Snort mailing list archives

Re: Barnyard2 not inputting portscans (was Unified Logging - BASE - Portscans)


From: James Lay <jlay () slave-tothe-box net>
Date: Wed, 27 Jul 2011 06:50:30 -0600

Just confirmed.....going direct to MySQL from snort with no barnyard, I
TOTALLY get not only a portscan entry, but also an "Open Port: ****"
entry:

(portscan) TCP Portscan: 21:49157
(portscan) Open Port: 53


But now I even see the "Portscan Traffic (< 1%)" on the BASE
main screen.  Nice sleuthing job Michael!  I'll be sticking with direct to
db from snort until this is fixed.

James

On 7/27/11 6:30 AM, "James Lay" <jlay () slave-tothe-box net> wrote:

Interesting....and guess what...barnyard2 doesn't seem to log portscan
data:

Jul 26 20:34:39 gateway snort[4555]: [122:17:0] (portscan) UDP Portscan
[Priority: 3] {PROTO:255} 205.171.2.25 -> my.ext.ip

A search for 205.171.2.25 came up empty....I think we have our issue.
Time to talk to firnsy maybe?
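An added example, not from the thread and not code from Snort, Barnyard2 or BASE, of the check the empty search above calls for: instead of searching the database for an address, ask it for every event raised by the sfportscan generator (gid 122, the "122" in "[122:17:0]"). The schema is a cut-down SQLite copy of Snort's signature, event and iphdr tables using Snort's column names; all rows are constructed (sensor id 1, the sanitized destination replaced by 192.0.2.1, an ordinary local rule alert for contrast, and sid 27 for the Open Port message as listed in Snort's gen-msg.map). The ip_to_int conversion is the part that bites when querying by hand: Snort stores IPv4 addresses as unsigned 32-bit integers, so a WHERE clause against the dotted string finds nothing even when the rows are there.

```python
import socket
import sqlite3
import struct
from typing import List, Tuple

# Generator id of the sfportscan preprocessor: the "122" in "[122:17:0]".
SFPORTSCAN_GID = 122

# Minimal cut of the Snort database schema (signature, event, iphdr), enough to
# run the join BASE runs. Column names follow Snort's create_mysql; the types
# are SQLite spellings of them.
SCHEMA = """
CREATE TABLE signature (
    sig_id INTEGER PRIMARY KEY, sig_name TEXT NOT NULL, sig_class_id INTEGER,
    sig_priority INTEGER, sig_rev INTEGER, sig_sid INTEGER, sig_gid INTEGER);
CREATE TABLE event (
    sid INTEGER NOT NULL, cid INTEGER NOT NULL, signature INTEGER NOT NULL,
    timestamp TEXT NOT NULL, PRIMARY KEY (sid, cid));
CREATE TABLE iphdr (
    sid INTEGER NOT NULL, cid INTEGER NOT NULL, ip_src INTEGER NOT NULL,
    ip_dst INTEGER NOT NULL, ip_proto INTEGER, PRIMARY KEY (sid, cid));
"""


def ip_to_int(dotted: str) -> int:
    """Snort stores IPv4 addresses as unsigned 32-bit integers (what MySQL's
    INET_ATON produces). Comparisons must use this form, not the dotted string."""
    return struct.unpack("!I", socket.inet_aton(dotted))[0]


def int_to_ip(n: int) -> str:
    return socket.inet_ntoa(struct.pack("!I", n))


def make_sample_db() -> sqlite3.Connection:
    """In-memory database with constructed rows: one local rule alert, the UDP
    portscan from the syslog line quoted above (122:17 from 205.171.2.25; the
    sanitized destination is replaced by 192.0.2.1) and an Open Port event
    (122:27 in gen-msg.map). Sensor id 1, event ids 1..3."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO signature VALUES (?,?,?,?,?,?,?)",
        [
            (1, "local test rule", 1, 3, 1, 1000001, 1),  # constructed local rule
            (2, "(portscan) UDP Portscan", 1, 3, 0, 17, 122),
            (3, "(portscan) Open Port", 1, 3, 0, 27, 122),
        ],
    )
    conn.executemany(
        "INSERT INTO event VALUES (?,?,?,?)",
        [
            (1, 1, 1, "2011-07-26 20:30:01"),
            (1, 2, 2, "2011-07-26 20:34:39"),
            (1, 3, 3, "2011-07-26 20:34:40"),
        ],
    )
    conn.executemany(
        "INSERT INTO iphdr VALUES (?,?,?,?,?)",
        [
            (1, 1, ip_to_int("198.51.100.5"), ip_to_int("192.0.2.1"), 6),
            # sfportscan alerts ride on a pseudo-packet with IP protocol 255,
            # the {PROTO:255} in the syslog line quoted above.
            (1, 2, ip_to_int("205.171.2.25"), ip_to_int("192.0.2.1"), 255),
            (1, 3, ip_to_int("205.171.2.25"), ip_to_int("192.0.2.1"), 255),
        ],
    )
    conn.commit()
    return conn


def portscan_events(conn: sqlite3.Connection) -> List[Tuple[str, str, str, str]]:
    """(timestamp, src, dst, sig_name) for every event the sfportscan generator
    raised. An empty result right after a scan means the events never reached
    the database, whatever portscan.log says."""
    rows = conn.execute(
        """SELECT e.timestamp, i.ip_src, i.ip_dst, s.sig_name
             FROM event e
             JOIN signature s ON s.sig_id = e.signature
             JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
            WHERE s.sig_gid = ?
            ORDER BY e.timestamp, e.cid""",
        (SFPORTSCAN_GID,),
    ).fetchall()
    return [(ts, int_to_ip(src), int_to_ip(dst), name) for ts, src, dst, name in rows]


def events_for_ip(conn: sqlite3.Connection, dotted: str) -> int:
    """Events with the address as source or destination, matched on the
    integer form the tables actually hold."""
    n = ip_to_int(dotted)
    return conn.execute(
        "SELECT COUNT(*) FROM iphdr WHERE ip_src = ? OR ip_dst = ?", (n, n)
    ).fetchone()[0]


if __name__ == "__main__":
    db = make_sample_db()
    for row in portscan_events(db):
        print(row)
    print("events involving 205.171.2.25:", events_for_ip(db, "205.171.2.25"))
```

Against a real sensor database, replace the sqlite3 connection with a MySQL driver and keep the same two queries; on MySQL you can let INET_NTOA(i.ip_src) do the conversion in the SELECT instead of int_to_ip. Run portscan_events after a test scan on both setups: on the snort-to-database setup the gid 122 rows appear, on the barnyard2 setup their absence confirms that the events are being dropped between unified2 and the database rather than hidden by BASE.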

On 7/27/11 5:48 AM, "Michael Steele" <michaels () winsnort com> wrote:

James,

Out of curiosity I matched the same two alerts in each BASE console. Unified
logging seems not to be inserting data into the database like it does with
the output database.

This could be a direct result of the script I'm using as it's still in
development.

Picture of alert from Unified2 logging:
http://www.winsnort.com/data/unified.gif

Picture of alert from Output Database logging:
http://www.winsnort.com/data/output.gif

Kindest regards,
Michael...

-----Original Message-----
From: Michael Steele [mailto:michaels () winsnort com]
Sent: Tuesday, July 26, 2011 11:38 PM
To: 'James Lay'; 'Snort'
Subject: Re: [Snort-users] Unified Logging - BASE - Portscans

Here is an example of the same alert pulled from each portscan.log file.

Output Database portscan.log entry:
--------------------\
Time: 07/26-23:08:45.356955
event_id: 1797
10.0.0.3 -> 120.28.64.74 (portscan) TCP Portsweep
Priority Count: 5
Connection Count: 12
IP Count: 10
Scanned IP Range: 99.154.244.83:180.149.12.86
Port/Proto Count: 10
Port/Proto Range: 12293:59346
--------------------/

Using Unified2 portscan.log entry:
--------------------\
Time: 07/26-23:08:45.371463
event_id: 1802
10.0.0.3 -> 120.28.64.74 (portscan) TCP Portsweep
Priority Count: 5
Connection Count: 12
IP Count: 10
Scanned IP Range: 99.154.244.83:180.149.12.86
Port/Proto Count: 10
Port/Proto Range: 12293:59346
--------------------/

The portscan.log files look almost identical except for the 'Time:' and
'event_id:' tags. It's really strange that one is processing and the other
is not.

Hopefully someone that understands how BASE processes the portscans will
chime in here and make some sense of this?

Kindest regards,
Michael...
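The comparison Michael makes above, and the diff James proposes in the message below, as an added example that is not part of the original thread: a small Python parser for sfportscan's logfile stanzas, and a comparison that ignores the fields that legitimately differ per sensor (Time, event_id, event_ref) so that the same scan logged by two Snort instances matches. The sample logs are constructed from the two entries quoted above, one in the file's own one-field-per-line layout and one left exactly as the mail wrapped it; the Open Port stanza is invented here, with documentation-style values, to show an entry present on one side only.

```python
import re
from typing import Dict, List, Tuple

# Every field sfportscan writes to its logfile. Values contain no whitespace,
# so one token after the colon is the whole value.
FIELD_RE = re.compile(
    r"(Time|event_id|event_ref|Priority Count|Connection Count|IP Count|"
    r"Scanner IP Range|Scanned IP Range|Port/Proto Count|Port/Proto Range|"
    r"Open Port):\s*(\S+)"
)
# "src -> dst (portscan) <scan type>"; the type runs up to the next field.
HEADER_RE = re.compile(
    r"(\S+)\s*->\s*(\S+)\s*\(portscan\)\s*(.+?)(?=\s*(?:Priority Count|Open Port):)",
    re.S,
)
# Fields that differ between two sensors that saw the same scan.
VOLATILE = {"Time", "event_id", "event_ref"}


def parse_portscan_log(text: str) -> List[Dict[str, str]]:
    """One dict per 'Time:' stanza. Whitespace-tolerant, so it reads the real
    one-field-per-line file and the same entries after a mail client has
    re-wrapped them."""
    entries = []
    for chunk in re.split(r"(?m)^(?=Time:)", text):
        header = HEADER_RE.search(chunk)
        if not header:
            continue  # empty leading chunk, or not a portscan stanza
        fields = dict(FIELD_RE.findall(chunk))
        fields["src"], fields["dst"] = header.group(1), header.group(2)
        fields["type"] = header.group(3).strip()
        entries.append(fields)
    return entries


def fingerprint(entry: Dict[str, str]) -> Tuple[Tuple[str, str], ...]:
    """Identity of a scan: every field except the per-sensor ones."""
    return tuple(sorted((k, v) for k, v in entry.items() if k not in VOLATILE))


def compare_logs(a: str, b: str) -> Tuple[List[Dict[str, str]], List[Dict[str, str]]]:
    """(only_in_a, only_in_b). Two sensors logging the same scans leave both
    lists empty even though every Time and event_id differs."""
    fa = {fingerprint(e): e for e in parse_portscan_log(a)}
    fb = {fingerprint(e): e for e in parse_portscan_log(b)}
    return [fa[k] for k in fa.keys() - fb.keys()], [fb[k] for k in fb.keys() - fa.keys()]


# Constructed sample: the 'output database' VM's entry from the thread in the
# file's one-field-per-line layout, plus an Open Port stanza that is not from
# the thread (it refers back to the sweep through event_ref).
DB_LOG = """\
Time: 07/26-23:08:45.356955
event_id: 1797
10.0.0.3 -> 120.28.64.74 (portscan) TCP Portsweep
Priority Count: 5
Connection Count: 12
IP Count: 10
Scanned IP Range: 99.154.244.83:180.149.12.86
Port/Proto Count: 10
Port/Proto Range: 12293:59346

Time: 07/26-23:08:45.356999
event_ref: 1797
10.0.0.3 -> 120.28.64.74 (portscan) Open Port
Open Port: 53
"""

# The unified2 VM's entry exactly as the mail above wrapped it.
UNIFIED_LOG = """\
Time: 07/26-23:08:45.371463
event_id: 1802
10.0.0.3 -> 120.28.64.74 (portscan) TCP Portsweep Priority Count: 5
Connection Count: 12 IP Count: 10 Scanned IP Range:
99.154.244.83:180.149.12.86 Port/Proto Count: 10 Port/Proto Range:
12293:59346
"""

if __name__ == "__main__":
    only_db, only_unified = compare_logs(DB_LOG, UNIFIED_LOG)
    print("only in output-database log:", [e["type"] for e in only_db])
    print("only in unified2 log:", [e["type"] for e in only_unified])
```

Run it over the two real files (read each into a string and call compare_logs) instead of plain diff: diff reports every stanza as changed because of Time and event_id, whereas this reports only scans one sensor logged and the other did not, which is the question the thread is asking.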

-----Original Message-----
From: James Lay [mailto:jlay () slave-tothe-box net]
Sent: Tuesday, July 26, 2011 10:26 PM
To: Michael Steele; Snort
Subject: Re: [Snort-users] Unified Logging - BASE - Portscans

Extremely curious!  Can you diff the two portscan files to see if they are
different?  That's all I got...unless BASE reads portscan data from the db,
and snort puts data into the db differently than barnyard2, then I am
TOTALLY at a loss...wild!

Thanks for keeping on this.

James

On 7/26/11 8:21 PM, "Michael Steele" <michaels () winsnort com> wrote:

James,

Ok, I restarted two completely separate instances, and they are running
simultaneously:

VM1: Snort / MySQL / BASE / Unified Logging
VM2: Snort / MySQL / BASE / Output Database Logging

I am now receiving portscans into the portscan.log file on each VM.

VM2 is the only instance that displays the portscans in the BASE console.

VM1 is configured with Unified2 logging and is receiving portscans into
the portscan.log file but BASE is not processing them.

I'm guessing someone needs to jump in here that has some knowledge of
how BASE processes the portscans in order to find out why portscans are
being logged into the portscan.log file, but not processed when
Unified2 logging is used.

Kindest regards,
Michael...


-----Original Message-----
From: James Lay [mailto:jlay () slave-tothe-box net]
Sent: Monday, July 25, 2011 10:28 PM
To: Michael Steele; Snort
Subject: Re: [Snort-users] Unified Logging - BASE - Portscans

Done and done...nmapped from another netblock I control...sanitized
output.

Time: 07/25-20:25:10.421362
event_id: 1
netblock -> external.ip (portscan) TCP Portscan
Priority Count: 5
Connection Count: 59
IP Count: 1
Scanner IP Range: netblock ip range
Port/Proto Count: 62
Port/Proto Range: 21:55600


My output lines in snort.conf:

output alert_syslog: LOG_AUTH LOG_ALERT
output alert_fast: snortalert.fast
output log_tcpdump: snort.pcap
output unified2: filename snortalert.unified

Base still doesn't seem to be able to read it though, which is kind of
a drag (even after changing perms to 0644).


James



On 7/25/11 4:45 PM, "Michael Steele" <michaels () winsnort com> wrote:

James,

My portscan.log is 0 bytes. If I turn unified logging off and turn the
output database plugin on, the portscan.log file will be populated with
portscan alerts.

This is strange, so you have unified logging turned on and you are
receiving data into the portscan.log file? Can you verify that it's
really working by stopping the snort service, deleting the file and
restarting the snort service to see if alerts will continue to populate
the portscan.log file?

Kindest regards,
Michael...

-----Original Message-----
From: Lay, James [mailto:james.lay () wincofoods com]
Sent: Monday, July 25, 2011 6:00 PM
To: Michael Steele; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Unified Logging - BASE - Portscans

Hi Michael,

Now that's odd...my sfportscan line:

preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low } logfile { portscan.log }

And a tail of my portscan.log:

Time: 07/25-06:37:31.148528
event_id: 750
92.126.55.42 -> external.ip (portscan) UDP Portscan
Priority Count: 45
Connection Count: 86
IP Count: 5
Scanner IP Range: 74.50.52.136:92.126.55.42
Port/Proto Count: 5
Port/Proto Range: 6881:44898


I'm betting this is a different format from 2009's sfportscan?  I dunno :(

James

-----Original Message-----
From: Michael Steele [mailto:michaels () winsnort com]
Sent: Monday, July 25, 2011 3:23 PM
To: Lay, James; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Unified Logging - BASE - Portscans

James,

Thanks for taking a look. I know there are a LOT of users on all platforms
still using BASE as their console. I was talking to Jason and he tells me
that when unified2 logging is used, all alerts go into the unified log
file, and I'm assuming that includes portscans.

Seems someone would have come up with a solution to view portscans in the
BASE console using unified logging.

The below is used in order for BASE to grab the portscans, at least
it worked with 'output database':
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low } logfile { portscan.log }

When the above 'preprocessor sfportscan:' is used with unified logging all
it does is create the portscan.log file and never injects portscans into
the log file.

I'm not even real sure if the 'preprocessor sfportscan:' is even needed
using the unified logging method, and I'm not real sure how to turn
portscans on when using unified2 logging:
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }

And will the above log portscans to the unified log file?

Kindest regards,
Michael...


-----Original Message-----
From: Lay, James [mailto:james.lay () wincofoods com]
Sent: Monday, July 25, 2011 3:29 PM
To: Michael Steele; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Unified Logging - BASE - Portscans

-----Original Message-----
From: Michael Steele [mailto:michaels () winsnort com]
Sent: Friday, July 22, 2011 9:13 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Unified Logging - BASE - Portscans

I noticed that, moving from output database to unified logging, portscans
are no longer displayed in the BASE console.

Is there a solution to get this feature back to working in BASE?

Kindest regards,
Michael...

Michael, FWIW I tried in vain to get this to fly at home...I have the
portscan.log file being created as well as pointing to the right spot in
base_conf.php, but nothing shows up.  I suspect it's a difference in the
file format from the time BASE was made.  I'm sure an enterprising soul
could make the mods to the php files, but that wouldn't be me ;) For now I
do without portscan info...BASE gives me what I need without.

James


------------------------------------------------------------------------------
Storage Efficiency Calculator
This modeling tool is based on patent-pending intellectual property that has
been used successfully in hundreds of IBM storage optimization engagements,
worldwide.  Store less, Store more with what you own, Move data to the right
place. Try It Now!
http://www.accelacomm.com/jaw/sfnl/114/51427378/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please see http://www.snort.org/docs for documentation




