Snort mailing list archives
IDS problems -> part two (unresolved)
From: Jasmine CHUA <Jasmine.Chua () internationalsos com>
Date: Thu, 22 Apr 2004 17:55:17 +0800
-----Original Message-----
From: Guillaume Arcas [mailto:guillaume.arcas () free fr]
Sent: Thursday, April 22, 2004 15:59
To: Jasmine CHUA
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] ids problems

If you want flow-portscan alerts to be logged in your database, you have to adjust the settings of your database output plugin (in snort.conf). Here's a useful link about how snort distinguishes - and uses - log and alert facilities:
http://www.theadamsfamily.net/~erek/snort/logging_methods.txt

--
Guillaume Arcas
--------------------------------------------------
We have to part. We are two children; we have done something foolish. (Yvonne de Galais)
Mmm.. But I am using barnyard instead to log into the database and don't want to 'overload' snort. I have configured snort to output to syslog as well as the unified log file format. I am not using any of the database plugins for snort.

To make things clearer, what I meant is that I already have a couple of flow-portscan packets in my database as well as showing up on ACID:

Generated by ACID v0.9.6b23 on Thu, 22 Apr 2004 00:44:28 +0000
------------------------------------------------------------------------------
#(2 - 1) [2004-04-16 03:11:58] [snort/3] flow-portscan: Fixed Scale Talker Limit Exceeded
IPv4: 202.157.139.69 -> xx.xx.xx.xx
      hlen=5 TOS=16 dlen=511 ID=0 flags=0 offset=0 TTL=0 chksum=0
Payload: length = 491
000 : 41 64 64 72 65 73 73 3A 20 32 30 32 2E 31 35 37   Address: 202.157
010 : 2E 31 33 39 2E 36 39 0A 41 54 5F 53 43 4F 52 45   .139.69.AT_SCORE
020 : 3A 20 31 36 0A 53 54 5F 53 43 4F 52 45 3A 20 31   : 16.ST_SCORE: 1
-----< SNIP >--------------------

However, the problem is that I noticed after restarting snort + barnyard, only the very 1st flow-portscan alert gets logged into the database and on ACID, like the above sample packet, but not the rest of the flow-portscan alerts. And if I restart just barnyard alone, I don't see any of the flow-portscan alerts getting logged into the database and on ACID at all.

This is my earlier thread in case anyone missed it:

Problem 1) Flow-Portscan works but not quite well for me. On ACID I only see the very first portscan alert and thereafter I don't get to see the next and the next portscan alert on ACID. It's really weird. Right now, I can only see all the portscan alerts in syslog.

Here's my snort.conf:
preprocessor flow: stats_interval 0 hash 2
preprocessor flow-portscan: unique-memcap 5000000 unique-rows 50000 tcp-penalties on server-scanner-limit 4 server-watchnet $HOME_NET alert-mode once output-mode pktkludge

Problem 2) On ACID
ICMP traffic - I get to see the full payload
TCP traffic - I don't get to see the full payload.
It's still complaining of fast logging mode.

Each Snort config file has its output configured as:
output alert_syslog: LOG_DAEMON LOG_ALERT
output log_unified: filename snort.log, limit 128

Each Barnyard config:
processor dp_log
processor dp_stream_stat
output log_acid_db: mysql, sensor_id 1, database snort, server localhost, user xxxx, password xxxx, detail full

How I run Snort:
/usr/bin/snort -D -U -o -I -c /etc/snort/snort.conf -i eth1 -u snort -g snort -l /var/log/snort/ -F /etc/snort/filter.bpf
/usr/bin/snort -D -U -o -I -c /etc/snort/snorttwo.conf -i eth2 -u snort -g snort -l /var/log/snort_eth2/ -F /etc/snort/filter.bpf

How I run Barnyard:
/usr/bin/barnyard -c /etc/snort/barnyard.conf -d /var/log/snort/ -g /etc/snort/gen-msg.map -s /etc/snort/sid-msg.map -w /var/log/snort/barnyard.waldo -L /var/log/snort/ -a /var/log/snort/archive/ -f snort.log -X /var/run/barnyard.pid
/usr/bin/barnyard -c /etc/snort/barnyardtwo.conf -d /var/log/snort_eth2/ -g /etc/snort/gen-msg.map -s /etc/snort/sid-msg.map -w /var/log/snort_eth2/barnyard.waldo -L /var/log/snort_eth2/ -a /var/log/snort_eth2/archive/ -f snort.log -X /var/run/barnyard2.pid

I have two snort and two barnyard instances running on the same box, sniffing two interfaces, with separate configuration files.

Many Thanks,
Jasmine
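Added example, not part of the thread: a small Python decoder that turns the ACID hex dump of a flow-portscan pktkludge packet (the three lines quoted above) back into the text fields the preprocessor stuffed into the payload, so the scanner address and scores can be pulled out of the rows that did reach the database. The sample dump is the page's own prefix of the 491-byte payload; everything after the snip is assumed unavailable, so the last field may be cut off.

```python
import re

# Constructed sample: the three dump lines ACID printed for the flow-portscan
# packet in the post. The real payload is 491 bytes; only this prefix is known.
ACID_DUMP = """\
Payload: length = 491
000 : 41 64 64 72 65 73 73 3A 20 32 30 32 2E 31 35 37   Address: 202.157
010 : 2E 31 33 39 2E 36 39 0A 41 54 5F 53 43 4F 52 45   .139.69.AT_SCORE
020 : 3A 20 31 36 0A 53 54 5F 53 43 4F 52 45 3A 20 31   : 16.ST_SCORE: 1
"""

# One ACID dump line: 3-hex-digit offset, " : ", up to 16 hex bytes, ASCII column.
# The ASCII column can itself look like hex ("16"), so bytes are capped at 16 per line.
_LINE_RE = re.compile(r"^([0-9A-Fa-f]{3}) : ((?:[0-9A-Fa-f]{2} ?){1,16})")


def decode_acid_dump(text, payload_len=None):
    """Rebuild raw payload bytes from ACID's hex-dump rendering.

    Offsets are checked so a missing or reordered line raises instead of
    silently producing a shifted payload. payload_len (from the "length ="
    header) caps a short final line so its ASCII column is never read as hex.
    """
    out = bytearray()
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m:
            continue  # header or separator line, not dump data
        offset = int(m.group(1), 16)
        if offset != len(out):
            raise ValueError(f"dump gap: expected {len(out):03X}, got {offset:03X}")
        chunk = bytes.fromhex(m.group(2).replace(" ", ""))
        if payload_len is not None:
            chunk = chunk[: max(0, payload_len - len(out))]
        out += chunk
    return bytes(out)


def parse_pktkludge(payload):
    """Parse the newline-separated "Key: value" text flow-portscan writes in pktkludge mode."""
    fields = {}
    for raw in payload.decode("ascii", errors="replace").split("\n"):
        if ":" not in raw:
            continue
        key, value = raw.split(":", 1)
        value = value.strip()
        fields[key.strip()] = int(value) if value.isdigit() else value
    return fields


if __name__ == "__main__":
    # The trailing ST_SCORE is truncated by the snip in the original post.
    print(parse_pktkludge(decode_acid_dump(ACID_DUMP)))
```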