No Snort alerts...

Tracy Reed

Apr 25, 2013, 6:48:14 PM
to securit...@googlegroups.com
I'm new to Snort and SO and have a few things working and configured and
overall I'm pretty happy with it. Thanks for such a great tool!

The only issue I am currently facing is that Snort is not producing expected
alerts for my simulated attack traffic. It only ever produced two kinds of
alerts:

ET POLICY Unusual number of DNS No Such Name Responses

ET POLICY Outbound Multiple Non-SMTP Server Emails

I have added our mail server IP addresses to SMTP_SERVERS and suppressed the
"No Such Name Responses" from our DNS forwarders and those cleared up.

The issue is when I run sqlmap or nmap against my webserver server and don't
see any alerts. I even setup the classic test icmp alerting rule in
/etc/nsm/rules/local.rules :

Alert icmp 10.1.1.1 any -> any any (msg:"ICMP"; sid:100002;)

but it doesn't cause any alerts when I ping. I can do a tcpdump on my monitor
interface on the SO box and actually see the sqlmap, nmap, and icmp traffic.
But Snort doesn't alert on any of it. Not sure where to go from here. I have
only the basic GPL alerts enabled but I'm pretty sure they should detect some
of this stuff.

Suggestions? What other info should I provide here?

Thanks!

--
Tracy Reed

Heine Lysemose

Apr 26, 2013, 4:25:27 AM
to securit...@googlegroups.com

Hi

Could you provide the list with the output from

sudo sostat

redacting any sensitive information.

Regards,
Lysemose

Tracy Reed

Apr 26, 2013, 4:52:36 AM
to securit...@googlegroups.com
On Fri, Apr 26, 2013 at 01:25:27AM PDT, Heine Lysemose spake thusly:
> Could you provide the list with the output from
>
> sudo sostat
>
> redacting any sensitive information.

Certainly. I had considered sending that in the first email but it was rather
large. Thanks!


=========================================================================
Service Status
=========================================================================
Status: securityonion
* sguil server[ OK ]
Status: HIDS
* ossec_agent (sguil)[ OK ]
Status: Bro
Name Type Host Status Pid Peers Started
bro standalone localhost running 9078 0 25 Apr 05:09:11
Status: onion-eth1
* netsniff-ng (full packet data)[ OK ]
* pcap_agent (sguil)[ OK ]
* snort_agent-1 (sguil)[ OK ]
* snort_agent-2 (sguil)[ OK ]
* snort-1 (alert data)[ OK ]
* snort-2 (alert data)[ OK ]
* barnyard2-1 (spooler, unified2 format)[ OK ]
* barnyard2-2 (spooler, unified2 format)[ OK ]
* prads (sessions/assets)[ OK ]
* sancp_agent (sguil)[ OK ]
* pads_agent (sguil)[ OK ]
* argus[ OK ]
* http_agent (sguil)[ OK ]

=========================================================================
Interface Status
=========================================================================
eth0 Link encap:Ethernet HWaddr 00:16:3e:4a:11:9f
inet addr:10.0.2.245 Bcast:10.0.2.255 Mask:255.255.255.0
inet6 addr: fe80::216:3eff:fe4a:119f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:115203 errors:0 dropped:0 overruns:0 frame:0
TX packets:83058 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:17821820 (17.8 MB) TX bytes:11023243 (11.0 MB)
Interrupt:95

eth1 Link encap:Ethernet HWaddr 00:16:3e:36:2e:60
UP BROADCAST RUNNING NOARP PROMISC MULTICAST MTU:1500 Metric:1
RX packets:106376893 errors:0 dropped:13448 overruns:0 frame:0
TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:30922965828 (30.9 GB) TX bytes:70 (70.0 B)
Interrupt:96

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:12448446 errors:0 dropped:0 overruns:0 frame:0
TX packets:12448446 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:3716086878 (3.7 GB) TX bytes:3716086878 (3.7 GB)

=========================================================================
Disk Usage
=========================================================================
Filesystem Size Used Avail Use% Mounted on
/dev/md1 9.2G 668M 8.1G 8% /
udev 3.9G 4.0K 3.9G 1% /dev
tmpfs 1.6G 844K 1.6G 1% /run
none 5.0M 0 5.0M 0% /run/lock
none 3.8G 144K 3.8G 1% /run/shm
/dev/mapper/onion-usr 4.6G 2.5G 1.9G 57% /usr
/dev/mapper/onion-tmp 1.9G 37M 1.8G 3% /tmp
/dev/mapper/onion-nsm 551G 63G 460G 12% /nsm
/dev/md0 4.6G 165M 4.2G 4% /boot
/dev/mapper/onion-home 4.6G 139M 4.3G 4% /home
/dev/mapper/onion-var 11G 7.6G 2.5G 76% /var

