Re: Snorby Snort or Barnyard scrambles IPs

[Ilja Schumacher <ilja.schumacher () gmail com>]

Hi guys,

Barnyard2 actually reads everything fine from the u2 logs. All parts of the
alarms are shown correctly in DB and snortby except the IPHDR.source and
IPHDR.destinations columns.

I have run search functions over the whole system. No u2spewfoo found
anywhere. So I guess the snort-Debian-Wheezy-ARMEL package does indeed not
have it.

Until now I could not see any barnyard traffic over the eth or lo interface
because i had it configured to use "localhost" causing it to use the socket
instead of lo interface.
Changed to 127.0.0.1. Now I see the mysql statements barnyard2 inserting in
clear text as you said.

Result: Barnyard2 is inserting wrong values like 3232255270 =
*192.168.77.38*
While u2 logs (i can only read them in HEX which is still ok) show the
correct adresses.

So the current status is:
Snort => snort.u2.log = correct
snort.u2.log => Barnyard2 => DB = 3rd and 4th bytes of IPHDR.source and
IPHDR.destination are swiched and padded with rubbish for some reason.

I will bring up the issue in the mailinglist of barnyard-users (thanks for
the link) and report back.

@Alex: Already checked that. Obfuscate IPs is disabled on my system atm.

Cheers and Thanks
Ilja




2014-03-31 18:01 GMT+02:00 Jeremy Hoel <jthoel () gmail com>:

So the u2 tools are part of the snort package and should be even on debian.
>   "u2spewfoo" lets you look at the u2 files, dumps what they contain in a
> readable format.
>
> So it from your notes it seems BY2 isn't readying the U2 right, or not
> sending it to mysql correctly.  BY2 should send the communication to the DB
> over plain text (according your config) so should see the bad IP going over
> the wire when it reads the u2 file.
>
> Elz (beenph) is one of the authors of BY2 and there is a mailing list for
> support and since I'm not a coder he might have some better ideas.
>
> https://groups.google.com/forum/#!forum/barnyard2-users
>
> looking at past archives I don't see any threads related to running BY2 on
> arm, so I don't know that it has or has not already been looked at.  It is
> odd that it gets part of the IP, but not all of it.
>
>
>
>
>
>
>
> On Mon, Mar 31, 2014 at 4:05 AM, Ilja Schumacher <
> ilja.schumacher () gmail com> wrote:
>
> > Hi Jeremy, thanks for your reply:
> >
> >
> > MYSQL:
> >
> > Example Event in Database sid 1 cid 1:
> > ipsrc is: 3232246349 = 11000000101010000010101001001101 = 192.168.42.77
> > Which is totaly wrong already because my test network is on
> > 192.168.1.0/24
> > So Snorby is not the villian here.
> >
> > BARNYARD-ALERTS-LOG
> >
> >  Barnyard2 alerts log also reports wrong ips.
> > Example Alert:
> > ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc
> > Attack] [Priority: 2] {TCP} 218.77.8.206:34958 -> 192.168.79.34:80
> > The Destination IP is clearly not addressable in my lab network.
> >
> > SNORT U2-LOG:
> > As i have the debian package installed and it has no u2 log converter
> > bundled i used a hex editor:
> > I have alerts in snorby that are 100% directed towards my testlab
> > asterisk on 192.168.1.4
> >
> > Which would be HEX C0:A8:01:04.
> > The u2 log clearly shows several accurances of this value matching the
> > count of the events corresponding to 192.168.1.4 in snorby.
> >
> > So there is something wrong in barnyard2 because the u2 log is correct
> > but it somehow writes wrong values into the database.
> >
> > The barnyard2 config is completely stock except for the following line:
> >
> > output database: log, mysql, user=someuser password=somepassword
> > dbname=snorby host=localhost
> >
> > The snort config has:
> > output unified2: filename snort.log, limit 128
> >
> > Barnyard2 is started this way:
> > barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w
> > /etc/snort/bylog.waldo
> >
> > All other files needed like gen-msg.map sid-msg.map and classifications
> > etc. are in the default locations or defined in snort.conf.
> >
> > Thanks again for your help.
> >
> > Cheers
> > Ilja
> >
> >
> >
> > 2014-03-31 9:07 GMT+02:00 Jeremy Hoel <jthoel () gmail com>:
> >
> > Start with the beginning.. does TCP dump always show the right IP, then
> > > does the u2 files show the right IPs (and in syslog if you have that
> > > output)?  sniff the traffic and see if BY2 is sending the right IP and then
> > > check the db and ensure that it's being stored as the right IP.  I'm
> > > thinking it might have something to do with how the DB is storing the IP,
> > > but that's just a guess.
> > >
> > > if you go through each of these spots it might help narrow down the
> > > problem, and maybe in the end it's a snorby issue and you can bring it up
> > > on that mailing list.. but it's a good idea to check the other bits first.
> > >
> > >
> > > On Mon, Mar 31, 2014 at 2:57 AM, Ilja Schumacher <
> > > ilja.schumacher () gmail com> wrote:
> > >
> > > > Hey fellows,
> > > >
> > > > I have just finished setting up snort barnyard mysql pulledpork and
> > > > snorby in an ARM5 box.
> > > >
> > > > Everything works very nice except that snorby shows totally scrambled
> > > > IPS for source and destination.
> > > >
> > > > Example:
> > > > Real source 82.56.35.23
> > > > Real destination 192.168.1.13
> > > >
> > > > Snorby shows:
> > > > Source 82.56.XX1.13
> > > > Destination 192.168.X35.23
> > > >
> > > > X is 1 most of the time.
> > > >
> > > > Setup is:
> > > > Internet. Firewall/NAT. LanportMirror. Snort.
> > > >
> > > > Do you have a clue what may cause such strange behaviour?
> > > >
> > > > Cheers
> > > > Ilja
> > > >
> > > >
> > > > ------------------------------------------------------------------------------
> > > >
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users () lists sourceforge net
> > > > Go to this URL to change user options or unsubscribe:
> > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > Snort-users list archive:
> > > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > > >
> > > > Please visit http://blog.snort.org to stay current on all the latest
> > > > Snort news!
------------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!