[prev in list] [next in list] [prev in thread] [next in thread]
List: snort-users
Subject: [Snort-users] Missing Portscan Records in 2.8
From: frederick sonnichsen <fsonnichsen () whoi ! edu>
Date: 2008-03-31 18:22:24
Message-ID: 47F12BE0.7080104 () whoi ! edu
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
I have recently installed snort 2.8.0.2 and I no longer get very many
portscan alerts when compared to my older version, 2.3.3.
Looking at the older alert files, I see records such as the one below.
These are missing from my 2.8.0.2 output:
alert from 2.3.3 missing from 2.8.0.2:
Mar 31 12:24:19 lyta snort: [122:5:0] (portscan) TCP Filtered
Portscan {PROTO255} 128.128.100.76 -> 71.39.148.246
The preprocessors active in my 2.8.0.2 and 2.3.3 versions are listed
below. The flow-portscan preprocessor in the 2.8 version is omitted in
the sample install file, since stream5 was supposed to replace it.
Can anyone tell me if they have installed 2.8 and if they are still
getting all the portscan records. I find that the new version does not
detect most portscans at this time-
Thanks for any help,
Fritz
================== ACTIVE PREPROCESSORS in 2.8.0.2 INSTALL==================
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies
preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
preprocessor stream5_tcp: policy first, use_static_footprint_sizes
preprocessor http_inspect: global \
preprocessor http_inspect_server: server default \
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor ftp_telnet: global \
preprocessor ftp_telnet_protocol: telnet \
preprocessor ftp_telnet_protocol: ftp server default \
preprocessor ftp_telnet_protocol: ftp client default \
preprocessor smtp: \
preprocessor sfportscan: proto { all } \
preprocessor dcerpc: \
preprocessor dns: \
================== ACTIVE PREPROCESSORS in 2.3.3 INSTALL==================
preprocessor flow: stats_interval 0 hash 2
preprocessor frag2
preprocessor stream4: disable_evasion_alerts detect_scans
preprocessor stream4_reassemble
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80
8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
preprocessor flow-portscan: \
preprocessor sfportscan: proto { all } \
Leon wrote:
> Hi.
>
> You are using a snort.conf from an old version (2.3) of Snort, use the
> one that came with the 2.8 source and you should get on fine.
> I guess that you installed an older version of snort from the
> apt repository.
>
> You will want to remove the old versions and then use the snort.conf,
> and associated stuff from 2.8. You will find them under etc/ in the
> tarball.
>
> -Leon
>
>
>
>
> On 31 Mar 2008, at 14:33, jose wilter frazao wrote:
>
> > Hi,
> > I change parameter frag2 to frag3 in the /etc/snort/snot.conf, but is
> > showing the next message:
> >
> > Tagged Packet Limit: 256
> > /etc/snort/snort.conf(214) unknown dynamic preprocessor "frag3"
> > /etc/snort/snort.conf(360) unknown dynamic preprocessor "telnet_decode"
> > /etc/snort/snort.conf(500) unknown dynamic preprocessor "xlink2state"
> > ERROR: Misconfigured dynamic preprocessor(s)
> > Fatal Error, Quitting..
> >
> >
> > 2008/3/29, Leon <seclists@rm-rf.co.uk <mailto:seclists@rm-rf.co.uk>>:
> >
> > Hi
> >
> > Looks like there are some problems with your snort.conf
> >
> > > Mar 28 09:23:17 wilter-ubuntu snort[24673]:
> > > /etc/snort/snort.conf(214) unknown dynamic preprocessor "frag2"
> >
> >
> > frag2 has been replaced with frag3, You shouldn't have it enabled
> > on line 214 of your snort.conf
> >
> > As for the other errors, post your snort.conf with the full
> > output of a snort -c /etc/snort/snort.conf -T and ill take a look.
> >
> > -Leon
> >
> >
> > On 28 Mar 2008, at 17:45, jose wilter frazao wrote:
> >
> > > Hello,
> > >
> > > I do downloaded of snort from www.snort.com
> > > <http://www.snort.com/> and compiled the Snort with support to
> > > Mysql, and I installed in the Ubuntu 7.04.
