Snort mailing list archives

Re: Snort + sfPortscan + Barnyard2


From: Antonio Piepoli <piepoli.antonio () gmail com>
Date: Tue, 11 Mar 2014 20:28:02 +0100

Yes, that thread is a bit out of date. I've also searched, a bit, in the
archives of this mailing list, but without success.

Maybe it's true that it is hard to tune the preprocessor, but I did not notice
that it was so hungry for resources.


2014-03-11 19:44 GMT+01:00 Maxwell, Jamison [HDS] <JMaxwell () pbp1 com>:

I found this on the snort google group:
https://groups.google.com/forum/#!topic/mailing.unix.snort/TgJbigmGpSQ

It basically says that the BY2 guys are working on a solution for
databasing these logs, but that was two years ago.  Maybe some of the
Barnyard2 folks can comment?

To be honest, I've never played with this preprocessor until now. I don't
really care who scans, to be honest, but in turning it on I've noticed that
it's chock full of false positives, even at the lowest alerting threshold,
and has increased my load by about thirty percent, and memory usage through
the roof.  Seriously, it ate my swapfile.  I don't think I'll be using this
preprocessor much.

Jamison Maxwell

*From:* Antonio Piepoli [mailto:piepoli.antonio () gmail com]
*Sent:* Tuesday, March 11, 2014 1:12 PM

*To:* Maxwell, Jamison [HDS]; snort-users () lists sourceforge net
*Subject:* Re: Snort + sfPortscan + Barnyard2
Thank you,

I've already read that part of documentation and I'm glad to see that I'm
not the only one who thinks it is a bit obscure :) .

Hope someone can help.

Antonio

On 11/03/2014 17:24, Maxwell, Jamison [HDS] wrote:

Yes, Barnyard2 only processes unified2 format files, but you should be
able to change the output to unified in snort.conf.  I'm not sure quite
how though, as I've never really monkeyed too much with separate
preprocessor logs, but it looks like there's some info about it starting on
line 213 in doc/README.sfportscan.

(unified)

In order to get all the portscan information logged with the alert, snort
generates a pseudo-packet and uses the payload portion to store the additional
portscan information of priority count, connection count, IP count, port count,
IP range, and port range.  The characteristics of the packet are:

Src/Dst MAC Addr == MACDAD
IP Protocol == 255
IP TTL == 0

Other than that, the packet looks like the IP portion of the packet that caused
the portscan alert to be generated.  This includes any IP options, etc.  The
payload and payload size of the packet is equal to the length of the additional
portscan information that is logged.  The size tends to be around 100 - 200
bytes.

Open port alerts differ from the other portscan alerts, because open port alerts
utilize the tagged packet output system.  This means that if an output system
that doesn't print tagged packets is used, then the user won't see open port
alerts.  The open port information is stored in the IP payload and
contains the port that is open.

The sfPortscan alert output was designed to work with unified packet logging, so
it is possible to extend favorite snort GUIs to display portscan alerts and the
additional information in the IP payload using the above packet characteristics.

Though, I don't think this information is very clear.  Also, you're
specifying merged.log in your -f option, which is processing
/var/log/snort/merged.log, not portscan.log, but it would need to be
unified anyway.

Jamison Maxwell

*From:* Antonio Piepoli [mailto:piepoli.antonio () gmail com]
*Sent:* Tuesday, March 11, 2014 12:12 PM
*To:* Maxwell, Jamison [HDS]; snort-users () lists sourceforge net
*Subject:* Re: Snort + sfPortscan + Barnyard2

First of all thank you for the assistance,

I'm running barnyard with this command:

/usr/local/bin/barnyard2 -c /usr/local/etc/barnyard2.conf -d /var/log/snort -f merged.log -D

Nowhere in the barnyard config file is it written to process
portscan.log (I knew it was trivial).

Actually, I think I'm missing something. The file portscan.log is written
in cleartext while merged.log is unified2; is it not mandatory for barnyard
to read files in unified2 file format? Does snort have to update merged.log
to include sfportscan's alerts?


Thanks,
Antonio

On 11/03/2014 16:55, Maxwell, Jamison [HDS] wrote:

The first thing I would do is ensure that portscan.log is being processed by barnyard2.  You should see this in
/var/log/messages, but you can also turn on mysql logging and watch the INSERT queries.  In my configuration, on
RHEL, the config file where you specify the log to parse is /etc/sysconfig/barnyard2.









Jamison Maxwell

Sr. Systems Administrator
-- 
Antonio Piepoli
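The pseudo-packet characteristics quoted from README.sfportscan in this thread (MACDAD as source and destination MAC, IP protocol 255, TTL 0, the extra portscan information carried in the IP payload) are exactly what a log consumer or GUI would match on to separate portscan alerts from ordinary packets. The following Python is an added example, not code from the thread, from Snort or from Barnyard2: it assumes "MACDAD" means the literal six ASCII bytes, that the payload is text in key: value lines, and its sample payload and field names are constructed for the example.

```python
import struct
from dataclasses import dataclass, field
from typing import Optional

# README.sfportscan says Src/Dst MAC == "MACDAD"; this example assumes that
# means the six ASCII bytes of the string (an assumption, not taken from Snort).
MACDAD = b"MACDAD"
PORTSCAN_IP_PROTO = 255  # IP Protocol == 255 (from README.sfportscan)
PORTSCAN_IP_TTL = 0      # IP TTL == 0 (from README.sfportscan)

@dataclass
class PortscanInfo:
    src_ip: str
    dst_ip: str
    fields: dict = field(default_factory=dict)

def parse_portscan_pseudo_packet(frame: bytes) -> Optional[PortscanInfo]:
    """Return the payload fields if `frame` (Ethernet II + IPv4) is a portscan pseudo-packet."""
    if len(frame) < 34:  # 14-byte Ethernet header + minimal 20-byte IPv4 header
        return None
    dst_mac, src_mac = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800 or dst_mac != MACDAD or src_mac != MACDAD:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4  # header length, including any IP options
    total_len = struct.unpack("!H", ip[2:4])[0]
    ttl, proto = ip[8], ip[9]
    if proto != PORTSCAN_IP_PROTO or ttl != PORTSCAN_IP_TTL:
        return None
    # The IP payload holds the extra portscan information as text lines.
    payload = ip[ihl:total_len].decode("ascii", errors="replace")
    info = PortscanInfo(".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20])))
    for line in payload.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)  # split once: values may contain ':'
            info.fields[key.strip()] = value.strip()
    return info

def build_sample_pseudo_packet(payload: bytes) -> bytes:
    """Constructed test input only: a frame with the README's characteristics."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         PORTSCAN_IP_TTL, PORTSCAN_IP_PROTO, 0,
                         bytes((10, 0, 0, 5)), bytes((10, 0, 0, 9)))
    return MACDAD + MACDAD + b"\x08\x00" + ip_hdr + payload

# Constructed sample payload; the field names are assumed, not copied from Snort.
SAMPLE_PAYLOAD = (b"Priority Count: 3\nConnection Count: 5\nIP Count: 1\n"
                  b"Scanner IP Range: 10.0.0.5:10.0.0.5\n"
                  b"Port/Proto Count: 5\nPort/Proto Range: 20:25\n")
```

A real consumer would feed each decoded packet from the unified log through the same check; anything that fails the MAC, protocol or TTL test is an ordinary packet and is left to the normal alert path.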