I have the following entry set in my base_conf.php file:
/* Snort spp_portscan log file */
$portscan_file = 'd:\win-ids\snort\log\portscan.log';
I have generated port scan traffic with nmap and see port scans in the portscan.log file... However, the BASE console stays at 0%. I am seeing other traffic fine.... Any ideas on what's causing this?
What version of Snort are you running? You should be using the sfportscan preprocessor (which will log to database.) There is no need for the portscan.log file anymore. Plus, I don't think it worked in the first place.
Anonymous - 2009-05-06
I have the same problem, but my configuration of the sfportscan preprocessor looks like this:
preprocessor sfportscan: proto { all } \
memcap { 10000000 } \
sense_level { high } \
logfile { portscan.log }
portscan.log is populated but nothing is shown in BASE. I'm running Snort 2.8.4.1.
I am using Snort version 2.8.3.2
The snort.conf is set as follows:
preprocessor sfportscan: proto { all } \
memcap { 10000000 } \
sense_level { low } \
logfile { portscan.log }
I have tried it without the logfile option and BASE still shows nothing.
Step one, upgrade to Snort 2.8.4.1
Step two, try this:
preprocessor sfportscan: proto { all } \
memcap { 10000000 } \
sense_level { low }
and log to db.
I have updated to Snort 2.8.4.1... I ran another nmap scan and still 0% in base for Portscan Traffic.
Hello Trey,
please upgrade to BASE-1.4.2 in any case, because
in several of the previous versions the preprocessor alerts
were not imported into the BASE specific table "acid_event", if
they did not start with a "spp_" prefix. And right this should
be fixed in BASE-1.4.2. And if not, well, then I'd like to know...
Bye, bye
Juergen
Hi,
I run Snort for Windows ver. 2.8.4.1 and BASE ver. 1.4.2 (WinSnort 15.06.2009 Pack). My base_conf.php is configured as follows:
/* Snort spp_portscan log file */
/* $portscan_file = 'd:\win-ids\snort\log\portscan.log'; */
My snort.conf is configured as follows:
preprocessor sfportscan: proto { all } \
memcap { 10000000 } \
sense_level { low }
Even when scanning the Snort host using nmap, I don't see Portscan traffic shown in BASE (it's always 0%); other alerts, even from different remote sensors, are correctly shown.
Reading this thread, if I'm not mistaken, this should be the right configuration to have Snort using the sfportscan preprocessor and BASE analysing portscans from the (MySQL) DB.
How can I troubleshoot this?
Thank you for any help.
Edoardo
Sorry, in my previous post I made a mistake: I run BASE 1.4.3.1.
Any help appreciated.
Hi, is anyone else having the same issue?
Anonymous - 2009-07-28
I have the same problem, and all people do, I think. Some months ago I was investigating portscans not showing in BASE and read that BASE still does not show portscans, only portscan.log does. That was around February-March or so.
Juergen,
on 07/05/2009 you wrote:
"And right this should
be fixed in BASE-1.4.2. And if not, well, then I'd like to know... "
Is it a known bug or is there a fix we could apply to solve this serious issue?
Thank you for your help.
Edoardo
Hello,
several completely different problems seem to come together here. Therefore some general notes:
There are two situations where portscan related queries are triggered:
1. On the main page, which could be called start page, there is a link "Portscan Traffic":
The underlying URL looks like:
http://.../base/base_qry_main.php?new=1&layer4=RawIP&num_result_rows=-1&sort_order=time_d&submit=Query+DB
This type of query does NOT make use of the sfportscan file. It queries the database as usual. If there are only 0 alerts, then this may have different reasons:
a) There is really not a single portscan alert in the database.
b) BASE versions older than 1.4.2 are being used. Several releases before 1.4.2 had a bug where all those preprocessor alerts that did NOT start with the prefix "spp_" were not being copied to acid_event and therefore not visible by BASE. Easy remedy: Upgrade to the latest BASE version available on this web site here.
c) The bug with the prefix problem ("spp_") is unexpectedly not fixed yet. Well, it should be fixed, but who knows. In any case: from BASE version 1.4.2 on, an ERROR message will be triggered for any alert that has been added to the event table but has not likewise been added to the acid_event table. As has indeed happened here:
https://sourceforge.net/tracker/?func=detail&aid=2818951&group_id=103348&atid=635582
But it is NOT possible, that BASE does not copy an alert WITHOUT such an error message.
d) There is a problem with the snort configuration or with the way the snort sfportscan preprocessor works. Well, this has nothing to do with BASE.
However, if you want to debug this, I would recommend you also enable the syslog output plugin in snort.conf, in order to make sure that a portscan has really been detected and qualified as such by Snort. It could very well be that your tricky nmap scan has not been recognized by Snort. Who knows.
If there is nothing in the syslog, then there will also be nothing in the database and BASE will consequently report 0 portscan events.
If there is a portscan alert in the syslog, then try and find it in the database manually. If you cannot find it, then the tool used for writing to the database (if that is not Snort itself) could be the culprit. And if you can find it, then BASE should display such an alert.
2. Later on, when you are about to query a particular IP address, you could click on "Portscan Events". The typical URL looks like this one:
http://.../base/base_stat_ipaddr.php?ip=1.2.3.4&netmask=32&action=portscan
This is where sfportscan.log comes into play. Now, using this file is difficult, because a properly configured web server is usually not allowed to make arbitrary lookups anywhere in the filesystem.
Even if you configure your web server to follow symbolic links to files beyond the DocumentRoot you might encounter severe permission problems. Which should trigger error messages on the BASE screen.
So simply setting $portscan_file = '/var/log/snort/sfportscan.log'; will certainly NOT work.
However, when you have written:
vim base_conf.php
$portscan_file = 'sfportscan.log';
then you can work with a symbolic link:
cd /usr/share/base-1.4.4/
ln -s /var/log/snort/sfportscan.log ./sfportscan.log
chmod a+r /var/log/snort/sfportscan.log
And for SELinux user:
chcon -t httpd_sys_content_t ./sfportscan.log
Of course, this second query situation should work in the same way as the first one, i.e. without relying on sfportscan.log. This can certainly be changed, eventually.
Bye, bye
Juergen
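The manual database check Juergen describes above (find the portscan alert Snort wrote, then see whether BASE's acid_event table has a copy of it) as an added, runnable example. This is not code from the BASE project or from anyone in this thread. It builds a tiny in-memory SQLite copy of the relevant tables so it runs offline; the table and column names follow the Snort DB schema (event, signature, iphdr) and BASE's acid_event table as assumed here, the generator id 122 for sfportscan and IP protocol 255 (RAW IP, what BASE's layer4=RawIP query selects) are assumptions as well, and every row inserted is constructed. Against a real MySQL database you would run the same SELECT statements through your MySQL client instead of sqlite3.

```python
"""Check whether sfportscan alerts in Snort's event table were copied to
BASE's acid_event table (added example; schema and sample rows assumed)."""
import sqlite3

RAW_IP = 255        # assumed: sfportscan pseudo-packets carry ip_proto 255
PORTSCAN_GID = 122  # assumed: generator id of the sfportscan preprocessor

SCHEMA = """
CREATE TABLE sensor (sid INTEGER PRIMARY KEY, hostname TEXT);
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT,
                        sig_gid INTEGER, sig_sid INTEGER);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER,
                    timestamp TEXT, PRIMARY KEY (sid, cid));
CREATE TABLE iphdr (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER,
                    ip_proto INTEGER, PRIMARY KEY (sid, cid));
CREATE TABLE acid_event (sid INTEGER, cid INTEGER, signature INTEGER,
                         sig_name TEXT, timestamp TEXT, ip_src INTEGER,
                         ip_dst INTEGER, ip_proto INTEGER,
                         PRIMARY KEY (sid, cid));
"""


def ip2int(addr):
    """Dotted quad -> unsigned 32-bit int, the way the Snort schema stores IPs."""
    a, b, c, d = (int(x) for x in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def build_sample_db():
    """Constructed data: one rule alert plus two sfportscan alerts, where only
    the rule alert was copied to acid_event (the pre-1.4.2 'spp_' prefix bug)."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.execute("INSERT INTO sensor VALUES (1, 'sensor1')")
    con.executemany("INSERT INTO signature VALUES (?,?,?,?)", [
        (1, "ICMP PING NMAP", 1, 469),                 # ordinary rule alert
        (2, "(portscan) TCP Portscan", PORTSCAN_GID, 1),  # preprocessor alert
    ])
    rows = [  # sid, cid, signature, timestamp, src, dst, ip_proto
        (1, 10, 1, "2009-07-28 10:00:00", "10.0.0.5", "10.0.0.1", 1),
        (1, 11, 2, "2009-07-28 10:00:05", "10.0.0.5", "10.0.0.1", RAW_IP),
        (1, 12, 2, "2009-07-28 10:00:09", "10.0.0.5", "10.0.0.1", RAW_IP),
    ]
    for sid, cid, sig, ts, src, dst, proto in rows:
        con.execute("INSERT INTO event VALUES (?,?,?,?)", (sid, cid, sig, ts))
        con.execute("INSERT INTO iphdr VALUES (?,?,?,?,?)",
                    (sid, cid, ip2int(src), ip2int(dst), proto))
    # Simulate the buggy copy: alerts whose name lacks the spp_ prefix and
    # that are not rule alerts (gid 1) never reach acid_event.
    con.execute("""INSERT INTO acid_event
                   SELECT e.sid, e.cid, e.signature, s.sig_name, e.timestamp,
                          i.ip_src, i.ip_dst, i.ip_proto
                   FROM event e
                   JOIN signature s ON s.sig_id = e.signature
                   JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
                   WHERE s.sig_name LIKE 'spp_%' OR s.sig_gid = 1""")
    con.commit()
    return con


def portscans_in_event(con):
    """Step 'find it in the database manually': what Snort actually wrote."""
    return con.execute("""SELECT e.sid, e.cid, s.sig_name
                          FROM event e JOIN signature s ON s.sig_id = e.signature
                          WHERE s.sig_gid = ? ORDER BY e.cid""",
                       (PORTSCAN_GID,)).fetchall()


def portscans_visible_to_base(con):
    """What the 'Portscan Traffic' link counts: acid_event rows with RAW IP."""
    return con.execute("""SELECT sid, cid, sig_name FROM acid_event
                          WHERE ip_proto = ? ORDER BY cid""", (RAW_IP,)).fetchall()


def missing_from_acid_event(con):
    """event rows with no acid_event counterpart: reasons b) and c) above."""
    return con.execute("""SELECT e.sid, e.cid, s.sig_name
                          FROM event e
                          JOIN signature s ON s.sig_id = e.signature
                          LEFT JOIN acid_event a ON a.sid = e.sid AND a.cid = e.cid
                          WHERE a.cid IS NULL ORDER BY e.cid""").fetchall()


def diagnose(con):
    """Map the three queries onto Juergen's reasons a) to d)."""
    if not portscans_in_event(con):
        return "reason a/d: no portscan alert in the database, check Snort and syslog first"
    missing = missing_from_acid_event(con)
    if missing:
        return "reason b/c: %d alert(s) never copied to acid_event, upgrade BASE" % len(missing)
    if not portscans_visible_to_base(con):
        return "copied, but not stored as RAW IP, so the RawIP query will not count them"
    return "ok: %d portscan alert(s) visible to BASE" % len(portscans_visible_to_base(con))


if __name__ == "__main__":
    db = build_sample_db()
    print(diagnose(db))
```

Run it as-is and it reports the b/c case, because the two "(portscan) TCP Portscan" rows exist in event but not in acid_event; point the three SELECTs at a live database and the same decision tree tells you whether to look at Snort, at the database writer, or at BASE.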
Hi Juergen,
thank you for your help.
I think it's a Snort for Windows ver. 2.8.4.1 issue: portscan alerts aren't sent to the DB.
In snort.conf I have
preprocessor sfportscan: proto { all } \
scan_type { all } \
memcap { 10000000 } \
sense_level { high }
output database: log, mysql, user=MYUSER password=MYPASSWORD dbname=MYDB host=localhost sensor_name=MYSENSORNAME
output database: alert, mysql, user=MYUSER password=MYPASSWORD dbname=MYDB host=localhost sensor_name=MYSENSORNAME
and in base_conf.php I have
$portscan_file = '';
No portscans are logged to the acid_event table, so as you wrote the home page of BASE shows "Portscan Traffic (0%)" (as it queries DB for portscans).
If instead I set in snort.conf
preprocessor sfportscan: proto { all } \
scan_type { all } \
memcap { 10000000 } \
sense_level { high } \
logfile { portscan.log }
restart snort service and in base_conf.php I set
$portscan_file = 'MYPATH\Snort\log\portscan.log';
as you wrote I can query a particular scanned ip address and, filtering by "Portscan Events", I can see portscans (as they are pulled from the portscan.log file).
Is this the same issue that other Snort for Windows users like me are having?
Any help appreciated.
Edoardo
It seems that Snort 2.8.5 for Windows has the same bug: portscans are not sent to the DB.
After also updating snort.conf to the 2.8.5 version, Snort for Win now logs portscans to the DB.
I was previously using the snort.conf included in VRT certified rules (reg. users - 2.8.4 ver.)