Not collecting Data...it seems

BASE-user
Pete89
2007-12-13
2013-06-03
  • Pete89
    Pete89
    2007-12-13

    Hello,

    This is my first stab at installing SNORT and BASE. I am using a how to I found here:

    http://www.howtoforge.com/intrusion_detection_base_snort

    I am using Debian Etch, Snort 2.0.8.1 and Base 1.3.9.

    I got through it OK but I am not seeing any data on the Base webpage.

    When I run:

    ps aux | grep snort

    I get:

    root 2591 102 14.8 107480 75308 ? Rs 20:17 0:06 /usr/local/bin/snort -c /etc/snort/snort.conf -i eth0 -g root -D

    If I kill the process and do:

    snort -c /etc/snort/snort.conf

    I get a lot but here is what I think looks important:

    +-------------------[Rule Port Counts]---------------------------------------
    | tcp udp icmp ip
    | src 997 39 0 0
    | dst 6214 369 0 0
    | any 474 109 20 7
    | nc 15 4 3 4
    | s+d 16 16 0 0
    +----------------------------------------------------------------------------
    BLAH
    BLAH
    BLAH
    Warning: 'ignore_any_rules' option for Stream5 UDP disabled because of UDP rule with flow or flowbits option
    336 out of 512 flowbits in use.
    ***
    *** interface device lookup found: eth0
    ***

    Initializing Network Interface eth0
    Decoding Ethernet on interface eth0
    database: compiled support for ( mysql )
    database: configured to use mysql
    database: user = pichi
    database: password is set
    database: database name = snort
    database: host = localhost
    database: sensor name = 192.168.1.116
    database: sensor id = 1
    database: schema version = 107
    database: using the "log" facility

    [ Port Based Pattern Matching Memory ]
    +-[AC-BNFA Search Info Summary]------------------------------
    | Instances : 824
    | Patterns : 198901
    | Pattern Chars : 1763291
    | Num States : 1006149
    | Num Match States : 172401
    | Memory : 24.20Mbytes
    | Patterns : 5.47M
    | Match Lists : 6.48M
    | Transitions : 12.18M
    +-------------------------------------------------

    --== Initialization Complete ==--

    Rules Engine: SF_SNORT_DETECTION_ENGINE Version 1.6
    Preprocessor Object: SF_SSH Version 1.0
    Preprocessor Object: SF_SMTP Version 1.0
    Preprocessor Object: SF_FTPTELNET Version 1.0
    Preprocessor Object: SF_DNS Version 1.0
    Preprocessor Object: SF_DCERPC Version 1.0
    Not Using PCAP_FRAMES

    I ran the setup for BASE with no problems and the site looks totally complete, it's just that there is no data being pumped in. One thing I noticed was on the Base_Main.php page there's a part of the page (lower left) where it says:

    Sensors/Total: 0 / 1
    Unique Alerts: 0
    Categories: 0
    Total Number of Alerts: 0

    Isn't it supposed to have at least a 1 where it says Sensors instead of the 0?

    Any help appreciated. I think I am close but still scratching my head and I don't know how to troubleshoot this.

    P.

    • joesavage
      joesavage
      2007-12-13

      Sensor numbers are setup in a couple of places.

      First, you will want to specify the interface when Snort is started. You are currently defaulting to eth0. If that's the interface you want to snort, that's OK but I like to make sure. You can run 'ifconfig' to see what interfaces are active. Look at /etc/sysconfig/hwconf to see the ethernet interfaces that you have on your Snort server. You may need to start up the sensor interface.

      Second, if you are using Barnyard, you must specify the sensor number in barnyard.conf.

      Third, look at the snort.sensor table. You should have a row that looks something like this:
      +-----+----------------+-----------+--------+--------+----------+----------+
      | sid | hostname       | interface | filter | detail | encoding | last_cid |
      +-----+----------------+-----------+--------+--------+----------+----------+
      |   1 | snort:eth1     | eth1      | NULL   |      1 |        0 |        0 |
      +-----+----------------+-----------+--------+--------+----------+----------+
      1 rows in set (0.00 sec)

      Note that I've never seemed to have this problem when Snort/MySQL/BASE are on the same computer, but when I have remote sensors, I have had to add the appropriate rows to the snort.sensor table.

      Hope this helps,
      Joe

      • kryptikET
        kryptikET
        2007-12-14

        I would try 2 things.

        1. run tcpdump on your sensor machine to ensure it is seeing traffic
        command: tcpdump -i eth0
        Note:  if you don't have tcpdump installed, use the following command to install it:
        command: apt-get install tcpdump

        If you are seeing traffic then set up a "dummy" rule to ensure snort is seeing it.
        first check your snort.conf (/etc/snort/snort.conf) to ensure the following is listed and not commented out (#):
        include $RULE_PATH/local.rules

        Then add the rule to your local.rules file.
        command: vi /etc/snort/rules/local.rules
        add the following to bottom of the file:
        alert tcp any any -> any any (msg:"Test Rule - (noisemaker)"; classtype:local; sid:9999666; rev:1;)

        Restart Snort
        command: /etc/init.d/snort restart

        Then check BASE to see if alerts are being logged.
        Note: I wouldn't recommend running this rule very long because it basically alerts on any tcp traffic it sees.

    • CrackerJack9
      CrackerJack9
      2007-12-13

      There are a few components here, it might be worthwhile to identify which one isn't working.

      Can you change your snort.conf to log to syslog and see if you have any alerts there? If not, and you think you should, it is likely a snort/rules/config/network issue.

      If there are, take a look at the BASE database you're logging to and make sure there are rows in snort.acid_event, snort.data, snort.iphdr, etc.  If there isn't the the connection between snort and the database is broken. If there are, then the BASE webapp isn't picking them up properly.

      Each of these cases has different ways to identify the problem, so it will help to narrow it down first.

      I agree with joesavage too, it's usually best to explicitly configure things.

    • Kevin Johnson
      Kevin Johnson
      2007-12-14

      The issue is that Snort has not seen any traffic it would need to alert on.  The 0/1 means that a snort sensor has reported into the DB but has not recorded any alerts. As long as you only have a single sensor, this would imply that things are working.  My recommendation is to use nessus or openvas and generate traffic Snort should alert on to fully test the setup.

      Thanks
      Kevin

    • Pete89
      Pete89
      2007-12-14

      First of all thank you so much for trying to help me. I am very grateful.

      To answer your questions:

      1. Yes I want to use eth0. This box has three nics on it. Eventually I would like to have one interface checking on the LAN and another the DMZ. I suppose this should be no problem, but let's get this one working first.

      2. Here is my sensor table:

      mysql> select * from sensor;
      +-----+---------------+-----------+--------+--------+----------+----------+
      | sid | hostname      | interface | filter | detail | encoding | last_cid |
      +-----+---------------+-----------+--------+--------+----------+----------+
      |   1 | 192.168.1.116 | eth0      | NULL   |      1 |        0 |        0 |
      +-----+---------------+-----------+--------+--------+----------+----------+

      3. Here is some more important info I think:

      mysql> select * from acid_event;
      Empty set (0.00 sec)

      mysql> select * from data;
      Empty set (0.00 sec)

      4. I have used nmap to hit this machine in hopes of generating some evil traffic but no reaction from the SNORT box.

      5. I am not using Barnyard because the how-to I used did not call for it.

      Thanks again,

      Pete
      Granada Spain

      • Kevin Johnson
        Kevin Johnson
        2007-12-14

        With most default rule sets enabled, Nmap will not cause alerts.  OpenVAS or Nessus would be better.

        Kevin

      • CrackerJack9
        CrackerJack9
        2007-12-15

        Can you check your database logs? Maybe Snort is unable to log in or something else is happening?

    • Pete89
      Pete89
      2007-12-14

      Thank you Kevin for your advice but I don't have any openVAS or Nessus service available to check this. When I used the BackTrack CD that sets up BASE right out of the box I always got something back within a few hours. This server has been up for two days now and I don't see any change. Is there not a way to see if the database is being populated? I am a complete noob to mysql.

      One more piece of the pie:

      mysql> select * from iphdr;
      Empty set (0.00 sec)

      Does empty set mean there is no data? Sorry if we are slipping into mysql problems but I am kinda out here on my own in la-la land.

      Staying brave,

      Pete in Granada Spain

    • Pete89
      Pete89
      2007-12-14

      kryptikET,

      Thanks for your mail too!

      1. So I ran (via ssh to remote box):

      tcpdump -i eth0

      And got so much output that I think we can put that doubt to bed.

      2. include $RULE_PATH/local.rules is NOT commented out of /etc/snort/rules/local.rules

      3.I added:

      alert tcp any any -> any any (msg:"Test Rule - (noisemaker)"; classtype:local; sid:9999666; rev:1;)

      to /etc/snort/rules/local.rules. I then killed the SNORT process and started it again with:

      /usr/local/bin/snort -c /etc/snort/snort.conf -i eth0 -g root -D

      And still nothing in BASE. It's like the hand-off from snort to mysql is broken.

      And I now have a doubt because I do not have snort running like you said. I mean, when I do:

      ps aux | grep snort

      I get:

      root      3085  0.0 22.1 144592 112700 ?       Ss   Dec13   0:30 /usr/local/bin/snort -c /etc/snort/snort.conf -i eth0 -g root -D

      and when I try:

      /etc/init.d/snort restart

      I get:

      testbox:~# /etc/init.d/snort restart
      -bash: /etc/init.d/snort: No such file or directory

      Again many thanks to all for helping me,

      Pedro

      • Hello Pedro,

        1. the file /etc/init.d/snort that could not be found can be retrieved from

        http://www.snort.org/dl/contrib

        You might have to adjust this file
        according to your computer. This start up file is not vital to snort, but
        for your convenience everybody has
        some sort of start up script.

        2. Poor man's solution to check whether snort can detect anything at all:

        snort -vde -i lo -n 2
        ping -c 1 localhost

        This requires in your snort.conf:

        output alert_syslog: LOG_AUTH LOG_ALERT
        output log_tcpdump: snort.pcap

        and at least the following rules files:

        bad-traffic.rules,
        icmp-info.rules,
        icmp.rules

        After snort has exited check whether
        snort.pcap contains what you would
        expect (rather than any junk):

        tcpdump -n -v -X -r snort.pcap

        3. Is your snort.conf syntactically correct?

        snort -T -c /etc/snort/snort.conf

        4. Is the mysql database "snort" ok in terms of what mysqld expects?

        mysqlcheck --check snort

        5. Does user pichi have basic access
        to mysql (you seem to have configured snort to log in to mysqld as pichi)?

        (use real password rather than XXXXXXX)

        mysql -D snort -u pichi -pXXXXXXX
        mysql> show tables;

        6. Has snort written at least some alerts
        to mysql database, today (= Dec, 15th, 2007)?

        mysql -D snort -u pichi -pXXXXXXX
        mysql> select * from event where timestamp like '%2007-12-15%';

        +-----+---------+-----------+---------------------+-----------+
        | sid | cid     | signature | timestamp           | reference |
        +-----+---------+-----------+---------------------+-----------+
        |   1 | 4014184 |         7 | 2007-12-15 22:56:24 |   4014185 |
        |   1 | 4014182 |         7 | 2007-12-15 22:56:20 |   4014183 |
        |   1 | 4014186 |         7 | 2007-12-15 22:57:03 |   4014187 |

        and so on.

        Bye, bye,

        Juergen

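The replies above amount to one decision tree: CrackerJack9 says to find which link (Snort, the database, or the BASE webapp) is silent, Kevin points out that "0 / 1" means the sensor registered but logged nothing, and Juergen's checklist ends with querying the event table directly. The script below is an added example written for this thread; it is not code from the thread, from Snort or from BASE. It walks those checks in order against the tables the replies name (sensor, event, iphdr, data, acid_event) and reports the first stage that fails. The query runner is injected, so the same logic runs against a real DB-API cursor or, as here, against constructed in-memory copies of the tables; the three sample states and the `make_query_runner` helper are constructed for the example.

```python
"""Localize where a Snort -> MySQL -> BASE pipeline goes quiet.

Added example for this thread, not code from the thread, Snort or BASE.
It walks the checks the replies describe (sensor row registered? rows in
event? rows in the tables BASE reads?) and reports the first stage that
fails. The query runner is injected so the logic can run against a real
DB-API cursor or, as here, against constructed in-memory tables.
"""
from typing import Callable, Dict, List, Tuple

RunQuery = Callable[[str], List[tuple]]

# Tables consulted, in the order the thread checks them (constructed list
# from the table names mentioned in the replies; schema 107 naming).
SNORT_TABLES = ("event", "iphdr", "data")
BASE_TABLES = ("acid_event",)


def count_rows(run_query: RunQuery, table: str) -> int:
    """Return the row count of a table via the injected query runner."""
    rows = run_query(f"SELECT COUNT(*) FROM {table}")
    return int(rows[0][0])


def diagnose(run_query: RunQuery, expected_interface: str = "eth0") -> Tuple[str, str]:
    """Return (stage, explanation) for the first broken link in the chain.

    Stages: 'snort-to-db' (Snort never registered), 'interface' (sensor
    bound to another NIC), 'no-alerts' (registered but nothing logged),
    'base' (Snort logs, BASE-side tables empty), 'ok'.
    """
    sensors = run_query("SELECT sid, hostname, interface FROM sensor")
    if not sensors:
        return ("snort-to-db",
                "no row in sensor: Snort never registered with the database; "
                "check the output database line in snort.conf and the DB grants")
    interfaces = {row[2] for row in sensors}
    if expected_interface not in interfaces:
        return ("interface",
                f"sensor rows exist for {sorted(interfaces)} but not for "
                f"{expected_interface}: Snort is logging from another NIC")
    if count_rows(run_query, "event") == 0:
        return ("no-alerts",
                f"{len(sensors)} sensor(s) registered, 0 events: the DB link works "
                "(BASE shows 0/N); Snort saw no traffic matching a rule. Confirm "
                "traffic with tcpdump and fire a local test rule")
    empty = [t for t in SNORT_TABLES + BASE_TABLES if count_rows(run_query, t) == 0]
    if empty:
        return ("base",
                f"event has rows but {empty} are empty: Snort logs alerts, "
                "the tables BASE reads are not being filled")
    return ("ok", "sensor, event and BASE tables all populated")


def make_query_runner(tables: Dict[str, List[tuple]]) -> RunQuery:
    """Serve the two query shapes diagnose() issues from an in-memory dict.

    Constructed stand-in for a real cursor; against MySQL you would run
    cursor.execute(sql) and return cursor.fetchall() instead.
    """
    def run_query(sql: str) -> List[tuple]:
        table = sql.strip().rsplit(" ", 1)[-1]
        rows = tables.get(table, [])
        if sql.strip().upper().startswith("SELECT COUNT(*)"):
            return [(len(rows),)]
        return list(rows)
    return run_query


# Constructed scenarios. PETE_STATE mirrors the thread: one sensor row
# (sid 1, host 192.168.1.116, eth0) and every other table empty.
PETE_STATE = {"sensor": [(1, "192.168.1.116", "eth0")],
              "event": [], "acid_event": [], "iphdr": [], "data": []}
NO_SENSOR_STATE = {"sensor": [], "event": [], "acid_event": [], "iphdr": [], "data": []}
WORKING_STATE = {"sensor": [(1, "192.168.1.116", "eth0")],
                 "event": [(1, 4014184, 7, "2007-12-15 22:56:24", 4014185)],
                 "acid_event": [(1,)], "iphdr": [(1,)], "data": [(1,)]}

if __name__ == "__main__":
    for name, state in (("pete", PETE_STATE), ("no-sensor", NO_SENSOR_STATE),
                        ("working", WORKING_STATE)):
        stage, why = diagnose(make_query_runner(state))
        print(f"{name:10s} -> {stage}: {why}")
```

Run against Pete's state it reports `no-alerts`, which is Kevin's reading of the 0/1 display: the sensor row proves Snort can reach MySQL, so the remaining suspects are traffic reaching eth0 and rules matching it, which is exactly what kryptikET's tcpdump check and noisemaker rule exercise.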
    • Pete89
      Pete89
      2007-12-16

      Thanks to everyone who tried to help but I am not getting anywhere with this. The database just seems empty and the user has full access so I don't know what went wrong with the install. Also a big problem is me. There are many components I am not familiar with and so setting up snort is not for a beginner like me. I found a website that looks promising:

      http://www.internetsecurityguru.com/

      It looks like they have How-Tos for many distros. The only requisite I have for my install is I have to do this with Debian Etch. If I get it to work I will report back and try to document it as best I can.

      I appreciate the help and I did learn quite a few things from your posts so that was good.

      Hasta luego,

      Pedro en Granada Spain

    • Pete89
      Pete89
      2007-12-17

      OK I found a very good document right on the snort site:

      http://www.snort.org/docs/setup_guides/deb-snort-howto.pdf

      It's about a year and a half old but I was able to get everything working with Snort 2.8, Base 1.3.9, the latest rulesets, and Barnyard 0.2.0. It has a section for Oinkmaster as well but I did not try that as this box is still just a test machine.

      So if you want to install the latest Snort and Base packages in Debian this is the best documentation I could find.

      Ciao,

      Pedro