=========================================================================
Network Sockets
=========================================================================
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
avahi-dae 1213 avahi 12u IPv4 10531 0t0 UDP *:5353
avahi-dae 1213 avahi 13u IPv6 10532 0t0 UDP *:5353
avahi-dae 1213 avahi 14u IPv4 10533 0t0 UDP *:40485
avahi-dae 1213 avahi 15u IPv6 10534 0t0 UDP *:49726
cupsd 1239 root 8u IPv6 934364 0t0 TCP [::1]:631 (LISTEN)
cupsd 1239 root 9u IPv4 934365 0t0 TCP 127.0.0.1:631 (LISTEN)
sshd 1313 root 3u IPv4 9687 0t0 TCP *:22 (LISTEN)
sshd 1313 root 4u IPv6 9689 0t0 TCP *:22 (LISTEN)
tclsh 1326 root 3u IPv4 886871 0t0 TCP 127.0.0.1:46354->127.0.0.1:7736 (ESTABLISHED)
mysqld 1516 mysql 10u IPv4 9905 0t0 TCP 127.0.0.1:3306 (LISTEN)
mysqld 1516 mysql 170u IPv4 921760 0t0 TCP 127.0.0.1:3306->127.0.0.1:36571 (ESTABLISHED)
mysqld 1516 mysql 172u IPv4 922919 0t0 TCP 127.0.0.1:3306->127.0.0.1:36574 (ESTABLISHED)
master 1782 root 12u IPv4 11235 0t0 TCP *:25 (LISTEN)
master 1782 root 13u IPv6 11236 0t0 TCP *:25 (LISTEN)
/usr/sbin 2030 root 4u IPv4 12543 0t0 TCP *:443 (LISTEN)
/usr/sbin 2030 root 5u IPv4 12546 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2030 root 6u IPv4 12548 0t0 TCP *:444 (LISTEN)
/usr/sbin 2158 www-data 4u IPv4 12543 0t0 TCP *:443 (LISTEN)
/usr/sbin 2158 www-data 5u IPv4 12546 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2158 www-data 6u IPv4 12548 0t0 TCP *:444 (LISTEN)
/usr/sbin 2159 www-data 4u IPv4 12543 0t0 TCP *:443 (LISTEN)
/usr/sbin 2159 www-data 5u IPv4 12546 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2159 www-data 6u IPv4 12548 0t0 TCP *:444 (LISTEN)
/usr/sbin 2161 www-data 4u IPv4 12543 0t0 TCP *:443 (LISTEN)
/usr/sbin 2161 www-data 5u IPv4 12546 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2161 www-data 6u IPv4 12548 0t0 TCP *:444 (LISTEN)
/usr/sbin 2162 www-data 4u IPv4 12543 0t0 TCP *:443 (LISTEN)
/usr/sbin 2162 www-data 5u IPv4 12546 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2162 www-data 6u IPv4 12548 0t0 TCP *:444 (LISTEN)
ubuntu-ge 2507 lightdm 11u IPv4 13596 0t0 TCP 10.0.2.245:40821->x.x.x.x:80 (CLOSE_WAIT)
ntpd 2549 ntp 16u IPv4 13607 0t0 UDP *:123
ntpd 2549 ntp 17u IPv6 13608 0t0 UDP *:123
ntpd 2549 ntp 18u IPv4 13614 0t0 UDP 127.0.0.1:123
ntpd 2549 ntp 19u IPv4 13615 0t0 UDP 10.0.2.245:123
ntpd 2549 ntp 20u IPv6 13616 0t0 UDP [fe80::216:3eff:fe4a:119f]:123
ntpd 2549 ntp 21u IPv6 13617 0t0 UDP [::1]:123
/usr/sbin 2559 www-data 4u IPv4 12543 0t0 TCP *:443 (LISTEN)
/usr/sbin 2559 www-data 5u IPv4 12546 0t0 TCP *:9876 (LISTEN)
/usr/sbin 2559 www-data 6u IPv4 12548 0t0 TCP *:444 (LISTEN)
sshd 3698 root 3u IPv4 14155 0t0 TCP 10.0.2.245:22->10.0.2.2:40540 (ESTABLISHED)
sshd 3836 treed 3u IPv4 14155 0t0 TCP 10.0.2.245:22->10.0.2.2:40540 (ESTABLISHED)
/usr/sbin 3951 www-data 4u IPv4 12543 0t0 TCP *:443 (LISTEN)
/usr/sbin 3951 www-data 5u IPv4 12546 0t0 TCP *:9876 (LISTEN)
/usr/sbin 3951 www-data 6u IPv4 12548 0t0 TCP *:444 (LISTEN)
/usr/sbin 5074 www-data 4u IPv4 12543 0t0 TCP *:443 (LISTEN)
/usr/sbin 5074 www-data 5u IPv4 12546 0t0 TCP *:9876 (LISTEN)
/usr/sbin 5074 www-data 6u IPv4 12548 0t0 TCP *:444 (LISTEN)
sshd 5133 root 3u IPv4 912209 0t0 TCP 10.0.2.245:22->10.0.2.2:51622 (ESTABLISHED)
sshd 5423 treed 3u IPv4 912209 0t0 TCP 10.0.2.245:22->10.0.2.2:51622 (ESTABLISHED)
sshd 5423 treed 9u IPv6 913697 0t0 TCP [::1]:6010 (LISTEN)
sshd 5423 treed 10u IPv4 913698 0t0 TCP 127.0.0.1:6010 (LISTEN)
sshd 5423 treed 12u IPv4 913740 0t0 TCP 127.0.0.1:6010->127.0.0.1:50586 (ESTABLISHED)
wish 5531 treed 3u IPv4 913739 0t0 TCP 127.0.0.1:50586->127.0.0.1:6010 (ESTABLISHED)
wish 5531 treed 4u IPv4 913748 0t0 TCP 127.0.0.1:51256->127.0.0.1:7734 (ESTABLISHED)
barnyard2 8153 root 3u IPv4 920151 0t0 TCP 127.0.0.1:53348->127.0.0.1:8001 (ESTABLISHED)
barnyard2 8153 root 4u IPv4 921084 0t0 TCP 127.0.0.1:36571->127.0.0.1:3306 (ESTABLISHED)
barnyard2 8222 root 3u IPv4 922914 0t0 TCP 127.0.0.1:58846->127.0.0.1:8002 (ESTABLISHED)
barnyard2 8222 root 4u IPv4 922918 0t0 TCP 127.0.0.1:36574->127.0.0.1:3306 (ESTABLISHED)
tclsh 8344 root 3u IPv4 39241 0t0 TCP 127.0.0.1:44110->127.0.0.1:7736 (CLOSE_WAIT)
bro 9078 root 4u IPv4 40460 0t0 UDP 10.0.2.245:54975->10.0.2.3:53
bro 9088 root 0u IPv4 39583 0t0 TCP *:47760 (LISTEN)
bro 9088 root 1u IPv6 39584 0t0 TCP *:47760 (LISTEN)
bro 9088 root 4u IPv4 40460 0t0 UDP 10.0.2.245:54975->10.0.2.3:53
tclsh 9177 root 3u IPv4 885914 0t0 TCP 127.0.0.1:46353->127.0.0.1:7736 (ESTABLISHED)
tclsh 9216 root 3u IPv4 885088 0t0 TCP 127.0.0.1:46351->127.0.0.1:7736 (ESTABLISHED)
tclsh 9216 root 4u IPv4 38619 0t0 TCP 127.0.0.1:8001 (LISTEN)
tclsh 9216 root 6u IPv4 921081 0t0 TCP 127.0.0.1:8001->127.0.0.1:53348 (ESTABLISHED)
tclsh 14277 root 3u IPv4 885089 0t0 TCP 127.0.0.1:46352->127.0.0.1:7736 (ESTABLISHED)
tclsh 14277 root 4u IPv4 72763 0t0 TCP 127.0.0.1:8002 (LISTEN)
tclsh 14277 root 6u IPv4 922915 0t0 TCP 127.0.0.1:8002->127.0.0.1:58846 (ESTABLISHED)
tclsh 14601 root 3u IPv4 886867 0t0 TCP 127.0.0.1:46350->127.0.0.1:7736 (ESTABLISHED)
/usr/sbin 21792 www-data 4u IPv4 12543 0t0 TCP *:443 (LISTEN)
/usr/sbin 21792 www-data 5u IPv4 12546 0t0 TCP *:9876 (LISTEN)
/usr/sbin 21792 www-data 6u IPv4 12548 0t0 TCP *:444 (LISTEN)
/usr/sbin 21793 www-data 4u IPv4 12543 0t0 TCP *:443 (LISTEN)
/usr/sbin 21793 www-data 5u IPv4 12546 0t0 TCP *:9876 (LISTEN)
/usr/sbin 21793 www-data 6u IPv4 12548 0t0 TCP *:444 (LISTEN)
/usr/sbin 21794 www-data 4u IPv4 12543 0t0 TCP *:443 (LISTEN)
/usr/sbin 21794 www-data 5u IPv4 12546 0t0 TCP *:9876 (LISTEN)
/usr/sbin 21794 www-data 6u IPv4 12548 0t0 TCP *:444 (LISTEN)
tclsh 23572 root 3u IPv4 885086 0t0 TCP 127.0.0.1:46349->127.0.0.1:7736 (ESTABLISHED)
ruby1.9.1 26768 www-data 12u IPv4 630278 0t0 TCP 127.0.0.1:55185 (LISTEN)
tclsh 29441 root 13u IPv4 885084 0t0 TCP *:7734 (LISTEN)
tclsh 29441 root 14u IPv4 885085 0t0 TCP *:7736 (LISTEN)
tclsh 29441 root 15u IPv4 885087 0t0 TCP 127.0.0.1:7736->127.0.0.1:46349 (ESTABLISHED)
tclsh 29441 root 16u IPv4 886868 0t0 TCP 127.0.0.1:7736->127.0.0.1:46350 (ESTABLISHED)
tclsh 29441 root 17u IPv4 886869 0t0 TCP 127.0.0.1:7736->127.0.0.1:46351 (ESTABLISHED)
tclsh 29441 root 18u IPv4 886870 0t0 TCP 127.0.0.1:7736->127.0.0.1:46352 (ESTABLISHED)
tclsh 29441 root 19u IPv4 885915 0t0 TCP 127.0.0.1:7736->127.0.0.1:46353 (ESTABLISHED)
tclsh 29441 root 20u IPv4 886872 0t0 TCP 127.0.0.1:7736->127.0.0.1:46354 (ESTABLISHED)
tclsh 29441 root 21u IPv4 911126 0t0 TCP 127.0.0.1:7734->127.0.0.1:51256 (ESTABLISHED)

