Snort mailing list archives

RE: Port scans not showing up in ACID.


From: "John Creegan" <jcreegan () questarweb com>
Date: Thu, 05 Feb 2004 12:40:39 -0600

Now THERE'S a question I never asked.  Since I'm running snort on a Sun
SPARC on Solaris 8, I never upgraded from 2.0.4 to 2.1 because there
were users reporting problems building it on Solaris.

That's recently changed so I plan to upgrade to 2.1, but I'm still
running 2.0.4.  Hmmm... this *could* be a little embarrassing...

When you restarted, did you add the "-z" arg?  You'll need it for this
to work (at least for 2.0.4).

"Peters, Michael D." <Michael.Peters () acbl net> 02/05/04 12:28PM

Where did you find the information about these changes? I remember
from versions prior to 2.1 where these would work but I thought they had
been removed. I don't see anything in the snort.conf about it either?

I put these changes in and everything started up properly. I'm waiting
to see if I get things displayed properly now.

Best regards,

Michael D. Peters 



-----Original Message-----
From: John Creegan [mailto:jcreegan () questarweb com] 
Sent: Thursday, February 05, 2004 11:02 AM
To: Peters, Michael D.
Subject: RE: [Snort-users] Port scans not showing up in ACID.


I recommend the edits shown below:
Comment out the portscan line.
Add a line for the conversation preprocessor.  You may want to alter
the options to suit your needs.
Add in a portscan2 line.  Portscan2 is newer than portscan.  Again,
you may want to alter the options to suit your needs.

I indicated new additions with "----->".  Of course, you'll need to
remove that indicator.

"Peters, Michael D." <Michael.Peters () acbl net> 02/05/04 09:46AM

This is what my snort.conf looks like.


var HOME_NET 172.16.0.0/16
var EXTERNAL_NET any
var DNS_SERVERS [172.16.0.55/32,172.16.0.56/32]
var SMTP_SERVERS 172.16.0.140
var HTTP_SERVERS 172.16.0.140
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80
var HTTP_PORTS 3852
var HTTP_PORTS 443
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var RULE_PATH ../rules
preprocessor flow: stats_interval 60 hash 1
#preprocessor portscan: 172.16.0.0/16 5 4 /var/snort/portscan/lan.portscan
preprocessor frag2
preprocessor stream4: keepstats, detect_scans, detect_state_problems, disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server 172.16.0.140 profile apache ports { 80 443 }
preprocessor http_inspect_server: server 172.16.0.8 profile apache ports { 80 443 3852 }
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
preprocessor flow-portscan: \
        talker-sliding-scale-factor 0.50 \
        talker-fixed-threshold 30 \
        talker-sliding-threshold 30 \
        talker-sliding-window 20 \
        talker-fixed-window 30 \
        scoreboard-rows-talker 30000 \
        server-watchnet [172.16.0.0/16] \
        server-ignore-limit 500 \
        server-rows 65535 \
        server-learning-time 14400 \
        server-scanner-limit 500 \
        scanner-sliding-window 20 \
        scanner-sliding-scale-factor 0.50 \
        scanner-fixed-threshold 15 \
        scanner-sliding-threshold 40 \
        scanner-fixed-window 15 \
        scoreboard-rows-scanner 30000 \
        src-ignore-net [10.0.0.0/30] \
        dst-ignore-net [10.0.0.0/30] \
        alert-mode all \
        output-mode pktkludge \
        tcp-penalties on
preprocessor arpspoof
preprocessor arpspoof_detect_host: 172.16.0.55 00:a0:c9:56:d6:9b
preprocessor arpspoof_detect_host: 172.16.0.56 00:60:94:e5:57:23
-----> preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 3000, alert_odd_protocols
-----> preprocessor portscan2: scanners_max 10000, targets_max 1024, target_limit 5, port_limit 20, timeout 60
preprocessor perfmonitor: time 60 flow events file /var/snort/performance/snort.stats pktcnt 10000
output alert_syslog: LOG_AUTH LOG_ALERT
output database: alert, mysql, user=<username> password=<password> dbname=snort host=localhost sensor_name=LAN detail=full
include classification.config
include reference.config
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules 
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/shellcode.rules
include $RULE_PATH/policy.rules
include $RULE_PATH/porn.rules
include $RULE_PATH/info.rules
include $RULE_PATH/icmp-info.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/chat.rules
include $RULE_PATH/multimedia.rules
include $RULE_PATH/p2p.rules
include $RULE_PATH/experimental.rules
include threshold.conf



Best regards,

Michael D. Peters 
Senior Network Security Engineer



-----Original Message-----
From: John Creegan [mailto:jcreegan () questarweb com] 
Sent: Thursday, February 05, 2004 9:57 AM
To: Peters, Michael D.
Subject: RE: [Snort-users] Port scans not showing up in ACID.


First, are you using a snort configuration file?  If so, you will need
to make certain that "conversation", "portscan2" (without ignorehosts
for now), and the stream4 preprocessor with the detect_scans option are
all enabled.

Stop snort.  Restart snort, adding the "-z" option.

Wait a few minutes, check ACID, and see what happens.  You won't see
anything displayed on the percentage bar until at least 1% of the total
traffic are portscans, but you should begin to see some "spp_portscan2:
Portscan detected!" alerts pretty quickly.

Once you are seeing these alerts it's time to make some decisions about
which hosts, if any, you want to ignore.

"Peters, Michael D." <Michael.Peters () acbl net> 02/05/04 08:21AM

That would be fantastic! What do you want me to do?

Best regards,

Michael D. Peters 



-----Original Message-----
From: John Creegan [mailto:jcreegan () questarweb com] 
Sent: Thursday, February 05, 2004 9:08 AM
To: snort-users () lists sourceforge net 
Subject: RE: [Snort-users] Port scans not showing up in ACID.


It's not ACID.  I'm seeing them here.  I'd be happy to go over the
differences in our configurations if you like.

"Michael Steele" <michaels () winsnort com> 02/04/04 06:59PM
I believe it to be problem with ACID. I wish it was being actively
developed. It seems the programmer has been absent for some time, but
I think he is still around, just busy doing other projects. It's free so
we can't expect too much :)

Maybe someone else could patch it?

Kindest regards, 

The WINSNORT.com Management Team
-- 
Pick up your FREE Windows or UNIX Snort installation guides       
mailto:support () winsnort com 
Website: http://www.winsnort.com 
Snort: Open Source Network IDS - http://www.snort.org 



-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-
admin () lists sourceforge net] On Behalf Of Peters, Michael D.
Sent: Wednesday, February 04, 2004 7:19 AM
To: Snort-Users@Lists. Sourceforge. Net (E-mail)
Subject: [Snort-users] Port scans not showing up in ACID.

I have portscan traffic identified in my logs but I don't have it
registered in the ACID %meter on the home page. I'm working with the
current snort 2.1.0 snapshot. Is there some threshold parameter of some
configuration that will help display this portscan activity?

Best regards,

Michael D. Peters



-------------------------------------------------------
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn 
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net 
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users 
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users 





This message (including any attachments) contains confidential
information intended for a specific individual and purpose,
and is protected by law.  If you are not the intended recipient,
you should delete this message and are hereby notified that any
disclosure,copying, or distribution of this message, or the taking
of any action based on it, is strictly prohibited.
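The checklist John gives in the thread (old "portscan" commented out, "conversation" and "portscan2" enabled, portscan2 without ignorehosts for now, stream4 with detect_scans) is easy to get subtly wrong when directives are split across backslash-continued lines, as they are in the posted snort.conf. The following script is an added example, not code from the Snort project or from anyone in this thread: it joins continuation lines, picks out the enabled preprocessor directives, and reports each item of the checklist. The embedded config text is a constructed sample that mirrors the structure of the posted snort.conf; the directive syntax is the 2.0-era syntax shown in the thread and is assumed, not verified against any particular Snort release.

```python
"""Check a Snort 2.0.x-style snort.conf for the preprocessor settings the
thread says portscan2 alerting depends on.

Added example: not code from the Snort project or from anyone in the thread.
SAMPLE_CONF is constructed to mirror the structure of the posted snort.conf.
"""
import re
from typing import Dict, List

# Constructed sample config, abridged from the shape of the one in the thread.
SAMPLE_CONF = """\
var HOME_NET 172.16.0.0/16
var EXTERNAL_NET any
preprocessor flow: stats_interval 60 hash 1
#preprocessor portscan: 172.16.0.0/16 5 4 /var/snort/portscan/lan.portscan
preprocessor frag2
preprocessor stream4: keepstats, detect_scans, detect_state_problems, \\
        disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor conversation: allowed_ip_protocols all, timeout 60, \\
        max_conversations 3000, alert_odd_protocols
preprocessor portscan2: scanners_max 10000, targets_max 1024, \\
        target_limit 5, port_limit 20, timeout 60
output alert_syslog: LOG_AUTH LOG_ALERT
"""


def logical_lines(text: str) -> List[str]:
    """Join backslash-continued lines, collapse whitespace and drop blanks.
    Commented lines are kept so a caller can tell 'disabled' from 'absent'."""
    out: List[str] = []
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            out.append(" ".join(buf.split()))
        buf = ""
    if buf.strip():  # continuation that runs into end of file
        out.append(" ".join(buf.split()))
    return out


# Matches only lines that *start* with the keyword, so "#preprocessor ..."
# (a commented-out directive) is never treated as active.
PREPROC_RE = re.compile(r"preprocessor\s+([\w-]+)\s*:?\s*(.*)$")


def active_preprocessors(lines: List[str]) -> Dict[str, str]:
    """Map each enabled preprocessor name to its option string ('' if none)."""
    found: Dict[str, str] = {}
    for line in lines:
        m = PREPROC_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def options_of(spec: str) -> List[str]:
    """Split a comma- and/or space-separated option string into tokens."""
    return [tok for tok in re.split(r"[,\s]+", spec) if tok]


def check_portscan2_setup(conf_text: str) -> Dict[str, bool]:
    """One boolean per item of the thread's checklist, plus an overall all_ok."""
    active = active_preprocessors(logical_lines(conf_text))
    result = {
        "old_portscan_disabled": "portscan" not in active,
        "conversation_present": "conversation" in active,
        "portscan2_present": "portscan2" in active,
        "portscan2_without_ignorehosts": "portscan2" in active
        and "ignorehosts" not in options_of(active["portscan2"]),
        "stream4_detect_scans": "detect_scans" in options_of(active.get("stream4", "")),
    }
    result["all_ok"] = all(result.values())
    return result


if __name__ == "__main__":
    for key, ok in check_portscan2_setup(SAMPLE_CONF).items():
        print(f"{'OK     ' if ok else 'MISSING'}  {key}")
```

Run it against a real snort.conf by reading the file into `check_portscan2_setup`; a `MISSING` line for `stream4_detect_scans` or `old_portscan_disabled` is the kind of mismatch the thread is chasing. The "-z" command-line flag John mentions is a startup argument, not a config directive, so it is outside what this checker can see.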