnyard2. I have 3 interfaces - eth0 goes to the Internet for updates etc.....eth1 is a sensor and it is located on a hub between my DSL modem and router. eth2 is also a sensor, and it is located on a SPAN port, monitoring traffic inside of my ASA. BTW I used the Snort/Debian install guide posted on Snort.org for most of this install.

If I start up first Snort and then Barnyard2 like you see below, everything runs, but BASE only reports alerts on eth2 (inside my network). Also, it only reports that there is 1 interface.

/usr/local/bin/snort -E -u snort -g snort -c /etc/snort/snort.conf -i eth1 &
/usr/local/bin/snort -E -u snort -g snort -c /etc/snort/snort.conf -i eth2 &
/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf \
  -d /var/log/snort -f snort.log -w /etc/snort/bylog.waldo \
  -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map \
  -C /etc/snort/classification.config

Now I know that traffic is getting thru by using Wireshark and tcpdump to watch eth1 and eth2 as I try to trigger alerts with nmap. In fact, if I forget about BASE, Barnyard and MySQL, and run snort like this: "snort -i eth1" in one terminal, and "snort -i eth2" in another terminal, both get the alerts that they should. So the problem must be in MySQL, Barnyard2, etc. I have tried using two different snort.confs - one for the command that starts the eth1 instance; and the other for the command that starts the eth2 instance, but to no avail.

Does anybody have any ideas that might help? I have emailed Joel off-list and he provided some good insights on particular issues, but I still need help with the aforementioned problems.

I greatly appreciate any help that you guys can provide.

Thanks!
Mike
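The thread recommends writing unified2 from Snort and letting Barnyard2 do the database work, and mentions using u2spewfoo on the unified2 files to see which host and URI a web-exploit alert actually fired on. The reader below is an added example, not code from this thread or from Snort/Barnyard2: it walks a unified2 byte stream, pairs each IDS event with its packet record on (sensor_id, event_id, event_second), and pulls the HTTP request line and Host header out of the packet. It assumes the unified2 record layouts for UNIFIED2_IDS_EVENT (type 7, the IPv4 event) and UNIFIED2_PACKET (type 2) in network byte order, and Ethernet (DLT_EN10MB) frames; other record types (VLAN/MPLS/IPv6 events, extra data) are skipped by their header length. The sample records are constructed in the script, not taken from a sensor.

```python
#!/usr/bin/env python3
"""Minimal unified2 reader: pair an IDS event with its packet and show the
HTTP request that triggered it (the lookup u2spewfoo or BASE gives you).

Added example, not code from the thread or from Snort/Barnyard2. Assumes the
record layouts for UNIFIED2_IDS_EVENT (type 7, IPv4) and UNIFIED2_PACKET
(type 2), network byte order, and Ethernet frames; every other record type is
skipped. The sample records below are constructed, not real sensor output."""
import socket
import struct

UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
RECORD_HDR = struct.Struct(">II")       # record type, body length
IDS_EVENT = struct.Struct(">11I2H4B")   # 52-byte IPv4 event body
PACKET_HDR = struct.Struct(">7I")       # 28-byte packet header, then packet_data


def iter_records(blob):
    """Yield (type, body) for each record; raise on a truncated file."""
    off = 0
    while off + RECORD_HDR.size <= len(blob):
        rtype, length = RECORD_HDR.unpack_from(blob, off)
        off += RECORD_HDR.size
        if off + length > len(blob):
            raise ValueError("truncated unified2 record at offset %d" % off)
        yield rtype, blob[off:off + length]
        off += length


def parse_ids_event(body):
    f = IDS_EVENT.unpack_from(body)
    ntoa = lambda n: socket.inet_ntoa(struct.pack(">I", n))  # 4 raw address bytes
    return {"sensor_id": f[0], "event_id": f[1], "event_second": f[2],
            "sid": f[4], "gid": f[5], "rev": f[6], "priority": f[8],
            "src": ntoa(f[9]), "dst": ntoa(f[10]), "sport": f[11], "dport": f[12],
            "proto": f[13]}


def parse_packet(body):
    f = PACKET_HDR.unpack_from(body)
    return {"sensor_id": f[0], "event_id": f[1], "event_second": f[2],
            "linktype": f[5], "data": body[PACKET_HDR.size:PACKET_HDR.size + f[6]]}


def tcp_payload(frame):
    """Strip Ethernet/IPv4/TCP headers; b'' if not an untagged IPv4 TCP frame."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":
        return b""
    ip = frame[14:]
    if ip[0] >> 4 != 4 or ip[9] != 6:          # IPv4 with protocol TCP
        return b""
    tcp = ip[(ip[0] & 0x0F) * 4:]
    return tcp[(tcp[12] >> 4) * 4:]


def http_request_summary(payload):
    """(method, uri, host) for an HTTP request payload, else None."""
    head = payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    parts = head[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    host = None
    for line in head[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace")
    return parts[0].decode("ascii", "replace"), parts[1].decode("ascii", "replace"), host


def correlate(blob):
    """Join events to packets on (sensor_id, event_id, event_second)."""
    events, packets = {}, {}
    for rtype, body in iter_records(blob):
        if rtype == UNIFIED2_IDS_EVENT:
            e = parse_ids_event(body)
            events[(e["sensor_id"], e["event_id"], e["event_second"])] = e
        elif rtype == UNIFIED2_PACKET:
            p = parse_packet(body)
            packets[(p["sensor_id"], p["event_id"], p["event_second"])] = p
    result = []
    for key, e in events.items():
        p = packets.get(key)
        http = http_request_summary(tcp_payload(p["data"])) if p and p["linktype"] == 1 else None
        result.append((e, http))
    return result


def build_sample():
    """Constructed event + packet pair (gid 1, sid 1122) as Snort would write them."""
    http = (b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\n"
            b"Host: www.example.com\r\nUser-Agent: scanner\r\n\r\n")
    tcp = struct.pack(">HHIIBBHHH", 51000, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    src, dst = socket.inet_aton("10.20.30.40"), socket.inet_aton("10.0.0.80")
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(http),
                     1, 0x4000, 64, 6, 0, src, dst)
    frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp + http
    ev = IDS_EVENT.pack(1, 7, 1318103852, 0, 1122, 1, 3, 33, 2,
                        struct.unpack(">I", src)[0], struct.unpack(">I", dst)[0],
                        51000, 80, 6, 0, 0, 0)
    pk = PACKET_HDR.pack(1, 7, 1318103852, 1318103852, 123456, 1, len(frame)) + frame
    return (RECORD_HDR.pack(UNIFIED2_IDS_EVENT, len(ev)) + ev
            + RECORD_HDR.pack(UNIFIED2_PACKET, len(pk)) + pk)


if __name__ == "__main__":
    for e, http in correlate(build_sample()):
        print("[%d:%d:%d] %s:%d -> %s:%d" % (e["gid"], e["sid"], e["rev"],
              e["src"], e["sport"], e["dst"], e["dport"]))
        if http:
            print("  %s %s  Host: %s" % http)
```

To run it against a real spool, read one of the snort.log.NNNN files into `blob` instead of calling build_sample(); the sid/gid/rev tuple printed is what you look up in sid-msg.map. Packet records are only written when the rule logs the packet, so a pure scan alert will correlate to no packet and `http` will be None, which matches the point made above that for scans you will only see addresses and flags.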
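The iptables ruleset recommended above logs every rejected packet on the management interface with a "DROP " prefix and the classic scan flag combinations with a "PORTSCAN: " prefix, but the thread does not say what to do with those lines once they are in the kernel log. The script below is an added example, not part of any post in the thread: it parses netfilter LOG lines of that shape (KEY=VALUE fields plus bare TCP flag tokens such as SYN FIN), aggregates them per source address, names the scan type from the flag combination, and reports the sources worth a look (any PORTSCAN hit, or DROPs across three or more distinct ports). The two prefixes and the rest of the line layout are assumptions taken from the rules above; the log lines in the script are constructed to look like that output and are not captured data.

```python
#!/usr/bin/env python3
"""Summarise "DROP " and "PORTSCAN: " hits from the kernel log on a sensor
management interface firewalled with the iptables rules in this thread.

Added example, not from the original post. It assumes the two --log-prefix
strings used in those rules and the standard netfilter LOG line layout
(KEY=VALUE fields plus bare TCP flag tokens). The log lines below are
constructed to look like that output; they are not real captured data."""
import re

TCP_FLAGS = {"SYN", "FIN", "ACK", "RST", "PSH", "URG"}
LINE_RE = re.compile(r"kernel: (?P<prefix>DROP |PORTSCAN: )(?P<rest>.*)$")

MAC = "MAC=00:0c:29:11:22:33:00:50:56:aa:bb:cc:08:00"
SAMPLE_KLOG = f"""\
Oct  8 20:57:30 sensor1 kernel: eth0: link becomes ready
Oct  8 20:57:32 sensor1 kernel: PORTSCAN: IN=eth0 OUT= {MAC} SRC=10.20.30.40 DST=10.0.0.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44444 DPT=22 WINDOW=1024 RES=0x00 SYN FIN URGP=0
Oct  8 20:57:32 sensor1 kernel: PORTSCAN: IN=eth0 OUT= {MAC} SRC=10.20.30.40 DST=10.0.0.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44445 DPT=443 WINDOW=1024 RES=0x00 URGP=0
Oct  8 20:57:33 sensor1 kernel: PORTSCAN: IN=eth0 OUT= {MAC} SRC=10.20.30.40 DST=10.0.0.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44446 DPT=3306 WINDOW=1024 RES=0x00 FIN PSH URG URGP=0
Oct  8 20:57:33 sensor1 kernel: PORTSCAN: IN=eth0 OUT= {MAC} SRC=10.20.30.40 DST=10.0.0.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44447 DPT=8080 WINDOW=1024 RES=0x00 SYN RST URGP=0
Oct  8 20:58:01 sensor1 kernel: DROP IN=eth0 OUT= {MAC} SRC=10.0.5.5 DST=10.0.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31337 DF PROTO=TCP SPT=51000 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A0000000000000000)
Oct  8 20:58:02 sensor1 kernel: DROP IN=eth0 OUT= {MAC} SRC=10.0.5.5 DST=10.0.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31338 DF PROTO=TCP SPT=51001 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Oct  8 20:58:05 sensor1 kernel: DROP IN=eth0 OUT= {MAC} SRC=192.0.2.9 DST=10.0.0.10 LEN=78 TOS=0x00 PREC=0x00 TTL=48 ID=4242 PROTO=UDP SPT=50123 DPT=161 LEN=58
"""


def parse_klog_line(line):
    """Return a dict for one firewall LOG line, or None for any other kernel line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group("rest").split():
        key, sep, val = tok.partition("=")
        if sep:
            fields.setdefault(key, val)   # keep the first LEN= (IP header), not the UDP one
        elif tok in TCP_FLAGS:
            flags.add(tok)
    return {"prefix": m.group("prefix").strip().rstrip(":"),
            "src": fields.get("SRC"), "dst": fields.get("DST"),
            "proto": fields.get("PROTO"),
            "dpt": int(fields["DPT"]) if "DPT" in fields else None,
            "flags": frozenset(flags)}


def summarize(klog_text):
    """Per source address: hit counts by prefix, ports touched, TCP flag combos seen."""
    per_src = {}
    for line in klog_text.splitlines():
        rec = parse_klog_line(line)
        if rec is None:
            continue
        s = per_src.setdefault(rec["src"], {"DROP": 0, "PORTSCAN": 0,
                                             "ports": set(), "flag_combos": set()})
        s[rec["prefix"]] += 1
        if rec["dpt"] is not None:
            s["ports"].add(rec["dpt"])
        if rec["proto"] == "TCP":
            s["flag_combos"].add(rec["flags"])
    return per_src


def suspect_sources(per_src, min_ports=3):
    """Any PORTSCAN hit, or DROPs against min_ports or more distinct ports."""
    return sorted(src for src, s in per_src.items()
                  if s["PORTSCAN"] > 0 or len(s["ports"]) >= min_ports)


def describe_flags(flags):
    """Name the scan signatures the PORTSCAN chain matches on."""
    if not flags:
        return "NULL"
    if flags == {"FIN", "PSH", "URG"}:
        return "XMAS"
    if "SYN" in flags and ({"FIN", "RST"} & flags):
        return "SYN+" + "/".join(sorted(flags - {"SYN"}))
    return "/".join(sorted(flags))


if __name__ == "__main__":
    summary = summarize(SAMPLE_KLOG)
    for src in suspect_sources(summary):
        s = summary[src]
        combos = ", ".join(describe_flags(f) for f in sorted(s["flag_combos"], key=sorted))
        print("%s: DROP=%d PORTSCAN=%d ports=%s flags=[%s]"
              % (src, s["DROP"], s["PORTSCAN"], sorted(s["ports"]), combos))
```

Feed it `/var/log/kern.log` (or `dmesg` output) instead of SAMPLE_KLOG on a real sensor. Note that the PORTSCAN-LOG chain rate-limits its LOG target to 3/minute, so the counts you get are a floor, not the real number of probes; the DROP rules have no limit, which is why the distinct-port count is the more useful indicator for plain SYN sweeps that the flag rules do not catch.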
Current thread:
- Re: Problem with using 2 sensors Mike Boeckeler (Oct 07)
- Re: Problem with using 2 sensors James Lay (Oct 07)
- Re: Problem with using 2 sensors Kevin Ross (Oct 08)
- Re: Problem with using 2 sensors Mike Boeckeler (Oct 08)
- Re: Problem with using 2 sensors James Lay (Oct 08)
- Re: Problem with using 2 sensors Joel Esler (Oct 08)
- Re: Problem with using 2 sensors Kevin Ross (Oct 08)
- Re: Problem with using 2 sensors Mike Boeckeler (Oct 08)