[Snort-users] Tcpdump, alerts and portscans

Jason Lewis jlewis at ...1831...
Mon Jun 25 18:58:33 EDT 2001


That is exactly what I am doing.

Here is my sensor command line.

snort -A full -b -c rules.conf -d -D -e -h 192.168.0.0/24 -i eth0 -l /var/log/snort/snort.log

Here is my master console command line.  This reads in the tcpdump files
from the above sensor.

/usr/local/bin/snort -u snort -g snort -d -c /etc/snort/snort.conf -r /var/log/snort/snort.log

It has been working well.  Are there any switches I am missing that might
make things better?

Jason Lewis
http://www.packetnexus.com
It's not secure "Because they told me it was secure".
The people at the other end of the link know less
about security than you do. And that's scary.





-----Original Message-----
From: Phil Wood [mailto:cpw at ...440...]
Sent: Monday, June 25, 2001 6:48 PM
To: Jason Lewis
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Tcpdump, alerts and portscans


On Mon, Jun 25, 2001 at 02:46:19PM -0400, Jason Lewis wrote:
> Yeah, I thought I had solved it.  I was using -A full on the command line
> and that overrides the config file.  But, portscans are not making it into
> ACID.
>
> Couldn't a replay do the same thing on the tcpdump file?  I mean doesn't it
> seem possible that a processor could look at the tcpdump file and store the
> same info and make the same conclusions about connections?

If you have a full tcpdump of all packets on your net, then you can do a
post process using snort with the output database plugin enabled and get
the portscans in acid along with the alerts.  (The alerts will have complete
ip/proto/data; the portscans will be summary info with no associated
packet data.)

>
> Maybe I can log portscans to a file and then insert those into ACID?  It
> doesn't look like there is anything fancy happening with portscans when they
> are put into ACID normally?  Does that sound like it might work?

In my circumstance, gige feed, over 500 million packets a day,
and the fact that we are a national lab (average 400,000 scans a day),
I've decided to leave the scans in the scan file, and summarize them out
of band so to speak.

Also, what's nice about acid is the complete breakout of the various layers
of protocol.  The current implementation of portscan does not provide that
kind of data.  Acid will take the alerts from portscan and
put them in a bucket, but there is not a "packet" to go with it.  At least
it used to be that way.

>
> Jason Lewis
> http://www.packetnexus.com
> It's not secure "Because they told me it was secure".
> The people at the other end of the link know less
> about security than you do. And that's scary.
>
>
>
>
>
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Phil Wood
> Sent: Monday, June 25, 2001 10:41 AM
> To: Jason Lewis
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Tcpdump, alerts and portscans
>
>
> I think there is more to it than that.  The -A full only means that the
> entire packet that caused the alert is decoded.  The -b option will write
> any packet to a pcap file that was found by a snort RULE.
>
> However, the portscan preprocessor is accumulating information in memory
> which can lead to the conclusion that a scan is taking place.  It will
> format alert type messages and pass them to the output processor, but not
> log (pcap style) the packets that caused it to come to that conclusion.
> Also, it will generate a file with a timestamp, source host/port and
> destination host/port for each packet.  But, this is not something that you
> can replay into snort.
>
> On Mon, Jun 25, 2001 at 03:01:50AM -0400, Jason Lewis wrote:
> > So, I wake up at 2:30am and realize what the problem is.  A case of lack of
> > sleep and tunnel vision.  I somehow missed the -A full on the command line
> > for the instance of snort reading the tcpdump file.
> >
> > Sometimes just writing it down and letting it bounce around in your brain is
> > the thing to do.  Thanks for listening.  ;)
> >
> > Jason Lewis
> > http://www.packetnexus.com
> > It's not secure "Because they told me it was secure".
> > The people at the other end of the link know less
> > about security than you do. And that's scary.
> >
> >
> >
> > -----Original Message-----
> > From: snort-users-admin at lists.sourceforge.net
> > [mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Jason Lewis
> > Sent: Sunday, June 24, 2001 10:40 PM
> > To: snort-users at lists.sourceforge.net
> > Subject: [Snort-users] Tcpdump, alerts and portscans
> >
> >
> > Maybe I have been looking at this too long and I am not seeing the obvious.
> > Or, maybe I made an assumption about tcpdump.
> >
> > I am replaying tcpdump files with snort and putting the info into ACID.  I
> > am not seeing any portscans in ACID after the replay.  Is this normal?  Is
> > it just a configuration setting I have overlooked?  I thought tcpdump held
> > all the packet info and snort could replay it and identify portscans.
> > Wrong?
> >
> > On the box that is replaying the tcpdump files, I have the following:
> >
> > output database: log, mysql, dbname=snort_log user=snort host=localhost
> > password=abc123
> > output database: alert, mysql, dbname=snort_log user=snort host=localhost
> > password=abc123
> >
> > What am I missing?
> >
> > Jason Lewis
> > http://www.packetnexus.com
> > It's not secure "Because they told me it was secure".
> > The people at the other end of the link know less
> > about security than you do. And that's scary.
> >
> >
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > http://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> >
>
> --
> Phil Wood, cpw at ...440...
>
>

--
Phil Wood, cpw at ...440...
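As an added example, not code from this thread, from Snort or from ACID: one way to do the "summarize them out of band" step Phil describes for the portscan preprocessor's scan file. The script below parses the per-packet scan log (timestamp, source host/port, destination host/port) into one record per line and rolls it up to one summary per scanning source, so the per-packet lines never have to be imported into the alert database. The log layout in `SAMPLE_SCAN_LOG` is constructed for this example and is an assumption about the spp_portscan file format; the log carries no year, so `parse_scan_log` takes one as a parameter. Malformed lines are skipped rather than aborting the run.

```python
import re
from datetime import datetime

# Constructed sample input. The layout (timestamp, src:port -> dst:port,
# protocol, optional TCP flag summary) follows the fields Phil lists for the
# spp_portscan scan log; the exact field layout is an assumption here.
SAMPLE_SCAN_LOG = """\
Jun 25 18:58:33 10.0.0.5:1234 -> 192.168.0.1:21 SYN ******S*
Jun 25 18:58:33 10.0.0.5:1235 -> 192.168.0.1:22 SYN ******S*
Jun 25 18:58:34 10.0.0.5:1236 -> 192.168.0.1:23 SYN ******S*
Jun 25 18:58:34 10.0.0.5:1237 -> 192.168.0.2:80 SYN ******S*
Jun 25 18:59:01 10.0.0.9:40000 -> 192.168.0.3:53 UDP
Jun 25 18:59:02 10.0.0.9:40001 -> 192.168.0.4:53 UDP
this line is deliberately malformed and must be skipped
"""

# One scan-log line; the trailing flag field is optional (absent for UDP).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) "
    r"(?P<proto>\S+)(?: (?P<flags>\S+))?$"
)


def parse_scan_log(text, year=2001):
    """Yield one record per well-formed line. The scan log carries no year,
    so the caller supplies it; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield {
            "ts": ts,
            "src": m["src"],
            "sport": int(m["sport"]),
            "dst": m["dst"],
            "dport": int(m["dport"]),
            "proto": m["proto"],
            "flags": m["flags"],
        }


def summarize_scans(text, year=2001):
    """Roll the per-packet scan log up to one summary per scanning source:
    packet count, distinct targets/ports, protocols, time span and a rough
    vertical/horizontal classification."""
    per_src = {}
    for rec in parse_scan_log(text, year):
        s = per_src.setdefault(rec["src"], {
            "packets": 0, "targets": set(), "ports": set(), "protos": set(),
            "first": rec["ts"], "last": rec["ts"],
        })
        s["packets"] += 1
        s["targets"].add(rec["dst"])
        s["ports"].add(rec["dport"])
        s["protos"].add(rec["proto"])
        s["first"] = min(s["first"], rec["ts"])
        s["last"] = max(s["last"], rec["ts"])

    summary = {}
    for src, s in per_src.items():
        n_targets, n_ports = len(s["targets"]), len(s["ports"])
        if n_targets == 1 and n_ports > 1:
            kind = "vertical"      # many ports on one host
        elif n_ports == 1 and n_targets > 1:
            kind = "horizontal"    # one port across many hosts
        else:
            kind = "mixed"
        summary[src] = {
            "packets": s["packets"],
            "targets": n_targets,
            "ports": n_ports,
            "protos": sorted(s["protos"]),
            "first": s["first"],
            "last": s["last"],
            "duration_s": (s["last"] - s["first"]).total_seconds(),
            "kind": kind,
        }
    return summary


def format_summary(summary):
    """Render the summary as fixed-width text, busiest source first."""
    rows = sorted(summary.items(), key=lambda kv: -kv[1]["packets"])
    lines = ["%-15s %7s %7s %5s %8s %-10s %s" %
             ("source", "packets", "targets", "ports", "span(s)", "kind", "protos")]
    for src, s in rows:
        lines.append("%-15s %7d %7d %5d %8.0f %-10s %s" % (
            src, s["packets"], s["targets"], s["ports"], s["duration_s"],
            s["kind"], ",".join(s["protos"])))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_summary(summarize_scans(SAMPLE_SCAN_LOG)))
```

Run it against a real scan file with `summarize_scans(open(path).read(), year=...)`; the per-source table is small enough to mail out daily or load into a database table of its own, which is the point of summarizing out of band rather than pushing hundreds of thousands of packet lines through the alert pipeline.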