Snort mailing list archives
Re: Snorby Snort or Barnyard scrambles IPs
From: Ilja Schumacher <ilja.schumacher () gmail com>
Date: Tue, 1 Apr 2014 10:12:15 +0200
Hi guys,

Barnyard2 actually reads everything fine from the u2 logs. All parts of the alarms are shown correctly in DB and Snorby except the IPHDR.source and IPHDR.destination columns.

I have run search functions over the whole system. No u2spewfoo found anywhere. So I guess the snort-Debian-Wheezy-ARMEL package does indeed not have it.

Until now I could not see any barnyard traffic over the eth or lo interface because I had it configured to use "localhost", causing it to use the socket instead of the lo interface. Changed to 127.0.0.1. Now I see the mysql statements barnyard2 is inserting in clear text as you said.

Result: Barnyard2 is inserting wrong values like 3232255270 = *192.168.77.38*, while the u2 logs (I can only read them in HEX, which is still ok) show the correct addresses.

So the current status is:

Snort => snort.u2.log = correct
snort.u2.log => Barnyard2 => DB = 3rd and 4th bytes of IPHDR.source and IPHDR.destination are switched and padded with rubbish for some reason.

I will bring up the issue in the mailing list of barnyard-users (thanks for the link) and report back.

@Alex: Already checked that. Obfuscate IPs is disabled on my system atm.

Cheers and Thanks
Ilja

2014-03-31 18:01 GMT+02:00 Jeremy Hoel <jthoel () gmail com>:

> So the u2 tools are part of the snort package and should be even on debian. "u2spewfoo" lets you look at the u2 files, dumps what they contain in a readable format.
>
> So from your notes it seems BY2 isn't reading the U2 right, or not sending it to mysql correctly. BY2 should send the communication to the DB over plain text (according to your config), so you should see the bad IP going over the wire when it reads the u2 file.
>
> Elz (beenph) is one of the authors of BY2 and there is a mailing list for support, and since I'm not a coder he might have some better ideas. https://groups.google.com/forum/#!forum/barnyard2-users
>
> Looking at past archives I don't see any threads related to running BY2 on arm, so I don't know that it has or has not already been looked at. It is odd that it gets part of the IP, but not all of it.
>
> On Mon, Mar 31, 2014 at 4:05 AM, Ilja Schumacher <ilja.schumacher () gmail com> wrote:
>
>> Hi Jeremy, thanks for your reply:
>>
>> MYSQL: Example Event in Database sid 1 cid 1:
>> ipsrc is: 3232246349 = 11000000101010000010101001001101 = 192.168.42.77
>> Which is totally wrong already because my test network is on 192.168.1.0/24. So Snorby is not the villain here.
>>
>> BARNYARD-ALERTS-LOG: Barnyard2 alerts log also reports wrong IPs. Example Alert:
>> ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 218.77.8.206:34958 -> 192.168.79.34:80
>> The Destination IP is clearly not addressable in my lab network.
>>
>> SNORT U2-LOG: As I have the debian package installed and it has no u2 log converter bundled, I used a hex editor: I have alerts in snorby that are 100% directed towards my testlab asterisk on 192.168.1.4, which would be HEX C0:A8:01:04. The u2 log clearly shows several occurrences of this value matching the count of the events corresponding to 192.168.1.4 in snorby.
>>
>> So there is something wrong in barnyard2 because the u2 log is correct but it somehow writes wrong values into the database.
>>
>> The barnyard2 config is completely stock except for the following line:
>> output database: log, mysql, user=someuser password=somepassword dbname=snorby host=localhost
>> The snort config has:
>> output unified2: filename snort.log, limit 128
>> Barnyard2 is started this way:
>> barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /etc/snort/bylog.waldo
>> All other files needed like gen-msg.map, sid-msg.map and classifications etc. are in the default locations or defined in snort.conf.
>>
>> Thanks again for your help.
>> Cheers
>> Ilja
>>
>> 2014-03-31 9:07 GMT+02:00 Jeremy Hoel <jthoel () gmail com>:
>>
>>> Start with the beginning.. does TCP dump always show the right IP, then do the u2 files show the right IPs (and in syslog if you have that output)? Sniff the traffic and see if BY2 is sending the right IP and then check the db and ensure that it's being stored as the right IP.
>>>
>>> I'm thinking it might have something to do with how the DB is storing the IP, but that's just a guess. If you go through each of these spots it might help narrow down the problem, and maybe in the end it's a snorby issue and you can bring it up on that mailing list.. but it's a good idea to check the other bits first.
>>>
>>> On Mon, Mar 31, 2014 at 2:57 AM, Ilja Schumacher <ilja.schumacher () gmail com> wrote:
>>>
>>>> Hey fellows,
>>>> I have just finished setting up snort, barnyard, mysql, pulledpork and snorby on an ARM5 box. Everything works very nice except that snorby shows totally scrambled IPs for source and destination.
>>>> Example:
>>>> Real source 82.56.35.23
>>>> Real destination 192.168.1.13
>>>> Snorby shows:
>>>> Source 82.56.XX1.13
>>>> Destination 192.168.X35.23
>>>> X is 1 most of the time.
>>>> Setup is: Internet. Firewall/NAT. LanportMirror. Snort.
>>>> Do you have a clue what may cause such strange behaviour?
>>>> Cheers
>>>> Ilja

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
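The thread above narrows the fault down by comparing three forms of the same address: the four bytes seen in a hex editor over the unified2 file (C0:A8:01:04), the unsigned 32-bit integer Barnyard2 writes into the IPHDR source/destination columns (3232255270), and the dotted quad Snorby displays (192.168.77.38). The following Python is an added example, not code from the thread or from Snort, Barnyard2 or Snorby; it converts between those three forms and reports which byte positions differ, so a symptom like "3rd and 4th bytes switched" can be checked row by row instead of by hand. The function names are my own, the sample rows are constructed from values quoted in the thread, and the pairing of u2 bytes with DB values is illustrative rather than a record of the reporter's actual rows.

```python
import socket
import struct

# Added example (not from the thread or from Barnyard2/Snort/Snorby).
# Barnyard2 stores IPv4 addresses in MySQL as unsigned 32-bit integers;
# the unified2 file carries them as four network-order bytes. These
# helpers move between the two and the dotted-quad form so a suspicious
# database row can be checked against the raw log bytes.


def ip_to_int(dotted):
    """'192.168.1.4' -> 3232235780 (network byte order, as stored in the DB)."""
    return struct.unpack("!I", socket.inet_aton(dotted))[0]


def int_to_ip(value):
    """3232255270 -> '192.168.77.38' (decode a value read back from the DB)."""
    return socket.inet_ntoa(struct.pack("!I", value & 0xFFFFFFFF))


def u2_hex_to_ip(hex_bytes):
    """'C0:A8:01:04' as seen in a hex editor over the u2 file -> '192.168.1.4'."""
    return socket.inet_ntoa(bytes.fromhex(hex_bytes.replace(":", "")))


def byte_diff(expected_ip, stored_int):
    """List the address bytes that differ between the u2 value and the DB value.

    Returns (position 1..4, expected_byte, stored_byte) for each mismatch.
    """
    expected = socket.inet_aton(expected_ip)
    stored = struct.pack("!I", stored_int & 0xFFFFFFFF)
    return [(i + 1, expected[i], stored[i]) for i in range(4) if expected[i] != stored[i]]


def check_row(u2_hex, stored_int):
    """Summarise one u2-bytes-vs-DB-integer comparison as a short verdict."""
    expected_ip = u2_hex_to_ip(u2_hex)
    diffs = byte_diff(expected_ip, stored_int)
    if not diffs:
        return "ok: %s" % expected_ip
    # Generic check: is the DB value simply the whole word with its bytes
    # reversed (a big-endian value read back as little-endian)?
    reversed_int = struct.unpack("<I", struct.pack("!I", stored_int & 0xFFFFFFFF))[0]
    if int_to_ip(reversed_int) == expected_ip:
        return "byte-swapped: DB %s, u2 %s" % (int_to_ip(stored_int), expected_ip)
    positions = ",".join(str(p) for p, _, _ in diffs)
    return "mismatch in byte(s) %s: DB %s, u2 %s" % (
        positions, int_to_ip(stored_int), expected_ip)


if __name__ == "__main__":
    # Constructed sample rows: u2 bytes and DB integers quoted in the thread,
    # paired here for illustration only.
    rows = [
        ("C0:A8:01:04", ip_to_int("192.168.1.4")),  # healthy row
        ("C0:A8:01:04", 3232255270),                 # DB holds 192.168.77.38
        ("C0:A8:01:04", 3232246349),                 # DB holds 192.168.42.77
    ]
    for u2_hex, stored in rows:
        print(u2_hex, stored, "->", check_row(u2_hex, stored))
```

Reading the integers back from MySQL can be done in the query itself with the built-in INET_NTOA() function, which performs the same decoding as int_to_ip above; comparing that output against the u2 bytes is the quickest way to tell whether the wrong value was already wrong when it was inserted, as the reporter concluded from watching the INSERT statements on 127.0.0.1.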
Current thread:
- Re: Snorby Snort or Barnyard scrambles IPs Alex Aune (Apr 01)
- <Possible follow-ups>
- Re: Snorby Snort or Barnyard scrambles IPs Ilja Schumacher (Apr 01)
- Re: Snorby Snort or Barnyard scrambles IPs beenph (Apr 01)