=========================================================================
IDS Rules Update
=========================================================================
Fri Apr 26 07:01:01 UTC 2013
Backing up current downloaded.rules file before it gets overwritten.
Cleaning up downloaded.rules backup files older than 30 days.
Running PulledPork.
http://code.google.com/p/pulledpork/
_____ ____
`----,\ )
`--==\\ / PulledPork v0.6.1 the Smoking Pig <////~
`--==\\/
.-~~~~-.Y|\\_ Copyright (C) 2009-2011 JJ Cummings
@_/ / 66\_ cumm...@gmail.com
| \ \ _(")
\ /-| ||'--' Rules give me wings!
\_\ \_\\
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Checking latest MD5 for emerging.rules.tar.gz....
No Match
Done
Rules tarball download of emerging.rules.tar.gz....
They Match
Done!
Prepping rules from emerging.rules.tar.gz for work....
Done!
Reading rules...
Generating Stub Rules....
Done
Reading rules...
Reading rules...
Reading rules...
Processing /etc/nsm/pulledpork/enablesid.conf....
Modified 0 rules
Done
Processing /etc/nsm/pulledpork/dropsid.conf....
Modified 0 rules
Done
Processing /etc/nsm/pulledpork/disablesid.conf....
Modified 0 rules
Done
Modifying Sids....
Done!
Setting Flowbit State....
Enabled 10 flowbits
Done
Writing /etc/nsm/rules/downloaded.rules....
Done
Writing /etc/nsm/rules/so_rules.rules....
Done
Generating sid-msg.map....
Done
Writing /etc/nsm/rules/sid-msg.map....
Done
Writing /var/log/sid_changes.log....
Done
Rule Stats....
New:-------8
Deleted:---6
Enabled Rules:----13940
Dropped Rules:----0
Disabled Rules:---3241
Total Rules:------17181
Done
Please review /var/log/sid_changes.log for additional details
Fly Piggy Fly!
Restarting Barnyard2.
Restarting: onion-eth1
* stopping: barnyard2-1 (spooler, unified2 format)[ OK ]
* starting: barnyard2-1 (spooler, unified2 format)[ OK ]
* stopping: barnyard2-2 (spooler, unified2 format)[ OK ]
* starting: barnyard2-2 (spooler, unified2 format)[ OK ]
Restarting IDS Engine.
Restarting: onion-eth1
* stopping: snort-1 (alert data)[ OK ]
* starting: snort-1 (alert data)[ OK ]
* stopping: snort-2 (alert data)[ OK ]
* starting: snort-2 (alert data)[ OK ]

=========================================================================
CPU Usage
=========================================================================
top - 08:45:51 up 1 day, 4:00, 2 users, load average: 0.12, 0.18, 0.27
Tasks: 204 total, 1 running, 203 sleeping, 0 stopped, 0 zombie
Cpu(s): 12.2%us, 1.2%sy, 0.2%ni, 81.1%id, 4.1%wa, 0.0%hi, 0.3%si, 1.0%st
Mem: 7914660k total, 7700856k used, 213804k free, 218760k buffers
Swap: 7807932k total, 52764k used, 7755168k free, 5727404k cached

