Snort mailing list archives

Re: Snort + sfPortscan + Barnyard2


From: beenph <beenph () gmail com>
Date: Tue, 11 Mar 2014 19:32:36 -0400

Well I'm not sure I follow the cross talk here, hence I top post.
But as long as your portscan events are logged in the unified2 file
you can ignore the portscan.log file, since the data it contains will
also be present in the unified2 format.

You can always use the unified2 reader tool provided with the snort
source code (if you build snort from source), called u2spewfoo,
to see that your portscan events are written to your unified2 file.

Make sure you use barnyard2-1.13, and I would even suggest that you run bug-fix:
here: https://github.com/firnsy/barnyard2
bugfix: https://github.com/binf/barnyard2/tree/bug-fix-release

Cheers,
-elz
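
One way to check the point above without u2spewfoo, written as an added example rather than anything from beenph, Snort or Barnyard2: walk a unified2 file, pick out the packet records (type 2), and flag the sfPortscan pseudo-packets by the characteristics README.sfportscan gives (quoted further down this thread): both MAC addresses "MACDAD", IP protocol 255, IP TTL 0. The record layout (8-byte type/length header, 28-byte Serial_Unified2Packet header, Ethernet linktype 1) is the standard unified2 format; the assumption that "MACDAD" is the literal six ASCII bytes and the wording of the sample portscan payload are mine, and the unified2 blob returned by `build_sample_unified2()` is constructed in the script, not captured from a sensor.

```python
import struct
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# unified2 record header: type (uint32), length (uint32), network byte order
RECORD_HDR = struct.Struct("!II")
UNIFIED2_PACKET = 2  # record type of a Serial_Unified2Packet
# Serial_Unified2Packet: sensor_id, event_id, event_second, packet_second,
# packet_microsecond, linktype, packet_length (seven uint32, network order)
PACKET_HDR = struct.Struct("!7I")
DLT_EN10MB = 1
ETHERTYPE_IPV4 = 0x0800
# Assumption: README.sfportscan's "MACDAD" is the literal six ASCII bytes
PSEUDO_MAC = b"MACDAD"
PSEUDO_PROTO = 255   # "IP Protocol == 255" per README.sfportscan
PSEUDO_TTL = 0       # "IP TTL == 0" per README.sfportscan


@dataclass
class PortscanPseudoPacket:
    event_id: int
    src_ip: str
    dst_ip: str
    payload: bytes  # the textual portscan details sfPortscan stores in the IP payload


def iter_records(blob: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (type, body) for each record in a unified2 blob; fail loudly on truncation."""
    off = 0
    while off + RECORD_HDR.size <= len(blob):
        rtype, rlen = RECORD_HDR.unpack_from(blob, off)
        off += RECORD_HDR.size
        if off + rlen > len(blob):
            raise ValueError(f"truncated record of type {rtype} at offset {off - RECORD_HDR.size}")
        yield rtype, blob[off:off + rlen]
        off += rlen


def parse_pseudo_packet(body: bytes) -> Optional[PortscanPseudoPacket]:
    """Return the portscan details if this packet record is an sfPortscan pseudo-packet."""
    if len(body) < PACKET_HDR.size:
        return None
    _sensor, event_id, _esec, _psec, _pusec, linktype, pkt_len = PACKET_HDR.unpack_from(body)
    frame = body[PACKET_HDR.size:PACKET_HDR.size + pkt_len]
    if linktype != DLT_EN10MB or len(frame) < 14 + 20:
        return None
    dst_mac, src_mac = frame[:6], frame[6:12]
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype != ETHERTYPE_IPV4 or dst_mac != PSEUDO_MAC or src_mac != PSEUDO_MAC:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4           # header length, including any IP options
    total_len = struct.unpack_from("!H", ip, 2)[0]
    ttl, proto = ip[8], ip[9]
    if ttl != PSEUDO_TTL or proto != PSEUDO_PROTO or ihl < 20 or total_len > len(ip):
        return None
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    return PortscanPseudoPacket(event_id, src_ip, dst_ip, ip[ihl:total_len])


def find_portscan_events(blob: bytes) -> List[PortscanPseudoPacket]:
    """All sfPortscan pseudo-packets in a unified2 blob, in file order."""
    found = []
    for rtype, body in iter_records(blob):
        if rtype == UNIFIED2_PACKET:
            pkt = parse_pseudo_packet(body)
            if pkt is not None:
                found.append(pkt)
    return found


# --- constructed sample data (not captured from a sensor) ---

def _ipv4_frame(dst_mac, src_mac, src_ip, dst_ip, proto, ttl, payload):
    # Minimal Ethernet II + IPv4 header; the IP checksum is left at 0 for the sample.
    total_len = 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl, proto, 0,
                         bytes(int(o) for o in src_ip.split(".")),
                         bytes(int(o) for o in dst_ip.split(".")))
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + payload


def _packet_record(event_id: int, frame: bytes) -> bytes:
    body = PACKET_HDR.pack(1, event_id, 1394562000, 1394562000, 0, DLT_EN10MB, len(frame)) + frame
    return RECORD_HDR.pack(UNIFIED2_PACKET, len(body)) + body


def build_sample_unified2() -> bytes:
    # Record 1: an ordinary TCP packet record (payload stands in for a segment); must be ignored
    normal = _ipv4_frame(b"\x00\x11\x22\x33\x44\x55", b"\x66\x77\x88\x99\xaa\xbb",
                         "10.0.0.5", "10.0.0.9", 6, 64, b"\x00\x16\x04\xd2" + b"\x00" * 16)
    # Record 2: sfPortscan pseudo-packet; the details text is a constructed sample
    details = (b"Priority Count: 5\nConnection Count: 12\nIP Count: 1\n"
               b"Scanned IP Range: 10.0.0.9:10.0.0.9\nPort/Proto Count: 12\n"
               b"Port/Proto Range: 22:443\n")
    pseudo = _ipv4_frame(PSEUDO_MAC, PSEUDO_MAC, "10.0.0.5", "10.0.0.9",
                         PSEUDO_PROTO, PSEUDO_TTL, details)
    return _packet_record(41, normal) + _packet_record(42, pseudo)


if __name__ == "__main__":
    for ev in find_portscan_events(build_sample_unified2()):
        print(f"event {ev.event_id}: {ev.src_ip} -> {ev.dst_ip}")
        print(ev.payload.decode())
```

To run it against a real spool file, replace `build_sample_unified2()` with the bytes of one of barnyard2's input files (merged.log.<timestamp> in the -d directory); a file that yields no pseudo-packets while portscan.log keeps growing points at the snort.conf output configuration rather than at barnyard2.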


On Tue, Mar 11, 2014 at 3:28 PM, Antonio Piepoli
<piepoli.antonio () gmail com> wrote:
Yes that thread is a bit out of date. I've also searched - a bit- on the
archives of this mailing list but without success.

Maybe it's true that it's hard to tune the preprocessor, but I did not notice
that it was so hungry for resources.


2014-03-11 19:44 GMT+01:00 Maxwell, Jamison [HDS] <JMaxwell () pbp1 com>:

I found this on the snort google group
https://groups.google.com/forum/#!topic/mailing.unix.snort/TgJbigmGpSQ .

It basically says that the BY2 guys are working on a solution for
databasing these logs, but that was two years ago.  Maybe some of the
Barnyard2 folks can comment?

To be honest, I've never played with this preprocessor until now, I don't
really care who scans, to be honest, but in turning it on I've noticed that
it's chock full of false positives, even at the lowest alerting threshold,
and has increased my load by about thirty percent, and memory usage through
the roof.  Seriously, it ate my swapfile.  I don't think I'll be using this
preprocessor much.

Jamison Maxwell



From: Antonio Piepoli [mailto:piepoli.antonio () gmail com]
Sent: Tuesday, March 11, 2014 1:12 PM


To: Maxwell, Jamison [HDS]; snort-users () lists sourceforge net
Subject: Re: Snort + sfPortscan + Barnyard2



Thank you,

I've already read that part of documentation and I'm glad to see that I'm
not the only one who thinks it is a bit obscure :) .

Hope someone can help.

Antonio

On 11/03/2014 17:24, Maxwell, Jamison [HDS] wrote:

Yes, Barnyard2 only processes unified2 format files, but you should be
able to change the output to unified in snort.conf.  I'm not sure quite how
though, as I've never really monkeyed too much with separate preprocessor
logs, but it looks like there's some info about it starting on line 213 in
doc/README.sfportscan.



(unified)

In order to get all the portscan information logged with the alert, snort
generates a pseudo-packet and uses the payload portion to store the additional
portscan information of priority count, connection count, IP count, port count,
IP range, and port range.  The characteristics of the packet are:

Src/Dst MAC Addr == MACDAD
IP Protocol == 255
IP TTL == 0

Other than that, the packet looks like the IP portion of the packet that caused
the portscan alert to be generated.  This includes any IP options, etc.  The
payload and payload size of the packet is equal to the length of the additional
portscan information that is logged.  The size tends to be around 100 - 200
bytes.

Open port alerts differ from the other portscan alerts, because open port alerts
utilize the tagged packet output system.  This means that if an output system
that doesn't print tagged packets is used, then the user won't see open port
alerts.  The open port information is stored in the IP payload and
contains the port that is open.

The sfPortscan alert output was designed to work with unified packet logging, so
it is possible to extend favorite snort GUIs to display portscan alerts and the
additional information in the IP payload using the above packet characteristics.


Though, I don't think this information is very clear.  Also, you're
specifying merged.log in your -f option, which is processing
/var/log/snort/merged.log, not portscan.log, but it would need to be unified
anyway.

Jamison Maxwell

From: Antonio Piepoli [mailto:piepoli.antonio () gmail com]
Sent: Tuesday, March 11, 2014 12:12 PM
To: Maxwell, Jamison [HDS]; snort-users () lists sourceforge net
Subject: Re: Snort + sfPortscan + Barnyard2



First of all thank you for the assistance,

I'm running barnyard with this command:

/usr/local/bin/barnyard2 -c /usr/local/etc/barnyard2.conf -d
/var/log/snort -f merged.log -D

Nowhere in barnyard's config file is it written to process
portscan.log (I knew it was trivial).

Actually I think I'm missing something. The file portscan.log is written
in cleartext while merged.log is unified2, is it not mandatory for barnyard
to read files in unified2 file format? Does snort have to update merged.log
to include sfportscan's alerts?


Thanks,
Antonio

On 11/03/2014 16:55, Maxwell, Jamison [HDS] wrote:

The first thing I would do is ensure that portscan.log is being processed
by barnyard2.  You should see this in /var/log/messages, but you can also
turn on mysql logging and watch the INSERT queries.  In my configuration, on
RHEL, the config file where you specify the log to parse is
/etc/sysconfig/barnyard2.

Jamison Maxwell
Sr. Systems Administrator

-----Original Message-----
From: snort-users-request () lists sourceforge net
[mailto:snort-users-request () lists sourceforge net]
Sent: Tuesday, March 11, 2014 10:34 AM
To: snort-users () lists sourceforge net
Subject: Snort-users Digest, Vol 94, Issue 24

--
Antonio Piepoli

------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and their
applications. Written by three acclaimed leaders in the field,
this first edition is now available. Download your free book today!
http://p.sf.net/sfu/13534_NeoTech
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort
news!
