BASE unable to read content of portscan.log

BASE-user
2008-05-11
2013-06-03
  • Boris Sondagh
    2008-05-11

    Hi, when I point BASE to my preprocessor sfportscan logfile I get no portscans in BASE even though I have a filled portscan.log:

    Time: 05/10-21:46:03.059741
    event_ref: 0
    192.168.233.131 -> 192.168.233.130 (portscan) TCP Portscan
    Priority Count: 7
    Connection Count: 10
    IP Count: 1
    Scanner IP Range: 192.168.233.131:192.168.233.131
    Port/Proto Count: 10
    Port/Proto Range: 21:836

    When I look at base_stat_ipaddr.php and click portscan, an error appears for every line in portscan.log:

    Warning: ereg() [function.ereg]: REG_EMPTY in D:\wwwroot\base\base_stat_ipaddr.php on line 88

    So if portscan.log has 11 lines, I get 11 errors.
    When I delete portscan.log, I get:

    Warning: fopen(D:\Snort\log\portscan.log) [function.fopen]: failed to open stream: No such file or directory in D:\wwwroot\base\base_stat_ipaddr.php on line 65

    When I edit line 88 from:
    if(ereg($ip, $contents)) {
    to
    if(ereg("192.168.233.130", $contents)) {

    I get some content, which seems a good start.
    A little stuck now.
    It is reading the content, but it's unable to process it???

    Help is appreciated
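    An added example, not code from the thread or from BASE itself: a small parser for the sfportscan logfile layout pasted above, with an address filter that rejects the empty-IP case behind the REG_EMPTY warning and compares parsed fields instead of running the address as a regex over the raw file. The sample log and the function names are constructed.

    ```python
    import re

    # Constructed sample in the layout of the sfportscan logfile pasted in the thread.
    SAMPLE_LOG = """Time: 05/10-21:46:03.059741
    event_ref: 0
    192.168.233.131 -> 192.168.233.130 (portscan) TCP Portscan
    Priority Count: 7
    Connection Count: 10
    IP Count: 1
    Scanner IP Range: 192.168.233.131:192.168.233.131
    Port/Proto Count: 10
    Port/Proto Range: 21:836

    Time: 05/10-21:47:11.000001
    event_ref: 0
    10.0.0.5 -> 10.0.0.9 (portscan) UDP Portscan
    Priority Count: 3
    Connection Count: 4
    IP Count: 1
    Scanner IP Range: 10.0.0.5:10.0.0.5
    Port/Proto Count: 4
    Port/Proto Range: 53:161
    """

    # The "src -> dst (portscan) <type>" line that opens each record's body.
    HEADER_RE = re.compile(r"^(?P<src>[\d.]+) -> (?P<dst>[\d.]+) \(portscan\) (?P<type>.+)$")

    def parse_portscan_log(text):
        # Records are separated by blank lines; every other line is "Key: value".
        events = []
        for block in re.split(r"\n\s*\n", text.strip()):
            event = {}
            for line in block.splitlines():
                match = HEADER_RE.match(line)
                if match:
                    event.update(match.groupdict())
                elif ": " in line:  # "Time: ...", "Priority Count: ...", etc.
                    key, value = line.split(": ", 1)
                    event[key] = value
            if "src" in event:
                events.append(event)
        return events

    def events_for_ip(text, ip):
        # base_stat_ipaddr.php ran ereg($ip, $contents) with an empty $ip, which PHP
        # rejects with REG_EMPTY; refuse an empty or non-address filter before matching.
        if not ip or not re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", ip):
            raise ValueError("ip filter must be a dotted-quad address")
        # Match on the parsed src/dst fields rather than using the address as a regex,
        # where '.' is a metacharacter and "192.168.233.130" also matches "192x168x233x130".
        return [e for e in parse_portscan_log(text) if ip in (e["src"], e["dst"])]
    ```

    Because the timestamp is kept under its own "Time" key, a caller rendering the result gets the date in the date column instead of the address that BASE showed there.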

    • Hello Boris,

      would you please try the CVS version of BASE?  This is the version that can be found under the directory base-php4.

      If you haven't installed CVS, you need only the cvs client package, not also the server package.

      Further details can be found at

      https://sourceforge.net/cvs/?group_id=103348

      Bye, bye

      Juergen

    • Boris Sondagh
      2008-05-11

      Hi Juergen,

      Thanks for the effort.
      I'm still working out the CVS client, but I got the updated version of your base_stat_ipaddr.php from the webinterface.
      Now I get a new error:

      $ip has been defined, but it is empty. Returning.

      And the BASE opening page still does not mention any portscans.
      Bye,

      Boris

      • Hi Boris,

        could you please update from CVS once again?

        I have added some more debug messages. I need to know where $ip gets lost. Therefore a backtrace should show up as a result of this error.

        Can you tell me exactly which steps you take, i.e. which links you click, when you try to get portscan results?

        It would be easier for me, if I could reproduce your error. Remote debugging is always difficult.

        This problem might take some more measures, until it gets solved. So don't expect too much.

        BTW: You are sure you have cookies enabled, right?

        Bye, bye

        Juergen

    • Boris Sondagh
      2008-05-11

      Hi,

      Done the update, new messages:
      D:\wwwroot\base\base_stat_ipaddr.php:63: $ip has been defined, but it is empty. Ignoring.
      D:\wwwroot\base\base_stat_ipaddr.php:99: $ip has been defined, but it is empty. Returning.

      Details:
      Running W2k3
      IIS 6
      PHP 5.2.5.5
      MySQL 5
      (all users have full control of portscan.log)

      snort.conf:
      preprocessor sfportscan: \
          proto  { all } \
          scan_type { all } \
          memcap { 100000000 } \
          logfile { portscan.log } \
          sense_level { high }

      From my Linux setup I run a:
      nmap -v -A snortip

      portscan.log gets filled with:
      Time: 05/10-21:46:03.059741
      event_ref: 0
      192.168.233.131 -> 192.168.233.130 (portscan) TCP Portscan
      Priority Count: 7
      Connection Count: 10
      IP Count: 1
      Scanner IP Range: 192.168.233.131:192.168.233.131
      Port/Proto Count: 10
      Port/Proto Range: 21:836

      I open BASE, all other scans, DoS attacks, and so on show up, but the portscan shows:
      Portscan Traffic (0%)

      I navigate to http://192.168.233.130/base/base_stat_ipaddr.php  1 error:
      D:\wwwroot\base\base_stat_ipaddr.php:63: $ip has been defined, but it is empty. Ignoring.

      I click Portscan Events (go to http://192.168.233.130/base/base_stat_ipaddr.php?ip=&netmask=&action=portscan) and get 2 errors:
      D:\wwwroot\base\base_stat_ipaddr.php:63: $ip has been defined, but it is empty. Ignoring.
      D:\wwwroot\base\base_stat_ipaddr.php:99: $ip has been defined, but it is empty. Returning.

      I forgot to mention I also get an error on each page:
      Error in my_thread_global_end(): 1 threads didn't exit

      I was told that this error can be ignored as it will be fixed in the upcoming MySQL release when there will be a new libmysql.dll

      And yes I do have cookies enabled.
      I tried opening BASE with different browsers and from different machines, all the same.

      Still appreciative of the help!
      Thanx,

      Boris

      • Hi Boris,

        many thanks for your detailed response.

        Your snort.conf and your sfportscan.log entry look valid to me.

        If the base_stat_ipaddr.php file does not get called with something appended like

        "?ip=1.2.3.4..."

        then the error messages will be triggered and nothing is shown.  So far this is expected behavior.

        So the actual question is, why BASE thinks that there are 0 portscan entries.  This depends on the following mysql query:

        mysql> SELECT count(*) FROM acid_event WHERE ip_proto=255;

        Could you try this manually?

        If the result is

        +----------+
        | count(*) |
        +----------+
        |        0 |
        +----------+
        1 row in set (0.00 sec)

        then the question is why there are no entries in table acid_event with ip_proto=255.

        In this case could you query manually

        mysql> SELECT count(*) FROM iphdr WHERE ip_proto=255;

        If the result of this is again 0, then I would say the problem is not caused by BASE.

        If the result were > 0, then the problem would be either in BASE or in your mysqld.

        Bye, bye

        Juergen

    • Boris Sondagh
      2008-05-12

      Hi Juergen,

      The SQL query results are:
      mysql> SELECT count(*) FROM acid_event WHERE ip_proto=255;
      +----------+
      | count(*) |
      +----------+
      |        0 |
      +----------+
      1 row in set (0.00 sec)

      mysql> SELECT count(*) FROM iphdr WHERE ip_proto=255;
      +----------+
      | count(*) |
      +----------+
      |        0 |
      +----------+
      1 row in set (0.00 sec)

      The results for all protocols are:
      mysql> SELECT count(*) FROM acid_event;
      +----------+
      | count(*) |
      +----------+
      |       15 |
      +----------+
      1 row in set (0.00 sec)

      mysql> SELECT count(*) FROM iphdr;
      +----------+
      | count(*) |
      +----------+
      |       15 |
      +----------+
      1 row in set (0.00 sec)

      All still with the same portscan.log
      I entered the ?ip=x.x.x.x IP manually into the URL (http://192.168.233.130/base/base_stat_ipaddr.php?ip=192.168.233.130&netmask=&action=portscan) and then I get a semi-proper result:
      Date/Time                              Type               Details
      192.168.233.131 -> 192.168.233.130    TCP Portscan    

      Priority Count: 6
      Connection Count: 9
      IP Count: 2
      Scanner IP Range: 192.168.233.1:192.168.233.131
      Port/Proto Count: 10
      Port/Proto Range: 21:636

      Total Hosts Scanned     1    

      Only thing is, in the date/time field it displays the IP address....

      So I guess that one of the problems here is that the mechanism that writes to the iphdr & acid_event tables is not working fully (or I haven't configured it properly?)
      If the problem isn't BASE related I would really appreciate you pointing me in the right direction...
      Thanks again,

      Boris

      • Hi Boris,

        the iphdr table is not filled by BASE.  BASE takes what it can find in the iphdr table (among others) as its input and transfers it into the acid_event table.  Only the acid_event table is a BASE specific table, as opposed to the iphdr table.

        So the problem lies somewhere else.  In your case it may very well have something to do with the thread error you mentioned, but I am not sure about this.

        It is either mysqld or snort or any external program like barnyard, flop or mudpit (which do the database filling instead of snort), that is causing the error.

        In any case I would try and update both mysqld and snort to the most recent versions and see whether the problem persists.

        Another possibility would be trying mysqld on a linux box instead of the windows computer.

        Bye, bye

        Juergen

    • Boris Sondagh
      2008-05-13

      Ok thanks for all your help Juergen.
      I will see if I have any luck on the Snort forum.

      I placed back the original base_stat_ipaddr.php which displays the portscan information incorrectly.
      So your version should go into the next BASE release.
      The date field still gets filled with an IP though.
      Thanks again,

      Boris