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
9078 root 20 0 1761m 137m 70m S 21 1.8 475:54.01 bro
8305 sguil 20 0 541m 221m 10m S 8 2.9 12:01.34 snort
1230 sguil 20 0 111m 12m 1188 S 2 0.2 8:23.70 argus
14556 sguil 20 0 78512 56m 3576 S 2 0.7 28:58.52 prads
1 root 20 0 24440 2232 1300 S 0 0.0 0:03.84 init
2 root 20 0 0 0 0 S 0 0.0 0:00.00 kthreadd
3 root 20 0 0 0 0 S 0 0.0 0:50.96 ksoftirqd/0
5 root 20 0 0 0 0 S 0 0.0 0:00.52 kworker/u:0
6 root RT 0 0 0 0 S 0 0.0 0:00.74 migration/0
7 root RT 0 0 0 0 S 0 0.0 0:00.94 watchdog/0
8 root RT 0 0 0 0 S 0 0.0 0:00.74 migration/1
9 root 20 0 0 0 0 S 0 0.0 0:00.00 kworker/1:0
10 root 20 0 0 0 0 S 0 0.0 0:18.34 ksoftirqd/1
11 root RT 0 0 0 0 S 0 0.0 0:00.70 watchdog/1
12 root RT 0 0 0 0 S 0 0.0 0:00.70 migration/2
13 root 20 0 0 0 0 S 0 0.0 0:00.00 kworker/2:0
14 root 20 0 0 0 0 S 0 0.0 0:15.70 ksoftirqd/2
15 root RT 0 0 0 0 S 0 0.0 0:00.78 watchdog/2
16 root RT 0 0 0 0 S 0 0.0 0:00.94 migration/3
17 root 20 0 0 0 0 S 0 0.0 0:00.00 kworker/3:0
18 root 20 0 0 0 0 S 0 0.0 0:15.01 ksoftirqd/3
19 root RT 0 0 0 0 S 0 0.0 0:00.69 watchdog/3
20 root 0 -20 0 0 0 S 0 0.0 0:00.00 cpuset
21 root 0 -20 0 0 0 S 0 0.0 0:00.00 khelper
22 root 20 0 0 0 0 S 0 0.0 0:00.01 kdevtmpfs
23 root 0 -20 0 0 0 S 0 0.0 0:00.00 netns
24 root 20 0 0 0 0 S 0 0.0 0:00.02 kworker/u:1
25 root 20 0 0 0 0 S 0 0.0 0:00.01 xenwatch
26 root 20 0 0 0 0 S 0 0.0 0:00.01 xenbus
27 root 20 0 0 0 0 S 0 0.0 0:00.26 sync_supers
28 root 20 0 0 0 0 S 0 0.0 0:00.00 bdi-default
29 root 0 -20 0 0 0 S 0 0.0 0:00.00 kintegrityd
30 root 0 -20 0 0 0 S 0 0.0 0:00.00 kblockd
31 root 0 -20 0 0 0 S 0 0.0 0:00.00 ata_sff
32 root 20 0 0 0 0 S 0 0.0 0:00.05 khubd
33 root 0 -20 0 0 0 S 0 0.0 0:00.00 md
34 root 20 0 0 0 0 S 0 0.0 0:05.78 kworker/1:1
36 root 20 0 0 0 0 S 0 0.0 0:00.06 khungtaskd
37 root 20 0 0 0 0 S 0 0.0 0:17.24 kswapd0
38 root 25 5 0 0 0 S 0 0.0 0:00.00 ksmd
39 root 39 19 0 0 0 S 0 0.0 0:00.00 khugepaged
40 root 20 0 0 0 0 S 0 0.0 0:00.00 fsnotify_mark
41 root 20 0 0 0 0 S 0 0.0 0:00.00 ecryptfs-kthrea
42 root 0 -20 0 0 0 S 0 0.0 0:00.00 crypto
51 root 0 -20 0 0 0 S 0 0.0 0:00.00 kthrotld
53 root 20 0 0 0 0 S 0 0.0 0:00.00 scsi_eh_0
54 root 20 0 0 0 0 S 0 0.0 0:00.01 scsi_eh_1
56 root 0 -20 0 0 0 S 0 0.0 0:00.00 binder
76 root 0 -20 0 0 0 S 0 0.0 0:00.00 deferwq
77 root 0 -20 0 0 0 S 0 0.0 0:00.00 charger_manager
78 root 0 -20 0 0 0 S 0 0.0 0:00.00 devfreq_wq
79 root 20 0 0 0 0 S 0 0.0 0:02.25 kworker/2:1
336 root 20 0 0 0 0 S 0 0.0 0:02.01 kworker/3:1
365 root 20 0 0 0 0 S 0 0.0 0:00.49 md2_raid1
366 root 20 0 0 0 0 S 0 0.0 0:00.66 md1_raid1
369 root 20 0 0 0 0 S 0 0.0 3:53.33 md3_raid1
375 root 20 0 0 0 0 S 0 0.0 0:00.00 md0_raid1
399 root 0 -20 0 0 0 S 0 0.0 0:00.00 kdmflush
406 root 0 -20 0 0 0 S 0 0.0 0:00.00 kdmflush
413 root 0 -20 0 0 0 S 0 0.0 0:00.00 kdmflush
421 root 0 -20 0 0 0 S 0 0.0 0:00.00 kdmflush
428 root 0 -20 0 0 0 S 0 0.0 0:00.00 kdmflush
447 root 20 0 0 0 0 S 0 0.0 0:00.28 jbd2/md1-8
448 root 0 -20 0 0 0 S 0 0.0 0:00.00 ext4-dio-unwrit
541 root 20 0 17232 604 512 S 0 0.0 0:00.20 upstart-udev-br
552 root 20 0 21948 956 820 S 0 0.0 0:00.20 udevd
573 root 20 0 0 0 0 S 0 0.0 0:00.05 jbd2/dm-1-8
574 root 0 -20 0 0 0 S 0 0.0 0:00.00 ext4-dio-unwrit
581 root 20 0 0 0 0 S 0 0.0 0:00.49 jbd2/dm-2-8
582 root 0 -20 0 0 0 S 0 0.0 0:00.00 ext4-dio-unwrit
587 root 20 0 0 0 0 S 0 0.0 0:08.79 jbd2/dm-4-8
588 root 0 -20 0 0 0 S 0 0.0 0:00.00 ext4-dio-unwrit
594 root 20 0 0 0 0 S 0 0.0 0:00.00 jbd2/md0-8
595 root 0 -20 0 0 0 S 0 0.0 0:00.00 ext4-dio-unwrit
601 root 20 0 0 0 0 S 0 0.0 0:00.01 jbd2/dm-0-8
602 root 0 -20 0 0 0 S 0 0.0 0:00.00 ext4-dio-unwrit
606 root 20 0 0 0 0 S 0 0.0 3:34.80 jbd2/dm-3-8
607 root 0 -20 0 0 0 S 0 0.0 0:00.00 ext4-dio-unwrit
737 root 20 0 21884 688 408 S 0 0.0 0:00.01 udevd
738 root 20 0 21884 324 320 S 0 0.0 0:00.00 udevd
847 root 0 -20 0 0 0 S 0 0.0 0:00.00 kpsmoused
931 sguil 20 0 105m 79m 64m S 0 1.0 6:59.78 netsniff-ng
1001 root 20 0 15188 384 332 S 0 0.0 0:00.01 upstart-socket-
1117 messageb 20 0 24392 1424 772 S 0 0.0 0:00.18 dbus-daemon
1189 root 20 0 21188 1248 1248 S 0 0.0 0:00.00 bluetoothd
1213 avahi 20 0 32308 1392 1260 S 0 0.0 0:00.26 avahi-daemon
1217 avahi 20 0 32180 184 152 S 0 0.0 0:00.00 avahi-daemon
1233 root 10 -10 0 0 0 S 0 0.0 0:00.00 krfcommd
1239 root 20 0 101m 2364 1940 S 0 0.0 0:00.06 cupsd
1313 root 20 0 49956 2376 2256 S 0 0.0 0:00.23 sshd
1326 root 20 0 36392 5540 3100 S 0 0.1 21:04.60 tclsh
1412 root 20 0 7200 720 608 S 0 0.0 0:06.78 tail
1450 root 20 0 15784 768 764 S 0 0.0 0:00.00 getty
1466 root 20 0 15784 768 764 S 0 0.0 0:00.00 getty
1470 root 20 0 0 0 0 S 0 0.0 0:00.23 flush-9:1
1474 root 20 0 0 0 0 S 0 0.0 0:00.49 flush-252:2
1475 root 20 0 0 0 0 S 0 0.0 0:19.64 flush-252:3
1476 root 20 0 0 0 0 S 0 0.0 0:22.04 flush-252:4
1480 root 20 0 15784 768 764 S 0 0.0 0:00.00 getty
1481 root 20 0 15784 768 764 S 0 0.0 0:00.00 getty
1484 root 20 0 15784 768 764 S 0 0.0 0:00.00 getty
1487 root 20 0 26780 216 184 S 0 0.0 0:00.00 syslog-ng
1488 root 20 0 92028 10m 2528 S 0 0.1 0:04.74 syslog-ng
1501 root 20 0 264m 1864 1760 S 0 0.0 0:00.03 lightdm
1502 root 20 0 4460 540 536 S 0 0.0 0:00.00 acpid
1512 daemon 20 0 16908 224 212 S 0 0.0 0:00.00 atd
1513 root 20 0 19112 904 780 S 0 0.0 0:01.05 cron
1514 root 20 0 15980 604 504 S 0 0.0 0:26.06 irqbalance
1516 mysql 20 0 1506m 154m 8116 S 0 2.0 93:34.31 mysqld
1543 whoopsie 20 0 197m 2976 2660 S 0 0.0 0:03.86 whoopsie
