I first noticed the problem where, if I ran a GRC Shields Up scan on COS 6.2, there's no log or entry that I can find where it says it even detected the event. I decided to stop the service, then manually run snort with these results.
I ran it with "snortsam /etc/snortsam.conf -v"
How can I check all is well, and what can I have missed regarding not seeing a basic port scan?
SnortSam, v 2.69.
Copyright (c) 2001-2009 Frank Knobbe <frank@knobbe.us>. All rights reserved.
Plugin 'fwsam': v 2.5, by Frank Knobbe
Plugin 'fwexec': v 2.7, by Frank Knobbe
Plugin 'pix': v 2.9, by Frank Knobbe
Plugin 'ciscoacl': v 2.12, by Ali Basel <alib@sabanciuniv.edu>
Plugin 'cisconullroute': v 2.5, by Frank Knobbe
Plugin 'cisconullroute2': v 2.2, by Wouter de Jong <maddog2k@maddog2k.net>
Plugin 'netscreen': v 2.10, by Frank Knobbe
Plugin 'ipchains': v 2.8, by Hector A. Paterno <apaterno@dsnsecurity.com>
Plugin 'iptables': v 2.9, by Fabrizio Tivano <fabrizio@sad.it>, Luis Marichal <luismarichal@gmail.com>
Plugin 'ebtables': v 2.4, by Bruno Scatolin <ipsystems@uol.com.br>
Plugin 'watchguard': v 2.7, by Thomas Maier <thomas.maier@arcos.de>
Plugin 'email': v 2.12, by Frank Knobbe
Plugin 'email-blocks-only': v 2.12, by Frank Knobbe
Plugin 'snmpinterfacedown': v 2.3, by Ali BASEL <ali@basel.name.tr>
Plugin 'forward': v 2.8, by Frank Knobbe
Parsing config file /etc/snortsam.conf...
Linking plugin 'iptables'...
Parsing config file /etc/snortsam.d/whitelist.conf...
Parsing config file /etc/snortsam.d/dns-whitelist.conf...
Error: [/etc/snortsam.conf: 51] Config file '/etc/snortsam.d/clearcenter-whitelist.conf' not found or inaccessible!
Error: [/etc/snortsam.conf: 52] Config file '/etc/snortsam.d/webconfig-whitelist.conf' not found or inaccessible!
Error: [/etc/snortsam.conf: 53] Config file '/etc/snort/system-autowhitelist.conf' not found or inaccessible!
Checking for existing state file "/var/db/snortsam.state".
Found. Reading state file.
Error: Could not bind socket.
Exiting SnortSam...
Curious. I've looked at the snortsam changelog and the sid-block.map file was introduced around 2003-02-09, which is round about snort version 1.9 build 229. What is making you say our snort version is too old for sid-block.map to work?
@Robert
I've simplified your list to remove duplicates:
Reduced.txt (22226 bytes): http://www.clearfoundation.com/media/kunena/attachments/legacy/files/Reduced.txt - rename to sid-block.map because of forum posting rules.
I've also created a list from all the 5.2 rules, as there are some there which you don't have in your list but do get used if you use the Emerging Threats rules:
5.txt (29850 bytes): http://www.clearfoundation.com/media/kunena/attachments/legacy/files/5.txt - again, rename to sid-block.map because of forum posting rules.
If you are trying to use pulledpork, did you find my Emerging Threats script for 5.2 here? It would need updating for 6.2 and is a bit of a sledgehammer, so you can't select which rules to enable and which you don't want, which I believe is what you can do with pulledpork.
I'll try to raise a feature request for the IPS so we get some form of editor for sid-block.map if ClearOS are not going to provide any rules with snortsam blocks.
[edit]
Bug/Feature 609 filed in bug tracker
[/edit]
[edit2]
Where have you put your sid-block.map file? I've put in the directory with my rules, but as I'm using a play NAT'ed VM it is a bit hard to make snort/snortsam trigger so I can't test properly.
[/edit2]
@Nick
http://dl.dropbox.com/u/17606346/sid-block.zip
Knock your heart out. I'm trying to get pulledpork to work but can't, because it's trying to access the version of the snort rules that I don't have access to, I think.
http://code.google.com/p/pulledpork/
[PulledPork ASCII-art banner]
PulledPork v0.6.1 the Smoking Pig
Copyright (C) 2009-2011 JJ Cummings
cummingsj@gmail.com
Rules give me wings!
Checking latest MD5 for snortrules-snapshot-2904.tar.gz....
A 403 error occurred, please wait for the 15 minute timeout
to expire before trying again or specify the -n runtime switch
You may also wish to verify your oinkcode, tarball name, and other configuration options
Error 403 when fetching https://www.snort.org/reg-rules/snortrules-snapshot-2904.tar.gz.md5 at ./pulledpork.pl line 453
main::md5file('<OINKCODE>', 'snortrules-snapshot-2904.tar.gz', '/tmp/', 'https://www.snort.org/reg-rules/') called at ./pulledpork.pl line 1758
@Robert
Have you seen this for configuring sid-block.map?
@Tim,
It makes snortsam pretty much useless as it is. I'll see if I can work out how to dump all the current (ClearOS 5.2) fwsam rules so they can be put into a sid-block.map file, but I haven't a clue where I'd stand at all with licensing. I also don't know how the 5.2 rules compare against the 6.2 ones.
Robert wrote:
So what you're suggesting is that currently snort on COS 6.2 does nothing at all.
Ouch! Looks that way, or at least the intrusion prevention service... IDS is still working.
It would appear that Snort no longer provides rules without a VRT subscription, or indirectly via the ClearOS Intrusion Protection Updates app. It's a real shame if all that's left is a bunch of rules with no IPS hooks... particularly when compared with what we had in 5.2!
Nick, I don't think they realised that they were removed from the normal ruleset. I did a Google and found that a few other products suffered the same fate, and they suggest using a .map file. I have the .map file but I'm yet to achieve getting it working, purely because I'm a snort novice. I will keep looking into it though.
It looks like they've moved more things between 5.2 and 6.2. Note to me - check in 6.2 before posting from memory. ........ and yes, it looks like there are no rules with fwsam defined, so it makes you wonder why bother running snortsam. Snort is still doing its stuff, detecting and logging packets, but snortsam looks like a waste of effort as the rules are.
If you search the forum I wrote a script to use the Emerging Threats rules which, as a by-product, allows you to define your own fwsam elements. The script will need updating for 6.2, as 6.2 uses v2.9.x of snort whereas 5.2 used 2.8.x and the file layout is different.
@devs - What is the point of snortsam with the default rule set?
Snort just does detection. If the rule has a "fwsam" element to it with another couple of parameters, snortsam will then activate a block. Have a little read here. There are some rules with blocks defined and you can see them with
grep fwsam /etc/snort/*.rules | less
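As an added example (not from this thread, and not ClearOS's or SnortSam's own code), the Python script below does what the grep above does and goes one step further: it pulls the fwsam: option out of every active rule and writes the equivalent sid-block.map entries, so a rule set that still carries blocks can be turned into the map file discussed in this thread. It assumes the option syntax SnortSam documents, `fwsam: who[how], time;` in a rule and `sid: who[how], time` in sid-block.map, with `0` meaning a permanent block; the rules embedded in it are constructed for illustration, and commented-out rules and malformed options are left out of the map rather than guessed at. Check the output against the SnortSam README before loading it.

```python
"""Turn the fwsam: options in Snort rules into sid-block.map lines.

Added example for this thread, not code from ClearOS or SnortSam.
Assumed option syntax (verify against the SnortSam README):
    in a rule:          fwsam: who[how], time;
    in sid-block.map:   sid: who[how], time
who is src/dst (or a long form), how is an optional bracketed direction
such as [in] or [this], time is "<n> <unit>" or 0 for a permanent block.
"""
import re
import sys
from typing import Dict, Optional, Tuple

# Constructed sample rules (illustration only, not a real rules file).
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP request tcp"; flow:stateless; classtype:attempted-recon; sid:1418; rev:11; fwsam: src, 5 min;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"GPL SNMP trap tcp"; flow:stateless; classtype:attempted-recon; sid:1420; rev:11;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SHELLCODE x86 inc ebx NOOP"; content:"|43 43 43 43|"; classtype:shellcode-detect; sid:1390; rev:5; fwsam: src[in], 0;)
#alert tcp any any -> any 0 (msg:"disabled rule stays out of the map"; sid:524; rev:8; fwsam: src, 1 hour;)
alert tcp any any -> any 23 (msg:"malformed option is rejected"; sid:9999; rev:1; fwsam: nobody, soon;)
'''

WHO = {"src", "source", "dst", "dest", "destination"}
HOW = {"in", "out", "src", "dst", "either", "both", "this", "conn", "connection"}
UNITS = {"sec", "secs", "second", "seconds", "min", "mins", "minute", "minutes",
         "hour", "hours", "day", "days", "week", "weeks", "month", "months",
         "year", "years"}

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
FWSAM_RE = re.compile(r"\bfwsam\s*:\s*([^;]+);")
ARG_RE = re.compile(r"^([a-z]+)(?:\[([a-z]+)\])?\s*,\s*(\d+)(?:\s*([a-z]+))?$", re.I)


def parse_fwsam_arg(arg: str) -> Optional[Tuple[str, str, int, str]]:
    """Validate 'who[how], time'; return (who, how, amount, unit) or None."""
    m = ARG_RE.match(arg.strip())
    if not m:
        return None
    who = m.group(1).lower()
    how = (m.group(2) or "").lower()
    amount = int(m.group(3))
    unit = (m.group(4) or "sec").lower()      # a bare "0" means permanent
    if who not in WHO or (how and how not in HOW) or unit not in UNITS:
        return None
    return who, how, amount, unit


def extract_blocks(rules_text: str) -> Dict[int, str]:
    """Return {sid: "who[how], time"} for each active rule with a valid fwsam option."""
    blocks: Dict[int, str] = {}
    for raw in rules_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                          # blank line or disabled rule
        sid_m, fw_m = SID_RE.search(line), FWSAM_RE.search(line)
        if not sid_m or not fw_m:
            continue                          # no sid, or no block requested
        parsed = parse_fwsam_arg(fw_m.group(1))
        if parsed is None:
            continue                          # malformed: no block beats a bad map line
        who, how, amount, unit = parsed
        target = f"{who}[{how}]" if how else who
        duration = "0" if amount == 0 else f"{amount} {unit}"
        blocks[int(sid_m.group(1))] = f"{target}, {duration}"
    return blocks


def render_sid_block_map(blocks: Dict[int, str]) -> str:
    """Serialise the mapping in sid-block.map form, lowest sid first."""
    lines = ["# generated from fwsam: rule options"]
    lines += [f"{sid}: {action}" for sid, action in sorted(blocks.items())]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Usage: python fwsam_to_map.py /etc/snort/rules/*.rules > sid-block.map
    text = "".join(open(p).read() for p in sys.argv[1:]) if len(sys.argv) > 1 else SAMPLE_RULES
    sys.stdout.write(render_sid_block_map(extract_blocks(text)))
```

Run without arguments it prints the map for the embedded sample rules; with rule files as arguments it reads those instead. The rule with `fwsam: nobody, soon;` is dropped deliberately: a line SnortSam cannot parse is worse than a missing one.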
Hi Tim,
I think you may need to revisit the snort.conf file and adjust it, as I had to uncomment something else completely to get it to place messages in /var/log/secure.
Now I get the message but don't see any action taken on the Intrusion Prevention table.
May 10 23:45:12 node1 snort[9350]: [122:5:1] PSNG_TCP_FILTERED_PORTSCAN [Classification: Attempted Information Leak] [Priority: 2] {PROTO:255} external_source_ip -> wan_ip
Nmap is run from an external source.
Just tested with that section uncommented on medium instead of low and that doesn't do anything either. Just testing Shields Up.
May 10 01:27:19 node1 snort[30231]: [1:1418:11] GPL SNMP request tcp [Classification: Attempted Information Leak] [Priority: 2] {TCP} 4.79.142.206:40318 -> my.wan.ip:161
May 10 01:27:19 node1 snort[30231]: [1:1420:11] GPL SNMP trap tcp [Classification: Attempted Information Leak] [Priority: 2] {TCP} 4.79.142.206:40318 -> my.wan.ip:162
May 10 01:27:20 node1 snort[30231]: [1:1418:11] GPL SNMP request tcp [Classification: Attempted Information Leak] [Priority: 2] {TCP} 4.79.142.206:40318 -> my.wan.ip:161
May 10 01:27:20 node1 snort[30231]: [1:1420:11] GPL SNMP trap tcp [Classification: Attempted Information Leak] [Priority: 2] {TCP} 4.79.142.206:40318 -> my.wan.ip:162
May 10 01:27:20 node1 snort[30231]: [1:1418:11] GPL SNMP request tcp [Classification: Attempted Information Leak] [Priority: 2] {TCP} 4.79.142.206:40318 -> my.wan.ip:161
May 10 01:27:20 node1 snort[30231]: [1:1420:11] GPL SNMP trap tcp [Classification: Attempted Information Leak] [Priority: 2] {TCP} 4.79.142.206:40318 -> my.wan.ip:162
May 10 01:27:21 node1 snort[30231]: [1:1418:11] GPL SNMP request tcp [Classification: Attempted Information Leak] [Priority: 2] {TCP} 4.79.142.206:40318 -> my.wan.ip:161
May 10 01:27:21 node1 snort[30231]: [1:1420:11] GPL SNMP trap tcp [Classification: Attempted Information Leak] [Priority: 2] {TCP} 4.79.142.206:40318 -> my.wan.ip:162
There's the log.

If you look in /etc/snort.d/rules/scan.rules you'll notice that only a few scanner signatures are actually detected in this way... I can't recall what rule the GRC scan used to trigger in 5.2; something to do with port 0 if I recall...
Are you using nmap from within your own LAN, or externally? The former will not trigger anything as Snort listens to the external interfaces.
If you want better portscan detection - rather than just rules have a look at /etc/snort.conf and
# Portscan detection. For more information, see README.sfportscan
# preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
Snort docs are here
less /usr/share/doc/snort-2.9.0.4/README.sfportscan
I see snort seeing the issue
May 10 00:16:32 node1 snort[19590]: [1:1390:5] GPL SHELLCODE x86 inc ebx NOOP [Classification: Executable Code was Detected] [Priority: 1] {UDP} my.test.ip:37374 -> my.wan.ip:43699
May 10 00:16:32 node1 snort[19590]: [1:1390:5] GPL SHELLCODE x86 inc ebx NOOP [Classification: Executable Code was Detected] [Priority: 1] {UDP} my.test.ip:37374 -> my.wan.ip:43699
May 10 00:17:47 node1 snort[19590]: [1:1390:5] GPL SHELLCODE x86 inc ebx NOOP [Classification: Executable Code was Detected] [Priority: 1] {UDP} my.test.ip:40620 -> my.wan.ip:43642
May 10 00:17:47 node1 snort[19590]: [1:1390:5] GPL SHELLCODE x86 inc ebx NOOP [Classification: Executable Code was Detected] [Priority: 1] {UDP} my.test.ip:40620 -> my.wan.ip:43642
May 10 00:17:47 node1 snort[19590]: [1:1390:5] GPL SHELLCODE x86 inc ebx NOOP [Classification: Executable Code was Detected] [Priority: 1] {UDP} my.test.ip:40620 -> my.wan.ip:43642
May 10 00:17:48 node1 snort[19590]: [1:1390:5] GPL SHELLCODE x86 inc ebx NOOP [Classification: Executable Code was Detected] [Priority: 1] {UDP} my.test.ip:40620 -> my.wan.ip:43642
May 10 00:17:49 node1 snort[19590]: [1:1390:5] GPL SHELLCODE x86 inc ebx NOOP [Classification: Executable Code was Detected] [Priority: 1] {UDP} my.test.ip:40620 -> my.wan.ip:37069
May 10 00:17:49 node1 snort[19590]: [1:1390:5] GPL SHELLCODE x86 inc ebx NOOP [Classification: Executable Code was Detected] [Priority: 1] {UDP} my.test.ip:40620 -> my.wan.ip:37069
May 10 00:17:49 node1 snort[19590]: [1:1390:5] GPL SHELLCODE x86 inc ebx NOOP [Classification: Executable Code was Detected] [Priority: 1] {UDP} my.test.ip:40620 -> my.wan.ip:37069
May 10 00:17:49 node1 snort[19590]: [1:1390:5] GPL SHELLCODE x86 inc ebx NOOP [Classification: Executable Code was Detected] [Priority: 1] {UDP} my.test.ip:40620 -> my.wan.ip:37069
Though this was a port scan with NMAP
GRC's Shields Up scan is not blocked like it was on 5.x either.
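The syslog lines posted in this thread are what Snort writes to /var/log/secure when a rule fires, and the open question is why nothing follows them. As an added example (not from this thread, not ClearOS or SnortSam code), the Python script below parses lines in that format, groups alerts by source address, and cross-references each alert's sid against a sid-block.map so you can see which sources would have been handed to SnortSam had the map been in place. The log lines and the map embedded in it are constructed (documentation-range addresses, modelled on the lines above); it assumes the syslog alert layout shown in the thread, IPv4 addresses, and that sid-block.map is keyed on sid alone.

```python
"""Triage Snort syslog alerts against a sid-block.map.

Added example for this thread, not ClearOS or SnortSam code. Assumes the
/var/log/secure alert format seen in the thread, IPv4 endpoints, and a
sid-block.map keyed on sid alone (gid is parsed and kept for filtering).
"""
import re
from typing import Dict, Optional

# Constructed log lines modelled on the thread's, with documentation-range IPs.
SAMPLE_LOG = """\
May 10 01:27:19 node1 snort[30231]: [1:1418:11] GPL SNMP request tcp [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:40318 -> 203.0.113.10:161
May 10 01:27:19 node1 snort[30231]: [1:1420:11] GPL SNMP trap tcp [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:40318 -> 203.0.113.10:162
May 10 01:27:20 node1 snort[30231]: [1:1418:11] GPL SNMP request tcp [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:40318 -> 203.0.113.10:161
May 10 23:45:12 node1 snort[9350]: [122:5:1] PSNG_TCP_FILTERED_PORTSCAN [Classification: Attempted Information Leak] [Priority: 2] {PROTO:255} 198.51.100.7 -> 203.0.113.10
May 10 00:16:32 node1 snort[19590]: [1:1390:5] GPL SHELLCODE x86 inc ebx NOOP [Classification: Executable Code was Detected] [Priority: 1] {UDP} 192.0.2.55:37374 -> 203.0.113.10:43699
May 10 00:16:33 node1 sshd[2001]: Accepted publickey for admin from 192.0.2.9 port 50022 ssh2
"""

# Constructed map: only these two sids carry a block.
SAMPLE_MAP = """\
# sid: who[how], time
1418: src, 5 min
1390: src[in], 0
"""

ALERT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) snort\[(?P<pid>\d+)\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"\[Classification: (?P<cls>[^\]]+)\] \[Priority: (?P<pri>\d+)\] "
    r"\{(?P<proto>[^}]+)\} (?P<src>\S+) -> (?P<dst>\S+)$"
)


def split_endpoint(ep: str):
    """'1.2.3.4:161' -> ('1.2.3.4', 161); portscan alerts carry no port."""
    ip, sep, port = ep.rpartition(":")
    return (ip, int(port)) if sep and port.isdigit() else (ep, None)


def parse_alert(line: str) -> Optional[dict]:
    """Parse one syslog line; None for anything that is not a Snort alert."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    a = m.groupdict()
    for k in ("pid", "gid", "sid", "rev", "pri"):
        a[k] = int(a[k])
    a["src_ip"], a["src_port"] = split_endpoint(a.pop("src"))
    a["dst_ip"], a["dst_port"] = split_endpoint(a.pop("dst"))
    return a


def load_sid_block_map(text: str) -> Dict[int, str]:
    """Read 'sid: action' lines, ignoring comments and blanks."""
    blocks: Dict[int, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        sid, sep, action = line.partition(":")
        if sep and sid.strip().isdigit():
            blocks[int(sid)] = action.strip()
    return blocks


def triage(log_text: str, map_text: str) -> Dict[str, dict]:
    """Per source IP: alert count, sids seen, distinct destination ports, and
    which alerts would have triggered a SnortSam block under the given map."""
    blocks = load_sid_block_map(map_text)
    report: Dict[str, dict] = {}
    for line in log_text.splitlines():
        a = parse_alert(line)
        if a is None:
            continue
        e = report.setdefault(a["src_ip"], {"alerts": 0, "sids": set(),
                                            "dst_ports": set(), "would_block": set()})
        e["alerts"] += 1
        e["sids"].add(a["sid"])
        if a["dst_port"] is not None:
            e["dst_ports"].add(a["dst_port"])
        # Keyed on sid alone, as the map is; a preprocessor alert (gid != 1)
        # reusing a low sid can be told apart by a["gid"] if that matters.
        if a["sid"] in blocks:
            e["would_block"].add(f"{a['sid']}: {blocks[a['sid']]}")
    return report


if __name__ == "__main__":
    for src, e in triage(SAMPLE_LOG, SAMPLE_MAP).items():
        verdict = "BLOCK " + ", ".join(sorted(e["would_block"])) if e["would_block"] else "log only"
        print(f"{src}: {e['alerts']} alerts, sids {sorted(e['sids'])}, "
              f"ports {sorted(e['dst_ports'])} -> {verdict}")
```

Point it at a real /var/log/secure and your own sid-block.map by replacing the two embedded strings with file contents. A source that shows up with many distinct destination ports but an empty `would_block` set is exactly the situation described in this thread: Snort saw the scan, but no rule it matched carries a block.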
Hi Robert, to test successfully you need to use the 'service snort restart' and 'service snortsam restart' commands to manage the services... If you start it from the command line directly it will not bind to the correct WAN interface and will subsequently be listening inside the firewall with no alerts.
P.S. all snort warnings are logged in /var/log/secure... the bad ones are automatically blocked via snortsam, and displayed in the webconfig.

Ticking web-client exploits causes a fatal error:
May 9 23:55:03 node1 snort[18806]: FATAL ERROR: /etc/snort.d/rules/gpl/web-client.rules(118) ***PortVar Lookup failed on '$FILE_DATA_PORTS'.
Adding
portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]
somewhere in /etc/snort.conf fixes this, though I still do not see anything getting blocked.

I just thought I would confirm regarding the launching issue, and sure enough, as soon as I was killing snort, clearsync (or whatever I saw it referred to as earlier) kicked in and relaunched it.
SnortSam, v 2.69.
Copyright (c) 2001-2009 Frank Knobbe <frank@knobbe.us>. All rights reserved.
Plugin 'fwsam': v 2.5, by Frank Knobbe
Plugin 'fwexec': v 2.7, by Frank Knobbe
Plugin 'pix': v 2.9, by Frank Knobbe
Plugin 'ciscoacl': v 2.12, by Ali Basel <alib@sabanciuniv.edu>
Plugin 'cisconullroute': v 2.5, by Frank Knobbe
Plugin 'cisconullroute2': v 2.2, by Wouter de Jong <maddog2k@maddog2k.net>
Plugin 'netscreen': v 2.10, by Frank Knobbe
Plugin 'ipchains': v 2.8, by Hector A. Paterno <apaterno@dsnsecurity.com>
Plugin 'iptables': v 2.9, by Fabrizio Tivano <fabrizio@sad.it>, Luis Marichal <luismarichal@gmail.com>
Plugin 'ebtables': v 2.4, by Bruno Scatolin <ipsystems@uol.com.br>
Plugin 'watchguard': v 2.7, by Thomas Maier <thomas.maier@arcos.de>
Plugin 'email': v 2.12, by Frank Knobbe
Plugin 'email-blocks-only': v 2.12, by Frank Knobbe
Plugin 'snmpinterfacedown': v 2.3, by Ali BASEL <ali@basel.name.tr>
Plugin 'forward': v 2.8, by Frank Knobbe
Parsing config file /etc/snortsam.conf...
Linking plugin 'iptables'...
Parsing config file /etc/snortsam.d/whitelist.conf...
Parsing config file /etc/snortsam.d/dns-whitelist.conf...
Error: [/etc/snortsam.conf: 51] Config file '/etc/snortsam.d/clearcenter-whitelist.conf' not found or inaccessible!
Error: [/etc/snortsam.conf: 52] Config file '/etc/snortsam.d/webconfig-whitelist.conf' not found or inaccessible!
Error: [/etc/snortsam.conf: 53] Config file '/etc/snort/system-autowhitelist.conf' not found or inaccessible!
Checking for existing state file "/var/db/snortsam.state".
Found. Reading state file.
Starting to listen for Snort alerts.
So, back to the first issue: how can I get this to work correctly?
EDIT:-
Before it's mentioned, yes it's enabled as far as I'm aware: "scan Network scan detection 17 TICK"