michael_b

ARPspoof preprocessor events not logged to database


Hello,

My Snort is up & running and loads of events are being logged. After yielding out some false positives, I wanted to test the arpspoof preprocessor. 

So I enabled:

preprocessor arpspoof
preprocessor arpspoof_detect_host: 192.168.1.1 58:6d:8f:a0:40:7f
preprocessor arpspoof_detect_host: 192.168.1.3 d4:3d:7e:38:37:4d

And ran an ARP attack using ettercap. The problem is that these events do not show up in my winids (and neither in the mysql database). It seems to be a similar problem to this: http://seclists.org/snort/2012/q1/99

Now, I've checked my barnyard output window, and the ettercap events DO show up there (see screenshot), they are just not stored in my database. My feeling is thus that it is a formatting issue: the arpspoof preprocessor outputs the events in a format which barnyard cannot log to mysql. What I don't know is how I can solve this.

Any ideas?

[Screenshot: ettercap2.PNG]


Can you go to the Snort users list and ask, I'm not sure why it's not logging. They may be getting to the database, but possibly not showing in the security console?

Let us know if you get it figured out.

Working on Pulledpork right now, there is a problem and I'm trying to get it to complete ;(


Hmm, I don't seem to get a reply on the Snort user lists.

I assume it has something to do with the way Barnyard writes the items in MySQL, but since it is not the debug version there's not much to see. The arp spoof preprocessor does not capture IP addresses, so I set the ip_src, ip_dst, ip_proto in the iphdr and comparable items in the tcphdr table to 'nullable', but no success yet.

 


Ok, after debugging BASE I've found the issue. It seems one query in base_cache.inc.php is broken. It looks (among others) for '(spp_%' instead of 'spp_%', which is the correct start of the arpspoof preprocessor signature name. So I changed the part of the query that is created from line 234 in base_cache.inc.php:

  /* Preprocessor events only */
  # The original "(sig_name LIKE '(spp_%')" is too limited. Cf.
  # /usr/local/src/snort-2.8.3.1_unpatched/etc/gen-msg.map
  # /usr/local/src/snort-2.8.3.1_unpatched/src/generators.h
  # Currently I have included all the names that I have found in 
  # these files.
  # Note: Do always add '%' in LIKE-statements. Otherwise the entries
  #       won't match.
  if ( $db->baseGetDBversion() >= 100 ) {
    $schema_specific[3] = " ( " .
                          "(sig_name LIKE '(spp_%') OR " .
                          "(sig_name LIKE '(spo_%') OR " . 
                          "(sig_name LIKE '(snort_decoder)%') OR " .
                          "(sig_name LIKE '(http_decode)%') OR " . 
                          "(sig_name LIKE '(http_inspect)%') OR " . 
                          "(sig_name LIKE '(portscan)%') OR " . 
                          "(sig_name LIKE '(flow-portscan)%') OR " . 
                          "(sig_name LIKE '(frag3)%') OR " . 
                          "(sig_name LIKE '(smtp)%') OR " .
                          "(sig_name LIKE '(ftp_pp)%') OR " . 
                          "(sig_name LIKE '(telnet_pp)%') OR " .
                          "(sig_name LIKE '(ssh)%') OR " .
                          "(sig_name LIKE '(stream5)%') OR " . 
                          "(sig_name LIKE '(dcerpc)%') OR " .
                          "(sig_name LIKE '(dns)%') OR " . 
                          "(sig_name LIKE '(ppm)%') OR " .
                          "(sig_name LIKE 'spp_%') OR " . 
                          "(sig_name LIKE 'spo_%') OR " . 
                          "(sig_name LIKE 'snort_decoder%') OR " .
                          "(sig_name LIKE 'http_decode%') OR " . 
                          "(sig_name LIKE 'http_inspect%') OR " . 
                          "(sig_name LIKE 'portscan%') OR " . 
                          "(sig_name LIKE 'flow-portscan%') OR " . 
                          "(sig_name LIKE 'frag3%') OR " . 
                          "(sig_name LIKE 'smtp%') OR " .
                          "(sig_name LIKE 'ftp_pp%') OR " . 
                          "(sig_name LIKE 'telnet_pp%') OR " .
                          "(sig_name LIKE 'ssh%') OR " .
                          "(sig_name LIKE 'stream5%') OR " . 
                          "(sig_name LIKE 'dcerpc%') OR " .
                          "(sig_name LIKE 'dns%') OR " . 
                          "(sig_name LIKE 'ppm%') " .
                          " ) ";

To not break existing functionality, I have just added all variables without brackets.

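To show why the patched query matters, here is an added example that is not code from the post or from BASE: it rebuilds the same LIKE filter in Python over an in-memory SQLite table, first with only the original "(name)%" patterns and then with the bare "name%" patterns added, and checks which signature names each version returns. The sample sig_name values are constructed for the demonstration.

```python
import sqlite3

# Preprocessor name prefixes taken from the query in the post. BASE matches
# sig_name with LIKE against each one; the original code only used the
# parenthesised form, the fix adds the bare form as well.
PREFIXES = [
    "spp_", "spo_", "snort_decoder", "http_decode", "http_inspect", "portscan",
    "flow-portscan", "frag3", "smtp", "ftp_pp", "telnet_pp", "ssh", "stream5",
    "dcerpc", "dns", "ppm",
]

# Constructed sample signature names (not taken from a real database).
SAMPLE_SIG_NAMES = [
    "(spp_arpspoof) Unicast ARP request",        # old parenthesised form
    "spp_arpspoof: ARP cache overwrite attack",  # bare form, as the poster saw it
    "(portscan) TCP Portscan",                   # another preprocessor event
    "ET POLICY Suspicious inbound to mySQL port 3306",  # ordinary rule alert
]


def preprocessor_filter(include_bare: bool) -> str:
    """Build the WHERE fragment BASE uses to select preprocessor events.

    With include_bare=False this is the original query ('(spp_%', '(frag3)%', ...);
    with include_bare=True the bare 'spp_%', 'frag3%', ... patterns are appended.
    Note that '_' is itself a single-character wildcard in LIKE, so 'spp_%'
    also matches e.g. 'sppXarpspoof'; harmless here, but worth knowing.
    """
    # spp_/spo_ are followed by the module name, so no closing ')' for them
    patterns = [f"({p}%" if p.endswith("_") else f"({p})%" for p in PREFIXES]
    if include_bare:
        patterns += [f"{p}%" for p in PREFIXES]
    return " ( " + " OR ".join(f"(sig_name LIKE '{p}')" for p in patterns) + " ) "


def matching_sig_names(include_bare: bool) -> list[str]:
    """Run the filter over the constructed rows and return the sig_names it selects."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE signature (sig_name TEXT)")
    con.executemany("INSERT INTO signature VALUES (?)",
                    [(n,) for n in SAMPLE_SIG_NAMES])
    rows = con.execute("SELECT sig_name FROM signature WHERE"
                       + preprocessor_filter(include_bare)).fetchall()
    con.close()
    return [r[0] for r in rows]


if __name__ == "__main__":
    print("original filter :", matching_sig_names(False))
    print("patched filter  :", matching_sig_names(True))
```

With the original filter the bare "spp_arpspoof: ..." row is silently dropped from the preprocessor view even though it is in the table; the patched filter returns it while still excluding the ordinary rule alert.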