1552 root 20 0 161m 10m 2156 S 0 0.1 3:40.11 Xorg
1593 root 20 0 12804 436 368 S 0 0.0 0:00.04 ossec-execd
1597 ossec 20 0 14640 2348 712 S 0 0.0 0:10.02 ossec-analysisd
1601 root 20 0 4528 484 408 S 0 0.0 0:00.51 ossec-logcollec
1635 root 20 0 5804 2084 632 S 0 0.0 1:17.12 ossec-syscheckd
1639 ossec 20 0 13068 728 520 S 0 0.0 0:00.26 ossec-monitord
1782 root 20 0 25108 1472 1352 S 0 0.0 0:01.02 master
1793 postfix 20 0 27336 1612 1436 S 0 0.0 0:00.13 qmgr
1861 root 20 0 13376 524 428 S 0 0.0 0:00.03 mdadm
2030 root 20 0 176m 4708 3940 S 0 0.1 0:05.35 /usr/sbin/apach
2043 root 20 0 215m 1476 1408 S 0 0.0 0:00.00 PassengerWatchd
2046 root 20 0 865m 2688 1868 S 0 0.0 2:43.44 PassengerHelper
2048 root 20 0 112m 9m 2184 S 0 0.1 0:00.35 ruby1.9.1
2051 nobody 20 0 165m 2388 2372 S 0 0.0 0:00.36 PassengerLoggin
2155 root 20 0 15784 768 764 S 0 0.0 0:00.00 getty
2158 www-data 20 0 176m 3772 2472 S 0 0.0 0:00.39 /usr/sbin/apach
2159 www-data 20 0 176m 3816 2460 S 0 0.0 0:00.57 /usr/sbin/apach
2161 www-data 20 0 176m 3856 2468 S 0 0.0 0:00.30 /usr/sbin/apach
2162 www-data 20 0 176m 3736 2368 S 0 0.0 0:00.34 /usr/sbin/apach
2211 root 20 0 153m 1840 1840 S 0 0.0 0:00.03 lightdm
2214 root 20 0 118m 2236 1916 S 0 0.0 0:02.29 accounts-daemon
2242 root 20 0 190m 2644 1816 S 0 0.0 0:00.10 polkitd
2263 root 20 0 2042m 2260 2108 S 0 0.0 0:00.08 console-kit-dae
2344 lightdm 20 0 4400 512 508 S 0 0.0 0:00.00 lightdm-greeter
2349 lightdm 20 0 24356 776 324 S 0 0.0 0:00.08 dbus-daemon
2350 lightdm 20 0 614m 15m 4908 S 0 0.2 5:41.47 unity-greeter
2352 lightdm 20 0 339m 1708 1620 S 0 0.0 0:00.00 at-spi-bus-laun
2356 lightdm 20 0 23816 1148 888 S 0 0.0 0:00.00 dbus-daemon
2361 lightdm 20 0 121m 2292 1724 S 0 0.0 0:00.00 at-spi2-registr
2364 lightdm 20 0 48180 1920 1520 S 0 0.0 0:00.00 gvfsd
2366 lightdm 20 0 203m 2064 1560 S 0 0.0 0:00.00 gvfs-fuse-daemo
2373 lightdm 20 0 255m 1880 1388 S 0 0.0 0:00.03 dconf-service
2376 lightdm 20 0 480m 5928 3264 S 0 0.1 0:00.14 gnome-settings-
2384 root 20 0 214m 2880 1928 S 0 0.0 0:00.04 upowerd
2461 colord 20 0 488m 5416 2652 S 0 0.1 0:00.14 colord
2465 root 20 0 76600 1760 1244 S 0 0.0 0:00.00 lightdm
2476 lightdm 20 0 468m 4244 2612 S 0 0.1 0:00.05 indicator-datet
2478 lightdm 20 0 426m 3456 2160 S 0 0.0 0:00.03 indicator-sound
2492 lightdm 9 -11 254m 2048 976 S 0 0.0 0:00.03 pulseaudio
2494 rtkit 21 1 164m 1276 1052 S 0 0.0 0:01.18 rtkit-daemon
2502 lightdm 20 0 47856 2008 1556 S 0 0.0 0:00.00 geoclue-master
2504 lightdm 20 0 53416 2848 1476 S 0 0.0 0:00.30 gconfd-2
2505 lightdm 20 0 95952 1988 1300 S 0 0.0 0:00.00 gconf-helper
2507 lightdm 20 0 324m 3860 2636 S 0 0.0 0:00.04 ubuntu-geoip-pr
2516 lightdm 20 0 583m 3708 2480 S 0 0.0 0:00.03 indicator-sessi
2549 ntp 20 0 39756 2160 1520 S 0 0.0 0:08.56 ntpd
2559 www-data 20 0 177m 3848 2448 S 0 0.0 0:00.38 /usr/sbin/apach
3606 root 20 0 4344 612 508 S 0 0.0 0:00.25 tail
3698 root 20 0 90308 3948 2964 S 0 0.0 0:00.04 sshd
3836 treed 20 0 90308 2156 1172 S 0 0.0 0:04.74 sshd
3837 treed 20 0 27092 8336 1676 S 0 0.1 0:00.50 bash
3951 www-data 20 0 176m 3800 2472 S 0 0.0 0:00.29 /usr/sbin/apach
3959 www-data 20 0 371m 102m 3368 S 0 1.3 2:50.77 ruby
4025 root 20 0 56084 1864 1308 S 0 0.0 0:00.05 sudo
4027 root 20 0 23724 5036 1744 S 0 0.1 0:01.31 bash
5074 www-data 20 0 176m 1680 816 S 0 0.0 0:00.00 /usr/sbin/apach
5133 root 20 0 90164 3932 3036 S 0 0.0 0:00.04 sshd
5423 treed 20 0 90320 2352 1396 S 0 0.0 0:02.26 sshd
5426 treed 20 0 27064 8360 1728 S 0 0.1 0:00.64 bash
5531 treed 20 0 94416 22m 6604 S 0 0.3 0:12.62 wish
8153 root 20 0 156m 58m 1772 S 0 0.8 0:45.30 barnyard2
8214 postfix 20 0 38140 2864 1936 S 0 0.0 0:00.06 tlsmgr
8222 root 20 0 156m 58m 1772 S 0 0.8 0:40.84 barnyard2
8344 root 20 0 42068 6600 2756 S 0 0.1 0:00.42 tclsh
8345 root 20 0 7200 708 600 S 0 0.0 0:00.00 tail
8364 sguil 20 0 540m 223m 10m S 0 2.9 2:50.65 snort
9042 root 20 0 12332 1520 1280 S 0 0.0 0:00.00 bash
9088 root 25 5 268m 81m 64m S 0 1.1 239:33.24 bro
9177 root 20 0 36288 5472 3096 S 0 0.1 0:00.69 tclsh
9216 root 20 0 36292 5440 3104 S 0 0.1 0:00.43 tclsh
9218 root 20 0 7196 608 516 S 0 0.0 0:00.01 tail
13960 postfix 20 0 27172 1528 1252 S 0 0.0 0:00.00 pickup
14277 root 20 0 36292 4924 3104 S 0 0.1 0:01.10 tclsh
14281 root 20 0 7196 536 516 S 0 0.0 0:00.02 tail
14601 root 20 0 35888 4940 3084 S 0 0.1 0:00.20 tclsh
14603 root 20 0 7180 360 280 S 0 0.0 0:00.00 cat
16616 root 20 0 4400 616 512 S 0 0.0 0:00.00 sh
16619 root 20 0 4400 320 216 S 0 0.0 0:00.00 sh
16624 root 20 0 4308 356 276 S 0 0.0 0:00.00 sleep
17360 root 20 0 0 0 0 S 0 0.0 0:00.00 flush-252:0
17362 root 20 0 55852 1884 1460 S 0 0.0 0:00.00 sudo
17363 root 20 0 13744 972 800 S 0 0.0 0:00.00 less
17364 root 20 0 12316 1468 1248 S 0 0.0 0:00.00 sostat
17571 root 20 0 17336 1332 928 R 0 0.0 0:00.01 top
21792 www-data 20 0 176m 3868 2456 S 0 0.0 0:00.26 /usr/sbin/apach
21793 www-data 20 0 177m 3804 2456 S 0 0.0 0:00.35 /usr/sbin/apach
21794 www-data 20 0 176m 3592 2344 S 0 0.0 0:00.29 /usr/sbin/apach
23572 root 20 0 43940 11m 3116 S 0 0.2 8:03.28 tclsh
26199 root 20 0 0 0 0 S 0 0.0 0:05.89 kworker/0:2
26768 www-data 20 0 291m 86m 3436 S 0 1.1 0:07.23 ruby1.9.1
28761 root 20 0 0 0 0 S 0 0.0 0:04.95 kworker/0:1
29441 root 20 0 135m 19m 3884 S 0 0.3 2:01.95 tclsh
29457 root 20 0 121m 3640 916 S 0 0.0 0:00.72 tclsh
29458 root 20 0 121m 3256 540 S 0 0.0 0:00.00 tclsh


