Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Can anyone explain these entries that come up in my Snort "alert" and "portscan.log" files?
I am running rh7.2 with an iptables firewall (very restrictive) and Snort. "myIP" is the IP address of this box, while "neighborIP" is the IP address of a NT box (no special security precautions, no special services known) in the same office (both machines have static IP addresses and are hooked up via the same hub -- no IP masquerading here).
Two basic questions which are prompted by the following log:
1) Why do I get entries in my Snort log which have nothing to do with the box on which Snort runs (myIP)?
2) What the heck are the repeated portscans from neighborIP about? Is this an NT thing, or is it running some rogue program? From time to time neighborIP will portscan myIP as well:
(these are not isolated incidents)
-- BEGIN EXCERPT FROM portscan.log FILE ---- (edited for content and conciseness)
Apr 20 19:21:52 neighborIP:3117 -> 212.166.64.129:80 SYN ******S*
Apr 20 19:21:49 neighborIP:3108 -> 212.7.33.162:80 SYN ******S*
Apr 20 19:21:49 neighborIP:3112 -> 63.236.73.250:80 SYN ******S*
Apr 20 19:21:53 neighborIP:3122 -> 212.166.64.129:80 SYN ******S*
Apr 20 19:22:02 neighborIP:3125 -> 195.219.20.13:80 SYN ******S*
Apr 20 19:22:04 neighborIP:3130 -> 195.219.20.13:80 SYN ******S*
Apr 20 19:22:07 neighborIP:3128 -> 213.97.13.219:80 SYN ******S*
Apr 20 19:22:20 neighborIP:3131 -> 195.219.20.13:80 SYN ******S*
Apr 20 19:22:32 neighborIP:3132 -> 195.219.20.13:80 SYN ******S*
--- END LOG ------------------
I also get entries in my "alert" file about various transgressions (to and from) neighborIP that have nothing explicitly to do with myIP (e.g., MISC Large ICMP Packet) and some things that only happen to neighborIP (e.g. DOS MSDTC attempt)
Any ideas? I am new to Snort, so it is quite possible I'm doing something newbish (configuration or interpretation-wise).
Any chance you could run some tcpdumps on the interface and see exactly what kind of traffic that is? As frequent as it is, it sounds like it could be arp requests or possibly packets coming from Nimda or Code Red (can generate a lot of traffic).
Originally posted by unSpawn:
Could you check if you're running Snort in promiscuous mode, that is w/o the "-p" flag, and if turning that on solves things a bit.
Well it did more than solve things `a bit': it worked! Thanks for the push to -p; now I've got a better handle on what promiscuous mode is. But now my snort logs are pretty boring... (well, not TOO boring)
I haven't looked at what the packets coming out of the NT box are all about (using ethereal, as suggested) but I'll be doing so soon.
It seems to me (though forgive me if I'm wrong) that you're not entirely sure what snort is for...
Snort is an Intrusion Detection System (IDS) for *networks* not just for your linux host. It's *supposed* to monitor traffic flying around the whole of the network that it's attached to. By turning off its promiscuous mode, you've just hamstrung it!
BTW - The portscans aren't anything to worry about - from what I remember about running snort on our LAN at my last job, we got that all the time from various NT machines on the network. It's either if the machine is a PDC or if it's a DHCP server - but I can't remember which.... (sorry)
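As an added illustration (not code from this thread), here is a small Python parser for the portscan.log format quoted above. It splits entries that actually involve the monitoring host from bystander traffic that only a promiscuous-mode sensor would ever capture, which is the distinction behind question 1. The host labels myIP and neighborIP are the poster's placeholders, and the sample lines are constructed.

```python
import re
from collections import Counter

# Constructed sample in the portscan.log format shown in the thread
# (myIP / neighborIP are labels, as in the post, not real addresses).
SAMPLE_LOG = """\
Apr 20 19:21:52 neighborIP:3117 -> 212.166.64.129:80 SYN ******S*
Apr 20 19:21:49 neighborIP:3108 -> 212.7.33.162:80 SYN ******S*
Apr 20 19:22:02 neighborIP:3125 -> 195.219.20.13:80 SYN ******S*
Apr 20 19:22:04 neighborIP:3130 -> 195.219.20.13:80 SYN ******S*
Apr 20 19:23:10 neighborIP:3140 -> myIP:139 SYN ******S*
Apr 20 19:23:11 neighborIP:3141 -> myIP:445 SYN ******S*
"""

# "Mon DD HH:MM:SS src:sport -> dst:dport TYPE FLAGS"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+) "
    r"(?P<type>\S+) (?P<flags>\S+)$"
)


def parse_portscan_log(text):
    """Return one dict per parsable line; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["sport"] = int(d["sport"])
            d["dport"] = int(d["dport"])
            entries.append(d)
    return entries


def involves_host(entry, host):
    """True when the sensor host is either endpoint of the logged packet."""
    return host in (entry["src"], entry["dst"])


def summarize(entries, local_host):
    """Split entries into traffic touching local_host (what snort -p would see)
    and bystander traffic that is only visible in promiscuous mode."""
    local = [e for e in entries if involves_host(e, local_host)]
    other = [e for e in entries if not involves_host(e, local_host)]
    return {
        "local": len(local),
        "bystander": len(other),
        "local_dst_ports": Counter(e["dport"] for e in local),
        "bystander_dst_ports": Counter(e["dport"] for e in other),
        "sources": Counter(e["src"] for e in entries),
    }
```

Running summarize(parse_portscan_log(SAMPLE_LOG), "myIP") shows four bystander SYNs to port 80 (the NT box browsing the web) against two entries that actually target the sensor.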
If ppl are only interested in finding direct targeted attacks promiscuous mode ain't strictly necessary. Also if you want to run Snort, but company policies won't allow your box to run in promiscuous mode.
I'm sure I could come up with more reasons to run Snort -p if I was willing to think real hard now...
I'm only running one linux machine, not a whole network. I have no real control over the other machines so watching what is happening between them is of secondary concern. Of course, it would be ultra-secure of me to see what is going on with nearby machines (using promiscuous mode), but I don't care too much. All of the 'extra' entries in the log files are distracting with regards to my one machine. I am content to tightly lock down this box since I control every aspect of it.
The way I have snort running right now, it appears to only analyze packets which make it through the iptables firewall. Is there a way to configure snort so that it analyzes every packet destined (or leaving) my box (before the firewall drops it), but strictly intended for myIP? I would guess I could configure snort's rule sets somehow, but I don't know if its possible to get this behavior. Anyone know?
Snort already *is* working in front of any other filtering cuz of its libpcap usage. From what I've read (filtering howto's, snort mailinglist, man pcap, man snort etc etc) suppose it goes somewhat like this: incoming packets hold in kernel buffer,
packet(copy?) gets examined by pcap(Snort),
packet travels up the chain to first iptables thingie(preroute?) etc,
packet filtered through lands on tcp/ip stack for slaughter :-]
One way to find out would be to run another copy of snort on another interface (netlink?), and pass the packets at the end of iptables' chains to it, kick off some internet scan and watch the difference.
Originally posted by unSpawn:
Snort already *is* working in front of any other filtering cuz of its libpcap usage. From what I've read (filtering howto's, snort mailinglist, man pcap, man snort etc etc) suppose it goes somewhat like this:
Well, I have nothing to refute any particular statement in your post.
However, I do know that when I run snort with the following command (in rc.[3,4,5] scripts):
daemon /usr/sbin/snort -A full -l /var/log/snort -p -d -D -i $INTERFACE -c /etc/snort/snort.conf
all I see in the alert file is stuff coming off myIP (say, when I portscan another machine). I (naively) figured it was because (most) anything coming off the net was dropped by my iptables rules, and then snort analyzed it...