Snort logs?!

For beginners, flames not allowed...(just by the staff :P)
Lyecdevf
cyber Idi Amin
Posts: 1222
Joined: 16 Mar 2006, 17:00
Location: In between life and death.

Post by Lyecdevf »

So I ran snort successfully a few days ago. It generated some logs, from which I picked out the ones that appeared the most often!


[**] [125:7:1] (ftp_telnet) FTP traffic encrypted [**] [Priority: 3] 08/16-00:54:18.767326 201.239.227.163:21 -> 192.168.1.102:4445 TCP TTL:112 TOS:0x0 ID:2509 IpLen:20 DgmLen:210 DF ***AP*** Seq: 0x119B3CAE Ack: 0xAE4F3A6C Win: 0x104 TcpLen: 32 TCP Options (3) => NOP NOP TS: 288650 525795935 


[**] [122:2:0] (portscan) TCP Decoy Portscan [**] [Priority: 3] 08/16-09:01:25.785685 81.77.193.161 -> 192.168.1.102 PROTO:255 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:171 DF 

[**] [116:54:1] (snort_decoder): Tcp Options found with bad lengths [**] [Priority: 3] 08/16-09:05:20.806428 24.148.102.31:6881 -> 192.168.1.102:3005 TCP TTL:43 TOS:0x0 ID:12482 IpLen:20 DgmLen:1420 DF ***AP*** Seq: 0xC169DB5D Ack: 0xB1EF99C7 Win: 0xFFFF TcpLen: 32 

[**] [116:55:1] (snort_decoder): Truncated Tcp Options [**] [Priority: 3] 08/16-09:05:22.255822 24.148.102.31:6881 -> 192.168.1.102:3005 TCP TTL:43 TOS:0x0 ID:12506 IpLen:20 DgmLen:1420 DF ***AP*** Seq: 0xC169F0ED Ack: 0xB1EF99C7 Win: 0xFFFF TcpLen: 32 

[**] [122:3:0] (portscan) TCP Portsweep [**] [Priority: 3] 08/16-09:08:10.280402 192.168.1.102 -> 81.227.152.202 PROTO:255 TTL:0 TOS:0x0 ID:31795 IpLen:20 DgmLen:165

[**] [1:485:5] ICMP Destination Unreachable Communication Administratively Prohibited [**] [Classification: Misc activity] [Priority: 3] 08/16-09:08:18.350637 77.184.199.118 -> 192.168.1.102 ICMP TTL:46 TOS:0x0 ID:52551 IpLen:20 DgmLen:56 Type:3 Code:13 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED, PACKET FILTERED ** ORIGINAL DATAGRAM DUMP: 192.168.1.102:10269 -> 77.184.199.118:44959 TCP TTL:47 TOS:0x0 ID:52551 IpLen:20 DgmLen:60 DF Seq: 0xE908DEED ** END OF DUMP 

[**] [1:524:8] BAD-TRAFFIC tcp port 0 traffic [**] [Classification: Misc activity] [Priority: 3] 08/16-09:23:35.403995 192.168.1.102:24527 -> 71.57.33.223:0 TCP TTL:64 TOS:0x0 ID:13496 IpLen:20 DgmLen:60 DF ******S* Seq: 0x4298A764 Ack: 0x0 Win: 0x16D0 TcpLen: 40 TCP Options (5) => MSS: 1460 SackOK TS: 533435356 0 NOP WS: 6 
Today I ran a Wireshark scan but it did not pick up any traffic from my computer, especially not any packets going through FTP or port scans. So I am not sure what that is all about. Could snort have somehow been mistaken by the torrent traffic that goes through my computer?
We will either find a way, or make one.
- Hannibal

ayu
Staff
Posts: 8109
Joined: 27 Aug 2005, 16:00

Post by ayu »

Yeah it happens, you might want to check out the snort config and optimize it a bit. Because sometimes it gives out false positives =)
"The best place to hide a tree, is in a forest"

bad_brain
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
Location: In your eye floaters.

Post by bad_brain »

yep, it takes a little to get rid of false positives.
all the incidents that involve your private IP are most likely requests from/to your router...DHCP ones for example.
the "FTP traffic encrypted" ones seem to be caused by your p2p client.
if you block ICMP completely anyway (you should) by the firewall you can disable the whole ruleset in /etc/snort/snort.conf, simply comment out the include line for that ruleset. you also should disable all rulesets for services you don't use anyway to save RAM, it's pointless to use rules for IIS on a Linux box for example. don't forget to restart snort after editing the config...:wink:

the same procedure is used to disable a single rule in a ruleset (/etc/snort/rules).
if you don't want to disable a rule completely (the "TCP Portsweep" one in the "portscan" ruleset for example) you can exclude your private IP from being logged. here you can find all the info you need about writing/editing rules:
http://www.snort.org/docs/snort_htmanua ... ode14.html

:wink:
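Added example, not code from anyone in this thread: a small Python script that parses the one-line alert format pasted in the first post, counts events per signature (the "which ones appear most often" triage), and applies a suppression in the spirit of the advice above to stop logging the TCP Portsweep event when the private host is the source, mirroring a Snort 2 threshold.conf line of the form `suppress gen_id 122, sig_id 3, track by_src, ip 192.168.1.102`. The sample alerts are copied from the post above and trimmed after the address pair.

```python
import re
from collections import Counter

# One-line Snort 2 alert format as pasted in the thread:
# [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: N] ts src[:port] -> dst[:port] ...
ALERT_RE = re.compile(
    r"\[\*\*\]\s*\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s*(?P<msg>.*?)\s*\[\*\*\]"
    r"(?:\s*\[Classification:[^\]]*\])?\s*\[Priority:\s*(?P<prio>\d+)\]\s*"
    r"(?P<ts>\S+)\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s*->\s*"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)

# Sample alerts, copied from the first post and trimmed after the address pair.
SAMPLE_ALERTS = [
    "[**] [125:7:1] (ftp_telnet) FTP traffic encrypted [**] [Priority: 3] 08/16-00:54:18.767326 201.239.227.163:21 -> 192.168.1.102:4445 TCP",
    "[**] [122:2:0] (portscan) TCP Decoy Portscan [**] [Priority: 3] 08/16-09:01:25.785685 81.77.193.161 -> 192.168.1.102 PROTO:255",
    "[**] [116:54:1] (snort_decoder): Tcp Options found with bad lengths [**] [Priority: 3] 08/16-09:05:20.806428 24.148.102.31:6881 -> 192.168.1.102:3005 TCP",
    "[**] [122:3:0] (portscan) TCP Portsweep [**] [Priority: 3] 08/16-09:08:10.280402 192.168.1.102 -> 81.227.152.202 PROTO:255",
    "[**] [1:485:5] ICMP Destination Unreachable Communication Administratively Prohibited [**] [Classification: Misc activity] [Priority: 3] 08/16-09:08:18.350637 77.184.199.118 -> 192.168.1.102 ICMP",
    "[**] [1:524:8] BAD-TRAFFIC tcp port 0 traffic [**] [Classification: Misc activity] [Priority: 3] 08/16-09:23:35.403995 192.168.1.102:24527 -> 71.57.33.223:0 TCP",
]

# Mirrors a threshold.conf entry such as
#   suppress gen_id 122, sig_id 3, track by_src, ip 192.168.1.102
# i.e. stop logging the TCP Portsweep event when our own host is the source.
SUPPRESS = {(122, 3, "192.168.1.102")}

def parse_alert(line):
    """Return a dict of the alert header fields, or None if the line is not an alert."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    a = m.groupdict()
    for k in ("gid", "sid", "rev", "prio"):
        a[k] = int(a[k])
    return a

def triage(lines, suppress=SUPPRESS):
    """Drop suppressed (gid, sid, src) events and count the rest by signature."""
    kept, dropped = [], 0
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        if (a["gid"], a["sid"], a["src"]) in suppress:
            dropped += 1
            continue
        kept.append(a)
    counts = Counter((a["gid"], a["sid"], a["msg"]) for a in kept)
    return kept, dropped, counts
```

Running `triage(SAMPLE_ALERTS)` keeps five of the six alerts and drops only the Portsweep sourced from 192.168.1.102; `counts.most_common()` gives the per-signature ranking.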

Lyecdevf
cyber Idi Amin
Posts: 1222
Joined: 16 Mar 2006, 17:00
Location: In between life and death.

Post by Lyecdevf »

Yeah, it is a lot more difficult than I thought. I am probably going to write a blog on how long it took me to get snort, configure it and learn to use it.
We will either find a way, or make one.
- Hannibal

bad_brain
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
Location: In your eye floaters.

Post by bad_brain »

I've been using Snort for about 3 years now, so I'll support you when I can...I am just not too familiar with the newest version yet because I always go for the official packages in Debian, which are a little behind... :wink:
feel free to post your snort.conf on http://code.suck-o.com, if you provide me with a list of services you run on your box I'll show you which rulesets you can disable...ok, it's pretty self-explanatory, but just in case... :wink:

Lyecdevf
cyber Idi Amin
Posts: 1222
Joined: 16 Mar 2006, 17:00
Location: In between life and death.

Post by Lyecdevf »

Hey, thanks a lot. However, I usually go over to the snort IRC to seek guidance and help on such matters. I have been there many times before.

Over the next few weeks I am going to look at my snort.conf and try out different things. Then I am going to go over to the snort IRC and experiment some more,...back and forth until I get it to work fine! :D

When I have figured it all out I may write a tut on it and post it here, because learning to use snort and everything with it is sure no easy task!
We will either find a way, or make one.
- Hannibal
