LinuxQuestions.org

Thread: https://www.linuxquestions.org/questions/linux-newbie-8/snort-not-detecting-3306-traffic-but-tcpdump-on-port-3306-does-show-traffic-4175701888/

adrian-jaramillo 10-12-2021 11:32 AM

Snort not detecting 3306 traffic, but tcpdump on port 3306 DOES show traffic
 
My scenario is:
  • Server with Snort, mariadb, etc
  • Attacker (client)

I'm connected to the DB from the attacker, and whenever I execute regular SQL commands while in the server this tcpdump command is running...

Code:

sudo tcpdump -i eth1 port 3306

This is the output...

Code:

tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
18:15:50.075293 IP 10.0.0.11.49318 > 10.0.0.10.mysql: Flags [P.], seq 1887652760:1887652779, ack 4258656510, win 1002, options [nop,nop,TS val 3289466069 ecr 3780598465], length 19
18:15:50.075402 IP 10.0.0.10.mysql > 10.0.0.11.49318: Flags [.], ack 19, win 1016, options [nop,nop,TS val 3782532237 ecr 3289466069], length 0
18:15:50.146780 IP 10.0.0.10.mysql > 10.0.0.11.49318: Flags [P.], seq 1:160, ack 19, win 1016, options [nop,nop,TS val 3782532308 ecr 3289466069], length 159
18:15:50.147255 IP 10.0.0.11.49318 > 10.0.0.10.mysql: Flags [.], ack 160, win 1002, options [nop,nop,TS val 3289466141 ecr 3782532308], length 0

In case you wonder, I executed a regular
Code:

show databases;
command without problems, I got the results.

Ok so with that being said, we know the connection is working and traffic is being seen.

Here you have a netstat output to be even more sure:
Code:

vagrant@servidor:/etc/snort$ netstat -tulpn
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        State      PID/Program name   
tcp        0      0 0.0.0.0:514            0.0.0.0:*              LISTEN      -                 
tcp        0      0 0.0.0.0:3306            0.0.0.0:*              LISTEN      -                 
tcp        0      0 127.0.0.1:587          0.0.0.0:*              LISTEN      -                 
tcp        0      0 0.0.0.0:22              0.0.0.0:*              LISTEN      -                 
tcp        0      0 127.0.0.1:25            0.0.0.0:*              LISTEN      -                 
tcp6      0      0 :::514                  :::*                    LISTEN      -                 
tcp6      0      0 :::80                  :::*                    LISTEN      -                 
tcp6      0      0 :::21                  :::*                    LISTEN      -                 
tcp6      0      0 :::22                  :::*                    LISTEN      -                 
udp        0      0 0.0.0.0:68              0.0.0.0:*                          -                 
udp        0      0 10.0.0.10:123          0.0.0.0:*                          -                 
udp        0      0 192.168.121.37:123      0.0.0.0:*                          -                 
udp        0      0 127.0.0.1:123          0.0.0.0:*                          -                 
udp        0      0 0.0.0.0:123            0.0.0.0:*                          -                 
udp6      0      0 fe80::5054:ff:fe47::123 :::*                                -                 
udp6      0      0 fe80::5054:ff:fedd::123 :::*                                -                 
udp6      0      0 ::1:123                :::*                                -                 
udp6      0      0 :::123                  :::*                                -

Next step, run Snort with a generic rule for detecting 3306 traffic. This is going to be the rule I will run:
Code:

alert tcp any any -> $HOME_NET 3306 (msg:"mariadb traffic"; sid:29900;)

I run Snort like this:
Code:

sudo snort -A console -q -i eth1 -c /etc/snort/snort.conf

From my attacker I'm running SQL commands, connecting and disconnecting, but nothing seems to generate alerts.

In case you need it, here you have my interfaces information:
Code:

vagrant@servidor:/etc/snort$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
      valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
      valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:dd:10:a9 brd ff:ff:ff:ff:ff:ff
    altname enp0s5
    altname ens5
    inet 192.168.121.37/24 brd 192.168.121.255 scope global dynamic eth0
      valid_lft 2120sec preferred_lft 2120sec
    inet6 fe80::5054:ff:fedd:10a9/64 scope link
      valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:47:ff:e4 brd ff:ff:ff:ff:ff:ff
    altname enp0s6
    altname ens6
    inet 10.0.0.10/24 brd 10.0.0.255 scope global eth1
      valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fe47:ffe4/64 scope link
      valid_lft forever preferred_lft forever

I've been stuck on this problem for several days and ran out of ideas. Any help is appreciated, since Snort should be detecting 3306 traffic but it isn't.

PS: other Snort rules I have are working properly, I only have issues when it comes to the 3306 port and with Snort specifically.

smallpond 10-13-2021 09:13 AM

Where is your attacker running? If on the same system, then it goes through lo, not eth1.

adrian-jaramillo 10-13-2021 05:05 PM

Quote:

Originally Posted by smallpond (Post 6291645)
Where is your attacker running? If on the same system, then it goes through lo, not eth1.

That's not the issue, since the attacker is another virtual machine.
They are separate VMs and they have a direct connection between each of them, a very isolated private network with libvirt and Vagrant to be specific.

I've already tested in the post that there are no connection problems since tcpdump shows output and all of my other Snort rules I've been trying work. This is why I find the problem utterly strange.

Guttorm 10-14-2021 06:41 AM

Hi

I'm no expert on snort, but I've tried it. There are rules about mysql and 3306 in the default config. It could be some conflicting settings. Maybe look at these?
Code:

sudo grep -r 3306 /etc/snort/
sudo grep -r mysql /etc/snort/


computersavvy 10-14-2021 12:40 PM

I am using fedora, and the snort config path is different, but I have a file by default for mysql/mariadb

Code:

<prompt># cat /etc/fwsnort/snort_rules/mysql.rules
# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
#    All rights reserved.
# $Id$
#----------
# MYSQL RULES
#----------
#
# These signatures detect unusual and potentially malicious mysql traffic.
#
# These signatures are not enabled by default as they may generate false
# positive alarms on networks that do mysql development.
#

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL root login attempt"; flow:to_server,established; content:"|0A 00 00 01 85 04 00 00 80|root|00|"; classtype:protocol-command-decode; sid:1775; rev:2;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL show databases attempt"; flow:to_server,established; content:"|0F 00 00 00 03|show databases"; classtype:protocol-command-decode; sid:1776; rev:2;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL 4.0 root login attempt"; flow:to_server,established; content:"|01|"; distance:3; within:1; content:"root|00|"; nocase; distance:5; within:5; classtype:protocol-command-decode; sid:3456; rev:1;)

I do not run a mariadb database, nor snort since this is a home machine, but the default config when activated should work.
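The three rules quoted above match on exact bytes of the MySQL wire protocol, so it helps to see what those `content` patterns actually encode. The following Python is an added example written for this thread, not code from the original posts or from the Snort project: it decodes Snort's `|hex|` content notation, builds the COM_QUERY packet a MySQL client sends, and checks which of the quoted patterns occur in it. The pattern of sid 1776 is the 4-byte packet header (length 0x0F, sequence 0) plus the command byte 0x03 followed by the literal text "show databases", which is why it only fires when the query is sent with exactly that length. The pattern of sid 1775 is the old pre-4.1 client handshake response for user root, a layout current clients no longer send. The packet below is constructed, not captured.

```python
import struct

# Snort 'content' patterns for the MySQL rules quoted in this thread (sid -> content).
# The patterns are copied from the rules; the matcher around them is added here.
RULE_CONTENTS = {
    1775: "|0A 00 00 01 85 04 00 00 80|root|00|",   # pre-4.1 handshake response, user "root"
    1776: "|0F 00 00 00 03|show databases",         # COM_QUERY carrying exactly "show databases"
}


def parse_snort_content(pattern: str) -> bytes:
    """Turn a Snort content string into raw bytes.

    Text between a pair of '|' characters is hex (spaces allowed); text outside
    the pipes is taken literally, which is how Snort's content keyword reads it.
    """
    out = bytearray()
    in_hex = False
    for chunk in pattern.split("|"):
        out += bytes.fromhex(chunk) if in_hex else chunk.encode("latin-1")
        in_hex = not in_hex
    return bytes(out)


def mysql_com_query(sql: str, seq: int = 0) -> bytes:
    """Build the client->server COM_QUERY packet of the MySQL wire protocol.

    Layout: 3-byte little-endian payload length, 1-byte sequence id, then the
    payload: command byte 0x03 (COM_QUERY) followed by the query text.
    """
    payload = b"\x03" + sql.encode("utf-8")
    return struct.pack("<I", len(payload))[:3] + bytes([seq]) + payload


def matching_sids(tcp_payload: bytes) -> list:
    """Return the sids whose content pattern occurs in the TCP payload.

    This is only the content test: a real Snort rule additionally needs the
    header (addresses/ports) and the 'flow:' option to hold for the same packet.
    """
    return sorted(sid for sid, pat in RULE_CONTENTS.items()
                  if parse_snort_content(pat) in tcp_payload)


if __name__ == "__main__":
    # Constructed packet: what the mysql client sends for `show databases;`
    # (the client strips the ';' delimiter before putting the query on the wire).
    pkt = mysql_com_query("show databases")
    print(len(pkt), "bytes on the wire:", pkt.hex(" "))   # 19 bytes, like the tcpdump line
    print("content hits:", matching_sids(pkt))            # [1776]
    # A different length byte (here: the ';' kept) misses the exact pattern.
    print("with ';' kept:", matching_sids(mysql_com_query("show databases;")))   # []
```

The 19-byte packet this produces is the same size as the client-to-server segment in the tcpdump output of the first post (`length 19`), so on the wire that query is the one sid 1776 is written for.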

adrian-jaramillo 10-15-2021 06:01 AM

Quote:

Originally Posted by Guttorm (Post 6291894)
Hi
There are rules about mysql and 3306 in the default config. It could be some conflicting settings.

In my scenario that shouldn't be an issue, since I removed all the default rules and left the config with only my local.rules.

This is what my rules configuration looks like in snort.conf:
Code:

###################################################
# Step #7: Customize your rule set
# For more information, see Snort Manual, Writing Snort Rules
#
# NOTE: All categories are enabled in this conf file
###################################################

# Note to Debian users: The rules preinstalled in the system
# can be *very* out of date. For more information please read
# the /usr/share/doc/snort-rules-default/README.Debian file

#
# If you install the official VRT Sourcefire rules please review this
# configuration file and re-enable (remove the comment in the first line) those
# rules files that are available in your system (in the /etc/snort/rules
# directory)

# site specific rules
include $RULE_PATH/local.rules

# The include files commented below have been disabled
# because they are not available in the stock Debian
# rules. If you install the Sourcefire VRT please make
# sure you re-enable them again:

# Default rules deleted


adrian-jaramillo 10-15-2021 06:39 AM

Quote:

Originally Posted by computersavvy (Post 6291986)

Code:

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL root login attempt"; flow:to_server,established; content:"|0A 00 00 01 85 04 00 00 80|root|00|"; classtype:protocol-command-decode; sid:1775; rev:2;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL show databases attempt"; flow:to_server,established; content:"|0F 00 00 00 03|show databases"; classtype:protocol-command-decode; sid:1776; rev:2;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL 4.0 root login attempt"; flow:to_server,established; content:"|01|"; distance:3; within:1; content:"root|00|"; nocase; distance:5; within:5; classtype:protocol-command-decode; sid:3456; rev:1;)

...but the default config when activated should work.

Yes, I indeed noticed that Snort comes with those 3 default rules pre-configured, and I've already tried them.
None of them worked.

The real problem seems to be the 3306 port. No traffic going through that port is captured by Snort for some reason.

computersavvy 10-15-2021 11:28 AM

There are 2 critical variables there that you need to verify.

$EXTERNAL_NET
&
$SQL_SERVERS

If not coming from $EXTERNAL_NET and aimed at $SQL_SERVERS it gets ignored.

I see this in /etc/fwsnort/fwsnort.conf
Code:

### Fwsnort treats all traffic directed to / originating from the local
### machine as going to / coming from the HOME_NET in Snort rule parlance.
### If there is only one interface on the local system, then there will be
### no rules processed via the FWSNORT_FORWARD chain because no traffic
### would make it into the iptables FORWARD chain.
HOME_NET                any;
EXTERNAL_NET            any;

### List of servers.  Fwsnort supports the same variable resolution as
### Snort.
HTTP_SERVERS            $HOME_NET;
SMTP_SERVERS            $HOME_NET;
DNS_SERVERS            $HOME_NET;
SQL_SERVERS            $HOME_NET;
TELNET_SERVERS          $HOME_NET;

This gives a little about how HOME_NET and EXTERNAL_NET are used and defined.

I am reasonably certain your issue is related to the definition of those variables.

adrian-jaramillo 10-17-2021 11:58 AM

Quote:

Originally Posted by computersavvy (Post 6292330)
I am reasonably certain your issue is related to the definition of those variables.

Ok, so I will explain in detail about those variables.

The default Snort rules for mysql look like this in my scenario:
Code:

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL root login attempt"; flow:to_server,established; content:"|0A 00 00 01 85 04 00 00 80|root|00|"; classtype:protocol-command-decode; sid:1775; rev:2;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL show databases attempt"; flow:to_server,established; content:"|0F 00 00 00 03|show databases"; classtype:protocol-command-decode; sid:1776; rev:2;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL 4.0 root login attempt"; flow:to_server,established; content:"|01|"; within:1; distance:3; content:"root|00|"; within:5; distance:5; nocase; classtype:protocol-command-decode; sid:3456; rev:2;)

The first thing I must say about my scenario, is that in my "snort.conf" I have previously deleted all the default rules, so only my local rules are working. I basically deleted all the include lines, so those rules are not taken into account when Snort runs.


Next, these are my rules on local.rules:
Code:

alert tcp any any -> $HOME_NET 3306 (msg:"MYSQL root login attempt"; flow:to_server,established; content:"|0A 00 00 01 85 04 00 00 80|root|00|"; classtype:protocol-command-decode; sid:1775; rev:2;)
alert tcp any any -> $HOME_NET 3306 (msg:"MYSQL show databases attempt"; flow:to_server,established; content:"|0F 00 00 00 03|show databases"; classtype:protocol-command-decode; sid:1776; rev:2;)
alert tcp any any -> $HOME_NET 3306 (msg:"MYSQL 4.0 root login attempt"; flow:to_server,established; content:"|01|"; within:1; distance:3; content:"root|00|"; within:5; distance:5; nocase; classtype:protocol-command-decode; sid:3456; rev:2;)

They are a little different from the default ones, so $EXTERNAL_NET and $SQL_SERVERS don't matter anymore.

If you want to know the value of $HOME_NET, I'm showing you the file "snort.debian.conf", because the server VM is a Debian, and snort stores that info in that specific file:
Code:

DEBIAN_SNORT_STARTUP="boot"
DEBIAN_SNORT_HOME_NET="10.0.0.0/24"
DEBIAN_SNORT_OPTIONS=""
DEBIAN_SNORT_INTERFACE="eth0 eth1"
DEBIAN_SNORT_SEND_STATS="true"
DEBIAN_SNORT_STATS_RCPT="root"
DEBIAN_SNORT_STATS_THRESHOLD="1"

Next, I'll show you my interfaces so that you see the network is correct, and the interface:
Code:

vagrant@servidor:/etc/snort$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
      valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
      valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:dd:10:a9 brd ff:ff:ff:ff:ff:ff
    altname enp0s5
    altname ens5
    inet 192.168.121.37/24 brd 192.168.121.255 scope global dynamic eth0
      valid_lft 2392sec preferred_lft 2392sec
    inet6 fe80::5054:ff:fedd:10a9/64 scope link
      valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:47:ff:e4 brd ff:ff:ff:ff:ff:ff
    altname enp0s6
    altname ens6
    inet 10.0.0.10/24 brd 10.0.0.255 scope global eth1
      valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fe47:ffe4/64 scope link
      valid_lft forever preferred_lft forever

Now, I will run snort like this:
Code:

sudo snort -A console -q -i eth1 -c /etc/snort/snort.conf

From the attacker, I connect as root like this:
Code:

sudo mysql -u root -p -h 10.0.0.10

I'm not getting any output in the server yet. Even if I write...
Code:

show databases;

I'm not getting output either.

