[Snort-users] Unified Logging - BASE - Portscans

James Lay jlay at ...13475...
Tue Jul 26 22:25:55 EDT 2011


Extremely curious!  Can you:  diff the two portscan files to see if they
are different?  That's all I got...unless BASE reads portscan data from
the db, and snort puts data into the db differently than barnyard2,
then I am TOTALLY at a loss..wild!

Thanks for keeping on this.

James

On 7/26/11 8:21 PM, "Michael Steele" <michaels at ...9077...> wrote:

>James,
>
>Ok, I restarted two completely separate instances, and they are running
>simultaneously:
>
>VM1: Snort / MySQL / BASE / Unified Logging
>VM2: Snort / MySQL / BASE / Output Database Logging
>
>I am now receiving portscans into the portscan.log file on each VM.
>
>VM2 is the only instance that displays the portscans in the BASE console.
>
>VM1 is configured with Unified2 logging and is receiving portscans into
>the portscan.log file but BASE is not processing them.
>
>I'm guessing someone needs to jump in here that has some knowledge of how
>BASE processes the portscans in order to find out why portscans are being
>logged into the portscan.log file, but not processed when Unified2 logging
>is used.
>
>Kindest regards,
>Michael...
>
>
>-----Original Message-----
>From: James Lay [mailto:jlay at ...13475...]
>Sent: Monday, July 25, 2011 10:28 PM
>To: Michael Steele; Snort
>Subject: Re: [Snort-users] Unified Logging - BASE - Portscans
>
>Done and done...nmaped from another netblock I control...sanitized output.
>
>Time: 07/25-20:25:10.421362
>event_id: 1
>netblock -> external.ip (portscan) TCP Portscan Priority Count: 5
>Connection Count: 59 IP Count: 1 Scanner IP Range: netblock ip range
>Port/Proto Count: 62 Port/Proto Range: 21:55600
>
>
>My output lines in snort.conf:
>
>output alert_syslog: LOG_AUTH LOG_ALERT
>output alert_fast: snortalert.fast
>output log_tcpdump: snort.pcap
>output unified2: filename snortalert.unified
>
>Base still doesn't seem to be able to read it though, which is kind of a
>drag (even after changing perms to 0644).
>
>
>James
>
>
>
>On 7/25/11 4:45 PM, "Michael Steele" <michaels at ...9077...> wrote:
>
>>James,
>>
>>My portscan.log is 0 bytes. If I turn unified logging off, and turn the
>>output database plugin on, the portscan.log file will be populated with
>>portscan alerts.
>>
>>This is strange, so you have unified logging turned on and you are
>>receiving data into the portscan.log file? Can you verify that it's
>>really working by stopping the snort service, deleting the file and
>>restarting the snort service to see if alerts will continue to populate
>>the portscan.log file?
>>
>>Kindest regards,
>>Michael...
>>
>>-----Original Message-----
>>From: Lay, James [mailto:james.lay at ...15009...]
>>Sent: Monday, July 25, 2011 6:00 PM
>>To: Michael Steele; snort-users at lists.sourceforge.net
>>Subject: RE: [Snort-users] Unified Logging - BASE - Portscans
>>
>>Hi Michael,
>>
>>Now that's odd...my sfportscan line:
>>
>>preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low } logfile { portscan.log }
>>
>>And a tail of my portscan.log:
>>
>>Time: 07/25-06:37:31.148528
>>event_id: 750
>>92.126.55.42 -> external.ip (portscan) UDP Portscan Priority Count: 45
>>Connection Count: 86 IP Count: 5 Scanner IP Range: 74.50.52.136:92.126.55.42
>>Port/Proto Count: 5 Port/Proto Range: 6881:44898
>>
>>
>>I'm betting this is a different format from 2009's sfportscan?  I dunno :(
>>
>>James
>>
>>> -----Original Message-----
>>> From: Michael Steele [mailto:michaels at ...9077...]
>>> Sent: Monday, July 25, 2011 3:23 PM
>>> To: Lay, James; snort-users at lists.sourceforge.net
>>> Subject: RE: [Snort-users] Unified Logging - BASE - Portscans
>>> 
>>> James,
>>> 
>>> Thanks for taking a look. I know there are a LOT of users on all
>>> platforms still using BASE as their console. I was talking to Jason and
>>> he tells me that when unified2 logging is used, all alerts go into the
>>> unified log file, and I'm assuming that includes portscans.
>>> 
>>> Seems someone would have come up with a solution to view portscans in
>>> the BASE console using unified logging.
>>> 
>>> The below is used in order for BASE to grab the portscans, at least
>>> it worked with 'output database':
>>> preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low } logfile { portscan.log }
>>> 
>>> When the above 'preprocessor sfportscan:' is used with unified logging
>>> all it does is create the portscan.log file and never injects portscans
>>> into the log file.
>>> 
>>> I'm not even real sure if the 'preprocessor sfportscan:' is even needed
>>> using unified logging method, and I'm not real sure how to turn
>>> portscans on when using unified2 logging:
>>> preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
>>> 
>>> And will the above log portscans to the unified log file?
>>> 
>>> Kindest regards,
>>> Michael...
>>> 
>>> 
>>> -----Original Message-----
>>> From: Lay, James [mailto:james.lay at ...15009...]
>>> Sent: Monday, July 25, 2011 3:29 PM
>>> To: Michael Steele; snort-users at lists.sourceforge.net
>>> Subject: Re: [Snort-users] Unified Logging - BASE - Portscans
>>> 
>>> > -----Original Message-----
>>> > From: Michael Steele [mailto:michaels at ...9077...]
>>> > Sent: Friday, July 22, 2011 9:13 PM
>>> > To: snort-users at lists.sourceforge.net
>>> > Subject: [Snort-users] Unified Logging - BASE - Portscans
>>> >
>>> > I noticed that moving from output database to unified logging that
>>> > portscans are no longer displayed in the BASE console.
>>> >
>>> > Is there a solution to get this feature back to working in BASE?
>>> >
>>> > Kindest regards,
>>> > Michael...
>>> 
>>> Michael, FWIW I tried in vain to get this to fly at home...I have the
>>> portscan.log file being created as well as pointing to the right spot
>>> in base_conf.php, but nothing shows up.  I suspect it's a difference in
>>> the file format from the time BASE was made.  I'm sure an enterprising
>>> soul could make the mods to the php files, but that wouldn't be me ;)
>>> For now I do without portscan info...BASE gives me what I need without.
>>> 
>>> James
>>> 
>>> 
>>> ------------------------------------------------------------------------------
>>> Storage Efficiency Calculator
>>> This modeling tool is based on patent-pending intellectual property that has
>>> been used successfully in hundreds of IBM storage optimization engagements,
>>> worldwide.  Store less, Store more with what you own, Move data to the right
>>> place. Try It Now!
>>> http://www.accelacomm.com/jaw/sfnl/114/51427378/
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>> 
>>> Please see http://www.snort.org/docs for documentation
>>> 
>>
>>
>>
>>
>
>
>
>
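Since BASE is not picking these entries up, the following is an added example (not code from the thread, Snort or BASE) of parsing the portscan.log record format quoted above into structured events and ranking the scanning sources; it assumes records are separated by blank lines, IPv4 scanner ranges, and the constructed sample embedded below.

```python
import re
from typing import Dict, List, Tuple
# Constructed sample modelled on the two portscan.log entries quoted in the
# thread (same fields and e-mail line wrapping; addresses from RFC 5737 ranges).
SAMPLE_LOG = """\
Time: 07/25-06:37:31.148528
event_id: 750
203.0.113.42 -> 192.0.2.10 (portscan) UDP Portscan Priority Count: 45
Connection Count: 86 IP Count: 5 Scanner IP Range: 203.0.113.9:203.0.113.42
Port/Proto Count: 5 Port/Proto Range: 6881:44898

Time: 07/25-20:25:10.421362
event_id: 1
198.51.100.7 -> 192.0.2.10 (portscan) TCP Portscan Priority Count: 5
Connection Count: 59 IP Count: 1 Scanner IP Range: 198.51.100.7:198.51.100.7
Port/Proto Count: 62 Port/Proto Range: 21:55600
"""
_HEAD = re.compile(r"(\S+)\s*->\s*(\S+)\s*\(portscan\)\s*(.+?)\s*Priority Count:", re.S)
_COUNT = re.compile(r"(Priority|Connection|IP|Port/Proto) Count:\s*(\d+)")

def _field(name: str, block: str) -> str:
    m = re.search(name + r":\s*(\S+)", block)
    if not m:
        raise ValueError(f"portscan record without '{name}': {block!r}")
    return m.group(1)

def parse_portscan_log(text: str) -> List[dict]:
    """Split on blank lines and pull fields by name, so both the wrapped layout
    quoted in the thread and Snort's one-field-per-line layout parse."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        head = _HEAD.search(block)
        if not head:
            continue  # not a portscan record (e.g. a truncated tail): skip, don't abort
        ip_lo, ip_hi = _field("Scanner IP Range", block).split(":", 1)  # IPv4 only
        p_lo, p_hi = _field("Port/Proto Range", block).split(":", 1)
        events.append({
            "time": _field("Time", block), "event_id": int(_field("event_id", block)),
            "src": head.group(1), "dst": head.group(2), "scan_type": head.group(3).strip(),
            "counts": {k: int(v) for k, v in _COUNT.findall(block)},
            "ip_range": (ip_lo, ip_hi), "port_range": (int(p_lo), int(p_hi)),
        })
    return events

def top_scanners(events: List[dict]) -> List[Tuple[str, int]]:
    """Sources ranked by total connection count: the summary BASE is not showing."""
    totals: Dict[str, int] = {}
    for e in events:
        totals[e["src"]] = totals.get(e["src"], 0) + e["counts"].get("Connection", 0)
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
```

Pointing `parse_portscan_log` at the real file (`open("portscan.log").read()`) gives the same records whether Snort wrote them one field per line or a mail client re-wrapped them.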