> > > When I insert the command "/usr/local/bin/snort -D -c
> > > /etc/snort/snort.conf" for start the daemon of the Snort show
> > > the massage in the "/var/log/syslog":
> > >
> > >
> > >
> > > Mar 28 09:23:17 wilter-ubuntu snort[24673]:
> > > /etc/snort/snort.conf(214) unknown dynamic preprocessor "frag2"
> > > Mar 28 09:23:17 wilter-ubuntu snort[24673]:
> > > /etc/snort/snort.conf(360) unknown dynamic preprocessor
> > > "telnet_decode"
> > > Mar 28 09:23:17 wilter-ubuntu snort[24673]:
> > > /etc/snort/snort.conf(500) unknown dynamic preprocessor
> > > "xlink2state"
> > > Mar 28 09:23:17 wilter-ubuntu snort[24673]: FATAL ERROR:
> > > Misconfigured dynamic preprocessor(s)
> > >
> > >
> > >
> > > What should I do to correct this problem?
> > >
> > >
> > >
> > > -------------------------------------------------------------------------
> > > Check out the new SourceForge.net Marketplace.
> > > It's the best place to buy or sell services for
> > > just about anything Open Source.
> > > http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace_______________________________________________
> > > Snort-users mailing list
> > > Snort-users@lists.sourceforge.net
> > > <mailto:Snort-users@lists.sourceforge.net>
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> >
> >
> > <snort.conf><output-snort>
>
>
> ------------------------------------------------------------------------
>
> -------------------------------------------------------------------------
> Check out the new SourceForge.net Marketplace.
> It's the best place to buy or sell services for
> just about anything Open Source.
> http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
[Attachment #5 (text/html)]
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
I have recently installed snort 2.8.0.2 and I no longer get very many
portscan alerts when compared to my older version, 2.3.3.<br>
Looking at the older alert files, I see records such as the one below.
These are missing from my 2.8.0.2 output:<br>
<br>
alert from 2.3.3 missing from 2.8.0.2:<br>
Mar 31 12:24:19 lyta snort: [122:5:0] (portscan) TCP \
Filtered Portscan {PROTO255} 128.128.100.76 -> 71.39.148.246<br>
<br>
The preprocessors active in my 2.8.0.2 and 2.3.3 versions are listed
below. The flow-portscan preprocessor in the 2.8 version is omitted in
the sample install file, since stream5 was supposed to replace it.<br>
Can anyone tell me if they have installed 2.8 and if they are still
getting all the portscan records. I find that the new version does not
detect most portscans at this time-<br>
<br>
Thanks for any help,<br>
Fritz<br>
<br>
================== ACTIVE PREPROCESSORS in 2.8.0.2
INSTALL==================<br>
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/<br>
preprocessor frag3_global: max_frags 65536<br>
preprocessor frag3_engine: policy first detect_anomalies<br>
preprocessor stream5_global: max_tcp 8192, track_tcp yes, \<br>
preprocessor stream5_tcp: policy first, use_static_footprint_sizes<br>
preprocessor http_inspect: global \<br>
preprocessor http_inspect_server: server default \<br>
preprocessor rpc_decode: 111 32771<br>
preprocessor bo<br>
preprocessor ftp_telnet: global \<br>
preprocessor ftp_telnet_protocol: telnet \<br>
preprocessor ftp_telnet_protocol: ftp server default \<br>
preprocessor ftp_telnet_protocol: ftp client default \<br>
preprocessor smtp: \<br>
preprocessor sfportscan: proto { all } \<br>
preprocessor dcerpc: \<br>
preprocessor dns: \<br>
<br>
<br>
================== ACTIVE PREPROCESSORS in 2.3.3
INSTALL==================<br>
preprocessor flow: stats_interval 0 hash 2<br>
preprocessor frag2<br>
preprocessor stream4: disable_evasion_alerts detect_scans<br>
preprocessor stream4_reassemble<br>
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 <br>
preprocessor http_inspect_server: server default profile all ports { 80
8080 8180 } oversize_dir_length 500<br>
preprocessor rpc_decode: 111 32771<br>
preprocessor bo<br>
preprocessor telnet_decode<br>
preprocessor flow-portscan: \<br>
preprocessor sfportscan: proto { all } \<br>
<br>
<br>
Leon wrote:<br>
<blockquote cite="mid4155F6CD-026C-4DE2-B00F-5CDF8087DA6C@rm-rf.co.uk"
type="cite">Hi.
