Snort mailing list archives
BASE does not fill the BASE Homepage Portscan bar
From: <oalabeatrix () gmail com>
Date: Sun, 1 Dec 2013 19:03:29 +0100
Hi. I know this question has been asked several times on the Internet, but I couldn’t manage to solve it. After 2 weeks
of working around with Snort, I really wish I could figure this out.
I have two Snort Configs on Debian Wheezy. All packets updated from repository:
SNORT-mysql --> MYSQL --> Apache --> Base
SNORT –> Barnyard2 –> MYSQL –> Apache --> Base
Network Topology ( The SNORT IDS is on a port Mirror ) :
--(Router2)-----------------------------------------
|-(Router1)----------------PC1
(SNORT IDS)--------------
\__________192.168.1.0/24______________/ \________192.168.0.0/24_________/
SNORT is Version 2.9.2.2 IPv6 GRE (Build 121) installed from apt-get repository
Barnyard is Version 2.1.13 (Build 327) compiled from sources
MYSQL and APACHE2 are latest version available from apt-get repository
BASE is the latest available verion ( 1.4.5), downloaded and unzipped from sources.
The same phenomenom happens for both SNORT configs: If I do a regular portscan of the 192.168.0.0/24 subnet ( nmap
192.168.0.0/24 ) by PC1, the BASE interface gets populated with alerts, the portscan.log file registers some portscans,
and the portscan.log file is aknowledged by BASE if I query a single IP ( unique Destination IP --> choosing an IP -->
Portscan ), but the PORTSCAN bar on the BASE homepage remains desesperatly EMPTY.
I'm not sure how to troubleshoot this. Here are the most important parts of my snort.conf file ( the rest is left
default and unchanged ) :
# Compatible with Snort Versions:
# VERSIONS : 2.9.2.2
.....
# Setup the network addresses you are protecting
ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET !$HOME_NET
.....
# Target-Based stateful inspection/stream reassembly. For more inforation, see README.stream5
preprocessor stream5_global: track_tcp yes, \
track_udp yes, \
track_icmp no, \
.....
# Portscan detection. For more information, see README.sfportscan
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { medium } logfile {
/var/log/snort/portscan.log }
.....
output alert_syslog: LOG_local0 LOG_ALERT
output log_tcpdump: tcpdump.log
output unified2: filename snort.log, limit 128
.....
# Note for Debian users: The rules preinstalled in the system
# can be *very* out of date. For more information please read
# the /usr/share/doc/snort-rules-default/README.Debian file
# site specific rules
include $RULE_PATH/local.rules
## Note : Following .rules commenting out left unchanged
--------------------------------------------------------------
The /var/log/snort/portscan.log file gets populated like this :
Time: 12/01-15:31:52.988044
event_ref: 0
192.168.0.100 -> 192.168.1.210 (portscan) TCP Portscan
Priority Count: 13
Connection Count: 15
IP Count: 1
Scanner IP Range: 192.168.0.100:192.168.0.100
Port/Proto Count: 15
Port/Proto Range: 23:8080
Time: 12/01-15:31:54.883603
event_ref: 0
192.168.0.100 -> 192.168.1.240 (portscan) TCP Filtered Portscan
Priority Count: 0
Connection Count: 200
IP Count: 1
Scanner IP Range: 192.168.0.100:192.168.0.100
Port/Proto Count: 199
Port/Proto Range: 21:65000
---------------------------------------------------------------------------------------------
The BASE displayed alerts are these :
Displaying alerts 1-11 of 11 total
< Signature > < Classification > < Total # > Sensor # < Source Address > < Dest.