=========================================================================
Log Archive
=========================================================================
/nsm/sensor_data/onion-eth1/dailylogs/
60G .
22G ./2013-04-24
30G ./2013-04-25
8.5G ./2013-04-26

/nsm/bro/logs/
600M .
223M ./2013-04-24
309M ./2013-04-25
68M ./2013-04-26
468K ./stats

=========================================================================
IDS Engine (snort) packet drops
=========================================================================
/nsm/sensor_data/onion-eth1/snort-1.stats last reported pkt_drop_percent as 0.000
/nsm/sensor_data/onion-eth1/snort-2.stats last reported pkt_drop_percent as 0.000

=========================================================================
pf_ring stats
=========================================================================
Appl. Name : snort-cluster-51-socket-0
Tot Packets : 2535333
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Appl. Name : snort-cluster-51-socket-0
Tot Packets : 920608
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0
Appl. Name : <unknown>
Tot Packets : 104882535
Tot Pkt Lost : 0
TX: Send Errors : 0
Reflect: Fwd Errors: 0

=========================================================================
Sguil Uncategorized Events
=========================================================================
COUNT(*)
2504

=========================================================================
Sguil events summary for yesterday
=========================================================================
Totals GenID:SigID Signature
839 1:2000328 ET POLICY Outbound Multiple Non-SMTP Server Emails
57 1:2003195 ET POLICY Unusual number of DNS No Such Name Responses
Total
896

=========================================================================
Top 50 All time Sguil Events
=========================================================================
Totals GenID:SigID Signature
2247 1:2000328 ET POLICY Outbound Multiple Non-SMTP Server Emails
118 1:2003195 ET POLICY Unusual number of DNS No Such Name Responses
Total
2365

=========================================================================
Top 50 URLs for yesterday
=========================================================================
Totals Signature
<urls redacted>

=========================================================================
Snorby Events Summary for yesterday
=========================================================================
Totals GenID:SigID SignatureName
839 1:2000328 ET POLICY Outbound Multiple Non-SMTP Server Emails
57 1:2003195 ET POLICY Unusual number of DNS No Such Name Responses
Total
896

=========================================================================
Top 50 All Time Snorby Events
=========================================================================
Totals GenID:SigID SignatureName
2247 1:2000328 ET POLICY Outbound Multiple Non-SMTP Server Emails
118 1:2003195 ET POLICY Unusual number of DNS No Such Name Responses
Total
2365

--
Tracy Reed

Doug Burks

Apr 26, 2013, 7:47:48 AM
to securit...@googlegroups.com
Hi Tracy,

Thanks for sending your sostat output. The only thing that jumps out
at me is that eth1 had 13448 dropped packets, but my guess is that's
not your root issue.

Please retry your sqlmap/nmap/ping tests and send the corresponding
Bro logs from /nsm/bro/logs/current/ and the corresponding tcpdump
output.

Thanks,
Doug
--
Doug Burks
http://securityonion.blogspot.com

Tracy Reed

Apr 26, 2013, 5:45:33 PM
to securit...@googlegroups.com
On Fri, Apr 26, 2013 at 04:47:48AM PDT, Doug Burks spake thusly:
> Thanks for sending your sostat output. The only thing that jumps out
> at me is that eth1 had 13448 dropped packets, but my guess is that's
> not your root issue.

Hmm...an issue indeed but perhaps not the root issue. It now says 19216 dropped
packets. So about 500 an hour on average. Not sure why that is...

> Please retry your sqlmap/nmap/ping tests and send the corresponding
> Bro logs from /nsm/bro/logs/current/ and the corresponding tcpdump
> output.

Ok, starting with a simple ICMP test:

So I have a ping alerting rule:

# cat /etc/nsm/rules/local.rules
Alert icmp 10.1.1.1 any -> any any (msg:"ICMP"; sid:100002;)

Then we restart everything just to make sure the sensors are all running and have read
in the new rule...

# nsm_sensor_ps-restart
Restarting: HIDS
* stopping: ossec_agent (sguil) [ OK ]
* starting: ossec_agent (sguil) [ OK ]
Restarting: Bro
stopping bro ...
.
starting bro ...
..
Restarting: onion-eth1
* restarting with overlap: netsniff-ng (full packet data)
* starting: netsniff-ng (full packet data) [ OK ]
- stopping old process: netsniff-ng (full packet data) [ OK ]
* stopping: pcap_agent (sguil) [ OK ]
* starting: pcap_agent (sguil) [ OK ]
* stopping: snort_agent-1 (sguil) [ OK ]
* starting: snort_agent-1 (sguil) [ OK ]
* stopping: snort_agent-2 (sguil) [ OK ]
* starting: snort_agent-2 (sguil) [ OK ]
* stopping: snort-1 (alert data) [ OK ]
* starting: snort-1 (alert data) [ OK ]
* stopping: snort-2 (alert data) [ OK ]
* starting: snort-2 (alert data) [ OK ]
* stopping: barnyard2-1 (spooler, unified2 format) [ OK ]
* starting: barnyard2-1 (spooler, unified2 format) [ OK ]
* stopping: barnyard2-2 (spooler, unified2 format) [ OK ]
* starting: barnyard2-2 (spooler, unified2 format) [ OK ]
* stopping: prads (sessions/assets) [ OK ]
* starting: prads (sessions/assets) [ OK ]
* stopping: pads_agent (sguil) [ OK ]
* starting: pads_agent (sguil) [ OK ]
* stopping: sancp_agent (sguil) [ OK ]
* starting: sancp_agent (sguil) [ OK ]
* stopping: argus [ OK ]
* starting: argus [ OK ]
* stopping: http_agent (sguil) [ OK ]
* starting: http_agent (sguil) [ OK ]

1.2.3.4 is my home machine, 5.6.7.8 is my website (mywebsite.com). I've used
regex search/replace in vim after composing this so the redaction should be
accurate and consistent everywhere so as not to cause confusion.