<div><br>
</div>
<div>You are using a snort.conf from an old version (2.3) of Snort,
use the one that came with the 2.8 source and you should get on fine.
<div>I guess that you installed an older version of snort from the
apt repository.</div>
<div><br>
</div>
<div>You will want to remove the old versions and then use the
snort.conf, and associated stuff from 2.8. You will find them under
etc/ in the tarball.</div>
<div><br>
</div>
<div>-Leon</div>
<div><br>
</div>
<div>
<div> </div>
<div><br>
</div>
<div> <br>
<div>On 31 Mar 2008, at 14:33, jose wilter frazao wrote:<br
class="Apple-interchange-newline">
<blockquote type="cite">Hi,<br>
I change parameter frag2 to frag3 in the /etc/snort/snot.conf, but is
showing the next message:<br>
<br>
Tagged Packet Limit: 256<br>
/etc/snort/snort.conf(214) unknown dynamic preprocessor "frag3"<br>
/etc/snort/snort.conf(360) unknown dynamic preprocessor "telnet_decode"<br>
/etc/snort/snort.conf(500) unknown dynamic preprocessor "xlink2state"<br>
ERROR: Misconfigured dynamic preprocessor(s)<br>
Fatal Error, Quitting..<br>
<br>
<br>
<div><span class="gmail_quote">2008/3/29, Leon <<a
href="mailto:seclists@rm-rf.co.uk">seclists@rm-rf.co.uk</a>>:</span>
<blockquote class="gmail_quote"
style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; \
padding-left: 1ex;"> <div style="">Hi
<div><br>
</div>
<div>Looks like there are some problems with your snort.conf</div>
<span class="q">
<div><br>
</div>
<div>
<blockquote type="cite"><span style="font-family: Arial;">Mar 28
09:23:17 wilter-ubuntu snort[24673]: /etc/snort/snort.conf(214) unknown
dynamic preprocessor "frag2"</span></blockquote>
<br>
</div>
</span>
<div>frag2 has been replaced with frag3, You shouldn't have it
enabled on line 214 of your snort.conf</div>
<div><br>
</div>
<div>As for the other errors, post your snort.conf with the full
output of a snort -c /etc/snort/snort.conf -T and ill take a look.</div>
<div><br>
</div>
<div>-Leon</div>
<div> </div>
<div><br>
</div>
<div>
<div>
<div><span class="e" id="q_118fc631eadefaa2_3">On 28 Mar 2008, at
17:45, jose wilter frazao wrote:<br>
</span></div>
<blockquote type="cite">
<div><span class="e" id="q_118fc631eadefaa2_5">
<div> Hello,</div>
<div> </div>
<div> I do downloaded of snort from <a
href="http://www.snort.com/" target="_blank"
onclick="return top.js.OpenExtLink(window,event,this)">www.snort.com</a>
and compiled the Snort with support to Mysql, and I installed in the
Ubuntu 7.04.<br>
When I insert the command "/usr/local/bin/snort -D -c
/etc/snort/snort.conf" for start the daemon of the Snort show the
massage in the "/var/log/syslog":</div>
<div>
<p
style="margin: 0cm 0cm 0pt; background: white none repeat scroll 0% 50%; \
-moz-background-clip: initial; -moz-background-origin: initial; \
-moz-background-inline-policy: initial;"> <span style="font-family: Arial;" \
lang="EN-US"></span> </p> <div style="margin: 0cm 0cm 0pt; background-color: \
white;"><span style="font-family: Arial;" lang="EN-US">Mar 28 09:23:17 wilter-ubuntu
snort[24673]: /etc/snort/snort.conf(214) unknown dynamic preprocessor
"frag2"</span></div>
<div style="margin: 0cm 0cm 0pt; background-color: white;"><span
style="font-family: Arial;" lang="EN-US">Mar 28 09:23:17 wilter-ubuntu
snort[24673]: /etc/snort/snort.conf(360) unknown dynamic preprocessor
"telnet_decode"</span></div>
<div style="margin: 0cm 0cm 0pt; background-color: white;"><span
style="font-family: Arial;" lang="EN-US">Mar 28 09:23:17 wilter-ubuntu
