LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   Explain these Snort logs... (https://www.linuxquestions.org/questions/linux-security-4/explain-these-snort-logs-19083/)

the theorist 04-21-2002 08:41 PM

Explain these Snort logs...
 
Can anyone explain these entries that come up in my Snort "alert" and "portscan.log" files?

I am running rh7.2 with an iptables firewall (very restrictive) and Snort. "myIP" is the IP address of this box, while "neighborIP" is the IP address of a NT box (no special security precautions, no special services known) in the same office (both machines have static IP addresses and are hooked up via the same hub -- no IP masquerading here).

Two basic questions which are prompted by the following log:
1) Why do I get entries in my Snort log which have nothing to do with the box on which Snort runs (myIP)?
2) What the heck are the repeated portscans from neighborIP about? Is this an NT thing, or is it running some rogue program? From time to time neighborIP will portscan myIP as well:
(these are not isolated incidents)

-- BEGIN EXCERPT FROM portscan.log FILE ---- (edited for content and conciseness)
Apr 20 19:21:52 neighborIP:3117 -> 212.166.64.129:80 SYN ******S*
Apr 20 19:21:49 neighborIP:3108 -> 212.7.33.162:80 SYN ******S*
Apr 20 19:21:49 neighborIP:3112 -> 63.236.73.250:80 SYN ******S*
Apr 20 19:21:53 neighborIP:3122 -> 212.166.64.129:80 SYN ******S*
Apr 20 19:22:02 neighborIP:3125 -> 195.219.20.13:80 SYN ******S*
Apr 20 19:22:04 neighborIP:3130 -> 195.219.20.13:80 SYN ******S*
Apr 20 19:22:07 neighborIP:3128 -> 213.97.13.219:80 SYN ******S*
Apr 20 19:22:20 neighborIP:3131 -> 195.219.20.13:80 SYN ******S*
Apr 20 19:22:32 neighborIP:3132 -> 195.219.20.13:80 SYN ******S*
--- END LOG ------------------

I also get entries in my "alert" file about various transgressions (to and from) neighborIP that have nothing explicitly to do with myIP (e.g., MISC Large ICMP Packet) and some things that only happen to neighborIP (e.g., DOS MSDTC attempt).

Any ideas? I am new to Snort, so it is quite possible I'm doing something newbish (configuration or interpretation-wise).

Thanks,
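An added example, not part of the thread, that parses the portscan.log format quoted above and answers the two questions mechanically: it separates entries that involve the monitored box from bystander traffic (which only reaches Snort at all on a promiscuous interface), and counts how many distinct hosts one source contacted inside a short window, which is the sort of burst a portscan preprocessor flags. neighborIP and myIP are the poster's placeholders; the final myIP line of the sample is constructed.

```python
import re
from datetime import datetime

# Constructed sample in the thread's portscan.log format. neighborIP and myIP
# are the poster's own placeholders; the last line is added to show a probe
# that does involve the monitored box, unlike the rest.
SAMPLE_LOG = """\
Apr 20 19:21:52 neighborIP:3117 -> 212.166.64.129:80 SYN ******S*
Apr 20 19:21:49 neighborIP:3108 -> 212.7.33.162:80 SYN ******S*
Apr 20 19:21:49 neighborIP:3112 -> 63.236.73.250:80 SYN ******S*
Apr 20 19:21:53 neighborIP:3122 -> 212.166.64.129:80 SYN ******S*
Apr 20 19:22:02 neighborIP:3125 -> 195.219.20.13:80 SYN ******S*
Apr 20 19:22:07 neighborIP:3128 -> 213.97.13.219:80 SYN ******S*
Apr 20 19:40:10 neighborIP:3201 -> myIP:139 SYN ******S*
"""

# Layout of one line: "Mon DD HH:MM:SS src:sport -> dst:dport KIND FLAGS"
LINE_RE = re.compile(r"^(\w{3} \d+ \d\d:\d\d:\d\d) (\S+):(\d+) -> (\S+):(\d+) (\S+) (\S+)$")

def parse_portscan_log(text):
    """Parse portscan.log lines into dicts, skipping malformed ones.
    The log carries no year; a fixed one is supplied only so times compare."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        when, src, sport, dst, dport, kind, flags = m.groups()
        entries.append({"ts": datetime.strptime("2002 " + when, "%Y %b %d %H:%M:%S"),
                        "src": src, "sport": int(sport), "dst": dst,
                        "dport": int(dport), "kind": kind, "flags": flags})
    return entries

def split_by_host(entries, my_ip):
    """Entries involving the monitored host vs. bystander traffic, which only
    reaches Snort at all when the interface is in promiscuous mode."""
    mine = [e for e in entries if my_ip in (e["src"], e["dst"])]
    return mine, [e for e in entries if e not in mine]

def max_targets_in_window(entries, seconds):
    """Most distinct destination hosts one source contacted within `seconds`,
    the kind of burst a portscan detector thresholds on. Lines are not time-ordered."""
    best = 0
    for src in {e["src"] for e in entries}:
        es = sorted((e for e in entries if e["src"] == src), key=lambda e: e["ts"])
        for i, start in enumerate(es):
            hosts = {e["dst"] for e in es[i:]
                     if (e["ts"] - start["ts"]).total_seconds() <= seconds}
            best = max(best, len(hosts))
    return best
```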

sancho5 04-21-2002 11:53 PM

Any chance you could run some tcpdumps on the interface and see exactly what kind of traffic that is? As frequent as it is, it sounds like it could be arp requests or possibly packets coming from Nimda or Code Red (can generate a lot of traffic).

sancho5 04-21-2002 11:54 PM

Sorry... another suggestion would be to run Ethereal on your NT box (there is a win32 port). You want to first id the traffic you're seeing.

unSpawn 04-22-2002 03:09 AM

Could you check if you're running Snort in promiscuous mode, that is w/o the "-p" flag, and if turning that on solves things a bit.

the theorist 04-23-2002 10:38 AM

It worked!
 
Quote:

Originally posted by unSpawn
Could you check if you're running Snort in promiscuous mode, that is w/o the "-p" flag, and if turning that on solves things a bit.

Well it did more than solve things 'a bit': it worked! Thanks for the push to -p; now I've got a better handle on what promiscuous mode is. But now my snort logs are pretty boring... (well, not TOO boring)

I haven't looked at what the packets coming out of the NT box are all about (using ethereal, as suggested) but I'll be doing so soon.

L33t_H4x0R 04-25-2002 06:27 AM

Hi, just thought I'd poke my oar in here too....

It seems to me (though forgive me if I'm wrong) that you're not entirely sure what snort is for...

Snort is an Intrusion Detection System (IDS) for *networks* not just for your linux host. It's *supposed* to monitor traffic flying around the whole of the network that it's attached to. By turning off its promiscuous mode, you've just hamstrung it!

BTW - The portscans aren't anything to worry about - from what I remember about running snort on our LAN at my last job, we got that all the time from various NT machines on the network. It's either if the machine is a PDC or if it's a DHCP server - but I can't remember which.... (sorry)

Bry

unSpawn 04-25-2002 06:01 PM

If ppl are only interested in finding direct targeted attacks promiscuous mode ain't strictly necessary. Also if you want to run Snort, but company policies won't allow your box to run in promiscuous mode.
I'm sure I could come up with more reasons to run Snort -p if I was willing to think real hard now...

the theorist 04-26-2002 10:46 AM

I'm only running one linux machine, not a whole network. I have no real control over the other machines so watching what is happening between them is of secondary concern. Of course, it would be ultra-secure of me to see what is going on with nearby machines (using promiscuous mode), but I don't care too much. All of the 'extra' entries in the log files are distracting with regards to my one machine. I am content to tightly lock down this box since I control every aspect of it.

The way I have snort running right now, it appears to only analyze packets which make it through the iptables firewall. Is there a way to configure snort so that it analyzes every packet destined (or leaving) my box (before the firewall drops it), but strictly intended for myIP? I would guess I could configure snort's rule sets somehow, but I don't know if it's possible to get this behavior. Anyone know?

unSpawn 04-26-2002 08:10 PM

Snort already *is* working in front of any other filtering cuz of its libpcap usage. From what I've read (filtering howto's, snort mailinglist, man pcap, man snort etc etc) spose it goes somewhat like this:
incoming packets hold in kernel buffer,
packet(copy?) gets examined by pcap(Snort),
packet travels up the chain to first iptables thingie(preroute?) etc,
packet filtered tru lands on tcp/ip stack for slaughter :-]

One way to find out would be to run another copy of snort on another interface (netlink?), and pass the packets at the end of iptables' chains to it, kick off some internet scan and watch the difference.

/* Someone correct my mental floss if any, ok? */

the theorist 04-27-2002 09:21 PM

Quote:

Originally posted by unSpawn
Snort already *is* working in front of any other filtering cuz of its libpcap usage. From what I've read (filtering howto's, snort mailinglist, man pcap, man snort etc etc) spose it goes somewhat like this:

Well, I have nothing to refute any particular statement in your post.
However, I do know that when I run snort with the following command (in rc.[3,4,5] scripts):

daemon /usr/sbin/snort -A full -l /var/log/snort -p -d -D -i $INTERFACE -c /etc/snort/snort.conf

all I see in the alert file is stuff coming off myIP (say, when I portscan another machine). I (naively) figured it was because (most) anything coming off the net was dropped by my iptables rules, and then snort analyzed it...

Time to read. Thanks for the starting points!
