[Snort-users] BASE does not fill the BASE Homepage Portscan bar

oalabeatrix at ...11827...
Sun Dec 1 13:03:29 EST 2013


Hi. I know this question has been asked several times on the Internet, but I couldn't manage to solve it. After two weeks of working with Snort, I really wish I could figure this out.

I have two Snort configurations on Debian Wheezy, with all packages updated from the repository:

SNORT-mysql --> MySQL --> Apache --> BASE

SNORT --> Barnyard2 --> MySQL --> Apache --> BASE

Network topology (the Snort IDS is on a mirror port):

--(Router2)--------------+--------------(Router1)----------------PC1
                         |
                    (SNORT IDS)

  \_______192.168.1.0/24________/       \_______192.168.0.0/24________/


Snort is version 2.9.2.2 IPv6 GRE (Build 121), installed from the apt-get repository.
Barnyard2 is version 2.1.13 (Build 327), compiled from source.
MySQL and Apache2 are the latest versions available from the apt-get repository.
BASE is the latest available version (1.4.5), downloaded and unzipped from source.


The same phenomenon happens with both Snort configurations: if I do a regular port scan of the 192.168.0.0/24 subnet (nmap 192.168.0.0/24) from PC1, the BASE interface gets populated with alerts, the portscan.log file registers some port scans, and the portscan.log file is acknowledged by BASE if I query a single IP (Unique Destination IP --> choosing an IP --> Portscan), but the PORTSCAN bar on the BASE homepage remains desperately EMPTY.

I'm not sure how to troubleshoot this. Here are the most important parts of my snort.conf file (the rest is left at the defaults, unchanged):

#     Compatible with Snort Versions:
#     VERSIONS : 2.9.2.2
.....
# Setup the network addresses you are protecting
ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET !$HOME_NET
.....
# Target-Based stateful inspection/stream reassembly.  For more information, see README.stream5
preprocessor stream5_global: track_tcp yes, \
   track_udp yes, \
   track_icmp no, \
.....
# Portscan detection.  For more information, see README.sfportscan
preprocessor sfportscan: proto  { all } memcap { 10000000 } sense_level { medium } logfile { /var/log/snort/portscan.log }
.....
output alert_syslog: LOG_local0 LOG_ALERT
output log_tcpdump: tcpdump.log
output unified2: filename snort.log, limit 128
.....
# Note for Debian users: The rules preinstalled in the system
# can be *very* out of date. For more information please read
# the /usr/share/doc/snort-rules-default/README.Debian file

# site specific rules
include $RULE_PATH/local.rules

## Note: the following .rules includes, commented out, were left unchanged

--------------------------------------------------------------


The /var/log/snort/portscan.log file gets populated like this:

Time: 12/01-15:31:52.988044
event_ref: 0
192.168.0.100 -> 192.168.1.210 (portscan) TCP Portscan
Priority Count: 13
Connection Count: 15
IP Count: 1
Scanner IP Range: 192.168.0.100:192.168.0.100
Port/Proto Count: 15
Port/Proto Range: 23:8080

Time: 12/01-15:31:54.883603
event_ref: 0
192.168.0.100 -> 192.168.1.240 (portscan) TCP Filtered Portscan
Priority Count: 0
Connection Count: 200
IP Count: 1
Scanner IP Range: 192.168.0.100:192.168.0.100
Port/Proto Count: 199
Port/Proto Range: 21:65000

---------------------------------------------------------------------------------------------

The alerts displayed by BASE are these:

Displaying alerts 1-11 of 11 total

Signature                          | Classification  | Total #    | Sensor # | Source Address | Dest. Address | First               | Last
[snort] ICMP Timestamp Request     | misc-activity   | 11 (0%)    | 1        | 1              | 1             | 2013-11-29 14:20:04 | 2013-11-29 14:45:29
[snort] SNMP AgentX/tcp request    | attempted-recon | 22 (1%)    | 1        | 1              | 2             | 2013-11-29 14:20:04 | 2013-11-29 17:36:16
[snort] SNMP request tcp           | attempted-recon | 22 (1%)    | 1        | 1              | 2             | 2013-11-29 14:20:04 | 2013-11-29 17:36:17
[snort] ICMP PING undefined code   | misc-activity   | 15 (0%)    | 1        | 1              | 2             | 2013-11-29 14:20:15 | 2013-11-29 17:16:58
[snort] ICMP PING                  | misc-activity   | 3548 (95%) | 1        | 1              | 2             | 2013-11-29 14:20:15 | 2013-11-30 10:37:33
[snort] SCAN nmap XMAS             | attempted-recon | 27 (1%)    | 1        | 1              | 2             | 2013-11-29 14:20:15 | 2013-11-29 17:16:58
[snort] ICMP PING NMAP             | attempted-recon | 54 (1%)    | 1        | 1              | 2             | 2013-11-29 14:20:42 | 2013-11-29 17:35:56
[snort] SNMP trap tcp              | attempted-recon | 11 (0%)    | 1        | 1              | 2             | 2013-11-29 14:20:44 | 2013-11-29 14:53:11
[snort] DDOS mstream client to handler | attempted-dos | 12 (0%)  | 1        | 1              | 2             | 2013-11-29 14:20:48 | 2013-11-29 14:54:58
[snort] MISC Source Port 20 to <1024 | bad-unknown   | 1 (0%)     | 1        | 1              | 1             | 2013-11-29 14:21:49 | 2013-11-29 14:21:49
[snort] ICMP traceroute            | attempted-recon | 1 (0%)     | 1        | 1              | 1             | 2013-11-29 14:58:06 | 2013-11-29 14:58:06

----------------------------------------------------------------------------------------------------------

Finally, if I reset the database, redo the scan, and dump the MySQL database, this appears in MySQL and was not there before the scan:

Dumping data for table `signature`
--

LOCK TABLES `signature` WRITE;
/*!40000 ALTER TABLE `signature` DISABLE KEYS */;
INSERT INTO `signature` VALUES (1,'dnp3: DNP3 Application-Layer Fragment uses a reserved function code.',0,0,1,6,145),(2,'dnp3: DNP3 Link-Layer Frame uses a reserved address.',0,0,1,5,145),(3,'dnp3: DNP3 Reassembly Buffer was cleared without reassembling a complete message.',0,0,1,4,145),(4,'dnp3: DNP3 Transport-Layer Segment was dropped during reassembly.',0,0,1,3,145),

.....
.....

(176,'frag3: Fragment packet ends after defragmented packet',0,0,1,4,123),(177,'frag3: Short fragment, possible DoS attempt',0,0,1,3,123),(178,'frag3: Teardrop attack',0,0,1,2,123),(179,'frag3: IP Options on fragmented packet',0,0,1,1,123),(180,'portscan: Open Port',0,0,1,27,122),(181,'portscan: ICMP Filtered Sweep',0,0,1,26,122),(182,'portscan: ICMP Sweep',0,0,1,25,122),(183,'portscan: UDP Filtered Distributed Portscan',0,0,1,24,122),(184,'portscan: UDP Filtered Portsweep',0,0,1,23,122),(185,'portscan: UDP Filtered Decoy Portscan',0,0,1,22,122),(186,'portscan: UDP Filtered Portscan',0,0,1,21,122),(187,'portscan: UDP Distributed Portscan',0,0,1,20,122),(188,'portscan: UDP Portsweep',0,0,1,19,122),(189,'portscan: UDP Decoy Portscan',0,0,1,18,122),(190,'portscan: UDP Portscan',0,0,1,17,122),(191,'portscan: IP Filtered Distributed Protocol Scan',0,0,1,16,122),(192,'portscan: IP Filtered Protocol Sweep',0,0,1,15,122),(193,'portscan: IP Filtered Decoy Protocol Scan',0,0,1,14,122),(194,'portscan: IP Filtered Protocol Scan',0,0,1,13,122),(195,'portscan: IP Distributed Protocol Scan',0,0,1,12,122),(196,'portscan: IP Protocol Sweep',0,0,1,11,122),(197,'portscan: IP Decoy Protocol Scan',0,0,1,10,122),(198,'portscan: IP Protocol Scan',0,0,1,9,122),(199,'portscan: TCP Filtered Distributed Portscan',0,0,1,8,122),(200,'portscan: TCP Filtered Portsweep',0,0,1,7,122),(201,'portscan: TCP Filtered Decoy Portscan',0,0,1,6,122),(202,'portscan: TCP Filtered Portscan',0,0,1,5,122),(203,'portscan: TCP Distributed Portscan',0,0,1,4,122),(204,'portscan: TCP Portsweep',0,0,1,3,122),(205,'portscan: TCP Decoy Portscan',0,0,1,2,122),(206,'portscan: TCP Portscan',0,0,1,1,122),(207,'flow-portscan: Sliding Scale Talker Limit Exceeded',0,0,1,4,121),(208,'flow-portscan: Fixed Scale Talker Limit Exceeded',0,0,1,3,121),(209,'flow-portscan: Sliding Scale Scanner Limit Exceeded',0,0,1,2,121),(210,'flow-portscan: Fixed Scale Scanner Limit Exceeded',0,0,1,1,121),(211,'http_inspect: MULTIPLE ENCODINGS WITHIN JAVASCRIPT OBFUSCATED DATA',0,0,1,11,120)

.....
.....


Does it mean that the port scan does get detected by the sfportscan preprocessor and sent on to the MySQL database?
I did notice that /etc/snort/rules/portscan.rules has most rules not tagged with a portscan label, but rules and preprocessors are distinct things, right?
Finally, what puzzles me is these parts of my snort -T output:

Loading all dynamic preprocessor libs from /usr/lib/snort_dynamicpreprocessor/...
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_imap_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_modbus_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_reputation_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_gtp_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_sip_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_pop_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_dnp3_preproc.so... done
  Finished Loading all dynamic preprocessor libs from /usr/lib/snort_dynamicpreprocessor/
Log directory = /var/log/snort
WARNING: ip4 normalizations disabled because not inline.

......
......

Portscan Detection Config:
    Detect Protocols:  TCP UDP ICMP IP
    Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
    Sensitivity Level: Medium
    Memcap (in bytes): 10000000
    Number of Nodes:   19569
    Logfile:           /var/log/snort/portscan.log
FTPTelnet Config:


.....
.....

Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.15  <Build 18>
           Preprocessor Object: SF_DNP3 (IPV6)  Version 1.1  <Build 1>
           Preprocessor Object: SF_SSH (IPV6)  Version 1.1  <Build 3>
           Preprocessor Object: SF_POP (IPV6)  Version 1.0  <Build 1>
           Preprocessor Object: SF_DNS (IPV6)  Version 1.1  <Build 4>
           Preprocessor Object: SF_FTPTELNET (IPV6)  Version 1.2  <Build 13>
           Preprocessor Object: SF_SDF (IPV6)  Version 1.1  <Build 1>
           Preprocessor Object: SF_SIP (IPV6)  Version 1.1  <Build 1>
           Preprocessor Object: SF_GTP (IPV6)  Version 1.1  <Build 1>
           Preprocessor Object: SF_REPUTATION (IPV6)  Version 1.1  <Build 1>
           Preprocessor Object: SF_DCERPC2 (IPV6)  Version 1.0  <Build 3>
           Preprocessor Object: SF_SSLPP (IPV6)  Version 1.1  <Build 4>
           Preprocessor Object: SF_MODBUS (IPV6)  Version 1.1  <Build 1>
           Preprocessor Object: SF_IMAP (IPV6)  Version 1.0  <Build 1>
           Preprocessor Object: SF_SMTP (IPV6)  Version 1.1  <Build 9>

Snort successfully validated the configuration!

How come sfportscan is not listed in the opening and closing parts?

I hope I'll manage to figure out how to get this 'Portscan' bar to fill up with ruby red ^^
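An added example, not part of the post and not Snort or BASE code: a small parser for the sfportscan logfile format quoted above that also maps each record to the generator/sid pair (122:N) and the sig_name string that the `signature` dump shows, so a record in portscan.log can be matched against the row Barnyard2 wrote into the database. It assumes the log format is exactly the multi-line, blank-line-separated layout in the excerpt, and the sid per scan type is taken from the `signature` dump in the post; the two sample records are the ones quoted from portscan.log above.

```python
"""Parse Snort sfportscan logfile records and map each one to the signature
identifiers (gid 122, sid N) that unified2/Barnyard2 store in `signature`."""
import re
from collections import Counter
from dataclasses import dataclass, field

# sfportscan is generator 122; the sid per scan type is taken from the
# `signature` dump in the post (sig_name 'portscan: <type>', sig_sid N, sig_gid 122).
SFPORTSCAN_GID = 122
SFPORTSCAN_SIDS = {
    "TCP Portscan": 1, "TCP Decoy Portscan": 2, "TCP Portsweep": 3,
    "TCP Distributed Portscan": 4, "TCP Filtered Portscan": 5,
    "TCP Filtered Decoy Portscan": 6, "TCP Filtered Portsweep": 7,
    "TCP Filtered Distributed Portscan": 8,
    "IP Protocol Scan": 9, "IP Decoy Protocol Scan": 10, "IP Protocol Sweep": 11,
    "IP Distributed Protocol Scan": 12, "IP Filtered Protocol Scan": 13,
    "IP Filtered Decoy Protocol Scan": 14, "IP Filtered Protocol Sweep": 15,
    "IP Filtered Distributed Protocol Scan": 16,
    "UDP Portscan": 17, "UDP Decoy Portscan": 18, "UDP Portsweep": 19,
    "UDP Distributed Portscan": 20, "UDP Filtered Portscan": 21,
    "UDP Filtered Decoy Portscan": 22, "UDP Filtered Portsweep": 23,
    "UDP Filtered Distributed Portscan": 24,
    "ICMP Sweep": 25, "ICMP Filtered Sweep": 26, "Open Port": 27,
}

# Line shapes seen in the logfile excerpt (assumed to be the whole format).
TIME_RE = re.compile(r"^Time: (?P<time>\S+)$")
HEADER_RE = re.compile(r"^(?P<src>\S+) -> (?P<dst>\S+) \(portscan\) (?P<scan>.+)$")
KV_RE = re.compile(r"^(?P<key>[A-Za-z_/ ]+): (?P<val>.+)$")


@dataclass
class PortscanEvent:
    time: str = ""
    src: str = ""
    dst: str = ""
    scan_type: str = ""
    fields: dict = field(default_factory=dict)   # e.g. "Priority Count" -> 13


def parse_portscan_log(text):
    """Split the logfile into blank-line-separated records and parse each one."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        ev = PortscanEvent()
        for raw in block.splitlines():
            line = raw.strip()
            if (m := TIME_RE.match(line)):
                ev.time = m.group("time")
            elif (m := HEADER_RE.match(line)):
                ev.src, ev.dst, ev.scan_type = m.group("src", "dst", "scan")
            elif (m := KV_RE.match(line)):
                val = m.group("val")
                ev.fields[m.group("key")] = int(val) if val.isdigit() else val
        if ev.src and ev.scan_type:      # skip fragments with no header line
            events.append(ev)
    return events


def signature_id(ev):
    """(gid, sid) that unified2 carries for this scan type, or None if unknown."""
    sid = SFPORTSCAN_SIDS.get(ev.scan_type)
    return (SFPORTSCAN_GID, sid) if sid is not None else None


def signature_name(ev):
    """sig_name string as it appears in the `signature` table dump."""
    return "portscan: " + ev.scan_type


def summarize(events):
    """Count records per (scanner IP, scan type)."""
    return Counter((ev.src, ev.scan_type) for ev in events)


# The two records below are the ones quoted from portscan.log in the post.
SAMPLE_LOG = """\
Time: 12/01-15:31:52.988044
event_ref: 0
192.168.0.100 -> 192.168.1.210 (portscan) TCP Portscan
Priority Count: 13
Connection Count: 15
IP Count: 1
Scanner IP Range: 192.168.0.100:192.168.0.100
Port/Proto Count: 15
Port/Proto Range: 23:8080

Time: 12/01-15:31:54.883603
event_ref: 0
192.168.0.100 -> 192.168.1.240 (portscan) TCP Filtered Portscan
Priority Count: 0
Connection Count: 200
IP Count: 1
Scanner IP Range: 192.168.0.100:192.168.0.100
Port/Proto Count: 199
Port/Proto Range: 21:65000
"""

if __name__ == "__main__":
    for ev in parse_portscan_log(SAMPLE_LOG):
        print(ev.time, ev.src, "->", ev.dst, signature_name(ev), signature_id(ev),
              "priority", ev.fields.get("Priority Count"))
    print(summarize(parse_portscan_log(SAMPLE_LOG)))
```

Run it against the real /var/log/snort/portscan.log (read the file into `parse_portscan_log`) and compare the `signature_name` values with the sig_name column of the `signature` table and the `signature_id` pairs with (sig_gid, sig_sid): a record that shows up here but has no matching row with events attached in the database points at the unified2/Barnyard2 path rather than at the preprocessor.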