On my remote home machine pinging my website:

[treed@home ~]$ ping -c 5 mywebsite.com
PING mywebsite.com (5.6.7.8) 56(84) bytes of data.
From mywebsite.com (5.6.7.8) icmp_seq=1 Destination Host Prohibited
From mywebsite.com (5.6.7.8) icmp_seq=2 Destination Host Prohibited
From mywebsite.com (5.6.7.8) icmp_seq=3 Destination Host Prohibited
From mywebsite.com (5.6.7.8) icmp_seq=4 Destination Host Prohibited
From mywebsite.com (5.6.7.8) icmp_seq=5 Destination Host Prohibited

The firewall blocks the pings but the requests and prohibited replies still
show up on the monitor port:

root@onion:/var/log/nsm/onion-eth1# /usr/sbin/tcpdump -n -i eth1 icmp |grep 1.2.3.4
tcpdump: WARNING: eth1: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
21:17:25.906372 IP 1.2.3.4 > 5.6.7.8: ICMP echo request, id 12061, seq 1, length 64
21:17:25.906443 IP 5.6.7.8 > 1.2.3.4: ICMP host 5.6.7.8 unreachable - admin prohibited, length 92
21:17:26.907170 IP 1.2.3.4 > 5.6.7.8: ICMP echo request, id 12061, seq 2, length 64
21:17:26.907214 IP 5.6.7.8 > 1.2.3.4: ICMP host 5.6.7.8 unreachable - admin prohibited, length 92
21:17:27.911945 IP 1.2.3.4 > 5.6.7.8: ICMP echo request, id 12061, seq 3, length 64
21:17:27.912095 IP 5.6.7.8 > 1.2.3.4: ICMP host 5.6.7.8 unreachable - admin prohibited, length 92
21:17:28.918820 IP 1.2.3.4 > 5.6.7.8: ICMP echo request, id 12061, seq 4, length 64
21:17:28.918833 IP 5.6.7.8 > 1.2.3.4: ICMP host 5.6.7.8 unreachable - admin prohibited, length 92
21:17:29.909589 IP 1.2.3.4 > 5.6.7.8: ICMP echo request, id 12061, seq 5, length 64
21:17:29.909628 IP 5.6.7.8 > 1.2.3.4: ICMP host 5.6.7.8 unreachable - admin prohibited, length 92

This should have triggered an alert right? But nothing is showing up in Snorby.

Ah, I grepped for my home and server IPs in the Bro conn.log logs and did in fact find something:

root@onion:/nsm/bro/logs/current# grep 1.2.3.4 conn.log | grep 5.6.7.8
conn.log:1367010576.134627 jHCrko29Zs3 1.2.3.4 8 5.6.7.8 0 icmp - 124.020021 5264 0 OTH F 0 - 94 7896 0 0 (empty) US A1
conn.log:1367010576.134707 rd1HzPdwzMe 5.6.7.8 3 1.2.3.4 10 icmp - 124.020036 7896 0 OTH F 0 - 94 10528 0 0 (empty) A1 US
conn.log:1367010867.557990 eqrsTeXHPxb 1.2.3.4 8 5.6.7.8 0 icmp - 34.558716 1120 0 OTH F 0 - 20 1680 0 0 (empty) US A1
conn.log:1367010867.558123 WLAPGiat4G3 5.6.7.8 3 1.2.3.4 10 icmp - 34.559381 1680 0 OTH F 0 - 20 2240 0 0 (empty) A1 US
conn.log:1367011045.906372 5aqcd7RCc3h 1.2.3.4 8 5.6.7.8 0 icmp - 4.003217 280 0 OTH F 0 - 5 420 0 0 (empty) US A1
conn.log:1367011045.906443 5fZYGGduuLk 5.6.7.8 3 1.2.3.4 10 icmp - 4.003185 420 0 OTH F 0 - 5 560 0 0 (empty) A1 US

I note that there are 3 request/response pairs here. Not sure what happened to the other two.

Ok, so I fire off sqlmap at my site:

[treed@home sqlmap-dev]$ ./sqlmap.py -u http://mydomain.com/ --string="JFIF" --dbms=mysql --os=linux --level=5 --risk=2

sqlmap/1.0-dev-0d92145 - automatic SQL injection and database takeover tool
http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 14:30:53

[14:30:53] [INFO] testing connection to the target URL
[14:30:53] [INFO] testing if the provided string is within the target URL page content
[14:30:54] [INFO] testing if GET parameter 'writer' is dynamic
[14:30:54] [INFO] confirming that GET parameter 'writer' is dynamic
[14:30:54] [INFO] GET parameter 'writer' is dynamic
[14:30:55] [ERROR] possible integer casting detected (e.g. writer=(int)$_REQUEST('writer')) at the back-end web application
do you want to skip those kind of cases (and save scanning time)? [y/N]
[14:31:00] [INFO] testing for SQL injection on GET parameter 'writer'
[14:31:00] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'

And I'm running tcpdump looking only for dst port 80 so as not to catch my ssh
traffic and still get a bunch of http related traffic due to the sqlmap:

root@onion:/nsm/bro/logs/current# /usr/sbin/tcpdump -n -i eth1 src host 1.2.3.4 and dst port 80
tcpdump: WARNING: eth1: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
21:30:53.362205 IP 1.2.3.4.33242 > 5.6.7.8: Flags [S], seq 2804076664, win 5840, options [mss 1368,sackOK,TS val 1903576380 ecr 0,nop,wscale 7], length 0
21:30:53.399672 IP 1.2.3.4.33242 > 5.6.7.8: Flags [.], ack 2806944496, win 46, options [nop,nop,TS val 1903576415 ecr 1989578242], length 0
21:30:53.399787 IP 1.2.3.4.33242 > 5.6.7.8: Flags [P.], seq 0:390, ack 1, win 46, options [nop,nop,TS val 1903576415 ecr 1989578242], length 390
21:30:53.629510 IP 1.2.3.4.33242 > 5.6.7.8: Flags [.], ack 1357, win 69, options [nop,nop,TS val 1903576649 ecr 1989578473], length 0
21:30:53.634117 IP 1.2.3.4.33242 > 5.6.7.8: Flags [.], ack 2713, win 91, options [nop,nop,TS val 1903576649 ecr 1989578473], length 0
21:30:53.634142 IP 1.2.3.4.33242 > 5.6.7.8: Flags [.], ack 3125, win 113, options [nop,nop,TS val 1903576650 ecr 1989578473], length 0
21:30:53.634150 IP 1.2.3.4.33242 > 5.6.7.8: Flags [.], ack 3130, win 113, options [nop,nop,TS val 1903576651 ecr 1989578477], length 0
21:30:53.634158 IP 1.2.3.4.33242 > 5.6.7.8: Flags [F.], seq 390, ack 3130, win 113, options [nop,nop,TS val 1903576651 ecr 1989578477], length 0
<tons more elided>

Bro saw this traffic also:

