[Snort-users] Snorby Snort or Barnyard scrambles IPs

Ilja Schumacher ilja.schumacher at ...11827...
Tue Apr 1 04:12:15 EDT 2014


Hi guys,

Barnyard2 actually reads everything fine from the u2 logs. All parts of the
alarms are shown correctly in the DB and Snorby except the IPHDR.source and
IPHDR.destination columns.

I have run search functions over the whole system. No u2spewfoo found
anywhere. So I guess the snort-Debian-Wheezy-ARMEL package indeed does not
have it.

Until now I could not see any Barnyard traffic over the eth or lo interface
because I had it configured to use "localhost", causing it to use the socket
instead of the lo interface.
Changed to 127.0.0.1. Now I see the MySQL statements Barnyard2 is inserting in
clear text, as you said.

Result: Barnyard2 is inserting wrong values like 3232255270 =
*192.168.77.38*
while the u2 logs (I can only read them in hex, which is still OK) show the
correct addresses.

So the current status is:
Snort => snort.u2.log = correct
snort.u2.log => Barnyard2 => DB = 3rd and 4th bytes of IPHDR.source and
IPHDR.destination are switched and padded with rubbish for some reason.

I will bring up the issue on the barnyard-users mailing list (thanks for
the link) and report back.

@Alex: Already checked that. Obfuscate IPs is disabled on my system at the moment.

Cheers and Thanks
Ilja




2014-03-31 18:01 GMT+02:00 Jeremy Hoel <jthoel at ...11827...>:

> So the u2 tools are part of the snort package and should be even on Debian.
>   "u2spewfoo" lets you look at the u2 files, dumps what they contain in a
> readable format.
>
> So from your notes it seems BY2 isn't reading the U2 right, or not
> sending it to mysql correctly.  BY2 should send the communication to the DB
> over plain text (according to your config) so you should see the bad IP going over
> the wire when it reads the u2 file.
>
> Elz (beenph) is one of the authors of BY2 and there is a mailing list for
> support and since I'm not a coder he might have some better ideas.
>
> https://groups.google.com/forum/#!forum/barnyard2-users
>
> Looking at past archives I don't see any threads related to running BY2 on
> ARM, so I don't know whether it has or has not already been looked at.  It is
> odd that it gets part of the IP, but not all of it.
>
> On Mon, Mar 31, 2014 at 4:05 AM, Ilja Schumacher <
> ilja.schumacher at ...11827...> wrote:
>
>> Hi Jeremy, thanks for your reply:
>>
>>
>> MYSQL:
>>
>> Example event in database sid 1 cid 1:
>> ipsrc is: 3232246349 = 11000000101010000010101001001101 = 192.168.42.77
>> Which is totally wrong already because my test network is on
>> 192.168.1.0/24
>> So Snorby is not the villain here.
>>
>> BARNYARD-ALERTS-LOG
>>
>> Barnyard2 alerts log also reports wrong IPs.
>> Example alert:
>> ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc
>> Attack] [Priority: 2] {TCP} 218.77.8.206:34958 -> 192.168.79.34:80
>> The destination IP is clearly not addressable in my lab network.
>>
>> SNORT U2-LOG:
>> As I have the Debian package installed and it has no u2 log converter
>> bundled, I used a hex editor:
>> I have alerts in Snorby that are 100% directed towards my test lab
>> Asterisk on 192.168.1.4
>>
>> Which would be hex C0:A8:01:04.
>> The u2 log clearly shows several occurrences of this value matching the
>> count of the events corresponding to 192.168.1.4 in Snorby.
>>
>> So there is something wrong in Barnyard2, because the u2 log is correct
>> but it somehow writes wrong values into the database.
>>
>> The barnyard2 config is completely stock except for the following line:
>>
>> output database: log, mysql, user=someuser password=somepassword
>> dbname=snorby host=localhost
>>
>> The snort config has:
>> output unified2: filename snort.log, limit 128
>>
>> Barnyard2 is started this way:
>> barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w
>> /etc/snort/bylog.waldo
>>
>> All other files needed, like gen-msg.map, sid-msg.map and classifications
>> etc., are in the default locations or defined in snort.conf.
>>
>> Thanks again for your help.
>>
>> Cheers
>> Ilja
>>
>>
>>
>> 2014-03-31 9:07 GMT+02:00 Jeremy Hoel <jthoel at ...11827...>:
>>
>>> Start with the beginning: does tcpdump always show the right IP, then
>>> do the u2 files show the right IPs (and in syslog if you have that
>>> output)?  Sniff the traffic and see if BY2 is sending the right IP and then
>>> check the DB and ensure that it's being stored as the right IP.  I'm
>>> thinking it might have something to do with how the DB is storing the IP,
>>> but that's just a guess.
>>>
>>> If you go through each of these spots it might help narrow down the
>>> problem, and maybe in the end it's a Snorby issue and you can bring it up
>>> on that mailing list, but it's a good idea to check the other bits first.
>>>
>>>
>>> On Mon, Mar 31, 2014 at 2:57 AM, Ilja Schumacher <
>>> ilja.schumacher at ...11827...> wrote:
>>>
>>>>
>>>> Hey fellows,
>>>>
>>>> I have just finished setting up Snort, Barnyard, MySQL, PulledPork and
>>>> Snorby on an ARM5 box.
>>>>
>>>> Everything works very nicely except that Snorby shows totally scrambled
>>>> IPs for source and destination.
>>>>
>>>> Example:
>>>> Real source 82.56.35.23
>>>> Real destination 192.168.1.13
>>>>
>>>> Snorby shows:
>>>> Source 82.56.XX1.13
>>>> Destination 192.168.X35.23
>>>>
>>>> X is 1 most of the time.
>>>>
>>>> Setup is:
>>>> Internet. Firewall/NAT. LanportMirror. Snort.
>>>>
>>>> Do you have a clue what may cause such strange behaviour?
>>>>
>>>> Cheers
>>>> Ilja
>>>>
>>>>
>>>> _______________________________________________
>>>> Snort-users mailing list
>>>> Snort-users at lists.sourceforge.net
>>>> Go to this URL to change user options or unsubscribe:
>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>> Snort-users list archive:
>>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>>
>>>> Please visit http://blog.snort.org to stay current on all the latest
>>>> Snort news!
>>>>
>>>
>>>
>>
>
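The thread turns on two checks: what the unified2 file actually contains (done above with a hex editor because the Debian package ships no u2spewfoo), and what the unsigned integer Barnyard2 writes to ip_src/ip_dst decodes to. The reader below is an added example, not code from this thread or from the Snort/Barnyard2 projects. It assumes the record layout from Snort's Unified2_common.h (serial header of uint32 type and uint32 length, every field in network byte order, IPv4 event types 7 and 104 with 52- and 60-byte bodies); IPv6 event types are skipped. The sample log bytes are constructed inline to mirror the alert quoted in the thread, and the sid, sensor id and timestamp in them are placeholders, not the real event.

```python
import socket
import struct

# Record types from Snort's Unified2_common.h (assumed layout; see lead-in)
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7          # Unified2IDSEvent, 52-byte body
UNIFIED2_IDS_EVENT_VLAN = 104   # Unified2IDSEvent_VLAN, 60-byte body

# Serial record header: uint32 type, uint32 length (body only, header excluded)
HEADER = struct.Struct("!II")
# Unified2IDSEvent: sensor_id, event_id, event_second, event_microsecond,
# signature_id, generator_id, signature_revision, classification_id,
# priority_id, ip_source, ip_destination, sport_itype, dport_icode,
# protocol, impact_flag, impact, blocked
IDS_EVENT = struct.Struct("!11I2H4B")
# VLAN variant appends mpls_label (uint32), vlanId (uint16), pad2 (uint16)
IDS_EVENT_VLAN = struct.Struct("!11I2H4BIHH")
# Unified2Packet prefix: sensor_id, event_id, event_second, packet_second,
# packet_microsecond, linktype, packet_length; raw packet bytes follow
PACKET_HDR = struct.Struct("!7I")


def ipv4_from_u32(value):
    """Dotted quad for the unsigned 32-bit value stored in ip_src/ip_dst."""
    return socket.inet_ntoa(struct.pack("!I", value))


def ipv4_to_u32(dotted):
    """Inverse of ipv4_from_u32, e.g. 192.168.1.4 -> 3232235780."""
    return struct.unpack("!I", socket.inet_aton(dotted))[0]


def iter_records(data):
    """Yield (type, body) per serial record; refuse a truncated file."""
    off = 0
    while off + HEADER.size <= len(data):
        rtype, rlen = HEADER.unpack_from(data, off)
        body = data[off + HEADER.size:off + HEADER.size + rlen]
        if len(body) != rlen:
            raise ValueError("truncated record at offset %d" % off)
        yield rtype, body
        off += HEADER.size + rlen


def parse_events(data):
    """Decode IPv4 IDS event records; other record types are skipped by length."""
    events = []
    for rtype, body in iter_records(data):
        if rtype == UNIFIED2_IDS_EVENT:
            f = IDS_EVENT.unpack(body[:IDS_EVENT.size])
        elif rtype == UNIFIED2_IDS_EVENT_VLAN:
            f = IDS_EVENT_VLAN.unpack(body[:IDS_EVENT_VLAN.size])
        else:
            continue
        events.append({
            "sensor_id": f[0], "event_id": f[1], "event_second": f[2],
            "sid": f[4], "gid": f[5], "rev": f[6],
            "src": ipv4_from_u32(f[9]), "dst": ipv4_from_u32(f[10]),
            "sport": f[11], "dport": f[12], "proto": f[13],
        })
    return events


def count_address_bytes(data, dotted):
    """The hex-editor check: how often do the address's four raw bytes occur?"""
    return data.count(socket.inet_aton(dotted))


def build_ids_event(src, dst, sport, dport, proto, sid, event_id=1, sec=0):
    """Construct a type-7 record (sensor/classification values are placeholders)."""
    body = IDS_EVENT.pack(1, event_id, sec, 0, sid, 1, 1, 0, 2,
                          ipv4_to_u32(src), ipv4_to_u32(dst),
                          sport, dport, proto, 0, 0, 0)
    return HEADER.pack(UNIFIED2_IDS_EVENT, len(body)) + body


def build_packet(src, dst, event_id=1, sec=0):
    """Construct a type-2 record around a stub Ethernet/IPv4 header (not a real frame)."""
    pkt = (b"\x00" * 14 + b"\x45\x00\x00\x28" + b"\x00" * 8
           + socket.inet_aton(src) + socket.inet_aton(dst))
    body = PACKET_HDR.pack(1, event_id, sec, sec, 0, 1, len(pkt)) + pkt
    return HEADER.pack(UNIFIED2_PACKET, len(body)) + body


# Constructed sample modelled on the alert quoted in the thread; sid and
# timestamp are placeholders, not the real rule or event.
SAMPLE_LOG = (build_ids_event("218.77.8.206", "192.168.1.4", 34958, 80, 6,
                              sid=1000001, event_id=1, sec=1396339200)
              + build_packet("218.77.8.206", "192.168.1.4", event_id=1,
                             sec=1396339200))


def main():
    for ev in parse_events(SAMPLE_LOG):
        print("[%d:%d:%d] %s:%d -> %s:%d proto %d" % (
            ev["gid"], ev["sid"], ev["rev"], ev["src"], ev["sport"],
            ev["dst"], ev["dport"], ev["proto"]))
    print("raw C0:A8:01:04 occurrences:",
          count_address_bytes(SAMPLE_LOG, "192.168.1.4"))
    # The two integers quoted in the thread, decoded as Barnyard2 stored them
    for v in (3232246349, 3232255270):
        print(v, "=", ipv4_from_u32(v))


if __name__ == "__main__":
    main()
```

To run it against a real log, replace SAMPLE_LOG with open("/var/log/snort/snort.log.<ts>", "rb").read(); if the decoded src/dst match what count_address_bytes finds for the victim address, the file is intact and the fault lies between Barnyard2 reading the record and the INSERT it sends, which is where the thread's own sniffing points.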

