[Snort-users] Unified Logging - BASE - Portscans

Jason Brvenik jasonb at ...1935...
Sat Jul 30 20:28:37 EDT 2011


There are several issues going on here. Let's separate them.

1) Unified2 logging changing (apparently) the way portscan.log
2) portscan.log not being processed by BASE as generated with unified logging on
3) A misunderstanding about unified logging
4) (UNSTATED BUT KNOWN) the current database schema being incapable of
accepting protocol 255 for events

Issue #1 needs to go to the snort team
Issue #2 needs to go to the BASE team
Issue #3 is solved simply.
  - Unified logging does NOTHING with databases, it only writes to a file
  - Something takes that file and puts the data into a database or other format.
    - That something is typically barnyard2 AND/OR
    - SnortUnified.pm derived utilities

Issue #4 cannot be solved without changing the database, ignoring the
events, or modifying (as part of the post processing) the protocol
used for portscan packets. The community / barnyard2 team (as I
understand, the DB schema has been taken up by them) needs to adjust it.

On Wed, Jul 27, 2011 at 7:48 AM, Michael Steele <michaels at ...9077...> wrote:
> James,
>
> Out of curiosity I matched the same two alerts in each BASE console. Unified
> logging seems not to be inserting data into the database like it does with
> the output database.
>
> This could be a direct result of the script I'm using as it's still in
> development.
>
> Picture of alert from Unified2 logging:
> http://www.winsnort.com/data/unified.gif
>
> Picture of alert from Output Database logging:
> http://www.winsnort.com/data/output.gif
>
> Kindest regards,
> Michael...
>
> -----Original Message-----
> From: Michael Steele [mailto:michaels at ...9077...]
> Sent: Tuesday, July 26, 2011 11:38 PM
> To: 'James Lay'; 'Snort'
> Subject: Re: [Snort-users] Unified Logging - BASE - Portscans
>
> Here is an example of the same alert pulled from each portscan.log file.
>
> Output Database portscan.log entry:
> --------------------\
> Time: 07/26-23:08:45.356955
> event_id: 1797
> 10.0.0.3 -> 120.28.64.74 (portscan) TCP Portsweep Priority Count: 5
> Connection Count: 12 IP Count: 10 Scanned IP Range:
> 99.154.244.83:180.149.12.86 Port/Proto Count: 10 Port/Proto Range:
> 12293:59346
> --------------------/
>
> Using Unified2 portscan.log entry:
> --------------------\
> Time: 07/26-23:08:45.371463
> event_id: 1802
> 10.0.0.3 -> 120.28.64.74 (portscan) TCP Portsweep Priority Count: 5
> Connection Count: 12 IP Count: 10 Scanned IP Range:
> 99.154.244.83:180.149.12.86 Port/Proto Count: 10 Port/Proto Range:
> 12293:59346
> --------------------/
>
> The portscan.log files look almost identical except for the 'Time:' and
> 'event id:' tags. It's really strange that one is processing and the other
> is not.
>
> Hopefully someone that understands how BASE processes the portscans will
> chime in here and make some sense of this?
>
> Kindest regards,
> Michael...
>
> -----Original Message-----
> From: James Lay [mailto:jlay at ...13475...]
> Sent: Tuesday, July 26, 2011 10:26 PM
> To: Michael Steele; Snort
> Subject: Re: [Snort-users] Unified Logging - BASE - Portscans
>
> Extremely curious!  Can you:  diff the two portscan files to see if they are
> different?  That's all I got...unless BASE reads portscan data from the db,
> and snort puts data into the db differently than barnyard2, then I am
> TOTALLY at a loss..wild!
>
> Thanks for keeping on this.
>
> James
>
> On 7/26/11 8:21 PM, "Michael Steele" <michaels at ...9077...> wrote:
>
>>James,
>>
>>Ok, I restarted two completely separate instances, and they are running
>>simultaneously:
>>
>>VM1: Snort / MySQL / BASE / Unified Logging
>>VM2: Snort / MySQL / BASE / Output Database Logging
>>
>>I am now receiving portscans into the portscan.log file on each VM.
>>
>>VM2 is the only instance that displays the portscans in the BASE console.
>>
>>VM1 is configured with Unified2 logging and is receiving portscans into
>>the portscan.log file but BASE is not processing them.
>>
>>I'm guessing someone needs to jump in here that has some knowledge of
>>how BASE processes the portscans in order to find out why portscans are
>>being logged into the portscan.log file, but not processed when
>>Unified2 logging is used.
>>
>>Kindest regards,
>>Michael...
>>
>>
>>-----Original Message-----
>>From: James Lay [mailto:jlay at ...13475...]
>>Sent: Monday, July 25, 2011 10:28 PM
>>To: Michael Steele; Snort
>>Subject: Re: [Snort-users] Unified Logging - BASE - Portscans
>>
>>Done and done...nmaped from another netblock I control...sanitized output.
>>
>>Time: 07/25-20:25:10.421362
>>event_id: 1
>>netblock -> external.ip (portscan) TCP Portscan Priority Count: 5
>>Connection Count: 59 IP Count: 1 Scanner IP Range: netblock ip range
>>Port/Proto Count: 62 Port/Proto Range: 21:55600
>>
>>
>>My output lines in snort.conf:
>>
>>output alert_syslog: LOG_AUTH LOG_ALERT
>>output alert_fast: snortalert.fast
>>output log_tcpdump: snort.pcap
>>output unified2: filename snortalert.unified
>>
>>Base still doesn't seem to be able to read it though, which is kind of
>>a drag (even after changing perms to 0644).
>>
>>
>>James
>>
>>
>>
>>On 7/25/11 4:45 PM, "Michael Steele" <michaels at ...9077...> wrote:
>>
>>>James,
>>>
>>>My portscan.log is 0 bytes. If I turn unified logging off, and turn
>>>the output database plugin on, the portscan.log file will be populated
>>>with portscan alerts.
>>>
>>>This is strange, so you have unified logging turned on and you are
>>>receiving data into the portscan.log file? Can you verify that it's
>>>really working by stopping the snort service, deleting the file and
>>>restarting the snort service to see if alerts will continue to
>>>populate the portscan.log file?
>>>
>>>Kindest regards,
>>>Michael...
>>>
>>>-----Original Message-----
>>>From: Lay, James [mailto:james.lay at ...15009...]
>>>Sent: Monday, July 25, 2011 6:00 PM
>>>To: Michael Steele; snort-users at lists.sourceforge.net
>>>Subject: RE: [Snort-users] Unified Logging - BASE - Portscans
>>>
>>>Hi Michael,
>>>
>>>Now that's odd...my sfportscan line:
>>>
>>>preprocessor sfportscan: proto  { all } memcap { 10000000 }
>>>sense_level { low } logfile { portscan.log }
>>>
>>>And a tail of my portscan.log:
>>>
>>>Time: 07/25-06:37:31.148528
>>>event_id: 750
>>>92.126.55.42 -> external.ip (portscan) UDP Portscan Priority Count: 45
>>>Connection Count: 86 IP Count: 5 Scanner IP Range:
>>>74.50.52.136:92.126.55.42
>>>Port/Proto Count: 5 Port/Proto Range: 6881:44898
>>>
>>>
>>>I'm betting this is a different format from 2009's sfportscan?  I
>>>dunno :(
>>>
>>>James
>>>
>>>> -----Original Message-----
>>>> From: Michael Steele [mailto:michaels at ...9077...]
>>>> Sent: Monday, July 25, 2011 3:23 PM
>>>> To: Lay, James; snort-users at lists.sourceforge.net
>>>> Subject: RE: [Snort-users] Unified Logging - BASE - Portscans
>>>>
>>>> James,
>>>>
>>>> Thanks for taking a look. I know there are a LOT of users on all
>>>> platforms still using BASE as their console. I was talking to Jason and
>>>> he tells me that when unified2 logging is used, all alerts go into the
>>>> unified log file, and I'm assuming that includes portscans.
>>>>
>>>> Seems someone would have come up with a solution to view portscans in
>>>> the BASE console using unified logging.
>>>>
>>>> The below is used in order for BASE to grab the portscans, at least
>>>> it worked with 'output database':
>>>> preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low } logfile { portscan.log }
>>>>
>>>> When the above 'preprocessor sfportscan:' is used with unified logging
>>>> all it does is create the portscan.log file and never injects portscans
>>>> into the log file.
>>>>
>>>> I'm not even real sure if the 'preprocessor sfportscan:' is even needed
>>>> using unified logging method, and I'm not real sure how to turn
>>>> portscans on when using unified2 logging:
>>>> preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
>>>>
>>>> And will the above log portscans to the unified log file?
>>>>
>>>> Kindest regards,
>>>> Michael...
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: Lay, James [mailto:james.lay at ...15009...]
>>>> Sent: Monday, July 25, 2011 3:29 PM
>>>> To: Michael Steele; snort-users at lists.sourceforge.net
>>>> Subject: Re: [Snort-users] Unified Logging - BASE - Portscans
>>>>
>>>> > -----Original Message-----
>>>> > From: Michael Steele [mailto:michaels at ...9077...]
>>>> > Sent: Friday, July 22, 2011 9:13 PM
>>>> > To: snort-users at lists.sourceforge.net
>>>> > Subject: [Snort-users] Unified Logging - BASE - Portscans
>>>> >
>>>> > I noticed that moving from output database to unified logging that
>>>> portscans
>>>> > are no longer displayed in the BASE console.
>>>> >
>>>> > Is there a solution to get this feature back to working in BASE?
>>>> >
>>>> > Kindest regards,
>>>> > Michael...
>>>>
>>>> Michael, FWIW I tried in vain to get this to fly at home...I have
>>>> the portscan.log file being created as well as pointing to the right
>>>> spot in base_conf.php, but nothing shows up.  I suspect it's a
>>>> difference in the file format from the time BASE was made.  I'm sure
>>>> an enterprising soul could make the mods to the php files, but that
>>>> wouldn't be me ;) For now I do without portscan info...BASE gives me
>>>> what I need without.
>>>>
>>>> James
>>>>
>>>>
>>>> _______________________________________________
>>>> Snort-users mailing list
>>>> Snort-users at lists.sourceforge.net
>>>> Go to this URL to change user options or unsubscribe:
>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>> Snort-users list archive:
>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>>
>>>> Please see http://www.snort.org/docs for documentation
>>>>



-- 
Regards,

Jason.
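
The thread's comparison of the two portscan.log files was done by eye, and James suggested diffing them. The following is an added example (not code from the thread, Snort, BASE or barnyard2) that parses sfportscan text-log entries like the ones quoted above into typed fields and reports which fields differ between two entries while ignoring the Time and event_id that naturally differ between two sensors. The sample log is constructed from the three entries quoted in the thread, kept in their e-mail-wrapped layout; the field names in the resulting dicts are my own.

```python
"""Parse Snort sfportscan text-log entries and compare them field by field.

Added example for this thread; not code from Snort, BASE or barnyard2.
"""
import re
from typing import Dict, List

# Sample portscan.log text: the three entries quoted in the thread, kept in the
# wrapped layout they had in the e-mails. The parser relies only on the field
# labels, so the one-field-per-line layout Snort itself writes parses the same.
SAMPLE_LOG = r"""--------------------\
Time: 07/26-23:08:45.356955
event_id: 1797
10.0.0.3 -> 120.28.64.74 (portscan) TCP Portsweep Priority Count: 5
Connection Count: 12 IP Count: 10 Scanned IP Range:
99.154.244.83:180.149.12.86 Port/Proto Count: 10 Port/Proto Range:
12293:59346 --------------------/
Time: 07/26-23:08:45.371463
event_id: 1802
10.0.0.3 -> 120.28.64.74 (portscan) TCP Portsweep Priority Count: 5
Connection Count: 12 IP Count: 10 Scanned IP Range:
99.154.244.83:180.149.12.86 Port/Proto Count: 10 Port/Proto Range:
12293:59346 --------------------/
Time: 07/25-06:37:31.148528
event_id: 750
92.126.55.42 -> external.ip (portscan) UDP Portscan Priority Count: 45
Connection Count: 86 IP Count: 5 Scanner IP Range:
74.50.52.136:92.126.55.42
Port/Proto Count: 5 Port/Proto Range: 6881:44898
"""

# "src -> dst (portscan) PROTO Scan Type Priority Count:" header, possibly wrapped.
_HEADER = re.compile(
    r"(?P<src>\S+)\s*->\s*(?P<dst>\S+)\s*\(portscan\)\s*"
    r"(?P<proto>\S+)\s+(?P<scan_type>.+?)\s+Priority Count:",
    re.S,
)
_INT_FIELDS = {
    "priority_count": re.compile(r"Priority Count:\s*(\d+)"),
    "connection_count": re.compile(r"Connection Count:\s*(\d+)"),
    "ip_count": re.compile(r"IP Count:\s*(\d+)"),
    "port_proto_count": re.compile(r"Port/Proto Count:\s*(\d+)"),
}
_MARKER = re.compile(r"-+[\\/]?")  # the ---\ and ---/ framing lines in the thread


def _split_entries(text: str) -> List[str]:
    """Split log text into one chunk per event; each chunk starts at a 'Time:' line."""
    entries: List[List[str]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or _MARKER.fullmatch(line):
            continue
        if line.startswith("Time:") or not entries:
            entries.append([])
        entries[-1].append(line)
    return ["\n".join(chunk) for chunk in entries]


def _grab(pattern, chunk: str, conv=str):
    """First capture group of `pattern` in `chunk`, converted with `conv`, or None."""
    m = re.search(pattern, chunk) if isinstance(pattern, str) else pattern.search(chunk)
    return conv(m.group(1)) if m else None


def parse_entry(chunk: str) -> Dict[str, object]:
    """Turn one sfportscan entry into a dict of typed fields."""
    head = _HEADER.search(chunk)
    if head is None:
        raise ValueError("entry has no '(portscan)' header line:\n" + chunk)
    fields: Dict[str, object] = dict(head.groupdict())
    fields["time"] = _grab(r"Time:\s*(\S+)", chunk)
    fields["event_id"] = _grab(r"event_id:\s*(\d+)", chunk, int)
    for name, rx in _INT_FIELDS.items():
        fields[name] = _grab(rx, chunk, int)
    # In the quoted logs portsweeps carry "Scanned IP Range", portscans "Scanner IP Range".
    rng = re.search(r"(Scanned|Scanner) IP Range:\s*(\S+)", chunk)
    fields["ip_range_kind"] = rng.group(1) if rng else None
    fields["ip_range"] = rng.group(2) if rng else None
    fields["port_proto_range"] = _grab(r"Port/Proto Range:\s*(\S+)", chunk)
    return fields


def parse_portscan_log(text: str) -> List[Dict[str, object]]:
    return [parse_entry(chunk) for chunk in _split_entries(text)]


# Fields that legitimately differ between two Snort instances seeing the same scan.
VOLATILE = frozenset({"time", "event_id"})


def diff_entries(a: Dict[str, object], b: Dict[str, object],
                 ignore=VOLATILE) -> Dict[str, tuple]:
    """Return {field: (a_value, b_value)} for every field that differs, minus `ignore`."""
    return {key: (a.get(key), b.get(key))
            for key in sorted(set(a) | set(b))
            if key not in ignore and a.get(key) != b.get(key)}


if __name__ == "__main__":
    events = parse_portscan_log(SAMPLE_LOG)
    for ev in events:
        print(ev["time"], ev["src"], "->", ev["dst"], ev["proto"], ev["scan_type"])
    # The two entries compared in the thread: identical once time/event_id are ignored.
    print("differences:", diff_entries(events[0], events[1]))
```

Run against the two VM1/VM2 entries the parser confirms what the thread observed: every field except Time and event_id is identical, so the text file is not where the unified2 and output-database paths diverge, which is consistent with Jason's point that the difference lies in what moves data from the unified2 file into the database and whether the schema accepts it.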