Address > < First > < Last >
[snort] ICMP Timestamp Request misc-activity 11(0%) 1 1 1 2013-11-29 14:20:04
2013-11-29 14:45:29
[snort] SNMP AgentX/tcp request attempted-recon 22(1%) 1 1 2 2013-11-29 14:20:04
2013-11-29 17:36:16
[snort] SNMP request tcp attempted-recon 22(1%) 1 1 2 2013-11-29 14:20:04
2013-11-29 17:36:17
[snort] ICMP PING undefined code misc-activity 15(0%) 1 1 2 2013-11-29 14:20:15
2013-11-29 17:16:58
[snort] ICMP PING misc-activity 3548(95%) 1 1 2 2013-11-29 14:20:15 2013-11-30
10:37:33
[snort] SCAN nmap XMAS attempted-recon 27(1%) 1 1 2 2013-11-29 14:20:15
2013-11-29 17:16:58
[snort] ICMP PING NMAP attempted-recon 54(1%) 1 1 2 2013-11-29 14:20:42
2013-11-29 17:35:56
[snort] SNMP trap tcp attempted-recon 11(0%) 1 1 2 2013-11-29 14:20:44 2013-11-29
14:53:11
[snort] DDOS mstream client to handler attempted-dos 12(0%) 1 1 2 2013-11-29 14:20:48
2013-11-29 14:54:58
[snort] MISC Source Port 20 to <1024 bad-unknown 1(0%) 1 1 1 2013-11-29 14:21:49
2013-11-29 14:21:49
[snort] ICMP traceroute attempted-recon 1(0%) 1 1 1 2013-11-29 14:58:06
2013-11-29 14:58:06
ACTION
----------------------------------------------------------------------------------------------------------
Finally, If I reset the database, redo the scan, and dump the MySQL database. This do appear in the MySQL that was not
there before the scan :
Dumping data for table `signature`
--
LOCK TABLES `signature` WRITE;
/*!40000 ALTER TABLE `signature` DISABLE KEYS */;
INSERT INTO `signature` VALUES (1,'dnp3: DNP3 Application-Layer Fragment uses a reserved function
code.',0,0,1,6,145),(2,'dnp3: DNP3 Link-Layer Frame uses a reserved address.',0,0,1,5,145),(3,'dnp3: DNP3 Reassembly
Buffer was cleared without reassembling a complete message.',0,0,1,4,145),(4,'dnp3: DNP3 Transport-Layer Segment was
dropped during reassembly.',0,0,1,3,145),
.....
.....
(176,'frag3: Fragment packet ends after defragmented packet',0,0,1,4,123),(177,'frag3: Short fragment, possible DoS
attempt',0,0,1,3,123),(178,'frag3: Teardrop attack',0,0,1,2,123),(179,'frag3: IP Options on fragmented
packet',0,0,1,1,123),(180,'portscan: Open Port',0,0,1,27,122),(181,'portscan: ICMP Filtered
Sweep',0,0,1,26,122),(182,'portscan: ICMP Sweep',0,0,1,25,122),(183,'portscan: UDP Filtered Distributed
Portscan',0,0,1,24,122),(184,'portscan: UDP Filtered Portsweep',0,0,1,23,122),(185,'portscan: UDP Filtered Decoy
Portscan',0,0,1,22,122),(186,'portscan: UDP Filtered Portscan',0,0,1,21,122),(187,'portscan: UDP Distributed
Portscan',0,0,1,20,122),(188,'portscan: UDP Portsweep',0,0,1,19,122),(189,'portscan: UDP Decoy
Portscan',0,0,1,18,122),(190,'portscan: UDP Portscan',0,0,1,17,122),(191,'portscan: IP Filtered Distributed Protocol
Scan',0,0,1,16,122),(192,'portscan: IP Filtered Protocol Sweep',0,0,1,15,122),(193,'portscan: IP Filtered Decoy
Protocol Scan',0,0,1,14,122),(194,'portscan: IP Filtered Protocol Scan',0,0,1,13,122),(195,'portscan: IP Distributed
Protocol Scan',0,0,1,12,122),(196,'portscan: IP Protocol Sweep',0,0,1,11,122),(197,'portscan: IP Decoy Protocol
Scan',0,0,1,10,122),(198,'portscan: IP Protocol Scan',0,0,1,9,122),(199,'portscan: TCP Filtered Distributed
Portscan',0,0,1,8,122),(200,'portscan: TCP Filtered Portsweep',0,0,1,7,122),(201,'portscan: TCP Filtered Decoy
Portscan',0,0,1,6,122),(202,'portscan: TCP Filtered Portscan',0,0,1,5,122),(203,'portscan: TCP Distributed
Portscan',0,0,1,4,122),(204,'portscan: TCP Portsweep',0,0,1,3,122),(205,'portscan: TCP Decoy
Portscan',0,0,1,2,122),(206,'portscan: TCP Portscan',0,0,1,1,122),(207,'flow-portscan: Sliding Scale Talker Limit
Exceeded',0,0,1,4,121),(208,'flow-portscan: Fixed Scale Talker Limit Exceeded',0,0,1,3,121),(209,'flow-portscan:
Sliding Scale Scanner Limit Exceeded',0,0,1,2,121),(210,'flow-portscan: Fixed Scale Scanner Limit
Exceeded',0,0,1,1,121),(211,'http_inspect: MULTIPLE ENCODINGS WITHIN JAVASCRIPT OBFUSCATED DATA',0,0,1,11,120)
.....
