Snort not detecting 3306 traffic, but tcpdump on port 3306 DOES show traffic
My scenario is:
I'm connected to the DB from the attacker, and whenever I execute regular SQL commands, this tcpdump command is running on the server:
Code:
sudo tcpdump -i eth1 port 3306
This is the output:
Code:
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
Code:
show databases;
OK, so with that being said, we know the connection is working and traffic is being seen. Here you have a netstat output to be even more sure:
Code:
vagrant@servidor:/etc/snort$ netstat -tulpn
Code:
alert tcp any any -> $HOME_NET 3306 (msg:"mariadb traffic"; sid:29900)
Code:
sudo snort -A console -q -i eth1 -c /etc/snort/snort.conf
In case you need it, here you have my interfaces information:
Code:
vagrant@servidor:/etc/snort$ ip a
PS: other Snort rules I have are working properly, I only have issues when it comes to the 3306 port and with Snort specifically.
Where is your attacker running? If on the same system, then it goes through lo, not eth1.
They are separate VMs and they have a direct connection between each of them, a private, very isolated network with libvirt and Vagrant to be specific. I've already tested in the post that there are no connection problems, since tcpdump shows output and all of my other Snort rules I've been trying work. This is why I find the problem utterly strange.
Hi
I'm no expert on Snort, but I've tried it. There are rules about mysql and 3306 in the default config. It could be some conflicting settings. Maybe look at these?
Code:
sudo grep -r 3306 /etc/snort/
I am using Fedora, and the Snort config path is different, but I have a file by default for mysql/mariadb:
Code:
# cat /etc/fwsnort/snort_rules/mysql.rules
This is how my rules configuration looks in snort.conf:
Code:
###################################################
None of them worked. The real problem seems to be the 3306 port. No traffic going through that port is captured by Snort for some reason.
There are 2 critical variables there that you need to verify:
$EXTERNAL_NET and $SQL_SERVERS. If the traffic is not coming from $EXTERNAL_NET and aimed at $SQL_SERVERS, it gets ignored. I see this in /etc/fwsnort/fwsnort.conf:
Code:
### Fwsnort treats all traffic directed to / originating from the local
I am reasonably certain your issue is related to the definition of those variables.
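To make the point of the reply above concrete, here is an added example (not code from the thread, and not Snort's own matching engine) that resolves Snort-style address and port variables, including the `!$HOME_NET` negation and bracketed lists, and checks whether a rule header can admit a given flow at all. The variable values, the attacker address 10.0.0.20 and the source port are assumptions chosen for illustration; only the server address 10.0.0.10 and the two rule headers come from the thread. Rule options such as `content` and `flow` are ignored, since the question here is purely whether the header lets the packet through to them.

```python
"""Resolve Snort address/port variables and test a rule header against a flow.

Added example, not from the thread or from Snort: it models the part of
rule matching the reply above points at, namely that a header such as
'$EXTERNAL_NET any -> $SQL_SERVERS 3306' can never fire when the variables
exclude the traffic. Variable values and the attacker flow are constructed.
"""
import ipaddress
import re

# Constructed variable table. Assumption: HOME_NET covers the whole lab
# network and EXTERNAL_NET is defined as its negation (a common choice).
LAB_VARS = {
    "HOME_NET": "10.0.0.0/24",
    "EXTERNAL_NET": "!$HOME_NET",
    "SQL_SERVERS": "$HOME_NET",
}

_HEADER = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
    r"\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\("
)


def _split_list(body):
    """Split the inside of '[a,[b,c],d]' on top-level commas only."""
    parts, depth, cur = [], 0, ""
    for ch in body:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    return [p.strip() for p in parts if p.strip()]


def ip_matches(spec, ip, variables):
    """True if ip is covered by a Snort IP spec: 'any', '!$VAR', '[..]' or CIDR."""
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not ip_matches(spec[1:], ip, variables)
    if spec.startswith("$"):
        return ip_matches(variables[spec[1:]], ip, variables)
    if spec.startswith("[") and spec.endswith("]"):
        return any(ip_matches(p, ip, variables) for p in _split_list(spec[1:-1]))
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec, port, variables):
    """True if port is covered by a Snort port spec: 'any', '3306', '1:1024', '!$VAR', '[..]'."""
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not port_matches(spec[1:], port, variables)
    if spec.startswith("$"):
        return port_matches(variables[spec[1:]], port, variables)
    if spec.startswith("[") and spec.endswith("]"):
        return any(port_matches(p, port, variables) for p in _split_list(spec[1:-1]))
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (not lo or int(lo) <= port) and (not hi or port <= int(hi))
    return int(spec) == port


def header_matches(rule, flow, variables):
    """True if the rule header admits the flow; rule options are not evaluated."""
    m = _HEADER.match(rule)
    if not m:
        raise ValueError("unparseable rule header: %r" % rule)
    h = m.groupdict()
    if h["proto"] not in ("ip", flow["proto"]):
        return False
    forward = (ip_matches(h["src"], flow["src"], variables)
               and port_matches(h["sport"], flow["sport"], variables)
               and ip_matches(h["dst"], flow["dst"], variables)
               and port_matches(h["dport"], flow["dport"], variables))
    if h["dir"] == "->":
        return forward
    backward = (ip_matches(h["src"], flow["dst"], variables)
                and port_matches(h["sport"], flow["dport"], variables)
                and ip_matches(h["dst"], flow["src"], variables)
                and port_matches(h["dport"], flow["sport"], variables))
    return forward or backward


# The two headers discussed in the thread, and a constructed attacker -> server flow
# (10.0.0.20 and the source port are assumptions; 10.0.0.10 is the thread's server).
DEFAULT_RULE = 'alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL root login attempt"; sid:1775;)'
LOCAL_RULE = 'alert tcp any any -> $HOME_NET 3306 (msg:"mariadb traffic"; sid:29900;)'
ATTACKER_FLOW = {"proto": "tcp", "src": "10.0.0.20", "sport": 51234,
                 "dst": "10.0.0.10", "dport": 3306}


def diagnose(variables=LAB_VARS, flow=ATTACKER_FLOW):
    """Map each rule to whether its header can match the flow under these variables."""
    return {"default": header_matches(DEFAULT_RULE, flow, variables),
            "local": header_matches(LOCAL_RULE, flow, variables)}


if __name__ == "__main__":
    print("HOME_NET covers the attacker:", diagnose(LAB_VARS))
    print("HOME_NET is the server only: ", diagnose(dict(LAB_VARS, HOME_NET="10.0.0.10/32")))
```

With HOME_NET covering the attacker, the stock `$EXTERNAL_NET -> $SQL_SERVERS` header is dead on arrival because the attacker is inside HOME_NET and therefore outside `!$HOME_NET`; narrowing HOME_NET to the server alone makes the same header admit the flow. The `any any -> $HOME_NET 3306` header admits it in both cases, which is why variable definitions are the first thing to check before looking at rule options.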
The default Snort rules for mysql look like this in my scenario:
Code:
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL root login attempt"; flow:to_server,established; content:"|0A 00 00 01 85 04 00 00 80|root|00|"; classtype:protocol-command-decode; sid:1775; rev:2;)
Next, these are my rules in local.rules:
Code:
alert tcp any any -> $HOME_NET 3306 (msg:"MYSQL root login attempt"; flow:to_server,established; content:"|0A 00 00 01 85 04 00 00 80|root|00|"; classtype:protocol-command-decode; sid:1775; rev:2;)
If you want to know the value of $HOME_NET, I'm showing you the file "snort.debian.conf", because the server VM is a Debian, and Snort stores that info in that specific file:
Code:
DEBIAN_SNORT_STARTUP="boot"
Code:
vagrant@servidor:/etc/snort$ ip a
Code:
sudo snort -A console -q -i eth1 -c /etc/snort/snort.conf
Code:
sudo mysql -u root -p -h 10.0.0.10
Code:
show databases;