Snort mailing list archives
BASE does not fill the BASE Homepage Portscan bar
From: <oalabeatrix () gmail com>
Date: Sun, 1 Dec 2013 19:03:29 +0100
Hi. I know this question has been asked several times on the Internet, but I couldn't manage to solve it. After 2 weeks of working around with Snort, I really wish I could figure this out.

I have two Snort configs on Debian Wheezy. All packages updated from the repository:

    SNORT-mysql --> MYSQL --> Apache --> BASE
    SNORT --> Barnyard2 --> MYSQL --> Apache --> BASE

Network topology (the SNORT IDS is on a port mirror):

    --(Router2)-----------------------------------------
      |-(Router1)----------------PC1 (SNORT IDS)--------------
       \__________192.168.1.0/24______________/
        \________192.168.0.0/24_________/

SNORT is Version 2.9.2.2 IPv6 GRE (Build 121), installed from the apt-get repository.
Barnyard is Version 2.1.13 (Build 327), compiled from sources.
MySQL and Apache2 are the latest versions available from the apt-get repository.
BASE is the latest available version (1.4.5), downloaded and unzipped from sources.

The same phenomenon happens for both SNORT configs: if I do a regular portscan of the 192.168.0.0/24 subnet (nmap 192.168.0.0/24) by PC1, the BASE interface gets populated with alerts, the portscan.log file registers some portscans, and the portscan.log file is acknowledged by BASE if I query a single IP (unique Destination IP --> choosing an IP --> Portscan), but the PORTSCAN bar on the BASE homepage remains desperately EMPTY.

I'm not sure how to troubleshoot this. Here are the most important parts of my snort.conf file (the rest is left default and unchanged):

    # Compatible with Snort Versions:
    # VERSIONS : 2.9.2.2
    .....
    # Setup the network addresses you are protecting
    ipvar HOME_NET 192.168.1.0/24
    ipvar EXTERNAL_NET !$HOME_NET
    .....
    # Target-Based stateful inspection/stream reassembly. For more information, see README.stream5
    preprocessor stream5_global: track_tcp yes, \
       track_udp yes, \
       track_icmp no, \
    .....
    # Portscan detection. For more information, see README.sfportscan
    preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { medium } logfile { /var/log/snort/portscan.log }
    .....
    output alert_syslog: LOG_local0 LOG_ALERT
    output log_tcpdump: tcpdump.log
    output unified2: filename snort.log, limit 128
    .....
    # Note for Debian users: The rules preinstalled in the system
    # can be *very* out of date. For more information please read
    # the /usr/share/doc/snort-rules-default/README.Debian file
    # site specific rules
    include $RULE_PATH/local.rules
    ## Note : Following .rules commenting out left unchanged

--------------------------------------------------------------

The /var/log/snort/portscan.log file gets populated like this:

    Time: 12/01-15:31:52.988044
    event_ref: 0
    192.168.0.100 -> 192.168.1.210 (portscan) TCP Portscan
    Priority Count: 13
    Connection Count: 15
    IP Count: 1
    Scanner IP Range: 192.168.0.100:192.168.0.100
    Port/Proto Count: 15
    Port/Proto Range: 23:8080

    Time: 12/01-15:31:54.883603
    event_ref: 0
    192.168.0.100 -> 192.168.1.240 (portscan) TCP Filtered Portscan
    Priority Count: 0
    Connection Count: 200
    IP Count: 1
    Scanner IP Range: 192.168.0.100:192.168.0.100
    Port/Proto Count: 199
    Port/Proto Range: 21:65000

---------------------------------------------------------------------------------------------

The BASE displayed alerts are these (displaying alerts 1-11 of 11 total):

    Signature                                | Classification  | Total #   | Sensor # | Source Address | Dest. Address | First               | Last
    [snort] ICMP Timestamp Request           | misc-activity   | 11 (0%)   | 1        | 1              | 1             | 2013-11-29 14:20:04 | 2013-11-29 14:45:29
    [snort] SNMP AgentX/tcp request          | attempted-recon | 22 (1%)   | 1        | 1              | 2             | 2013-11-29 14:20:04 | 2013-11-29 17:36:16
    [snort] SNMP request tcp                 | attempted-recon | 22 (1%)   | 1        | 1              | 2             | 2013-11-29 14:20:04 | 2013-11-29 17:36:17
    [snort] ICMP PING undefined code         | misc-activity   | 15 (0%)   | 1        | 1              | 2             | 2013-11-29 14:20:15 | 2013-11-29 17:16:58
    [snort] ICMP PING                        | misc-activity   | 3548 (95%)| 1        | 1              | 2             | 2013-11-29 14:20:15 | 2013-11-30 10:37:33
    [snort] SCAN nmap XMAS                   | attempted-recon | 27 (1%)   | 1        | 1              | 2             | 2013-11-29 14:20:15 | 2013-11-29 17:16:58
    [snort] ICMP PING NMAP                   | attempted-recon | 54 (1%)   | 1        | 1              | 2             | 2013-11-29 14:20:42 | 2013-11-29 17:35:56
    [snort] SNMP trap tcp                    | attempted-recon | 11 (0%)   | 1        | 1              | 2             | 2013-11-29 14:20:44 | 2013-11-29 14:53:11
    [snort] DDOS mstream client to handler   | attempted-dos   | 12 (0%)   | 1        | 1              | 2             | 2013-11-29 14:20:48 | 2013-11-29 14:54:58
    [snort] MISC Source Port 20 to <1024     | bad-unknown     | 1 (0%)    | 1        | 1              | 1             | 2013-11-29 14:21:49 | 2013-11-29 14:21:49
    [snort] ICMP traceroute                  | attempted-recon | 1 (0%)    | 1        | 1              | 1             | 2013-11-29 14:58:06 | 2013-11-29 14:58:06

----------------------------------------------------------------------------------------------------------

Finally, if I reset the database, redo the scan, and dump the MySQL database, this does appear in MySQL and was not there before the scan:

    -- Dumping data for table `signature`
    --
    LOCK TABLES `signature` WRITE;
    /*!40000 ALTER TABLE `signature` DISABLE KEYS */;
    INSERT INTO `signature` VALUES
    (1,'dnp3: DNP3 Application-Layer Fragment uses a reserved function code.',0,0,1,6,145),
    (2,'dnp3: DNP3 Link-Layer Frame uses a reserved address.',0,0,1,5,145),
    (3,'dnp3: DNP3 Reassembly Buffer was cleared without reassembling a complete message.',0,0,1,4,145),
    (4,'dnp3: DNP3 Transport-Layer Segment was dropped during reassembly.',0,0,1,3,145),
    .....
    .....
    (176,'frag3: Fragment packet ends after defragmented packet',0,0,1,4,123),
    (177,'frag3: Short fragment, possible DoS attempt',0,0,1,3,123),
    (178,'frag3: Teardrop attack',0,0,1,2,123),
    (179,'frag3: IP Options on fragmented packet',0,0,1,1,123),
    (180,'portscan: Open Port',0,0,1,27,122),
    (181,'portscan: ICMP Filtered Sweep',0,0,1,26,122),
    (182,'portscan: ICMP Sweep',0,0,1,25,122),
    (183,'portscan: UDP Filtered Distributed Portscan',0,0,1,24,122),
    (184,'portscan: UDP Filtered Portsweep',0,0,1,23,122),
    (185,'portscan: UDP Filtered Decoy Portscan',0,0,1,22,122),
    (186,'portscan: UDP Filtered Portscan',0,0,1,21,122),
    (187,'portscan: UDP Distributed Portscan',0,0,1,20,122),
    (188,'portscan: UDP Portsweep',0,0,1,19,122),
    (189,'portscan: UDP Decoy Portscan',0,0,1,18,122),
    (190,'portscan: UDP Portscan',0,0,1,17,122),
    (191,'portscan: IP Filtered Distributed Protocol Scan',0,0,1,16,122),
    (192,'portscan: IP Filtered Protocol Sweep',0,0,1,15,122),
    (193,'portscan: IP Filtered Decoy Protocol Scan',0,0,1,14,122),
    (194,'portscan: IP Filtered Protocol Scan',0,0,1,13,122),
    (195,'portscan: IP Distributed Protocol Scan',0,0,1,12,122),
    (196,'portscan: IP Protocol Sweep',0,0,1,11,122),
    (197,'portscan: IP Decoy Protocol Scan',0,0,1,10,122),
    (198,'portscan: IP Protocol Scan',0,0,1,9,122),
    (199,'portscan: TCP Filtered Distributed Portscan',0,0,1,8,122),
    (200,'portscan: TCP Filtered Portsweep',0,0,1,7,122),
    (201,'portscan: TCP Filtered Decoy Portscan',0,0,1,6,122),
    (202,'portscan: TCP Filtered Portscan',0,0,1,5,122),
    (203,'portscan: TCP Distributed Portscan',0,0,1,4,122),
    (204,'portscan: TCP Portsweep',0,0,1,3,122),
    (205,'portscan: TCP Decoy Portscan',0,0,1,2,122),
    (206,'portscan: TCP Portscan',0,0,1,1,122),
    (207,'flow-portscan: Sliding Scale Talker Limit Exceeded',0,0,1,4,121),
    (208,'flow-portscan: Fixed Scale Talker Limit Exceeded',0,0,1,3,121),
    (209,'flow-portscan: Sliding Scale Scanner Limit Exceeded',0,0,1,2,121),
    (210,'flow-portscan: Fixed Scale Scanner Limit Exceeded',0,0,1,1,121),
    (211,'http_inspect: MULTIPLE ENCODINGS WITHIN JAVASCRIPT OBFUSCATED DATA',0,0,1,11,120)
    .....
    .....

Does it mean that the portscan does get detected by the sfportscan preprocessor and sent on to the MySQL database? I did notice that the etc/snort/rules/portscan.rules have most rules not tagged with a portscan label, but rules and preprocessors are distinct things, right?

Finally, what puzzles me is these parts of my snort -T output:

    Loading all dynamic preprocessor libs from /usr/lib/snort_dynamicpreprocessor/...
    Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
    Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_imap_preproc.so... done
    Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_modbus_preproc.so... done
    Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done
    Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so... done
    Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_reputation_preproc.so... done
    Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_gtp_preproc.so... done
    Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_sip_preproc.so... done
    Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so... done
    Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
    Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
    Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_pop_preproc.so... done
    Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
    Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_dnp3_preproc.so... done
    Finished Loading all dynamic preprocessor libs from /usr/lib/snort_dynamicpreprocessor/
    Log directory = /var/log/snort
    WARNING: ip4 normalizations disabled because not inline.
    ......
    ......
    Portscan Detection Config:
        Detect Protocols:  TCP UDP ICMP IP
        Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
        Sensitivity Level: Medium
        Memcap (in bytes): 10000000
        Number of Nodes:   19569
        Logfile:           /var/log/snort/portscan.log
    FTPTelnet Config:
    .....
    .....
    Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.15  <Build 18>
    Preprocessor Object: SF_DNP3 (IPV6)  Version 1.1  <Build 1>
    Preprocessor Object: SF_SSH (IPV6)  Version 1.1  <Build 3>
    Preprocessor Object: SF_POP (IPV6)  Version 1.0  <Build 1>
    Preprocessor Object: SF_DNS (IPV6)  Version 1.1  <Build 4>
    Preprocessor Object: SF_FTPTELNET (IPV6)  Version 1.2  <Build 13>
    Preprocessor Object: SF_SDF (IPV6)  Version 1.1  <Build 1>
    Preprocessor Object: SF_SIP (IPV6)  Version 1.1  <Build 1>
    Preprocessor Object: SF_GTP (IPV6)  Version 1.1  <Build 1>
    Preprocessor Object: SF_REPUTATION (IPV6)  Version 1.1  <Build 1>
    Preprocessor Object: SF_DCERPC2 (IPV6)  Version 1.0  <Build 3>
    Preprocessor Object: SF_SSLPP (IPV6)  Version 1.1  <Build 4>
    Preprocessor Object: SF_MODBUS (IPV6)  Version 1.1  <Build 1>
    Preprocessor Object: SF_IMAP (IPV6)  Version 1.0  <Build 1>
    Preprocessor Object: SF_SMTP (IPV6)  Version 1.1  <Build 9>
    Snort successfully validated the configuration!

How come sfportscan is not listed in the beginning and closing parts?

I hope I'll manage to figure out how to have this 'Portscan' bar able to fill up with ruby red ^^
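Added example, not part of the original post or of Snort/BASE: a small parser for the portscan.log records quoted above, so the events sfportscan actually wrote can be listed and counted per scanner IP without going through BASE at all. The two records in SAMPLE_LOG are constructed from the post's own excerpt; "src", "dst" and "scan_type" are key names chosen here.

```python
import re
# Constructed sample: the two records quoted from /var/log/snort/portscan.log in the post above.
SAMPLE_LOG = """\
Time: 12/01-15:31:52.988044
event_ref: 0
192.168.0.100 -> 192.168.1.210 (portscan) TCP Portscan
Priority Count: 13
Connection Count: 15
IP Count: 1
Scanner IP Range: 192.168.0.100:192.168.0.100
Port/Proto Count: 15
Port/Proto Range: 23:8080

Time: 12/01-15:31:54.883603
event_ref: 0
192.168.0.100 -> 192.168.1.240 (portscan) TCP Filtered Portscan
Priority Count: 0
Connection Count: 200
IP Count: 1
Scanner IP Range: 192.168.0.100:192.168.0.100
Port/Proto Count: 199
Port/Proto Range: 21:65000
"""
# The only line in a record without a "key: value" shape: "src -> dst (portscan) <scan type>"
HDR = re.compile(r"^(\S+) -> (\S+) \(portscan\) (.+)$")
def parse_portscan_log(text):
    """Split sfportscan's text log into one dict per blank-line-separated event."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        ev = {}
        for line in block.splitlines():
            m = HDR.match(line)
            if m:
                ev["src"], ev["dst"], ev["scan_type"] = m.groups()
                continue
            key, sep, val = line.partition(":")  # first colon only: ranges like 23:8080 keep theirs
            if sep:
                ev[key.strip()] = int(val.strip()) if val.strip().isdigit() else val.strip()
        if "src" in ev:  # ignore any trailing fragment that never had a header line
            events.append(ev)
    return events
def summarize_by_scanner(events):
    """Per source IP: event count, distinct scan types, and summed Connection Count."""
    out = {}
    for ev in events:
        s = out.setdefault(ev["src"], {"events": 0, "types": set(), "connections": 0})
        s["events"] += 1
        s["types"].add(ev["scan_type"])
        s["connections"] += ev.get("Connection Count", 0)
    return out
```

Running it over the real file (open("/var/log/snort/portscan.log").read()) gives a per-scanner count that can be compared against what BASE shows for gid 122 events; a non-empty result here with an empty BASE bar points at the unified2/barnyard2/BASE side rather than at sfportscan.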
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- BASE does not fill the BASE Homepage Portscan bar oalabeatrix (Dec 03)