Re: Snort + sfPortscan + Barnyard2

[Antonio Piepoli <piepoli.antonio () gmail com>]

Thank you,

I've already read that part of documentation and I'm glad to see that 
I'm not the only one who thinks it is a bit obscure :) .

Hope someone can help.

Antonio

Il 11/03/2014 17:24, Maxwell, Jamison [HDS] ha scritto:
> Yes, Barnyard2 only processes unified2 format files, but you should be 
> able to change  the output to unified in snort.conf.  I'm not sure 
> quite how though, as I've never really monkeyed to much with separate 
> preprocessor logs, but it looks like there's some info about it 
> starting on line 213 in doc/README.sfportscan.
>
> /(unified)/
>
> //
>
> /In order to get all the portscan information logged with the alert, 
> snort/
>
> /generates a pseudo-packet and uses the payload portion to store the 
> additional/
>
> /portscan information of priority count, connection count, IP count, 
> port count,/
>
> /IP range, and port range.  The characteristics of the packet are:/
>
> //
>
> /Src/Dst MAC Addr == MACDAD/
>
> /IP Protocol == 255/
>
> /IP TTL == 0/
>
> //
>
> /Other than that, the packet looks like the IP portion of the packet 
> that caused/
>
> /the portscan alert to be generated.  This includes any IP options, 
> etc.  The/
>
> /payload and payload size of the packet is equal to the length of the 
> additional/
>
> /portscan information that is logged.  The size tends to be around 100 
> - 200/
>
> /bytes./
>
> //
>
> /Open port alerts differ from the other portscan alerts, because open 
> port alerts/
>
> /utilize the tagged packet output system.  This means that if an 
> output system/
>
> /that doesn't print tagged packets is used, then the user won't see 
> open port/
>
> /alerts. The open port information is stored in the IP payload and/
>
> /contains the port that is open./
>
> //
>
> /The sfPortscan alert output was designed to work with unified packet 
> logging, so/
>
> /it is possible to extend favorite snort GUIs to display portscan 
> alerts and the/
>
> /additional information in the IP payload using the above packet 
> characteristics./
>
> Though, I'm don't think this information is very clear.  Also, you're 
> specifying merged.log in your -f option, which is processing 
> /var/log/snort/merged.log, not portscan.log, but it would need to be 
> unified anyway.
>
> Jamison Maxwell
>
> *From:*Antonio Piepoli [mailto:piepoli.antonio () gmail com]
> *Sent:* Tuesday, March 11, 2014 12:12 PM
> *To:* Maxwell, Jamison [HDS]; snort-users () lists sourceforge net
> *Subject:* Re: Snort + sfPortscan + Barnyard2
>
> First of all thank you for the assistance,
>
> I'm running barnyard with this command:
>
> //usr/local/bin/barnyard2 -c /usr/local/etc/barnyard2.conf -d 
> /var/log/snort -f merged.log -D/
>
> In the config file of barnyard it's written nowhere to process 
> portscan.log (I knew it was trivial).
>
> Actually I think I'm missing something. The file portscan.log is 
> written in cleartext while merged.log is unified2, is it not mandatory 
> for barnyard to read files in unified2 file format? Does snort have to 
> update /merged.log /to include//sfportscan's alerts?
>
>
> Thanks,
> Antonio
>
> Il 11/03/2014 16:55, Maxwell, Jamison [HDS] ha scritto:
>
>     The first thing I would do is ensure that portscan.log is being processed by barnyard2.  You should see this in 
> /var/log/messages, but you can also turn on mysql logging and watch the INSERT queries.  In my configuration, on RHEL, 
> the config file you specify the lag to parse is /etc/sysconfig/barnyard2.
>
>       
>
>       
>
>       
>
>       
>
>     Jamison Maxwell
>
>     Sr. Systems Administrator
>
>       
>
>     -----Original Message-----
>
>     From:snort-users-request () lists sourceforge net  <mailto:snort-users-request () lists sourceforge net>  
> [mailto:snort-users-request () lists sourceforge net]
>
>     Sent: Tuesday, March 11, 2014 10:34 AM
>
>     To:snort-users () lists sourceforge net  <mailto:snort-users () lists sourceforge net>
>
>     Subject: Snort-users Digest, Vol 94, Issue 24
>
>       
>
>     Send Snort-users mailing list submissions to
>
>        snort-users () lists sourceforge net  <mailto:snort-users () lists sourceforge net>
>
>       
>
>     To subscribe or unsubscribe via the World Wide Web, visit
>
>        https://lists.sourceforge.net/lists/listinfo/snort-users
>
>     or, via email, send a message with subject or body 'help' to
>
>        snort-users-request () lists sourceforge net  <mailto:snort-users-request () lists sourceforge net>
>
>       
>
>     You can reach the person managing the list at
>
>        snort-users-owner () lists sourceforge net  <mailto:snort-users-owner () lists sourceforge net>
>
>       
>
>     When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-users digest..."

------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and their
applications. Written by three acclaimed leaders in the field,
this first edition is now available. Download your free book today!
http://p.sf.net/sfu/13534_NeoTech

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!