.....
Does it mean that the Portscan does get detected by the sfportscan preprocessor and sent onto the MySQL database ?
I did notice the the etc/snort/rules/portscan.rules have most rules not tagged with a portscan label, but rules and
preprocessor are distinct things right ?
Finally, what puzzles me is these parts of my snort -T output :
Loading all dynamic preprocessor libs from /usr/lib/snort_dynamicpreprocessor/...
Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_imap_preproc.so... done
Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_modbus_preproc.so... done
Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done
Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so... done
Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_reputation_preproc.so... done
Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_gtp_preproc.so... done
Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_sip_preproc.so... done
Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so... done
Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_pop_preproc.so... done
Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_dnp3_preproc.so... done
Finished Loading all dynamic preprocessor libs from /usr/lib/snort_dynamicpreprocessor/
Log directory = /var/log/snort
WARNING: ip4 normalizations disabled because not inline.
......
......
Portscan Detection Config:
Detect Protocols: TCP UDP ICMP IP
Detect Scan Type: portscan portsweep decoy_portscan distributed_portscan
Sensitivity Level: Medium
Memcap (in bytes): 10000000
Number of Nodes: 19569
Logfile: /var/log/snort/portscan.log
FTPTelnet Config:
.....
.....
Rules Engine: SF_SNORT_DETECTION_ENGINE Version 1.15 <Build 18>
Preprocessor Object: SF_DNP3 (IPV6) Version 1.1 <Build 1>
Preprocessor Object: SF_SSH (IPV6) Version 1.1 <Build 3>
Preprocessor Object: SF_POP (IPV6) Version 1.0 <Build 1>
Preprocessor Object: SF_DNS (IPV6) Version 1.1 <Build 4>
Preprocessor Object: SF_FTPTELNET (IPV6) Version 1.2 <Build 13>
Preprocessor Object: SF_SDF (IPV6) Version 1.1 <Build 1>
Preprocessor Object: SF_SIP (IPV6) Version 1.1 <Build 1>
Preprocessor Object: SF_GTP (IPV6) Version 1.1 <Build 1>
Preprocessor Object: SF_REPUTATION (IPV6) Version 1.1 <Build 1>
Preprocessor Object: SF_DCERPC2 (IPV6) Version 1.0 <Build 3>
Preprocessor Object: SF_SSLPP (IPV6) Version 1.1 <Build 4>
Preprocessor Object: SF_MODBUS (IPV6) Version 1.1 <Build 1>
Preprocessor Object: SF_IMAP (IPV6) Version 1.0 <Build 1>
Preprocessor Object: SF_SMTP (IPV6) Version 1.1 <Build 9>
Snort successfully validated the configuration!
How comes the sfportmap is not listed in the beginning and closing parts ?
I hope I'll manage to figure out how to have this 'Portscan' BAR able to fill-up with ruby red ^^
---
Ce courrier électronique ne contient aucun virus ou logiciel malveillant parce que la protection avast! Antivirus est
active.
http://www.avast.com
------------------------------------------------------------------------------ Sponsored by Intel(R) XDK Develop, test and display web and hybrid apps with a single code base. Download it for free now! http://pubads.g.doubleclick.net/gampad/clk?id=111408631&iu=/4140/ostg.clktrk
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- BASE does not fill the BASE Homepage Portscan bar oalabeatrix (Dec 03)