[Snort-users] Unified Logging - BASE - Portscans

James Lay jlay at ...13475...
Mon Jul 25 22:28:26 EDT 2011


Done and done...nmaped from another netblock I control...sanitized output.

Time: 07/25-20:25:10.421362
event_id: 1
netblock -> external.ip (portscan) TCP Portscan
Priority Count: 5
Connection Count: 59
IP Count: 1
Scanner IP Range: netblock ip range
Port/Proto Count: 62
Port/Proto Range: 21:55600


My output lines in snort.conf:

output alert_syslog: LOG_AUTH LOG_ALERT
output alert_fast: snortalert.fast
output log_tcpdump: snort.pcap
output unified2: filename snortalert.unified

Base still doesn't seem to be able to read it though, which is kind of a
drag (even after changing perms to 0644).


James
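The portscan.log records quoted in this thread are regular enough to parse outside BASE; the parser below is an added example, not code from the thread or from Snort/BASE, and it assumes the blank-line-delimited Time / event_id / "src -> dst (portscan) PROTO type" / counter layout shown above. The sample records are constructed (RFC 5737 documentation addresses), and the year is supplied by the caller because the Time: line carries none.

```python
import re
from datetime import datetime

# Constructed sample in the layout of the portscan.log records quoted in the thread;
# addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """Time: 07/25-20:25:10.421362
event_id: 1
203.0.113.7 -> 192.0.2.10 (portscan) TCP Portscan
Priority Count: 5
Connection Count: 59
IP Count: 1
Scanner IP Range: 203.0.113.7:203.0.113.7
Port/Proto Count: 62
Port/Proto Range: 21:55600

Time: 07/25-06:37:31.148528
event_id: 750
203.0.113.9 -> 192.0.2.10 (portscan) UDP Portscan
Priority Count: 45
Connection Count: 86
IP Count: 5
Scanner IP Range: 203.0.113.9:203.0.113.13
Port/Proto Count: 5
Port/Proto Range: 6881:44898
"""

HEADER_RE = re.compile(r"^(\S+) -> (\S+) \(portscan\) (TCP|UDP|IP|ICMP) (.+)$")
FIELD_RE = re.compile(r"^([A-Za-z/_ ]+): (.+)$")

def parse_record(block, year):  # year: sfportscan writes none in the Time: line
    rec = {}
    for line in block.strip().splitlines():
        m = HEADER_RE.match(line)
        if m:
            rec["src"], rec["dst"], rec["proto"], rec["scan_type"] = m.groups()
            continue
        m = FIELD_RE.match(line)
        if not m:
            raise ValueError("unrecognised portscan.log line: %r" % line)
        key, val = m.group(1).strip(), m.group(2).strip()
        if key == "Time":
            rec["time"] = datetime.strptime("%d/%s" % (year, val), "%Y/%m/%d-%H:%M:%S.%f")
        elif key == "event_id" or key.endswith("Count"):
            rec[key] = int(val)
        else:
            rec[key] = val
    return rec

def parse_log(text, year):
    # records are separated by one blank line
    return [parse_record(b, year) for b in re.split(r"\n\s*\n", text.strip()) if b.strip()]
```

A line the regexes do not recognise raises ValueError instead of being silently skipped, which is the kind of format drift the thread suspects broke BASE's reader.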



On 7/25/11 4:45 PM, "Michael Steele" <michaels at ...9077...> wrote:

>James,
>
>My portscan.log is 0 bytes. If I turn unified logging off, and turn the
>output database plugin on, the portscan.log file will be populated with
>portscan alerts.
>
>This is strange, so you have unified logging turned on and you are receiving
>data into the portscan.log file? Can you verify that it's really working by
>stopping the snort service, deleting the file and restarting the snort
>service to see if alerts will continue to populate the portscan.log file?
>
>Kindest regards,
>Michael...
>
>-----Original Message-----
>From: Lay, James [mailto:james.lay at ...15009...]
>Sent: Monday, July 25, 2011 6:00 PM
>To: Michael Steele; snort-users at lists.sourceforge.net
>Subject: RE: [Snort-users] Unified Logging - BASE - Portscans
>
>Hi Michael,
>
>Now that's odd...my sfportscan line:
>
>preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low } logfile { portscan.log }
>
>And a tail of my portscan.log:
>
>Time: 07/25-06:37:31.148528
>event_id: 750
>92.126.55.42 -> external.ip (portscan) UDP Portscan
>Priority Count: 45
>Connection Count: 86
>IP Count: 5
>Scanner IP Range: 74.50.52.136:92.126.55.42
>Port/Proto Count: 5
>Port/Proto Range: 6881:44898
>
>
>I'm betting this is a different format from 2009's sfportscan?  I dunno :(
>
>James
>
>> -----Original Message-----
>> From: Michael Steele [mailto:michaels at ...9077...]
>> Sent: Monday, July 25, 2011 3:23 PM
>> To: Lay, James; snort-users at lists.sourceforge.net
>> Subject: RE: [Snort-users] Unified Logging - BASE - Portscans
>> 
>> James,
>> 
>> Thanks for taking a look. I know there are a LOT of users on all platforms still
>> using BASE as their console. I was talking to Jason and he tells me that
>> when unified2 logging is used, all alerts go into the unified log file, and
>> I'm assuming that includes portscans.
>> 
>> Seems someone would have come up with a solution to view portscans in the
>> BASE console using unified logging.
>> 
>> The below is used in order for BASE to grab the portscans, at least it
>> worked with 'output database':
>> preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low } logfile { portscan.log }
>> 
>> When the above 'preprocessor sfportscan:' is used with unified logging all
>> it does is create the portscan.log file and never injects portscans into the
>> log file.
>> 
>> I'm not even real sure if the 'preprocessor sfportscan:' is even needed
>> using unified logging method, and I'm not real sure how to turn portscans on
>> when using unified2 logging:
>> preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
>> 
>> And will the above log portscans to the unified log file?
>> 
>> Kindest regards,
>> Michael...
>> 
>> 
>> -----Original Message-----
>> From: Lay, James [mailto:james.lay at ...15009...]
>> Sent: Monday, July 25, 2011 3:29 PM
>> To: Michael Steele; snort-users at lists.sourceforge.net
>> Subject: Re: [Snort-users] Unified Logging - BASE - Portscans
>> 
>> > -----Original Message-----
>> > From: Michael Steele [mailto:michaels at ...9077...]
>> > Sent: Friday, July 22, 2011 9:13 PM
>> > To: snort-users at lists.sourceforge.net
>> > Subject: [Snort-users] Unified Logging - BASE - Portscans
>> >
>> > I noticed that moving from output database to unified logging that
>> > portscans are no longer displayed in the BASE console.
>> >
>> > Is there a solution to get this feature back to working in BASE?
>> >
>> > Kindest regards,
>> > Michael...
>> 
>> Michael, FWIW I tried in vain to get this to fly at home...I have the
>> portscan.log file being created as well as pointing to the right spot in
>> base_conf.php, but nothing shows up.  I suspect it's a difference in the
>> file format from the time BASE was made.  I'm sure an enterprising soul
>> could make the mods to the php files, but that wouldn't be me ;)  For now I
>> do without portscan info...BASE gives me what I need without.
>> 
>> James
>> 
>>
>------------------------------------------------------------------------
>----
>> --
>> Storage Efficiency Calculator
>> This modeling tool is based on patent-pending intellectual property
>that has
>> been used successfully in hundreds of IBM storage optimization engage-
>> ments, worldwide.  Store less, Store more with what you own, Move data
>to
>> the right place. Try It Now!
>> http://www.accelacomm.com/jaw/sfnl/114/51427378/
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>> 
>> Please see http://www.snort.org/docs for documentation
>> 