Snort mailing list archives
SNORT/BASE does not fill the BASE Homepage Portscan bar
From: olivier a <oatech7402 () gmail com>
Date: Sun, 1 Dec 2013 19:34:53 +0100
Hi. I know this question has been asked several times on the Internet, but
I couldn’t manage to solve it. After 2 weeks of working around with Snort,
I really wish I could figure this out.
I have two Snort configs on Debian Wheezy. All packages updated from
repository:
SNORT-mysql --> MYSQL --> Apache --> Base
SNORT --> Barnyard2 --> MYSQL --> Apache --> Base
Network Topology ( The SNORT IDS is on a port Mirror ) :
--(Router2)-----------------------------------------
|-(Router1)----------------PC1
(SNORT IDS)--------------
\__________192.168.1.0/24______________/ \________
192.168.0.0/24_________/
SNORT is Version 2.9.2.2 IPv6 GRE (Build 121) installed from apt-get
repository
Barnyard is Version 2.1.13 (Build 327) compiled from sources
MYSQL and APACHE2 are latest version available from apt-get repository
BASE is the latest available version (1.4.5), downloaded and unzipped from
sources.
The same phenomenon happens for both SNORT configs: if I do a regular
portscan of the 192.168.0.0/24 subnet ( nmap 192.168.0.0/24 ) from PC1, the
BASE interface gets populated with alerts, the portscan.log file registers
some portscans, and the portscan.log file is acknowledged by BASE if I query
a single IP ( unique Destination IP --> choosing an IP --> Portscan ), but
the PORTSCAN bar on the BASE homepage remains desperately EMPTY.
I'm not sure how to troubleshoot this. Here are the most important parts of
my snort.conf file ( the rest is left default and unchanged ) :
# Compatible with Snort Versions:
# VERSIONS : 2.9.2.2
....
# Setup the network addresses you are protecting
ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET !$HOME_NET
....
# Target-Based stateful inspection/stream reassembly. For more information, see README.stream5
preprocessor stream5_global: track_tcp yes, \
track_udp yes, \
track_icmp no, \
....
# Portscan detection. For more information, see README.sfportscan
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { medium } logfile { /var/log/snort/portscan.log }
....
output alert_syslog: LOG_local0 LOG_ALERT
output log_tcpdump: tcpdump.log
output unified2: filename snort.log, limit 128
....
# Note for Debian users: The rules preinstalled in the system
# can be *very* out of date. For more information please read
# the /usr/share/doc/snort-rules-default/README.Debian file
# site specific rules
include $RULE_PATH/local.rules
## Note : Following .rules commenting out left unchanged
--------------------------------------------------------------
The /var/log/snort/portscan.log file gets populated like this :
Time: 12/01-15:31:52.988044
event_ref: 0
192.168.0.100 -> 192.168.1.210 (portscan) TCP Portscan
Priority Count: 13
Connection Count: 15
IP Count: 1
Scanner IP Range: 192.168.0.100:192.168.0.100
Port/Proto Count: 15
Port/Proto Range: 23:8080
Time: 12/01-15:31:54.883603
event_ref: 0
192.168.0.100 -> 192.168.1.240 (portscan) TCP Filtered Portscan
Priority Count: 0
Connection Count: 200
IP Count: 1
Scanner IP Range: 192.168.0.100:192.168.0.100
Port/Proto Count: 199
Port/Proto Range: 21:65000
---------------------------------------------------------------------------------------------
The BASE displayed alerts are these :
Displaying alerts 1-11 of 11 total
< Signature >                           < Classification >  < Total # >  Sensor #  < Source Address >  < Dest. Address >  < First >            < Last >
[snort] ICMP Timestamp Request          misc-activity       11(0%)       1         1                   1                  2013-11-29 14:20:04  2013-11-29 14:45:29
[snort] SNMP AgentX/tcp request         attempted-recon     22(1%)       1         1                   2                  2013-11-29 14:20:04  2013-11-29 17:36:16
[snort] SNMP request tcp                attempted-recon     22(1%)       1         1                   2                  2013-11-29 14:20:04  2013-11-29 17:36:17
[snort] ICMP PING undefined code        misc-activity       15(0%)       1         1                   2                  2013-11-29 14:20:15  2013-11-29 17:16:58
[snort] ICMP PING                       misc-activity       3548(95%)    1         1                   2                  2013-11-29 14:20:15  2013-11-30 10:37:33
[snort] SCAN nmap XMAS                  attempted-recon     27(1%)       1         1                   2                  2013-11-29 14:20:15  2013-11-29 17:16:58
[snort] ICMP PING NMAP                  attempted-recon     54(1%)       1         1                   2                  2013-11-29 14:20:42  2013-11-29 17:35:56
[snort] SNMP trap tcp                   attempted-recon     11(0%)       1         1                   2                  2013-11-29 14:20:44  2013-11-29 14:53:11
[snort] DDOS mstream client to handler  attempted-dos       12(0%)       1         1                   2                  2013-11-29 14:20:48  2013-11-29 14:54:58
[snort] MISC Source Port 20 to <1024    bad-unknown         1(0%)        1         1                   1                  2013-11-29 14:21:49  2013-11-29 14:21:49
[snort] ICMP traceroute                 attempted-recon     1(0%)        1         1                   1                  2013-11-29 14:58:06  2013-11-29 14:58:06
----------------------------------------------------------------------------------------------------------
Finally, if I reset the database, redo the scan, and dump the MySQL
database, this does appear in the dump and was not there before the scan :
Dumping data for table `signature`
--
LOCK TABLES `signature` WRITE;
/*!40000 ALTER TABLE `signature` DISABLE KEYS */;
INSERT INTO `signature` VALUES (1,'dnp3: DNP3 Application-Layer Fragment
uses a reserved function code.',0,0,1,6,145),(2,'dnp3: DNP3 Link-Layer
Frame uses a reserved address.',0,0,1,5,145),(3,'dnp3: DNP3 Reassembly
Buffer was cleared without reassembling a complete
message.',0,0,1,4,145),(4,'dnp3: DNP3 Transport-Layer Segment was dropped
during reassembly.',0,0,1,3,145),
....
....
(176,'frag3: Fragment packet ends after defragmented
packet',0,0,1,4,123),(177,'frag3: Short fragment, possible DoS
attempt',0,0,1,3,123),(178,'frag3: Teardrop
attack',0,0,1,2,123),(179,'frag3: IP Options on fragmented
packet',0,0,1,1,123),(180,'portscan: Open
Port',0,0,1,27,122),(181,'portscan: ICMP Filtered
Sweep',0,0,1,26,122),(182,'portscan: ICMP
Sweep',0,0,1,25,122),(183,'portscan: UDP Filtered Distributed
Portscan',0,0,1,24,122),(184,'portscan: UDP Filtered
Portsweep',0,0,1,23,122),(185,'portscan: UDP Filtered Decoy
Portscan',0,0,1,22,122),(186,'portscan: UDP Filtered
Portscan',0,0,1,21,122),(187,'portscan: UDP Distributed
Portscan',0,0,1,20,122),(188,'portscan: UDP
Portsweep',0,0,1,19,122),(189,'portscan: UDP Decoy
Portscan',0,0,1,18,122),(190,'portscan: UDP
Portscan',0,0,1,17,122),(191,'portscan: IP Filtered Distributed Protocol
Scan',0,0,1,16,122),(192,'portscan: IP Filtered Protocol
Sweep',0,0,1,15,122),(193,'portscan: IP Filtered Decoy Protocol
Scan',0,0,1,14,122),(194,'portscan: IP Filtered Protocol
Scan',0,0,1,13,122),(195,'portscan: IP Distributed Protocol
Scan',0,0,1,12,122),(196,'portscan: IP Protocol
Sweep',0,0,1,11,122),(197,'portscan: IP Decoy Protocol
Scan',0,0,1,10,122),(198,'portscan: IP Protocol
Scan',0,0,1,9,122),(199,'portscan: TCP Filtered Distributed
Portscan',0,0,1,8,122),(200,'portscan: TCP Filtered
Portsweep',0,0,1,7,122),(201,'portscan: TCP Filtered Decoy
Portscan',0,0,1,6,122),(202,'portscan: TCP Filtered
Portscan',0,0,1,5,122),(203,'portscan: TCP Distributed
Portscan',0,0,1,4,122),(204,'portscan: TCP
Portsweep',0,0,1,3,122),(205,'portscan: TCP Decoy
Portscan',0,0,1,2,122),(206,'portscan: TCP
Portscan',0,0,1,1,122),(207,'flow-portscan: Sliding Scale Talker Limit
Exceeded',0,0,1,4,121),(208,'flow-portscan: Fixed Scale Talker Limit
Exceeded',0,0,1,3,121),(209,'flow-portscan: Sliding Scale Scanner Limit
Exceeded',0,0,1,2,121),(210,'flow-portscan: Fixed Scale Scanner Limit
Exceeded',0,0,1,1,121),(211,'http_inspect: MULTIPLE ENCODINGS WITHIN
JAVASCRIPT OBFUSCATED DATA',0,0,1,11,120)
....
....
Does it mean that the Portscan does get detected by the sfportscan
preprocessor and sent onto the MySQL database ?
I did notice that /etc/snort/rules/portscan.rules has most rules not
tagged with a portscan label, but rules and preprocessors are distinct
things, right ?
Finally, what puzzles me are these parts of my snort -T output :
Loading all dynamic preprocessor libs from
/usr/lib/snort_dynamicpreprocessor/...
Loading dynamic preprocessor library
/usr/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
Loading dynamic preprocessor library
/usr/lib/snort_dynamicpreprocessor//libsf_imap_preproc.so... done
Loading dynamic preprocessor library
/usr/lib/snort_dynamicpreprocessor//libsf_modbus_preproc.so... done
Loading dynamic preprocessor library
/usr/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done
Loading dynamic preprocessor library
/usr/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so... done
Loading dynamic preprocessor library
/usr/lib/snort_dynamicpreprocessor//libsf_reputation_preproc.so... done
Loading dynamic preprocessor library
/usr/lib/snort_dynamicpreprocessor//libsf_gtp_preproc.so... done
Loading dynamic preprocessor library
/usr/lib/snort_dynamicpreprocessor//libsf_sip_preproc.so... done
Loading dynamic preprocessor library
/usr/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so... done
Loading dynamic preprocessor library
/usr/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
Loading dynamic preprocessor library
/usr/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
Loading dynamic preprocessor library
/usr/lib/snort_dynamicpreprocessor//libsf_pop_preproc.so... done
Loading dynamic preprocessor library
/usr/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
Loading dynamic preprocessor library
/usr/lib/snort_dynamicpreprocessor//libsf_dnp3_preproc.so... done
Finished Loading all dynamic preprocessor libs from
/usr/lib/snort_dynamicpreprocessor/
Log directory = /var/log/snort
WARNING: ip4 normalizations disabled because not inline.
.....
.....
Portscan Detection Config:
Detect Protocols: TCP UDP ICMP IP
Detect Scan Type: portscan portsweep decoy_portscan
distributed_portscan
Sensitivity Level: Medium
Memcap (in bytes): 10000000
Number of Nodes: 19569
Logfile: /var/log/snort/portscan.log
FTPTelnet Config:
....
....
Rules Engine: SF_SNORT_DETECTION_ENGINE Version 1.15 <Build 18>
Preprocessor Object: SF_DNP3 (IPV6) Version 1.1 <Build 1>
Preprocessor Object: SF_SSH (IPV6) Version 1.1 <Build 3>
Preprocessor Object: SF_POP (IPV6) Version 1.0 <Build 1>
Preprocessor Object: SF_DNS (IPV6) Version 1.1 <Build 4>
Preprocessor Object: SF_FTPTELNET (IPV6) Version 1.2 <Build 13>
Preprocessor Object: SF_SDF (IPV6) Version 1.1 <Build 1>
Preprocessor Object: SF_SIP (IPV6) Version 1.1 <Build 1>
Preprocessor Object: SF_GTP (IPV6) Version 1.1 <Build 1>
Preprocessor Object: SF_REPUTATION (IPV6) Version 1.1 <Build 1>
Preprocessor Object: SF_DCERPC2 (IPV6) Version 1.0 <Build 3>
Preprocessor Object: SF_SSLPP (IPV6) Version 1.1 <Build 4>
Preprocessor Object: SF_MODBUS (IPV6) Version 1.1 <Build 1>
Preprocessor Object: SF_IMAP (IPV6) Version 1.0 <Build 1>
Preprocessor Object: SF_SMTP (IPV6) Version 1.1 <Build 9>
Snort successfully validated the configuration!
How come sfportscan is not listed in the beginning and closing parts ?
I hope I'll manage to figure out how to have this 'Portscan' BAR able to
fill-up with ruby red ^^
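A small parser for the /var/log/snort/portscan.log layout quoted above, added here as a worked example (it is not code from the post, from Snort or from BASE). It turns each sfportscan event block into a record, summarises what each scanner did, and maps the scan type to the (gid, sid) pair that the dumped `signature` table shows for the TCP variants (gid 122, sids 1-8), so the log can be cross-checked against what Barnyard2 wrote to MySQL. The sample log text is constructed from the two events in the post; the field meanings follow README.sfportscan.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: the two events quoted in the post, in the exact
# layout sfportscan writes to its logfile.
SAMPLE_LOG = """\
Time: 12/01-15:31:52.988044
event_ref: 0
192.168.0.100 -> 192.168.1.210 (portscan) TCP Portscan
Priority Count: 13
Connection Count: 15
IP Count: 1
Scanner IP Range: 192.168.0.100:192.168.0.100
Port/Proto Count: 15
Port/Proto Range: 23:8080
Time: 12/01-15:31:54.883603
event_ref: 0
192.168.0.100 -> 192.168.1.240 (portscan) TCP Filtered Portscan
Priority Count: 0
Connection Count: 200
IP Count: 1
Scanner IP Range: 192.168.0.100:192.168.0.100
Port/Proto Count: 199
Port/Proto Range: 21:65000
"""

# (gid, sid) per scan type, taken from the `signature` rows in the post's
# MySQL dump: e.g. (206,'portscan: TCP Portscan',0,0,1,1,122) -> sid 1, gid 122.
# Only the TCP rows are listed here; the dump shows the UDP/IP/ICMP ones too.
TCP_SIGNATURES = {
    "TCP Portscan": (122, 1),
    "TCP Decoy Portscan": (122, 2),
    "TCP Portsweep": (122, 3),
    "TCP Distributed Portscan": (122, 4),
    "TCP Filtered Portscan": (122, 5),
    "TCP Filtered Decoy Portscan": (122, 6),
    "TCP Filtered Portsweep": (122, 7),
    "TCP Filtered Distributed Portscan": (122, 8),
}


@dataclass
class PortscanEvent:
    time: str
    event_ref: int
    src: str
    dst: str
    scan_type: str
    priority_count: int     # responses such as RST/ICMP unreachable seen
    connection_count: int   # connection attempts counted for this event
    ip_count: int
    scanner_range: Tuple[str, str]
    port_count: int
    port_range: Tuple[int, int]


HEADER_RE = re.compile(r"^(\S+) -> (\S+) \(portscan\) (.+)$")


def _finish(b: Dict[str, str]) -> PortscanEvent:
    lo, hi = b["Scanner IP Range"].split(":")
    plo, phi = b["Port/Proto Range"].split(":")
    return PortscanEvent(
        time=b["time"], event_ref=int(b["event_ref"]),
        src=b["src"], dst=b["dst"], scan_type=b["scan_type"],
        priority_count=int(b["Priority Count"]),
        connection_count=int(b["Connection Count"]),
        ip_count=int(b["IP Count"]),
        scanner_range=(lo, hi),
        port_count=int(b["Port/Proto Count"]),
        port_range=(int(plo), int(phi)),
    )


def parse_portscan_log(text: str) -> List[PortscanEvent]:
    """Split the log into events; each event starts at a 'Time:' line."""
    events, block = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Time:"):
            if block:
                events.append(_finish(block))
            block = {"time": line.split(":", 1)[1].strip()}
            continue
        m = HEADER_RE.match(line)
        if m:
            block["src"], block["dst"], block["scan_type"] = m.groups()
            continue
        key, _, value = line.partition(":")  # first ':' only, values may contain ':'
        block[key.strip()] = value.strip()
    if block:
        events.append(_finish(block))
    return events


def summarize(events: List[PortscanEvent]) -> Dict[str, dict]:
    """Per scanner source: event count, distinct targets, scan types seen."""
    out: Dict[str, dict] = {}
    for e in events:
        s = out.setdefault(e.src, {"events": 0, "targets": set(), "types": Counter()})
        s["events"] += 1
        s["targets"].add(e.dst)
        s["types"][e.scan_type] += 1
    return out


def generator_ids(e: PortscanEvent) -> Tuple[int, int]:
    """(gid, sid) under which this event should appear in the event table."""
    return TCP_SIGNATURES[e.scan_type]


if __name__ == "__main__":
    evs = parse_portscan_log(SAMPLE_LOG)
    for e in evs:
        print(e.time, e.src, "->", e.dst, e.scan_type, "gid/sid", generator_ids(e))
    print(summarize(evs))
```

The signature name stored in the dump is `"portscan: " + scan_type`, so `SELECT * FROM event JOIN signature ON event.signature = signature.sig_id WHERE sig_gid = 122` after a scan is the quickest way to see whether Barnyard2 actually wrote the sfportscan events that the logfile shows.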
