jvinson

Snort behaviour when -p promiscuous mode is disabled

9 posts in this topic

Hello WinIDS community - again,

Went through the "Installing a slave client logging events to a remote MySQL Database" tutorial. My remote WinIDS is running on Server 2008 R2 and I have verified connectivity to the Ubuntu server MySQL running 5.7.16 listening on port 3306. My hope is to use the Snorby frontend running on Ubuntu 16.04 to read the MySQL database after Barnyard2 dumps the pcaps from snort into the DB.

This is a change from the previous issues I was having getting the WinIDS / snort install working. As a general FYI, I have validated that the referenced tutorial has been completed with the necessary modifications to my environment - i.e. Linux database / Snorby instead of Windows MySQL / BASE. The Snort and Barnyard2 applications are configured to run as services from startup per instructions, and Barnyard2 is able to communicate with the MySQL database Snorby on the Ubuntu server. The Snorby front end is also functional from the perspective that one can log in to the website and browse the settings and menu options.

Issue: I'm running this configuration in a set of Amazon AWS EC2 instances. AWS does not allow networks connecting EC2 instances to run packet sniffing functions - i.e. promiscuous mode NIDS type of functions - to this end I'm ok if I can just capture traffic going to/from the box where snort is installed and pass that data via barnyard to the mysql db. 

** First configuration - Snort cmd - this was before running with -p to disable promiscuous mode

c:\IDS\Snort\bin\snort -c c:\IDS\Snort\etc\snort.conf -l c:\IDS\Snort\log -i1

result - snort was listening but nothing was being dumped to the log files - merged.log-[timestamp] = 0 kb

Barnyard2 is not reading or getting any of this data and is not sending the data to mysql db

** 2nd configuration - Snort cmd - this was first attempt to disable promiscuous mode

c:\IDS\Snort\bin\snort -dev -b -l c:\IDS\Snort\log -i 1 -E -U -p -c c:\IDS\Snort\etc\snort.conf

result - snort was listening but little was being dumped to the log files - merged.log-[timestamp] = 1 kb. The CMD window screen goes crazy because there is lots of network traffic data being posted to stdout, and the Windows instance becomes slow to respond to anything other than the snort window. Barnyard was tracking the merged.log file but no data was transferred.

Test rules were inserted in local.rules file:

alert icmp any any -> any any (msg:"ICMP Testing Rule"; sid:1000001; rev:1;)

alert tcp any any -> any 80 (msg:"TCP Testing Rule"; sid:1000002; rev:1;)

alert udp any any -> any any (msg:"UDP Testing Rule"; sid:1000003; rev:1;)

I added Google's IP address to the black_list.rules file.

Barnyard2 seemed more responsive - its stdout was tracking the merged.log file, but it was not reading or getting any of this data and was not sending the data to the MySQL DB.

** 3rd configuration - Snort cmd - this was 2nd attempt to disable promiscuous mode

c:\IDS\Snort\bin\snort -dev -b -l c:\IDS\Snort\log -i 1 -E -U -p

note: removed '-c c:\IDS\Snort\etc\snort.conf' from CMD line

result - snort was listening and the log files began growing fast - merged.log-[timestamp] = 3,072 kb. The CMD window screen is not posting network traffic data; a warning is posted to stdout: "No preprocessors configured for policy 0". The Windows instance is not slow to respond at this time. barnyard2 was not able to find or create a new barnyard2.waldo file (I deleted all files in the directory before running the 3rd configuration). Another error from stdout: "(snort_decoder) WARNING: IP dgm len < IP Hdr len"

Test rules were inserted in local.rules file:

alert icmp any any -> any any (msg:"ICMP Testing Rule"; sid:1000001; rev:1;)

alert tcp any any -> any 80 (msg:"TCP Testing Rule"; sid:1000002; rev:1;)

alert udp any any -> any any (msg:"UDP Testing Rule"; sid:1000003; rev:1;)

I added Google's IP address to the black_list.rules file.

Barnyard2 is not reading or getting any of this data and is not sending the data to the MySQL DB.

At this point I don't know what to expect from the application based on the limitations I have in this environment. I'm not sure if I should change the CMD switches I have set or if my logs are even being output to unified2 (due to the exclusion of the conf file I'm not sure). The current merged.log opened in Notepad++ reads NUL about a gazillion times and a bunch of non-standard characters.

Thoughts and input are welcome and greatly appreciated.

Thanks,

JVinson


Update: Clearly I need to learn more about snort. I now understand the differences between tcpdump / packet logger / NIDS modes. Making more sense from what I posted above.

The CMD: c:\IDS\Snort\bin\snort -c c:\IDS\Snort\etc\snort.conf -l c:\IDS\Snort\log -i1 is used for IDS mode

The CMD: c:\IDS\Snort\bin\snort -dev -b -l c:\IDS\Snort\log -i 1 -E -U -p -c c:\IDS\Snort\etc\snort.conf is used for IDS mode w/ promiscuous disabled

The CMD: c:\IDS\Snort\bin\snort -dev -b -l c:\IDS\Snort\log -i 1 -E -U -p is used for packet logger mode w/ promiscuous disabled

OK - Now I'm changing it up a bit. Currently I have the services disabled and I'm running everything from an elevated CMD window manually.

#1

I'm running this CMD: c:\IDS\Snort\bin\snort -l c:\IDS\Snort\log -b -i 1 -E -U -p 

Snort generates a snort.log.[timestamp] file that grows - based on network traffic w/ source/destination of the snort server - this is packet logger mode

I'm not sure of the output here; I think it should be in binary and Barnyard2 should be able to send it to the MySQL database server - correct? That's not happening.

my barnyard2 CMD: c:\ids\barnyard2\barnyard2.exe -c c:\ids\barnyard2\etc\barnyard2.conf -d c:\ids\snort\log -f snort.log -l c:\ids\barnyard2 -w c:\ids\snort\log\barnyard.waldo

Barnyard2 creates a new barnyard.waldo file which grows to 3 kb while the snort.log.[timestamp] file continues to grow. Wait for an hour - no change.

#2

I'm running this CMD: C:\IDS\Snort\bin\snort -b -A fast -c c:\IDS\Snort\etc\snort.conf -i1 -p -U -E

Snort generates a snort.log.[timestamp] file that does not grow beyond 1 kb; this is NIDS mode and therefore only logs traffic based on specific rules.

Snort generates an alert.ids file that does not grow beyond 0 kb.

Now running the same CMD in barnyard2 - c:\ids\barnyard2\barnyard2.exe -c c:\ids\barnyard2\etc\barnyard2.conf -d c:\ids\snort\log -f snort.log -l c:\ids\barnyard2 -w c:\ids\snort\log\barnyard.waldo

Barnyard2 creates a new barnyard.waldo file which grows to 3 kb while the snort.log.[timestamp] file continues to grow. Wait for an hour - no change.

I've been using the -E option to log events to the Windows Event Viewer, so I thought I'd check that out:

I found this error from earlier today; not sure how to correlate the error to what I was doing, but here it is: "OpenAlertFile() => fopen() alert file log/alert.ids: No such file or directory"

I think the path to the log file is hard-coded somehow to be used in a Linux/Unix environment, not Windows. For Windows should this not be "....log\alert.ids:..."? The text "log/alert.ids" does not appear in the snort.conf file. I don't know if it's a big deal or not.

Along these lines I also went into the .etc\snort.conf file and changed the site-specific rules section lines from "include $RULE_PATH/local.rules" to "include $RULE_PATH\local.rules", going from forward slash to back slash on 117 lines. I have not seen any changes to the application based on this change.

Finally - this is interesting - I ran through the steps to apply the test.rules file from "How manually to trigger TCP, IP, UDP, and icmp for event testing" and there was no change in the behavior of the snort logs or the barnyard2 response.

Any help is welcomed at this time.

Thanks,

JVinson


Update: There is something wrong with the configuration or I have to start completely over - I just wanted to verify that I can get snort to create a unified2 log file.

All my previous commands run a log option via the command line, which takes priority over the snort.conf. Apparently the install I have does not generate unified2 log files.

I triple-checked the snort.conf file and verified the line for output is:

output unified2: filename merged.u2, limit 128

I run CMD: c:\IDS\Snort\bin\snort -c c:\IDS\Snort\etc\snort.conf -i 1 -T

Output:

pcap DAQ configured to passive.
The DAQ version does not support reload.
Acquiring network traffic from "\Device\NPF_{58FEDF05-4BD0-466D-A69E-95CE016393D6}".
ERROR: C:\Documents and Settings\Snort\Desktop\snort\src\output-plugins\spo_unified2.c(323) Could not open log/merged.u2.1483030761: No such file or directory
Fatal Error, Quitting..

Is this a bug-fix issue, or have I gone completely wrong somewhere?

The ERROR line above suggests there should be a Windows user profile named 'Snort'; that is not the case. I also note the forward slash in the "...log/merged.u2.1483030761:..." path.

This does not explain why the other error is happening - the test.rules file is completely ignored - no alerts or logs have been generated.


How can I be sure that the following command will use Unified2 output?

c:\IDS\Snort\bin\snort -c c:\IDS\Snort\etc\snort.conf -i 1 -T -l c:\IDS\Snort\log

I suspect that it will run using a default output as if I were to use the -A fast switch.

I'll try it and let you know - I have gotten some strange results from copy / paste into the cmd window - maybe if I type it manually it will function better.


This line only tests the configuration file: c:\IDS\Snort\bin\snort -c c:\IDS\Snort\etc\snort.conf -i1 -l c:\IDS\Snort\log -T


Yes, correct, it is only a test. The fatal error is what concerns me.

ERROR: C:\Documents and Settings\Snort\Desktop\snort\src\output-plugins\spo_unified2.c(323) Could not open log/merged.log.1483030761: No such file or directory

I just did a separate install following your tutorial to the letter. I ran the cmd:

c:\IDS\Snort\bin\snort -c c:\IDS\Snort\etc\snort.conf -i 1 -l c:\IDS\Snort\log

This has created a merged.log.[timestamp] file in the .\Snort\log directory. My concern is that the data in this log file is not in unified2 format because of the error that is produced when I do not specify the log file path in the cmd window.

Now that I have this merged.log.[timestamp] file barnyard should respond to it and dump the log data in the mysql database? Typically this has not happened for me. I'm guessing this is due to not having a unified2 file format....? Just to be clear I do want log data in the mysql database and not just alert data. Is this expectation correct or should I just assume the only data Barnyard2 sends to mysql is alert data?

many thanks,

Jvinson
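The recurring question in this thread (first with the merged.log that "reads NUL about a gazillion times", and again here with the merged.log.[timestamp] that may or may not be unified2) can be settled by reading the file's record headers instead of opening it in Notepad++. The following Python checker is an added example from the editor; it is not code from the thread, from WinIDS or from the Snort project. It relies on the Snort unified2 on-disk layout (each record is a big-endian 4-byte type and 4-byte body length, type 7 is a 52-byte IPv4 IDS event, type 2 is a 28-byte packet header followed by the packet bytes), and all sample data in it is constructed in the script rather than taken from the poster's files. A file of NUL bytes fails on the very first header, which is the case Barnyard2 can never do anything with.

```python
"""Check whether a Snort log file is really unified2 and summarise its records."""
import ipaddress
import struct

# Unified2 record types, as defined by Snort's unified2 output format.
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
UNIFIED2_IDS_EVENT_IPV6 = 72
UNIFIED2_IDS_EVENT_V2 = 104
UNIFIED2_IDS_EVENT_IPV6_V2 = 105
UNIFIED2_EXTRA_DATA = 110
KNOWN_TYPES = {UNIFIED2_PACKET, UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_IPV6,
               UNIFIED2_IDS_EVENT_V2, UNIFIED2_IDS_EVENT_IPV6_V2, UNIFIED2_EXTRA_DATA}
EVENT_TYPES = {UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_IPV6,
               UNIFIED2_IDS_EVENT_V2, UNIFIED2_IDS_EVENT_IPV6_V2}

# Every record starts with a big-endian (type, length) header; length counts the body only.
RECORD_HEADER = struct.Struct(">II")
# Unified2_IDSEvent (type 7) body: 11 x uint32, 2 x uint16, 4 x uint8 = 52 bytes.
IDS_EVENT = struct.Struct(">11IHH4B")
# Unified2Packet (type 2) fixed header: 7 x uint32 = 28 bytes, then packet_length bytes.
PACKET_HEADER = struct.Struct(">7I")


def iter_records(data):
    """Yield (type, body) per well-formed record; raise ValueError at the first bad one."""
    offset = 0
    while offset < len(data):
        if len(data) - offset < RECORD_HEADER.size:
            raise ValueError("truncated record header at offset %d" % offset)
        rtype, length = RECORD_HEADER.unpack_from(data, offset)
        if rtype not in KNOWN_TYPES:
            raise ValueError("unknown record type %d at offset %d (not unified2?)" % (rtype, offset))
        start = offset + RECORD_HEADER.size
        if start + length > len(data):
            raise ValueError("record body at offset %d runs past end of file" % offset)
        yield rtype, data[start:start + length]
        offset = start + length


def parse_ids_event(body):
    """Decode a type-7 IPv4 event body into a dict of its fields."""
    (sensor_id, event_id, event_second, event_usec, sid, gid, rev, class_id, priority,
     src, dst, sport, dport, proto, impact_flag, impact, blocked) = IDS_EVENT.unpack(body[:IDS_EVENT.size])
    return {"event_id": event_id, "event_second": event_second, "signature_id": sid,
            "generator_id": gid, "signature_revision": rev,
            "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "sport_itype": sport, "dport_icode": dport, "protocol": proto, "blocked": blocked}


def inspect_unified2(data):
    """Return {'valid', 'records', 'events', 'packets', 'reason'} for a file's bytes."""
    summary = {"valid": True, "records": 0, "events": 0, "packets": 0, "reason": ""}
    if not data:
        return dict(summary, valid=False, reason="empty file")
    try:
        for rtype, _body in iter_records(data):
            summary["records"] += 1
            if rtype in EVENT_TYPES:
                summary["events"] += 1
            elif rtype == UNIFIED2_PACKET:
                summary["packets"] += 1
    except ValueError as exc:
        summary["valid"], summary["reason"] = False, str(exc)
    return summary


def events_in(data):
    """All decoded IPv4 IDS events in the file (raises on a malformed file)."""
    return [parse_ids_event(body) for rtype, body in iter_records(data) if rtype == UNIFIED2_IDS_EVENT]


# --- constructed sample data (not captured from the poster's sensor) ---
def build_event_record(sid, gid, src, dst, sport, dport, proto, event_id=1, second=1483030761):
    body = IDS_EVENT.pack(0, event_id, second, 0, sid, gid, 1, 0, 3,
                          int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst)),
                          sport, dport, proto, 0, 0, 0)
    return RECORD_HEADER.pack(UNIFIED2_IDS_EVENT, len(body)) + body


def build_packet_record(packet, event_id=1, second=1483030761, linktype=1):
    body = PACKET_HEADER.pack(0, event_id, second, second, 0, linktype, len(packet)) + packet
    return RECORD_HEADER.pack(UNIFIED2_PACKET, len(body)) + body


# One ICMP event for the thread's sid 1000001 test rule, plus its (dummy) packet record.
SAMPLE_U2 = (build_event_record(1000001, 1, "10.0.0.5", "10.0.0.9", 8, 0, 1)
             + build_packet_record(b"\x00" * 14 + b"\x45" + b"\x00" * 27))
# What a "merged.log" full of NUL bytes looks like: it is not unified2 at all.
NUL_FILE = b"\x00" * 64

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_U2
    print(inspect_unified2(data))
    if inspect_unified2(data)["valid"]:
        for event in events_in(data):
            print(event)
```

Run it as `python u2check.py c:\IDS\Snort\log\merged.log.1483030761` (path is illustrative); a valid file reports a nonzero record count and, if any rule fired, the sid and addresses of each event, which is what Barnyard2 would forward to MySQL.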


Resolved Issue - 

The following CMD is working in the AWS EC2 instance:

c:\IDS\Snort\bin\snort -c c:\IDS\Snort\etc\snort.conf -i1 -l c:\IDS\Snort\log -p -k none

The article where I found this information can be found here.

As a result, the rest of the stack from Barnyard to snorby are working as expected.
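The resolving change is `-k none`, which turns off Snort's checksum verification, and the reason it matters on EC2 is worth making concrete. By default Snort verifies IP/TCP/UDP/ICMP checksums during decode and does not pass packets with bad checksums to detection; on a virtualized NIC with checksum offload the guest hands packets to the capture driver before the checksum field is filled in, so every packet the sensor sends looks corrupt and nothing ever reaches the rules. The following Python model is an added example from the editor, not code from the thread or from Snort: it computes and verifies the IPv4 header checksum on a constructed header and applies the `-k` mode policy (`all`, `noip`, `notcp`, `noudp`, `noicmp`, `none`) at the IP layer to show which packets detection would see.

```python
"""Model Snort's -k checksum modes: why -k none makes EC2 traffic visible to detection."""
import struct


def ones_complement_sum(data):
    """16-bit one's-complement sum with end-around carry (IP/TCP/UDP/ICMP checksum arithmetic)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(">%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ip_checksum(header):
    """Correct header checksum for an IPv4 header whose checksum field is zeroed."""
    return (~ones_complement_sum(header)) & 0xFFFF


def ip_checksum_ok(header):
    """A header verifies when summing every word, checksum included, yields 0xFFFF."""
    return ones_complement_sum(header) == 0xFFFF


def build_ipv4_header(src, dst, proto, total_len, ident, checksum):
    """20-byte IPv4 header without options; src/dst are dotted-quad strings."""
    def to_bytes(ip):
        return bytes(int(octet) for octet in ip.split("."))
    return struct.pack(">BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0x4000, 64, proto,
                       checksum, to_bytes(src), to_bytes(dst))


def decode_decision(header, mode):
    """Apply the -k policy at the IP layer: 'noip' and 'none' skip IP checksum checks.
    Returns 'inspect' if detection would see the packet, 'skip' if it is dropped as bad-checksum."""
    if mode not in ("all", "noip", "notcp", "noudp", "noicmp", "none"):
        raise ValueError("unknown -k mode: %s" % mode)
    verify_ip = mode not in ("noip", "none")
    if verify_ip and not ip_checksum_ok(header):
        return "skip"
    return "inspect"


# Constructed sample: the IPv4 header of an ICMP echo as the sensor would capture it (made-up values).
_zeroed = build_ipv4_header("10.0.0.5", "10.0.0.9", 1, 84, 0x1C46, 0)
CORRECT_CHECKSUM = ip_checksum(_zeroed)
GOOD_HEADER = build_ipv4_header("10.0.0.5", "10.0.0.9", 1, 84, 0x1C46, CORRECT_CHECKSUM)
# With checksum offload the captured copy still carries 0 in the checksum field, so it fails to verify.
OFFLOADED_HEADER = _zeroed

if __name__ == "__main__":
    for name, hdr in (("good", GOOD_HEADER), ("offloaded", OFFLOADED_HEADER)):
        for mode in ("all", "noip", "none"):
            print("%-9s -k %-4s -> %s" % (name, mode, decode_decision(hdr, mode)))
```

With `-k all` (the default) the offloaded header is skipped and only the good one is inspected; with `-k none` both are inspected, which is the behaviour the resolved command line relies on. The trade-off is that genuinely corrupt packets are then inspected too, so `-k none` belongs on hosts where offload is the known cause, not as a blanket setting.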


I'm not familiar with AWS. So to make things clearer you are running a Windows slave client sending Barnyard2 data to a MySQL database located on an Amazon EC2 instance. Then you'll have a remote Ubuntu workstation running Snorby and reading the MySQL database from the Amazon EC2 instance.

This might be worth writing something up to help others that might be doing what you did.
