Snort mailing list archives

Previous By Date Next
Previous By Thread Next

IDS problems -> part two (unresolved)

From: Jasmine CHUA <Jasmine.Chua () internationalsos com>
Date: Thu, 22 Apr 2004 17:55:17 +0800
 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



-----Original Message-----
From: Guillaume Arcas [mailto:guillaume.arcas () free fr]
Sent: Thursday, April 22, 2004 15:59
To: Jasmine CHUA
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] ids problems


If you want flow-portscans alerts to be logged in your database, you have
to adjust the settings of your database output plugin (in snort.conf).

Here's a usefull link about how snort distinguishes - and uses - log and
alert facilities :
http://www.theadamsfamily.net/~erek/snort/logging_methods.txt



-- 
Guillaume Arcas

--------------------------------------------------
Il faut nous quitter. Nous sommes deux enfants,
nous avons fait une folie. (Yvonne de Galais)


Mmm.. But I am using barnyard instead to log into database and dont want to
'overload' snort. I have configured snort to output to syslog as well as
unified log file format. I am not using any of the database plugins for
snort. 

To make things clearer, what I meant is that I already have a couple of
flow-portscan packets in my database as well as showing up on ACID:

Generated by ACID v0.9.6b23 on Thu, 22 Apr 2004 00:44:28 +0000

-
----------------------------------------------------------------------------
--
#(2 - 1) [2004-04-16 03:11:58] [snort/3]  flow-portscan: Fixed Scale Talker
Limit Exceeded
IPv4: 202.157.139.69 -> xx.xx.xx.xx
      hlen=5 TOS=16 dlen=511 ID=0 flags=0 offset=0 TTL=0 chksum=0
Payload:  length = 491

000 : 41 64 64 72 65 73 73 3A 20 32 30 32 2E 31 35 37   Address: 202.157
010 : 2E 31 33 39 2E 36 39 0A 41 54 5F 53 43 4F 52 45   .139.69.AT_SCORE
020 : 3A 20 31 36 0A 53 54 5F 53 43 4F 52 45 3A 20 31   : 16.ST_SCORE: 1
- -----< SNIP >--------------------

However, the problem is that I noticed after restarting snort + barnyard,
only the very 1st flow-portscan alert gets logged into database and on ACID
like the above sample packet. But not the rest of the flow-portscan alerts. 

And, if I restart just barnyard alone, I dontsee any of the flow-portscan
alerts getting logged into database and on ACID at all.  

This is my earlier thread in case anyone misses it:

Problem 1)

Flow-Portscan works but not quite well for me. On Acid I only see the very
first portscan alert and thereafter, I don't get to see the next and the
next portscan alert on Acid. Its really weird. Right now, I can only see all
the portscan alerts in syslog. 

Here's my snort.conf:

preprocessor flow: stats_interval 0 hash 2
preprocessor flow-portscan: unique-memcap 5000000 unique-rows 50000
tcp-penalties on server-scanner-limit 4 server-watchnet $HOME_NET alert-mode
once output-mode pktkludge

Problem 2)

On ACID
ICMP traffic - I get to see the full payload 
TCP traffic - I don't get to see the full payload. Its still complaining of
fast logging mode. 

Each Snort Config file has its output configured as:
output alert_syslog: LOG_DAEMON LOG_ALERT
output log_unified: filename snort.log, limit 128

Each Barnyard Config:
processor dp_log
processor dp_stream_stat
output log_acid_db: mysql, sensor_id 1, database snort, server localhost,
user xxxx, password xxxx, detail full

How I run Snort:

/usr/bin/snort -D -U -o -I -c /etc/snort/snort.conf -i eth1 -u snort -g
snort -l /var/log/snort/ -F /etc/snort/filter.bpf
/usr/bin/snort -D -U -o -I -c /etc/snort/snorttwo.conf -i eth2 -u snort -g
snort -l /var/log/snort_eth2/ -F /etc/snort/filter.bpf

How I run Barnyard:

/usr/bin/barnyard -c /etc/snort/barnyard.conf -d /var/log/snort/ -g
/etc/snort/gen-msg.map -s /etc/snort/sid-msg.map -w
/var/log/snort/barnyard.waldo -L /var/log/snort/ -a /var/log/snort/archive/
- -f snort.log -X /var/run/barnyard.pid
/usr/bin/barnyard -c /etc/snort/barnyardtwo.conf -d /var/log/snort_eth2/ -g
/etc/snort/gen-msg.map -s /etc/snort/sid-msg.map -w
/var/log/snort_eth2/barnyard.waldo -L /var/log/snort_eth2/ -a
/var/log/snort_eth2/archive/ -f snort.log -X /var/run/barnyard2.pid

I have two snort and two barnyard instances running on the same box,
sniffing two interfaces, with separate configuration files. 

Many Thanks,
Jasmine  
 
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.1

iQA/AwUBQIeWhP4wcdIw6CVjEQLCRACcCNXSL/Lw+M2YoeiKSOem6fktzDUAoNoH
H1wTBsODzjHGEZxdcCbC0sSK
=Noeq
-----END PGP SIGNATURE-----


-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: