LinuxQuestions.org
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!
Old 10-12-2021, 11:32 AM   #1
adrian-jaramillo
LQ Newbie
 
Registered: Nov 2020
Distribution: Debian buster (10)
Posts: 19

Snort not detecting 3306 traffic, but tcpdump on port 3306 DOES show traffic


My scenario is:
  • Server with Snort, mariadb, etc
  • Attacker (client)

I'm connected to the DB from the attacker, and whenever I execute regular SQL commands, this tcpdump command is running on the server...

Code:
sudo tcpdump -i eth1 port 3306

This is the output...

Code:
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
18:15:50.075293 IP 10.0.0.11.49318 > 10.0.0.10.mysql: Flags [P.], seq 1887652760:1887652779, ack 4258656510, win 1002, options [nop,nop,TS val 3289466069 ecr 3780598465], length 19
18:15:50.075402 IP 10.0.0.10.mysql > 10.0.0.11.49318: Flags [.], ack 19, win 1016, options [nop,nop,TS val 3782532237 ecr 3289466069], length 0
18:15:50.146780 IP 10.0.0.10.mysql > 10.0.0.11.49318: Flags [P.], seq 1:160, ack 19, win 1016, options [nop,nop,TS val 3782532308 ecr 3289466069], length 159
18:15:50.147255 IP 10.0.0.11.49318 > 10.0.0.10.mysql: Flags [.], ack 160, win 1002, options [nop,nop,TS val 3289466141 ecr 3782532308], length 0
In case you wonder, I executed a regular
Code:
show databases;
command without problems, and I got the results.

Ok so with that being said, we know the connection is working and traffic is being seen.

Here you have a netstat output to be even more sure:
Code:
vagrant@servidor:/etc/snort$ netstat -tulpn
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:587           0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::514                  :::*                    LISTEN      -                   
tcp6       0      0 :::80                   :::*                    LISTEN      -                   
tcp6       0      0 :::21                   :::*                    LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -                   
udp        0      0 0.0.0.0:68              0.0.0.0:*                           -                   
udp        0      0 10.0.0.10:123           0.0.0.0:*                           -                   
udp        0      0 192.168.121.37:123      0.0.0.0:*                           -                   
udp        0      0 127.0.0.1:123           0.0.0.0:*                           -                   
udp        0      0 0.0.0.0:123             0.0.0.0:*                           -                   
udp6       0      0 fe80::5054:ff:fe47::123 :::*                                -                   
udp6       0      0 fe80::5054:ff:fedd::123 :::*                                -                   
udp6       0      0 ::1:123                 :::*                                -                   
udp6       0      0 :::123                  :::*                                -
Next step, run Snort with a generic rule for detecting 3306 traffic. This is going to be the rule I will run:
Code:
alert tcp any any -> $HOME_NET 3306 (msg:"mariadb traffic"; sid:29900)
I run Snort like this:
Code:
sudo snort -A console -q -i eth1 -c /etc/snort/snort.conf
From my attacker I'm running SQL commands, connecting and disconnecting, but nothing seems to generate alerts.

In case you need it, here you have my interfaces information:
Code:
vagrant@servidor:/etc/snort$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:dd:10:a9 brd ff:ff:ff:ff:ff:ff
    altname enp0s5
    altname ens5
    inet 192.168.121.37/24 brd 192.168.121.255 scope global dynamic eth0
       valid_lft 2120sec preferred_lft 2120sec
    inet6 fe80::5054:ff:fedd:10a9/64 scope link 
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:47:ff:e4 brd ff:ff:ff:ff:ff:ff
    altname enp0s6
    altname ens6
    inet 10.0.0.10/24 brd 10.0.0.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fe47:ffe4/64 scope link 
       valid_lft forever preferred_lft forever
I've been stuck on this problem for several days and have run out of ideas. Any help is appreciated, since Snort should be detecting 3306 traffic but it isn't.

PS: other Snort rules I have are working properly, I only have issues when it comes to the 3306 port and with Snort specifically.
 
Old 10-13-2021, 09:13 AM   #2
smallpond
Senior Member
 
Registered: Feb 2011
Location: Massachusetts, USA
Distribution: Fedora 34
Posts: 3,666

Where is your attacker running? If on the same system, then it goes through lo, not eth1.
 
Old 10-13-2021, 05:05 PM   #3
adrian-jaramillo
LQ Newbie
 
Registered: Nov 2020
Distribution: Debian buster (10)
Posts: 19

Original Poster
Quote:
Originally Posted by smallpond View Post
Where is your attacker running? If on the same system, then it goes through lo, not eth1.
That's not the issue, since the attacker is another virtual machine.
They are separate VMs and they have a direct connection between them: a private, very isolated network with libvirt and Vagrant, to be specific.

I've already shown in the post that there are no connection problems, since tcpdump shows output and all of the other Snort rules I've been trying work. This is why I find the problem utterly strange.
 
Old 10-14-2021, 06:41 AM   #4
Guttorm
Senior Member
 
Registered: Dec 2003
Location: Trondheim, Norway
Distribution: Debian and Ubuntu
Posts: 1,383

Hi

I'm no expert on snort, but I've tried it. There are rules about mysql and 3306 in the default config. It could be some conflicting settings. Maybe look at these?
Code:
sudo grep -r 3306 /etc/snort/
sudo grep -r mysql /etc/snort/
 
Old 10-14-2021, 12:40 PM   #5
computersavvy
Senior Member
 
Registered: Aug 2016
Posts: 1,880

I am using Fedora, and the Snort config path is different, but I have a file by default for mysql/mariadb:

Code:
<prompt># cat /etc/fwsnort/snort_rules/mysql.rules 
# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
#    All rights reserved.
# $Id$
#----------
# MYSQL RULES
#----------
#
# These signatures detect unusual and potentially malicious mysql traffic.
#
# These signatures are not enabled by default as they may generate false
# positive alarms on networks that do mysql development.
#

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL root login attempt"; flow:to_server,established; content:"|0A 00 00 01 85 04 00 00 80|root|00|"; classtype:protocol-command-decode; sid:1775; rev:2;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL show databases attempt"; flow:to_server,established; content:"|0F 00 00 00 03|show databases"; classtype:protocol-command-decode; sid:1776; rev:2;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL 4.0 root login attempt"; flow:to_server,established; content:"|01|"; distance:3; within:1; content:"root|00|"; nocase; distance:5; within:5; classtype:protocol-command-decode; sid:3456; rev:1;)
I do not run a mariadb database, nor snort since this is a home machine, but the default config when activated should work.
 
Old 10-15-2021, 06:01 AM   #6
adrian-jaramillo
LQ Newbie
 
Registered: Nov 2020
Distribution: Debian buster (10)
Posts: 19

Original Poster
Quote:
Originally Posted by Guttorm View Post
Hi
There are rules about mysql and 3306 in the default config. It could be some conflicting settings.
In my scenario that shouldn't be an issue, since I removed all the default rules and left the config with only my local.rules.

This is how my rules configuration looks like in snort.conf:
Code:
###################################################
# Step #7: Customize your rule set
# For more information, see Snort Manual, Writing Snort Rules
#
# NOTE: All categories are enabled in this conf file
###################################################

# Note to Debian users: The rules preinstalled in the system
# can be *very* out of date. For more information please read
# the /usr/share/doc/snort-rules-default/README.Debian file

#
# If you install the official VRT Sourcefire rules please review this
# configuration file and re-enable (remove the comment in the first line) those
# rules files that are available in your system (in the /etc/snort/rules
# directory)

# site specific rules
include $RULE_PATH/local.rules

# The include files commented below have been disabled
# because they are not available in the stock Debian
# rules. If you install the Sourcefire VRT please make
# sure you re-enable them again:

# Default rules deleted
 
Old 10-15-2021, 06:39 AM   #7
adrian-jaramillo
LQ Newbie
 
Registered: Nov 2020
Distribution: Debian buster (10)
Posts: 19

Original Poster
Quote:
Originally Posted by computersavvy View Post

Code:
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL root login attempt"; flow:to_server,established; content:"|0A 00 00 01 85 04 00 00 80|root|00|"; classtype:protocol-command-decode; sid:1775; rev:2;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL show databases attempt"; flow:to_server,established; content:"|0F 00 00 00 03|show databases"; classtype:protocol-command-decode; sid:1776; rev:2;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL 4.0 root login attempt"; flow:to_server,established; content:"|01|"; distance:3; within:1; content:"root|00|"; nocase; distance:5; within:5; classtype:protocol-command-decode; sid:3456; rev:1;)
...but the default config when activated should work.
Yes, I indeed noticed that Snort comes with those 3 default rules pre-configured, and I've already tried them.
None of them worked.

The real problem seems to be the 3306 port. No traffic going through that port is captured by Snort for some reason.
 
Old 10-15-2021, 11:28 AM   #8
computersavvy
Senior Member
 
Registered: Aug 2016
Posts: 1,880

There are 2 critical variables there that you need to verify.

$EXTERNAL_NET
&
$SQL_SERVERS

If not coming from $EXTERNAL_NET and aimed at $SQL_SERVERS it gets ignored.

I see this in /etc/fwsnort/fwsnort.conf
Code:
### Fwsnort treats all traffic directed to / originating from the local
### machine as going to / coming from the HOME_NET in Snort rule parlance.
### If there is only one interface on the local system, then there will be
### no rules processed via the FWSNORT_FORWARD chain because no traffic
### would make it into the iptables FORWARD chain.
HOME_NET                any;
EXTERNAL_NET            any;

### List of servers.  Fwsnort supports the same variable resolution as
### Snort.
HTTP_SERVERS            $HOME_NET;
SMTP_SERVERS            $HOME_NET;
DNS_SERVERS             $HOME_NET;
SQL_SERVERS             $HOME_NET;
TELNET_SERVERS          $HOME_NET;
This gives a little about how HOME_NET and EXTERNAL_NET are used and defined.

I am reasonably certain your issue is related to the definition of those variables.
 
Old 10-17-2021, 11:58 AM   #9
adrian-jaramillo
LQ Newbie
 
Registered: Nov 2020
Distribution: Debian buster (10)
Posts: 19

Original Poster
Quote:
Originally Posted by computersavvy View Post
I am reasonably certain your issue is related to the definition of those variables.
Ok, so I will explain in detail about those variables.

The default Snort rules for mysql look like this in my scenario:
Code:
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL root login attempt"; flow:to_server,established; content:"|0A 00 00 01 85 04 00 00 80|root|00|"; classtype:protocol-command-decode; sid:1775; rev:2;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL show databases attempt"; flow:to_server,established; content:"|0F 00 00 00 03|show databases"; classtype:protocol-command-decode; sid:1776; rev:2;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL 4.0 root login attempt"; flow:to_server,established; content:"|01|"; within:1; distance:3; content:"root|00|"; within:5; distance:5; nocase; classtype:protocol-command-decode; sid:3456; rev:2;)
The first thing I must say about my scenario, is that in my "snort.conf" I have previously deleted all the default rules, so only my local rules are working. I basically deleted all the include lines, so those rules are not taken into account when Snort runs.


Next, these are my rules on local.rules:
Code:
alert tcp any any -> $HOME_NET 3306 (msg:"MYSQL root login attempt"; flow:to_server,established; content:"|0A 00 00 01 85 04 00 00 80|root|00|"; classtype:protocol-command-decode; sid:1775; rev:2;)
alert tcp any any -> $HOME_NET 3306 (msg:"MYSQL show databases attempt"; flow:to_server,established; content:"|0F 00 00 00 03|show databases"; classtype:protocol-command-decode; sid:1776; rev:2;)
alert tcp any any -> $HOME_NET 3306 (msg:"MYSQL 4.0 root login attempt"; flow:to_server,established; content:"|01|"; within:1; distance:3; content:"root|00|"; within:5; distance:5; nocase; classtype:protocol-command-decode; sid:3456; rev:2;)
They are a little different from the default ones, so $EXTERNAL_NET and $SQL_SERVERS don't matter anymore.

If you want to know the value of $HOME_NET, I'm showing you the file "snort.debian.conf", because the server VM is Debian, and Snort stores that info in that specific file:
Code:
DEBIAN_SNORT_STARTUP="boot"
DEBIAN_SNORT_HOME_NET="10.0.0.0/24"
DEBIAN_SNORT_OPTIONS=""
DEBIAN_SNORT_INTERFACE="eth0 eth1"
DEBIAN_SNORT_SEND_STATS="true"
DEBIAN_SNORT_STATS_RCPT="root"
DEBIAN_SNORT_STATS_THRESHOLD="1"
Next, I'll show you my interfaces so that you can see the network and the interface are correct:
Code:
vagrant@servidor:/etc/snort$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:dd:10:a9 brd ff:ff:ff:ff:ff:ff
    altname enp0s5
    altname ens5
    inet 192.168.121.37/24 brd 192.168.121.255 scope global dynamic eth0
       valid_lft 2392sec preferred_lft 2392sec
    inet6 fe80::5054:ff:fedd:10a9/64 scope link 
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:47:ff:e4 brd ff:ff:ff:ff:ff:ff
    altname enp0s6
    altname ens6
    inet 10.0.0.10/24 brd 10.0.0.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fe47:ffe4/64 scope link 
       valid_lft forever preferred_lft forever
Now, I will run snort like this:
Code:
sudo snort -A console -q -i eth1 -c /etc/snort/snort.conf
From the attacker, I connect as root like this:
Code:
sudo mysql -u root -p -h 10.0.0.10
I'm not getting any output in the server yet. Even if I write...
Code:
show databases;
I'm not getting output either.
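The rules and packets in this thread can be checked offline, without Snort. What follows is an added example, not code from the thread or from Snort: it builds the two client messages under discussion (the COM_QUERY for `show databases` and the root login) directly from the MySQL/MariaDB wire format and evaluates the posted rules against them with a re-implementation of the small subset of Snort 2 semantics they use: the header's `$EXTERNAL_NET` / `$HOME_NET` / `$SQL_SERVERS` source and destination checks that post #8 asks about, and the `content`, `distance`, `within` and `nocase` modifiers of sids 1775, 1776 and 3456 as quoted in post #9. The ipvar values (`HOME_NET 10.0.0.0/24`, `EXTERNAL_NET` defined as `!$HOME_NET`, `SQL_SERVERS` as `$HOME_NET`), the attacker address 10.0.0.11 and the client capability flags are assumptions chosen to mirror the thread; the packets are constructed, not captured.

```python
"""Offline check of the thread's Snort rules against constructed MySQL/MariaDB
client packets.  Added example: not Snort, and not code from the thread."""
import ipaddress
import struct

# Assumed ipvar values mirroring the thread (assumption, not read from snort.conf):
#   ipvar HOME_NET 10.0.0.0/24   ipvar EXTERNAL_NET !$HOME_NET   ipvar SQL_SERVERS $HOME_NET
ANY = "any"
HOME_NET = ([ipaddress.ip_network("10.0.0.0/24")], False)   # (networks, negated)
EXTERNAL_NET = (HOME_NET[0], True)
SQL_SERVERS = HOME_NET

# Payload tests of the stock rules exactly as posted: sid -> [(content, modifiers)].
CONTENTS = {
    1775: [("|0A 00 00 01 85 04 00 00 80|root|00|", {})],
    1776: [("|0F 00 00 00 03|show databases", {})],
    3456: [("|01|", {"distance": 3, "within": 1}),
           ("root|00|", {"distance": 5, "within": 5, "nocase": True})],
}


def stock_rules():
    """Headers as shipped: alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306."""
    return [{"sid": s, "src": EXTERNAL_NET, "dst": SQL_SERVERS, "contents": c}
            for s, c in CONTENTS.items()]


def local_rules():
    """Headers as rewritten in local.rules (any any -> $HOME_NET 3306), plus the
    payload-free sid 29900 from the first post."""
    return [{"sid": 29900, "src": ANY, "dst": HOME_NET, "contents": []}] + [
        {"sid": s, "src": ANY, "dst": HOME_NET, "contents": c} for s, c in CONTENTS.items()]


def in_var(ip, var):
    """ipvar membership: 'any', or (networks, negated) as in 'ipvar X !$HOME_NET'."""
    if var == ANY:
        return True
    nets, negated = var
    return any(ipaddress.ip_address(ip) in n for n in nets) != negated


def content_bytes(spec):
    """Decode a Snort content string: text between '|' pairs is hex, the rest literal."""
    out = bytearray()
    for i, chunk in enumerate(spec.split("|")):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode("latin-1")
    return bytes(out)


def payload_matches(payload, contents):
    """Snort 2 content chain: a content without distance/within is searched from the
    payload start; distance:N starts N bytes after the previous match (payload start
    for the first content); within:N confines the whole pattern to the next N bytes."""
    cursor = 0
    for spec, mods in contents:
        needle, hay = content_bytes(spec), payload
        if mods.get("nocase"):
            needle, hay = needle.lower(), hay.lower()
        relative = "distance" in mods or "within" in mods
        start = cursor + mods.get("distance", 0) if relative else 0
        end = start + mods["within"] if "within" in mods else len(hay)
        idx = hay.find(needle, start, end)      # pattern must lie entirely in [start, end)
        if idx < 0:
            return False
        cursor = idx + len(needle)
    return True


def evaluate(src_ip, dst_ip, dport, payload, rules):
    """Return the sids whose header (tcp, any sport, dport 3306) and payload chain match."""
    return {r["sid"] for r in rules
            if dport == 3306 and in_var(src_ip, r["src"]) and in_var(dst_ip, r["dst"])
            and payload_matches(payload, r["contents"])}


# Constructed client packets in MySQL wire format (not captured traffic).
def mysql_packet(seq, body):
    """Framing: 3-byte little-endian length, 1-byte sequence id, body."""
    return struct.pack("<I", len(body))[:3] + bytes([seq]) + body


def com_query(sql):
    """COM_QUERY (0x03) as the mysql client sends it; the trailing ';' is not on the wire."""
    return mysql_packet(0, b"\x03" + sql.encode())


def login_protocol_320(user):
    """Pre-4.1 HandshakeResponse: 2-byte capabilities, 3-byte max packet, user NUL.
    Capability and max-packet values chosen to be the bytes sid 1775 expects."""
    return mysql_packet(1, struct.pack("<H", 0x0485) + struct.pack("<I", 0x800000)[:3]
                        + user.encode() + b"\x00")


def login_protocol_41(user):
    """HandshakeResponse41 as current clients send it: 4-byte capabilities, 4-byte max
    packet, charset, 23 reserved bytes, user NUL, empty auth response (assumed values)."""
    return mysql_packet(1, struct.pack("<IIB", 0x000FA685, 0x01000000, 33) + b"\x00" * 23
                        + user.encode() + b"\x00\x00")


def demo(attacker="10.0.0.11", server="10.0.0.10"):
    """Print which sids each constructed packet triggers under both header styles."""
    packets = [("COM_QUERY show databases", com_query("show databases")),
               ("COM_QUERY SHOW DATABASES", com_query("SHOW DATABASES")),
               ("root login, 4.1 protocol", login_protocol_41("root")),
               ("root login, 3.20 protocol", login_protocol_320("root"))]
    for name, pkt in packets:
        stock = sorted(evaluate(attacker, server, 3306, pkt, stock_rules()))
        local = sorted(evaluate(attacker, server, 3306, pkt, local_rules()))
        print(f"{name:26s} len={len(pkt):3d}  stock={stock}  local={local}")


if __name__ == "__main__":
    demo()
```

Three things the output makes visible. The 19-byte segment in the tcpdump output of post #1 is exactly the size of a COM_QUERY carrying `show databases` (4-byte header, the 0x03 command byte and 14 characters), and the sid 1776 pattern matches that payload byte for byte, but only with the exact lower-case spelling, since the rule has no `nocase`. The root-login patterns of sids 1775 and 3456 describe the pre-4.1 HandshakeResponse layout (2-byte capabilities and 3-byte max packet before the user name), so a current mysql or mariadb client, which sends HandshakeResponse41, does not trigger them regardless of the header. And with the stock `$EXTERNAL_NET any -> $SQL_SERVERS 3306` header, if `EXTERNAL_NET` is `!$HOME_NET`, a client inside 10.0.0.0/24 never matches any of the three stock rules whatever the payload; the `any any -> $HOME_NET` rewrite removes that restriction. Note that the `snort -c /etc/snort/snort.conf` command line used in the thread is consumed by the snort binary, which does not read snort.debian.conf; the `ipvar HOME_NET` line in snort.conf (or a `-S HOME_NET=...` / `-h` override on the command line) is what defines `$HOME_NET` for that run. None of this explains why the payload-free sid 29900, which should fire on every packet to port 3306 that Snort inspects, stays silent, so the remaining suspects are in the capture path rather than the rules: `snort -T -c /etc/snort/snort.conf` reports whether local.rules is loaded and parses, `tcpdump -i eth1 -w mysql.pcap port 3306` followed by `snort -r mysql.pcap -c /etc/snort/snort.conf -A console -q` replays the same bytes through the same config, and because Snort by default does not run detection on packets whose TCP checksum fails verification while tcpdump never verifies them, a second run with `-k none` (or `config checksum_mode: none`) is the usual check on virtio/libvirt interfaces where checksum offloading can leave the field unfilled.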
 