michael_b Posted April 20, 2015 (edited)

Hello,

My Snort is up & running and loads of events are being logged. After yielding out some false positives, I wanted to test the arpspoof preprocessor. So I enabled:

    preprocessor arpspoof
    preprocessor arpspoof_detect_host: 192.168.1.1 58:6d:8f:a0:40:7f
    preprocessor arpspoof_detect_host: 192.168.1.3 d4:3d:7e:38:37:4d

And ran an ARP attack using ettercap. The problem is that these events do not show up in my WinIDS (and neither in the MySQL database). It seems to be a similar problem to this: http://seclists.org/snort/2012/q1/99

Now, I've checked my Barnyard output window, and the ettercap events DO show up there (see screenshot), they are just not stored in my database. My feeling is thus that it is a formatting issue: the arpspoof preprocessor outputs the events in a format which Barnyard cannot log to MySQL. What I don't know is how I can solve this. Any ideas?

Edited April 20, 2015 by michael_b
Morpheus Posted April 21, 2015

Can you go to the Snort users list and ask? I'm not sure why it's not logging. They may be getting to the database, but possibly not showing in the security console? Let us know if you get it figured out. Working on Pulledpork right now, there is a problem and I'm trying to get it to complete ;(
michael_b Posted April 24, 2015 (Author, edited)

Hmm, I don't seem to get a reply on the Snort user lists. I assume it has something to do with the way Barnyard writes the items in MySQL, but since it is not the debug version there's not much to see. The arpspoof preprocessor does not capture IP addresses, so I set the ip_src, ip_dst, ip_proto in the iphdr and comparable items in the tcphdr table to 'nullable', but no success yet.

Edited April 24, 2015 by michael_b
michael_b Posted April 25, 2015 (Author)

Ok, after debugging BASE I've found the issue. It seems one query in base_cache.inc.php is broken. It looks (among others) for '(spp_%' instead of 'spp_%', which is the correct start of the arpspoof preprocessor signature name. So I changed the part of the query that is created from line 234 in base_cache.inc.php:

    /* Preprocessor events only */
    # The original "(sig_name LIKE '(spp_%')" is too limited. Cf.
    #   /usr/local/src/snort-2.8.3.1_unpatched/etc/gen-msg.map
    #   /usr/local/src/snort-2.8.3.1_unpatched/src/generators.h
    # Currently I have included all the names that I have found in
    # these files.
    # Note: Do always add '%' in LIKE-statements. Otherwise the entries
    # won't match.
    if ( $db->baseGetDBversion() >= 100 )
    {
        $schema_specific[3] = " ( " .
            # Original bracketed forms, e.g. "(spp_frag3) ..."
            "(sig_name LIKE '(spp_%') OR " .
            "(sig_name LIKE '(spo_%') OR " .
            "(sig_name LIKE '(snort_decoder)%') OR " .
            "(sig_name LIKE '(http_decode)%') OR " .
            "(sig_name LIKE '(http_inspect)%') OR " .
            "(sig_name LIKE '(portscan)%') OR " .
            "(sig_name LIKE '(flow-portscan)%') OR " .
            "(sig_name LIKE '(frag3)%') OR " .
            "(sig_name LIKE '(smtp)%') OR " .
            "(sig_name LIKE '(ftp_pp)%') OR " .
            "(sig_name LIKE '(telnet_pp)%') OR " .
            "(sig_name LIKE '(ssh)%') OR " .
            "(sig_name LIKE '(stream5)%') OR " .
            "(sig_name LIKE '(dcerpc)%') OR " .
            "(sig_name LIKE '(dns)%') OR " .
            "(sig_name LIKE '(ppm)%') OR " .
            # Added: the same names without the leading bracket,
            # e.g. "spp_arpspoof: ..."
            "(sig_name LIKE 'spp_%') OR " .
            "(sig_name LIKE 'spo_%') OR " .
            "(sig_name LIKE 'snort_decoder%') OR " .
            "(sig_name LIKE 'http_decode%') OR " .
            "(sig_name LIKE 'http_inspect%') OR " .
            "(sig_name LIKE 'portscan%') OR " .
            "(sig_name LIKE 'flow-portscan%') OR " .
            "(sig_name LIKE 'frag3%') OR " .
            "(sig_name LIKE 'smtp%') OR " .
            "(sig_name LIKE 'ftp_pp%') OR " .
            "(sig_name LIKE 'telnet_pp%') OR " .
            "(sig_name LIKE 'ssh%') OR " .
            "(sig_name LIKE 'stream5%') OR " .
            "(sig_name LIKE 'dcerpc%') OR " .
            "(sig_name LIKE 'dns%') OR " .
            "(sig_name LIKE 'ppm%') " .
            " ) ";
    }

To not break existing functionality, I have just added all variables without brackets.
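The LIKE-pattern mismatch described in the post, reproduced as an added example (not code from the thread or from BASE): the helper `preproc_clause` rebuilds the "preprocessor events only" WHERE fragment with and without the bracket-less prefixes, and `preprocessor_events` runs it against an in-memory SQLite table. The sig_name values are constructed, modelled on the post's claim that arpspoof names begin with 'spp_' while other preprocessors use a '(name)' prefix.

```python
import sqlite3

# Constructed sample signature names (not from any real database).
SAMPLE_SIG_NAMES = [
    "spp_arpspoof: Ethernet/ARP Mismatch request for Source",  # bare 'spp_' prefix
    "spp_arpspoof: Attempted ARP cache overwrite attack",
    "(spp_frag3) Fragmentation overlap",                       # bracketed prefix
    "(portscan) TCP Portscan",
    "(http_inspect) OVERSIZE REQUEST-URI DIRECTORY",
    "CONSTRUCTED RULE Example rule-based alert",               # not a preprocessor event
]

# Preprocessor name prefixes, taken from the patched query in the post.
PREFIXES = [
    "spp_", "spo_", "snort_decoder", "http_decode", "http_inspect",
    "portscan", "flow-portscan", "frag3", "smtp", "ftp_pp", "telnet_pp",
    "ssh", "stream5", "dcerpc", "dns", "ppm",
]


def preproc_clause(with_bare_prefixes):
    """Build the WHERE fragment BASE uses to select preprocessor events.

    with_bare_prefixes=False gives the pre-patch form (only '(name%' patterns);
    True appends the bracket-less 'name%' patterns the post adds.
    """
    parts = [f"(sig_name LIKE '({p}%')" for p in PREFIXES]
    if with_bare_prefixes:
        parts += [f"(sig_name LIKE '{p}%')" for p in PREFIXES]
    return "( " + " OR ".join(parts) + " )"


def preprocessor_events(sig_names, with_bare_prefixes):
    """Return the sig_names the clause selects, in insertion order."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT)")
    con.executemany("INSERT INTO signature (sig_name) VALUES (?)",
                    [(n,) for n in sig_names])
    sql = ("SELECT sig_name FROM signature WHERE "
           + preproc_clause(with_bare_prefixes) + " ORDER BY sig_id")
    rows = con.execute(sql).fetchall()
    con.close()
    return [r[0] for r in rows]


if __name__ == "__main__":
    # The arpspoof events are only selected once the bare prefixes are present.
    print("before patch:", preprocessor_events(SAMPLE_SIG_NAMES, False))
    print("after patch: ", preprocessor_events(SAMPLE_SIG_NAMES, True))
```

Note that `_` is itself a single-character wildcard in SQL LIKE, so 'spp_%' also matches names such as 'sppX...'; that is how the original query behaves too.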