[Snort-users] Barnyard2 not inputting portscans (was Unified Logging - BASE - Portscans)

James Lay jlay at ...13475...
Wed Jul 27 08:30:41 EDT 2011


Interesting....and guess what...barnyard2 doesn't seem to log portscan
data:

Jul 26 20:34:39 gateway snort[4555]: [122:17:0] (portscan) UDP Portscan
[Priority: 3] {PROTO:255} 205.171.2.25 -> my.ext.ip

A search for 205.171.2.25 came up empty....I think we have our issue.
Time to talk to firnsy maybe?

On 7/27/11 5:48 AM, "Michael Steele" <michaels at ...9077...> wrote:

>James,
>
>Out of curiosity I matched the same two alerts in each BASE console. Unified
>logging seems not to be inserting data into the database like it does with
>the output database.
>
>This could be a direct result of the script I'm using as it's still in
>development.
>
>Picture of alert from Unified2 logging:
>http://www.winsnort.com/data/unified.gif
>
>Picture of alert from Output Database logging:
>http://www.winsnort.com/data/output.gif
>
>Kindest regards,
>Michael...
>
>-----Original Message-----
>From: Michael Steele [mailto:michaels at ...9077...]
>Sent: Tuesday, July 26, 2011 11:38 PM
>To: 'James Lay'; 'Snort'
>Subject: Re: [Snort-users] Unified Logging - BASE - Portscans
>
>Here is an example of the same alert pulled from each portscan.log file.
>
>Output Database portscan.log entry:
>--------------------\
>Time: 07/26-23:08:45.356955
>event_id: 1797
>10.0.0.3 -> 120.28.64.74 (portscan) TCP Portsweep Priority Count: 5
>Connection Count: 12 IP Count: 10 Scanned IP Range: 99.154.244.83:180.149.12.86
>Port/Proto Count: 10 Port/Proto Range: 12293:59346
>--------------------/
>
>Using Unified2 portscan.log entry:
>--------------------\
>Time: 07/26-23:08:45.371463
>event_id: 1802
>10.0.0.3 -> 120.28.64.74 (portscan) TCP Portsweep Priority Count: 5
>Connection Count: 12 IP Count: 10 Scanned IP Range: 99.154.244.83:180.149.12.86
>Port/Proto Count: 10 Port/Proto Range: 12293:59346
>--------------------/
>
>The portscan.log files look almost identical except for the 'Time:' and
>'event id:' tags. It's really strange that one is processing and the other
>is not.
>
>Hopefully someone that understands how BASE processes the portscans will
>chime in here and make some sense of this?
>
>Kindest regards,
>Michael...
>
>-----Original Message-----
>From: James Lay [mailto:jlay at ...13475...]
>Sent: Tuesday, July 26, 2011 10:26 PM
>To: Michael Steele; Snort
>Subject: Re: [Snort-users] Unified Logging - BASE - Portscans
>
>Extremely curious!  Can you:  diff the two portscan files to see if they
>are different?  That's all I got...unless BASE reads portscan data from the
>db, and snort puts data into the db differently than barnyard2, then I am
>TOTALLY at a loss..wild!
>
>Thanks for keeping on this.
>
>James
>
>On 7/26/11 8:21 PM, "Michael Steele" <michaels at ...9077...> wrote:
>
>>James,
>>
>>Ok, I restarted two completely separate instances, and they are running
>>simultaneously:
>>
>>VM1: Snort / MySQL / BASE / Unified Logging
>>VM2: Snort / MySQL / BASE / Output Database Logging
>>
>>I am now receiving portscans into the portscan.log file on each VM.
>>
>>VM2 is the only instance that displays the portscans in the BASE console.
>>
>>VM1 is configured with Unified2 logging and is receiving portscans into
>>the portscan.log file but BASE is not processing them.
>>
>>I'm guessing someone needs to jump in here that has some knowledge of
>>how BASE processes the portscans in order to find out why portscans are
>>being logged into the portscan.log file, but not processed when
>>Unified2 logging is used.
>>
>>Kindest regards,
>>Michael...
>>
>>
>>-----Original Message-----
>>From: James Lay [mailto:jlay at ...13475...]
>>Sent: Monday, July 25, 2011 10:28 PM
>>To: Michael Steele; Snort
>>Subject: Re: [Snort-users] Unified Logging - BASE - Portscans
>>
>>Done and done...nmaped from another netblock I control...sanitized
>>output.
>>
>>Time: 07/25-20:25:10.421362
>>event_id: 1
>>netblock -> external.ip (portscan) TCP Portscan Priority Count: 5
>>Connection Count: 59 IP Count: 1 Scanner IP Range: netblock ip range
>>Port/Proto Count: 62 Port/Proto Range: 21:55600
>>
>>
>>My output lines in snort.conf:
>>
>>output alert_syslog: LOG_AUTH LOG_ALERT
>>output alert_fast: snortalert.fast
>>output log_tcpdump: snort.pcap
>>output unified2: filename snortalert.unified
>>
>>Base still doesn't seem to be able to read it though, which is kind of
>>a drag (even after changing perms to 0644).
>>
>>
>>James
>>
>>
>>
>>On 7/25/11 4:45 PM, "Michael Steele" <michaels at ...9077...> wrote:
>>
>>>James,
>>>
>>>My portscan.log is 0 bytes. If I turn unified logging off, and turn
>>>the output database plugin on, the portscan.log file will be populated
>>>with portscan alerts.
>>>
>>>This is strange, so you have unified logging turned on and you are
>>>receiving data into the portscan.log file? Can you verify that it's
>>>really working by stopping the snort service, deleting the file and
>>>restarting the snort service to see if alerts will continue to
>>>populate the portscan.log file?
>>>
>>>Kindest regards,
>>>Michael...
>>>
>>>-----Original Message-----
>>>From: Lay, James [mailto:james.lay at ...15009...]
>>>Sent: Monday, July 25, 2011 6:00 PM
>>>To: Michael Steele; snort-users at lists.sourceforge.net
>>>Subject: RE: [Snort-users] Unified Logging - BASE - Portscans
>>>
>>>Hi Michael,
>>>
>>>Now that's odd...my sfportscan line:
>>>
>>>preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low } logfile { portscan.log }
>>>
>>>And a tail of my portscan.log:
>>>
>>>Time: 07/25-06:37:31.148528
>>>event_id: 750
>>>92.126.55.42 -> external.ip (portscan) UDP Portscan Priority Count: 45
>>>Connection Count: 86 IP Count: 5 Scanner IP Range:
>>>74.50.52.136:92.126.55.42
>>>Port/Proto Count: 5 Port/Proto Range: 6881:44898
>>>
>>>
>>>I'm betting this is a different format from 2009's sfportscan?  I
>>>dunno :(
>>>
>>>James
>>>
>>>> -----Original Message-----
>>>> From: Michael Steele [mailto:michaels at ...9077...]
>>>> Sent: Monday, July 25, 2011 3:23 PM
>>>> To: Lay, James; snort-users at lists.sourceforge.net
>>>> Subject: RE: [Snort-users] Unified Logging - BASE - Portscans
>>>> 
>>>> James,
>>>> 
>>>> Thanks for taking a look. I know there are a LOT of users on all
>>>> platforms still using BASE as their console. I was talking to Jason and
>>>> he tells me that when unified2 logging is used, all alerts go into the
>>>> unified log file, and I'm assuming that includes portscans.
>>>> 
>>>> Seems someone would have come up with a solution to view portscans in
>>>> the BASE console using unified logging.
>>>> 
>>>> The below is used in order for BASE to grab the portscans, at least
>>>> it worked with 'output database':
>>>> preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low } logfile { portscan.log }
>>>> 
>>>> When the above 'preprocessor sfportscan:' is used with unified logging
>>>> all it does is create the portscan.log file and never injects portscans
>>>> into the log file.
>>>> 
>>>> I'm not even real sure if the 'preprocessor sfportscan:' is even needed
>>>> using the unified logging method, and I'm not real sure how to turn
>>>> portscans on when using unified2 logging:
>>>> preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
>>>> 
>>>> And will the above log portscans to the unified log file?
>>>> 
>>>> Kindest regards,
>>>> Michael...
>>>> 
>>>> 
>>>> -----Original Message-----
>>>> From: Lay, James [mailto:james.lay at ...15009...]
>>>> Sent: Monday, July 25, 2011 3:29 PM
>>>> To: Michael Steele; snort-users at lists.sourceforge.net
>>>> Subject: Re: [Snort-users] Unified Logging - BASE - Portscans
>>>> 
>>>> > -----Original Message-----
>>>> > From: Michael Steele [mailto:michaels at ...9077...]
>>>> > Sent: Friday, July 22, 2011 9:13 PM
>>>> > To: snort-users at lists.sourceforge.net
>>>> > Subject: [Snort-users] Unified Logging - BASE - Portscans
>>>> >
>>>> > I noticed that moving from output database to unified logging that
>>>> portscans
>>>> > are no longer displayed in the BASE console.
>>>> >
>>>> > Is there a solution to get this feature back to working in BASE?
>>>> >
>>>> > Kindest regards,
>>>> > Michael...
>>>> 
>>>> Michael, FWIW I tried in vain to get this to fly at home...I have the
>>>> portscan.log file being created as well as pointing to the right spot in
>>>> base_conf.php, but nothing shows up.  I suspect it's a difference in the
>>>> file format from the time BASE was made.  I'm sure an enterprising soul
>>>> could make the mods to the php files, but that wouldn't be me ;) For now
>>>> I do without portscan info...BASE gives me what I need without.
>>>> 
>>>> James
>>>> 
>>>>
>>>> ------------------------------------------------------------------------------
>>>> Storage Efficiency Calculator
>>>> This modeling tool is based on patent-pending intellectual property that has
>>>> been used successfully in hundreds of IBM storage optimization engagements,
>>>> worldwide.  Store less, Store more with what you own, Move data to the right
>>>> place. Try It Now!
>>>> http://www.accelacomm.com/jaw/sfnl/114/51427378/
>>>> _______________________________________________
>>>> Snort-users mailing list
>>>> Snort-users at lists.sourceforge.net
>>>> Go to this URL to change user options or unsubscribe:
>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>> Snort-users list archive:
>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>> 
>>>> Please see http://www.snort.org/docs for documentation
>>>> 
>>>
>>
>>
>
>






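The two portscan.log entries quoted in the thread differ only in their Time and event_id, and the check that exposed the barnyard2 gap was searching the database for the scanner's source address. As an added example (not code from the thread, Snort, barnyard2 or BASE), here is a small parser for that sfportscan text format with constructed sample records, one in the native one-field-per-line layout and one mail-wrapped as in the quoted mails, plus the "same scan apart from Time/event_id" comparison and source-address extraction a defender would run before looking in the alert table.

```python
import re

# Constructed sample: record 1 in the one-field-per-line layout sfportscan writes,
# record 2 as the same fields wrapped by a mail client (the form the thread quotes).
SAMPLE_LOG = """\
Time: 07/26-23:08:45.356955
event_id: 1797
10.0.0.3 -> 120.28.64.74 (portscan) TCP Portsweep
Priority Count: 5
Connection Count: 12
IP Count: 10
Scanned IP Range: 99.154.244.83:180.149.12.86
Port/Proto Count: 10
Port/Proto Range: 12293:59346

Time: 07/26-23:08:45.371463
event_id: 1802
10.0.0.3 -> 120.28.64.74 (portscan) TCP Portsweep Priority Count: 5
Connection Count: 12 IP Count: 10 Scanned IP Range:
99.154.244.83:180.149.12.86 Port/Proto Count: 10 Port/Proto Range:
12293:59346
"""

HEAD_RE = re.compile(r"Time:\s*(\S+)\s+event_id:\s*(\d+)\s+(\S+)\s*->\s*(\S+)"
                     r"\s*\(portscan\)\s*(\w+ \w+)")
FIELD_RE = re.compile(r"(Priority Count|Connection Count|IP Count|Scann(?:er|ed) IP Range|"
                      r"Port/Proto Count|Port/Proto Range):\s*(\S+)")
VOLATILE = {"Time", "event_id"}  # the only fields that differed between the two entries

def parse_portscan_log(text: str) -> list:
    """Split portscan.log into blank-line-separated records and pull fields by
    name, so a mail-wrapped copy parses the same as the native layout."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        flat = " ".join(chunk.split())  # collapse any line wrapping
        head = HEAD_RE.search(flat)
        if not head:
            continue  # not a portscan record (e.g. separator lines)
        rec = dict(zip(("Time", "event_id", "src", "dst", "type"), head.groups()))
        rec.update(FIELD_RE.findall(flat))  # list of (field, value) pairs
        records.append(rec)
    return records

def same_scan(a: dict, b: dict) -> bool:
    """True when two records describe the same scan apart from Time/event_id."""
    return all(a.get(k) == b.get(k) for k in set(a) | set(b) if k not in VOLATILE)

def scanner_sources(records: list) -> set:
    """Source addresses to look up in the alert database (the check run in the thread)."""
    return {r["src"] for r in records}
```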