Snort mailing list archives

Re: Snort + sfPortscan + Barnyard2


From: "Maxwell, Jamison [HDS]" <JMaxwell () PBP1 COM>
Date: Tue, 11 Mar 2014 14:44:03 -0400

I found this on the snort google group https://groups.google.com/forum/#!topic/mailing.unix.snort/TgJbigmGpSQ .

It basically says that the BY2 guys are working on a solution for databasing these logs, but that was two years ago.  
Maybe some of the Barnyard2 folks can comment?

To be honest, I've never played with this preprocessor until now; I don't really care who scans, to be honest, but in 
turning it on I've noticed that it's chock full of false positives, even at the lowest alerting threshold, and has 
increased my load by about thirty percent, and memory usage through the roof.  Seriously, it ate my swapfile.  I don't 
think I'll be using this preprocessor much.


Jamison Maxwell


From: Antonio Piepoli [mailto:piepoli.antonio () gmail com]
Sent: Tuesday, March 11, 2014 1:12 PM
To: Maxwell, Jamison [HDS]; snort-users () lists sourceforge net
Subject: Re: Snort + sfPortscan + Barnyard2

Thank you,

I've already read that part of documentation and I'm glad to see that I'm not the only one who thinks it is a bit 
obscure :) .

Hope someone can help.

Antonio
On 11/03/2014 17:24, Maxwell, Jamison [HDS] wrote:
Yes, Barnyard2 only processes unified2 format files, but you should be able to change the output to unified in 
snort.conf.  I'm not sure quite how though, as I've never really monkeyed too much with separate preprocessor logs, but 
it looks like there's some info about it starting on line 213 in doc/README.sfportscan.

(unified)

In order to get all the portscan information logged with the alert, snort
generates a pseudo-packet and uses the payload portion to store the additional
portscan information of priority count, connection count, IP count, port count,
IP range, and port range.  The characteristics of the packet are:

Src/Dst MAC Addr == MACDAD
IP Protocol == 255
IP TTL == 0

Other than that, the packet looks like the IP portion of the packet that caused
the portscan alert to be generated.  This includes any IP options, etc.  The
payload and payload size of the packet is equal to the length of the additional
portscan information that is logged.  The size tends to be around 100 - 200
bytes.

Open port alerts differ from the other portscan alerts, because open port alerts
utilize the tagged packet output system.  This means that if an output system
that doesn't print tagged packets is used, then the user won't see open port
alerts.  The open port information is stored in the IP payload and
contains the port that is open.

The sfPortscan alert output was designed to work with unified packet logging, so
it is possible to extend favorite snort GUIs to display portscan alerts and the
additional information in the IP payload using the above packet characteristics.

Though I don't think this information is very clear.  Also, you're specifying merged.log in your -f option, which is 
processing /var/log/snort/merged.log, not portscan.log, but it would need to be unified anyway.



Jamison Maxwell
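The README excerpt quoted above says an sfPortscan alert is carried as a pseudo-packet whose source and destination MAC addresses are "MACDAD", whose IP protocol is 255 and whose IP TTL is 0, with the scan summary stored as text in the IP payload. The following is an added example, not code from this thread or from the Snort or Barnyard2 projects: a small Python routine that recognises such a frame in raw Ethernet/IPv4 form (what a unified2 or pcap reader hands you) and pulls the "Name: value" lines out of the payload, honouring the IP header length so any IP options the README says are preserved are skipped. The frame-builder helper, the addresses, and the field labels in the constructed sample payload are assumptions for illustration; only the MAC, protocol and TTL markers come from the README.

```python
"""Recognise and decode the sfPortscan pseudo-packet described in
doc/README.sfportscan: src/dst MAC == "MACDAD", IP protocol 255, IP TTL 0,
scan summary as text in the IP payload.  The payload labels used in the
constructed sample below are an assumption made for illustration; the
parser keys on the generic "Name: value" line layout, not on fixed names."""
import socket
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
PSEUDO_MAC = b"MACDAD"      # six ASCII bytes, per README.sfportscan
PSEUDO_PROTO = 255          # IP protocol field of the pseudo-packet
PSEUDO_TTL = 0              # IP TTL field of the pseudo-packet


def ipv4_checksum(hdr: bytes) -> int:
    """Standard one's-complement sum over the IPv4 header."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_mac, dst_mac, src_ip, dst_ip, proto, ttl, payload):
    """Assemble Ethernet + IPv4 (no options) + payload.  Helper for the
    constructed sample frames; it is not part of Snort."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + hdr + payload


def is_sfportscan_pseudo_packet(frame: bytes) -> bool:
    """True only if all three README markers match: both MACs, proto, TTL."""
    if len(frame) < ETH_HDR_LEN + 20:
        return False
    dst_mac, src_mac = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        return False
    if dst_mac != PSEUDO_MAC or src_mac != PSEUDO_MAC:
        return False
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    ttl, proto = ip[8], ip[9]
    return ihl >= 20 and proto == PSEUDO_PROTO and ttl == PSEUDO_TTL


def parse_sfportscan_payload(frame: bytes) -> dict:
    """Return the 'Name: value' lines from the pseudo-packet's IP payload.
    Splits on the first colon only, so values such as an IP range written
    as 'a:b' or a port range '21:1024' survive intact."""
    if not is_sfportscan_pseudo_packet(frame):
        raise ValueError("not an sfPortscan pseudo-packet")
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4                      # skip any IP options
    total_len = struct.unpack("!H", ip[2:4])[0]   # ignore Ethernet padding
    payload = ip[ihl:total_len].decode("ascii", errors="replace")
    info = {}
    for line in payload.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            info[key.strip()] = value.strip()
    return info


# Constructed sample payload.  Field names are an assumption based on the
# README's list (priority count, connection count, IP count, port count,
# IP range, port range); real Snort output may label them differently.
SAMPLE_INFO = (b"Priority Count: 5\n"
               b"Connection Count: 30\n"
               b"IP Count: 1\n"
               b"Scanner IP Range: 192.0.2.10:192.0.2.10\n"
               b"Port/Proto Count: 30\n"
               b"Port/Proto Range: 21:1024\n")

# Constructed frames: one pseudo-packet and one ordinary TCP packet.
PSEUDO_FRAME = build_frame(PSEUDO_MAC, PSEUDO_MAC, "192.0.2.10", "198.51.100.7",
                           PSEUDO_PROTO, PSEUDO_TTL, SAMPLE_INFO)
NORMAL_FRAME = build_frame(b"\x00\x11\x22\x33\x44\x55", b"\x66\x77\x88\x99\xaa\xbb",
                           "192.0.2.10", "198.51.100.7", 6, 64, b"\x00" * 20)

if __name__ == "__main__":
    for name, frame in (("pseudo", PSEUDO_FRAME), ("normal", NORMAL_FRAME)):
        if is_sfportscan_pseudo_packet(frame):
            print(name, "-> sfPortscan:", parse_sfportscan_payload(frame))
        else:
            print(name, "-> ordinary packet, ignored")
```

The three markers are checked together on purpose: protocol 255 alone is a legal reserved value and TTL 0 can appear on malformed traffic, but no real frame carries the ASCII MAC "MACDAD" on both sides, so the combination is what keeps ordinary packets out of a portscan view.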



From: Antonio Piepoli [mailto:piepoli.antonio () gmail com]
Sent: Tuesday, March 11, 2014 12:12 PM
To: Maxwell, Jamison [HDS]; snort-users () lists sourceforge net
Subject: Re: Snort + sfPortscan + Barnyard2

First of all thank you for the assistance,

I'm running barnyard with this command:

/usr/local/bin/barnyard2 -c /usr/local/etc/barnyard2.conf -d /var/log/snort -f merged.log -D

In the config file of barnyard it's written nowhere to process portscan.log (I knew it was trivial).

Actually I think I'm missing something. The file portscan.log is written in cleartext while merged.log is unified2; is 
it not mandatory for barnyard to read files in unified2 file format? Does snort have to update merged.log to include 
sfportscan's alerts?


Thanks,
Antonio
On 11/03/2014 16:55, Maxwell, Jamison [HDS] wrote:

The first thing I would do is ensure that portscan.log is being processed by barnyard2.  You should see this in 
/var/log/messages, but you can also turn on mysql logging and watch the INSERT queries.  In my configuration, on RHEL, 
the config file in which you specify the log to parse is /etc/sysconfig/barnyard2.

Jamison Maxwell

Sr. Systems Administrator