snort[24673]: /etc/snort/snort.conf(500) unknown dynamic preprocessor
"xlink2state"</span></div>
<div style="margin: 0cm 0cm 0pt; background-color: white;"><span
style="font-family: Arial;" lang="EN-US">Mar 28 09:23:17 wilter-ubuntu
snort[24673]: FATAL ERROR: Misconfigured dynamic preprocessor(s)</span></div>
<p
style="margin: 0cm 0cm 0pt; background: white none repeat scroll 0% 50%; \
-moz-background-clip: initial; -moz-background-origin: initial; \
-moz-background-inline-policy: initial;"> <span style="font-family: Arial;" \
lang="EN-US"></span> </p> <span style="font-family: Arial;" lang="EN-US">
<div dir="ltr">What should I do to correct this problem?</div>
</span>
<p
style="margin: 0cm 0cm 0pt; background: white none repeat scroll 0% 50%; \
-moz-background-clip: initial; -moz-background-origin: initial; \
-moz-background-inline-policy: initial;"> <span style="font-family: Arial;" \
lang="EN-US"></span> </p> </div>
</span></div>
-------------------------------------------------------------------------<br>
Check out the new SourceForge.net Marketplace.<br>
It's the best place to buy or sell services for<br>
just about anything Open Source.<br>
<a
href="http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace_______________________________________________"
target="_blank" onclick="return \
top.js.OpenExtLink(window,event,this)">http://ad.doubleclick.net/clk;164216239;1350303 \
8;w?http://sf.net/marketplace_______________________________________________</a><br> \
Snort-users mailing list<br> <a href="mailto:Snort-users@lists.sourceforge.net"
target="_blank" onclick="return \
top.js.OpenExtLink(window,event,this)">Snort-users@lists.sourceforge.net</a><br> Go \
to this URL to change user options or unsubscribe:<br> <a
href="https://lists.sourceforge.net/lists/listinfo/snort-users"
target="_blank" onclick="return \
top.js.OpenExtLink(window,event,this)">https://lists.sourceforge.net/lists/listinfo/snort-users</a><br>
Snort-users list archive:<br>
<a
href="http://www.geocrawler.com/redir-sf.php3?list=snort-users"
target="_blank" onclick="return \
top.js.OpenExtLink(window,event,this)">http://www.geocrawler.com/redir-sf.php3?list=snort-users</a></blockquote>
</div>
<br>
</div>
</div>
</blockquote>
</div>
<br>
<span><snort.conf></span><span><output-snort></span></blockquote>
</div>
<br>
</div>
</div>
</div>
<pre wrap="">
<hr size="4" width="90%">
-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for
just about anything Open Source.
<a class="moz-txt-link-freetext" \
href="http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace">ht \
tp://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace</a></pre> \
<pre wrap=""> <hr size="4" width="90%">
_______________________________________________
Snort-users mailing list
<a class="moz-txt-link-abbreviated" \
href="mailto:Snort-users@lists.sourceforge.net">Snort-users@lists.sourceforge.net</a> \
Go to this URL to change user options or unsubscribe: <a \
class="moz-txt-link-freetext" \
href="https://lists.sourceforge.net/lists/listinfo/snort-users">https://lists.sourceforge.net/lists/listinfo/snort-users</a>
Snort-users list archive:
<a class="moz-txt-link-freetext" \
href="http://www.geocrawler.com/redir-sf.php3?list=snort-users">http://www.geocrawler.com/redir-sf.php3?list=snort-users</a></pre>
</blockquote>
</body>
</html>
-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for
just about anything Open Source.
http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic