[Snort-users] Barnyard2 not inputting portscans (was Unified Logging - BASE - Portscans)

James Lay jlay at ...13475...
Wed Jul 27 08:50:30 EDT 2011


Just confirmed.....with going direct to mysql from snort with no barnyard,
I TOTALLY get not only a portscan entry, but also an "Open Port: ****"
entry:

(portscan) TCP Portscan: 21:49157
(portscan) Open Port: 53


But now I even see yon "Portscan Traffic (< 1%)" on the BASE
main screen.  Nice sleuthing job Michael!  I'll be sticking with direct to
db from snort until this is fixed.

James

On 7/27/11 6:30 AM, "James Lay" <jlay at ...13475...> wrote:

>Interesting....and guess what...barnyard2 doesn't seem to log portscan
>data:
>
>Jul 26 20:34:39 gateway snort[4555]: [122:17:0] (portscan) UDP Portscan
>[Priority: 3] {PROTO:255} 205.171.2.25 -> my.ext.ip
>
>A search for 205.171.2.25 came up empty....I think we have our issue.
>Time to talk to firnsy maybe?
>
>On 7/27/11 5:48 AM, "Michael Steele" <michaels at ...9077...> wrote:
>
>>James,
>>
>>Out of curiosity I matched the same two alerts in each BASE console.
>>Unified logging seems not to be inserting data into the database like it
>>does with the output database.
>>
>>This could be a direct result of the script I'm using as it's still in
>>development.
>>
>>Picture of alert from Unified2 logging:
>>http://www.winsnort.com/data/unified.gif
>>
>>Picture of alert from Output Database logging:
>>http://www.winsnort.com/data/output.gif
>>
>>Kindest regards,
>>Michael...
>>
>>-----Original Message-----
>>From: Michael Steele [mailto:michaels at ...9077...]
>>Sent: Tuesday, July 26, 2011 11:38 PM
>>To: 'James Lay'; 'Snort'
>>Subject: Re: [Snort-users] Unified Logging - BASE - Portscans
>>
>>Here is an example of the same alert pulled from each portscan.log file.
>>
>>Output Database portscan.log entry:
>>--------------------\
>>Time: 07/26-23:08:45.356955
>>event_id: 1797
>>10.0.0.3 -> 120.28.64.74 (portscan) TCP Portsweep
>>Priority Count: 5
>>Connection Count: 12
>>IP Count: 10
>>Scanned IP Range: 99.154.244.83:180.149.12.86
>>Port/Proto Count: 10
>>Port/Proto Range: 12293:59346
>>--------------------/
>>
>>Using Unified2 portscan.log entry:
>>--------------------\
>>Time: 07/26-23:08:45.371463
>>event_id: 1802
>>10.0.0.3 -> 120.28.64.74 (portscan) TCP Portsweep
>>Priority Count: 5
>>Connection Count: 12
>>IP Count: 10
>>Scanned IP Range: 99.154.244.83:180.149.12.86
>>Port/Proto Count: 10
>>Port/Proto Range: 12293:59346
>>--------------------/
>>
>>The portscan.log files look almost identical except for the 'Time:' and
>>'event_id:' tags. It's really strange that one is processing and the
>>other is not.
>>
>>Hopefully someone that understands how BASE processes the portscans will
>>chime in here and make some sense of this?
>>
>>Kindest regards,
>>Michael...
>>
>>-----Original Message-----
>>From: James Lay [mailto:jlay at ...13475...]
>>Sent: Tuesday, July 26, 2011 10:26 PM
>>To: Michael Steele; Snort
>>Subject: Re: [Snort-users] Unified Logging - BASE - Portscans
>>
>>Extremely curious!  Can you diff the two portscan files to see if they
>>are different?  That's all I got...unless BASE reads portscan data from
>>the db, and snort puts data into the db differently than barnyard2, then
>>I am TOTALLY at a loss..wild!
>>
>>Thanks for keeping on this.
>>
>>James
>>
>>On 7/26/11 8:21 PM, "Michael Steele" <michaels at ...9077...> wrote:
>>
>>>James,
>>>
>>>Ok, I restarted two completely separate instances, and they are running
>>>simultaneously:
>>>
>>>VM1: Snort / MySQL / BASE / Unified Logging
>>>VM2: Snort / MySQL / BASE / Output Database Logging
>>>
>>>I am now receiving portscans into the portscan.log file on each VM.
>>>
>>>VM2 is the only instance that displays the portscans in the BASE
>>>console.
>>>
>>>VM1 is configured with Unified2 logging and is receiving portscans into
>>>the portscan.log file but BASE is not processing them.
>>>
>>>I'm guessing someone needs to jump in here that has some knowledge of
>>>how BASE processes the portscans in order to find out why portscans are
>>>being logged into the portscan.log file, but not processed when
>>>Unified2 logging is used.
>>>
>>>Kindest regards,
>>>Michael...
>>>
>>>
>>>-----Original Message-----
>>>From: James Lay [mailto:jlay at ...13475...]
>>>Sent: Monday, July 25, 2011 10:28 PM
>>>To: Michael Steele; Snort
>>>Subject: Re: [Snort-users] Unified Logging - BASE - Portscans
>>>
>>>Done and done...nmaped from another netblock I control...sanitized
>>>output.
>>>
>>>Time: 07/25-20:25:10.421362
>>>event_id: 1
>>>netblock -> external.ip (portscan) TCP Portscan
>>>Priority Count: 5
>>>Connection Count: 59
>>>IP Count: 1
>>>Scanner IP Range: netblock ip range
>>>Port/Proto Count: 62
>>>Port/Proto Range: 21:55600
>>>
>>>
>>>My output lines in snort.conf:
>>>
>>>output alert_syslog: LOG_AUTH LOG_ALERT
>>>output alert_fast: snortalert.fast
>>>output log_tcpdump: snort.pcap
>>>output unified2: filename snortalert.unified
>>>
>>>Base still doesn't seem to be able to read it though, which is kind of
>>>a drag (even after changing perms to 0644).
>>>
>>>
>>>James
>>>
>>>
>>>
>>>On 7/25/11 4:45 PM, "Michael Steele" <michaels at ...9077...> wrote:
>>>
>>>>James,
>>>>
>>>>My portscan.log is 0 bytes. If I turn unified logging off, and turn
>>>>the output database plugin on, the portscan.log file will be populated
>>>>with portscan alerts.
>>>>
>>>>This is strange, so you have unified logging turned on and you are
>>>>receiving data into the portscan.log file? Can you verify that it's
>>>>really working by stopping the snort service, deleting the file, and
>>>>restarting the snort service to see if alerts will continue to
>>>>populate the portscan.log file?
>>>>
>>>>Kindest regards,
>>>>Michael...
>>>>
>>>>-----Original Message-----
>>>>From: Lay, James [mailto:james.lay at ...15009...]
>>>>Sent: Monday, July 25, 2011 6:00 PM
>>>>To: Michael Steele; snort-users at lists.sourceforge.net
>>>>Subject: RE: [Snort-users] Unified Logging - BASE - Portscans
>>>>
>>>>Hi Michael,
>>>>
>>>>Now that's odd...my sfportscan line:
>>>>
>>>>preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low } logfile { portscan.log }
>>>>
>>>>And a tail of my portscan.log:
>>>>
>>>>Time: 07/25-06:37:31.148528
>>>>event_id: 750
>>>>92.126.55.42 -> external.ip (portscan) UDP Portscan Priority Count: 45
>>>>Connection Count: 86 IP Count: 5 Scanner IP Range:
>>>>74.50.52.136:92.126.55.42
>>>>Port/Proto Count: 5 Port/Proto Range: 6881:44898
>>>>
>>>>
>>>>I'm betting this is a different format from 2009's sfportscan?  I
>>>>dunno :(
>>>>
>>>>James
>>>>
>>>>> -----Original Message-----
>>>>> From: Michael Steele [mailto:michaels at ...9077...]
>>>>> Sent: Monday, July 25, 2011 3:23 PM
>>>>> To: Lay, James; snort-users at lists.sourceforge.net
>>>>> Subject: RE: [Snort-users] Unified Logging - BASE - Portscans
>>>>> 
>>>>> James,
>>>>> 
>>>>> Thanks for taking a look. I know there are a LOT of users on all
>>>>> platforms still using BASE as their console. I was talking to Jason
>>>>> and he tells me that when unified2 logging is used, all alerts go
>>>>> into the unified log file, and I'm assuming that includes portscans.
>>>>> 
>>>>> Seems someone would have come up with a solution to view portscans
>>>>> in the BASE console using unified logging.
>>>>> 
>>>>> The below is used in order for BASE to grab the portscans, at least
>>>>> it worked with 'output database':
>>>>> preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low } logfile { portscan.log }
>>>>> 
>>>>> When the above 'preprocessor sfportscan:' is used with unified
>>>>> logging all it does is create the portscan.log file and never injects
>>>>> portscans into the log file.
>>>>> 
>>>>> I'm not even real sure if the 'preprocessor sfportscan:' is even
>>>>> needed using the unified logging method, and I'm not real sure how to
>>>>> turn portscans on when using unified2 logging:
>>>>> preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
>>>>> 
>>>>> And will the above log portscans to the unified log file?
>>>>> 
>>>>> Kindest regards,
>>>>> Michael...
>>>>> 
>>>>> 
>>>>> -----Original Message-----
>>>>> From: Lay, James [mailto:james.lay at ...15009...]
>>>>> Sent: Monday, July 25, 2011 3:29 PM
>>>>> To: Michael Steele; snort-users at lists.sourceforge.net
>>>>> Subject: Re: [Snort-users] Unified Logging - BASE - Portscans
>>>>> 
>>>>> > -----Original Message-----
>>>>> > From: Michael Steele [mailto:michaels at ...9077...]
>>>>> > Sent: Friday, July 22, 2011 9:13 PM
>>>>> > To: snort-users at lists.sourceforge.net
>>>>> > Subject: [Snort-users] Unified Logging - BASE - Portscans
>>>>> >
>>>>> > I noticed that moving from output database to unified logging that
>>>>> > portscans are no longer displayed in the BASE console.
>>>>> >
>>>>> > Is there a solution to get this feature back to working in BASE?
>>>>> >
>>>>> > Kindest regards,
>>>>> > Michael...
>>>>> 
>>>>> Michael, FWIW I tried in vain to get this to fly at home...I have
>>>>> the portscan.log file being created as well as pointing to the right
>>>>> spot in base_conf.php, but nothing shows up.  I suspect it's a
>>>>> difference in the file format from the time BASE was made.  I'm sure
>>>>> an enterprising soul could make the mods to the php files, but that
>>>>> wouldn't be me ;) For now I do without portscan info...BASE gives me
>>>>> what I need without.
>>>>> 
>>>>> James
>>>>> 
>>>>> 
>>>>> ------------------------------------------------------------------------------
>>>>> Storage Efficiency Calculator
>>>>> This modeling tool is based on patent-pending intellectual property
>>>>> that has been used successfully in hundreds of IBM storage optimization
>>>>> engagements, worldwide.  Store less, Store more with what you own,
>>>>> Move data to the right place. Try It Now!
>>>>> http://www.accelacomm.com/jaw/sfnl/114/51427378/
>>>>> _______________________________________________
>>>>> Snort-users mailing list
>>>>> Snort-users at lists.sourceforge.net
>>>>> Go to this URL to change user options or unsubscribe:
>>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>> Snort-users list archive:
>>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>>> 
>>>>> Please see http://www.snort.org/docs for documentation
>>>>> 
>>>
>>
>>
>>
>

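As an added example (not code from the thread, nor from Snort, barnyard2 or BASE), the script below parses sfportscan portscan.log entries in the layout quoted above and does the "diff ignoring Time: and event_id:" comparison that Michael did by eye, so two instances' logs can be matched scan-for-scan. It also pulls the GID/SID and endpoints out of a syslog'd sfportscan alert, the lookup James did when he searched the database for 205.171.2.25. The sample logs are constructed copies of the entries quoted in the thread, and the regexes assume the key names shown there (Priority Count, Connection Count, IP Count, Scanner/Scanned IP Range, Port/Proto Count, Port/Proto Range).

```python
import re

# Constructed sample logs, copied from the entries quoted in the thread.
# The real file puts each 'Key: value' on its own line; the mail client
# re-wrapped the unified2 copy, which is why the parser flattens entries.
OUTPUT_DB_LOG = """\
Time: 07/26-23:08:45.356955
event_id: 1797
10.0.0.3 -> 120.28.64.74 (portscan) TCP Portsweep
Priority Count: 5
Connection Count: 12
IP Count: 10
Scanned IP Range: 99.154.244.83:180.149.12.86
Port/Proto Count: 10
Port/Proto Range: 12293:59346

Time: 07/25-06:37:31.148528
event_id: 750
92.126.55.42 -> external.ip (portscan) UDP Portscan
Priority Count: 45
Connection Count: 86
IP Count: 5
Scanner IP Range: 74.50.52.136:92.126.55.42
Port/Proto Count: 5
Port/Proto Range: 6881:44898
"""
# The same portsweep as logged by the unified2 instance, wrapped as in the mail.
UNIFIED2_LOG = """\
Time: 07/26-23:08:45.371463
event_id: 1802
10.0.0.3 -> 120.28.64.74 (portscan) TCP Portsweep Priority Count: 5
Connection Count: 12 IP Count: 10 Scanned IP Range:
99.154.244.83:180.149.12.86 Port/Proto Count: 10 Port/Proto Range:
12293:59346
"""

HEADER_RE = re.compile(
    r"Time:\s*(?P<time>\S+)\s+event_id:\s*(?P<event_id>\d+)\s+"
    r"(?P<src>\S+)\s*->\s*(?P<dst>\S+)\s*\(portscan\)\s*"
    r"(?P<scan_type>.+?)\s+Priority Count:"
)
# Portscans report 'Scanner IP Range', portsweeps 'Scanned IP Range'.
FIELD_RE = re.compile(
    r"(Priority Count|Connection Count|IP Count|Scann(?:er|ed) IP Range|"
    r"Port/Proto Count|Port/Proto Range):\s*(\S+)"
)
# An sfportscan alert as alert_syslog wrote it in the thread.
SYSLOG_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s*\(portscan\)\s*(?P<msg>.+?)\s*"
    r"\[Priority:\s*(?P<priority>\d+)\]\s*\{PROTO:(?P<proto>\d+)\}\s*"
    r"(?P<src>\S+)\s*->\s*(?P<dst>\S+)"
)
COUNTERS = ("Priority Count", "Connection Count", "IP Count", "Port/Proto Count")
PER_INSTANCE = {"time", "event_id"}   # differ between sensors for one scan


def parse_entry(block):
    """Parse one portscan.log entry into a dict, whatever its line wrapping."""
    flat = " ".join(block.split())
    m = HEADER_RE.match(flat)
    if not m:
        raise ValueError(f"unrecognised portscan.log entry: {flat[:60]!r}")
    ev = m.groupdict()
    ev["event_id"] = int(ev["event_id"])
    for key, val in FIELD_RE.findall(flat):
        key = "IP Range" if key.endswith("IP Range") else key
        ev[key] = int(val) if key in COUNTERS else val
    missing = (set(COUNTERS) | {"IP Range", "Port/Proto Range"}) - ev.keys()
    if missing:
        raise ValueError(f"event_id {ev['event_id']} lacks {sorted(missing)}")
    return ev


def parse_log(text):
    """Entries in portscan.log are separated by blank lines."""
    return [parse_entry(b) for b in re.split(r"\n\s*\n", text.strip()) if b.strip()]


def fingerprint(ev):
    """Identity of a scan across instances: every field except the per-instance ones."""
    return tuple(sorted((k, v) for k, v in ev.items() if k not in PER_INSTANCE))


def compare_logs(first, second):
    """The 'diff ignoring Time and event_id' that the thread did by eye."""
    left = {fingerprint(e): e for e in parse_log(first)}
    right = {fingerprint(e): e for e in parse_log(second)}
    return {
        "matched": [(left[f], right[f]) for f in left.keys() & right.keys()],
        "only_in_first": [left[f] for f in left.keys() - right.keys()],
        "only_in_second": [right[f] for f in right.keys() - left.keys()],
    }


def parse_syslog_alert(line):
    """GID/SID, message and endpoints of a syslog'd sfportscan alert."""
    m = SYSLOG_RE.search(line)
    if not m:
        raise ValueError(f"not an sfportscan syslog alert: {line!r}")
    return {k: int(v) if v.isdigit() else v for k, v in m.groupdict().items()}


if __name__ == "__main__":
    print({k: len(v) for k, v in compare_logs(OUTPUT_DB_LOG, UNIFIED2_LOG).items()})
```

Run stand-alone it reports how many scans the two logs share and how many only one side has. Pointing `compare_logs` at a sensor's portscan.log and at entries exported from the database is a quick way to show whether the gap is in the preprocessor (the scan never reaches portscan.log) or in the output path (it is in the file but never reaches the database), which is the distinction the thread works towards.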