root@onion:/nsm/bro/logs/current# grep 1.2.3.4 conn.log | grep 5.6.7.8.80
1367011853.362205 qmutD3JqRWl 1.2.3.4 33242 5.6.7.8 80 tcp http 0.271953 390 3129 SF F 0 ShADadfF 9 866 8 3553 (empty) US A1
1367011853.707866 a0znBCnfQJ2 1.2.3.4 33243 5.6.7.8 80 tcp http 0.250237 390 3129 SF F 0 ShADadfF 9 866 8 3553 (empty) US A1
1367011854.039549 eiDNkYN6Pkb 1.2.3.4 33244 5.6.7.8 80 tcp http 0.246536 391 824 SF F 0 ShADadfF 5 659 5 1092 (empty) US A1
1367011854.293629 2I5ZyK1dHP7 1.2.3.4 33245 5.6.7.8 80 tcp http 0.266145 391 824 SF F 0 ShADadfF 5 659 5 1092 (empty) US A1
1367011854.563937 HHgnl1ehidl 1.2.3.4 33246 5.6.7.8 80 tcp http 0.262416 418 3129 SF F 0 ShADadfF 9 894 8 3553 (empty) US A1
1367011854.853610 du5MtLps6rf 1.2.3.4 33247 5.6.7.8 80 tcp http 0.238074 396 824 SF F 0 ShADadfF 5 664 5 1092 (empty) US A1
1367011855.097780 nyFoA8fkgH2 1.2.3.4 33248 5.6.7.8 80 tcp http 0.236277 394 3129 SF F 0 ShADadfF 10 922 9 3605 (empty) US A1
1367011860.258303 C6AGlvODsX2 1.2.3.4 33249 5.6.7.8 80 tcp http 0.522155 413 3129 SF F 0 ShADadfF 9 913 9 4017 (empty) US A1
1367011860.822745 xOkZOm7SOia 1.2.3.4 33250 5.6.7.8 80 tcp http 0.514600 413 3129 SF F 0 ShADadfF 9 913 9 4017 (empty) US A1
1367011861.382545 PVVHv0GOzC7 1.2.3.4 33251 5.6.7.8 80 tcp http 0.246499 413 3129 SF F 0 ShADadfF 9 889 8 3553 (empty) US A1
1367011861.668349 diN9N2lilj 1.2.3.4 33252 5.6.7.8 80 tcp http 0.265026 436 3129 SF F 0 ShADadfF 9 912 8 3553 (empty) US A1
1367011861.962560 LOpP6f1TAI3 1.2.3.4 33253 5.6.7.8 80 tcp http 0.243694 436 3129 SF F 0 ShADadfF 9 912 8 3553 (empty) US A1
1367011862.263190 Mq8PPClumNg 1.2.3.4 33254 5.6.7.8 80 tcp http 0.239412 436 3129 SF F 0 ShADadfF 9 912 8 3553 (empty) US A1

Still nothing in Snorby. I would expect anything with HTTP user-agent of sqlmap
would set off alerts, even with the default ruleset. There are 14 sqlmap
related lines in access_log on the actual webserver which look like:

1.2.3.4 - - [26/Apr/2013:14:30:53 -0700] "GET / HTTP/1.1" 200 2896 "-" "sqlmap/1.0-dev-0d92145 (http://sqlmap.org)"

I can do nmap also if you want but I suspect it will produce more of the same sort of results.

Thoughts?

--
Tracy Reed

Doug Burks

Apr 26, 2013, 6:33:41 PM4/26/13
to securit...@googlegroups.com
Thanks for the detailed output.  I'll look more into this later. I'm on my phone right now so I may be mis-reading this, but is your snort ICMP rule looking for 10.1.1.1?  I don't see that IP in your tcpdump output. 

Thanks,
Doug

Tracy Reed

Apr 26, 2013, 8:16:31 PM4/26/13
to securit...@googlegroups.com
On Fri, Apr 26, 2013 at 03:33:41PM PDT, Doug Burks spake thusly:
> Thanks for the detailed output. I'll look more into this later. I'm on my
> phone right now so I may be mis-reading this, but is your snort ICMP rule
> looking for 10.1.1.1? I don't see that IP in your tcpdump output.

Oops... you are correct! I didn't even notice that when I copied the example. I
have made the rule:

Alert icmp any any -> any any (msg:"ICMP"; sid:100002;)

and restarted. It still does not alert on ICMP.

--
Tracy Reed

Tracy Reed

Apr 26, 2013, 8:32:14 PM4/26/13
to Tracy Reed, securit...@googlegroups.com
On Fri, Apr 26, 2013 at 05:16:30PM PDT, Tracy Reed spake thusly:
> Oops... you are correct! I didn't even notice that when I copied the example. I
> have made the rule:
>
> Alert icmp any any -> any any (msg:"ICMP"; sid:100002;)
>
> and restarted. It still does not alert on ICMP.

Ah-ha! I checked Snorby after pinging and didn't see anything. But I just
noticed in my email that I am now getting lots of emails with subject "RT Event
From onion-eth1-2" so that's an improvement. Now the questions are:

Why don't these show up in Snorby?

Why don't other rules such as detecting sqlmap seem to be alerting?

I did just get another "ET POLICY Outbound Multiple Non-SMTP Server Emails"
alert in Snorby from a mail sending server which I haven't yet told snort about
so I know some alerts are making it to Snorby.

--
Tracy Reed

Doug Burks

Apr 26, 2013, 10:23:06 PM4/26/13
to securit...@googlegroups.com
On Fri, Apr 26, 2013 at 8:32 PM, Tracy Reed <tr...@ultraviolet.org> wrote:
> Ah-ha! I checked Snorby after pinging and didn't see anything. But I just
> noticed in my email that I am now getting lots of emails with subject "RT Event
> From onion-eth1-2" so that's an improvement.

OK, so you've configured Sguil email alerts. Have you tried logging
into the Sguil client to see if it shows the alerts you're expecting?

> Now the questions are:
>
> Why don't these show up in Snorby?

Are you refreshing the Events page in Snorby?

> Why don't other rules such as detecting sqlmap seem to be alerting?

Please send the relevant lines from the Bro http.log for the sqlmap attempts.

Have you verified that your ruleset has rules to detect sqlmap and
that they are enabled?

Thanks,

Tracy Reed

Apr 27, 2013, 1:31:19 AM4/27/13
to securit...@googlegroups.com
On Fri, Apr 26, 2013 at 07:23:06PM PDT, Doug Burks spake thusly:
> OK, so you've configured Sguil email alerts. Have you tried logging
> into the Sguil client to see if it shows the alerts you're expecting?

Yes. The ICMP alerts are in Sguil but there are no other alerts. Just checked
Snorby again and still no ICMP alerts there.

> > Now the questions are:
> >
> > Why don't these show up in Snorby?
>
> Are you refreshing the Events page in Snorby?

Yes.

> > Why don't other rules such as detecting sqlmap seem to be alerting?
>
> Please send the relevant lines from the Bro http.log for the sqlmap attempts.

Here are a representative few:

/nsm/bro/logs/2013-04-27/http.00:00:00-01:00:00.log:1367022452.395776 hfRt62NDXyc 1.2.3.4 33468 5.6.7.8 80 1 GET mydomain.com /cgi-bin/myfile.cgi?writer=152) WHERE 6032=6032 AND 6796=6796 -- - sqlmap/1.0-dev-0d92145 (http://sqlmap.org) 0 2896 200 OK - - dump.1367022452.csv (empty) - - - image/jpeg - -
/nsm/bro/logs/2013-04-27/http.00:00:00-01:00:00.log:1367022452.675778 bxz8SujhNH1 1.2.3.4 33469 5.6.7.8 80 1 GET mydomain.com /cgi-bin/myfile.cgi?writer=152) WHERE 5082=5082 AND 8477=8336 -- - sqlmap/1.0-dev-0d92145 (http://sqlmap.org) 0 2896 200 OK - - dump.1367022452.csv (empty) - - - image/jpeg - -
/nsm/bro/logs/2013-04-27/http.00:00:00-01:00:00.log:1367022452.961817 UMR0UnBNfKb 1.2.3.4 33470 5.6.7.8 80 1 GET mydomain.com /cgi-bin/myfile.cgi?writer=152 WHERE 2135=2135 AND 1837=2318 -- - sqlmap/1.0-dev-0d92145 (http://sqlmap.org) 0 2896 200 OK - - dump.1367022453.csv (empty) - - - image/jpeg - -
/nsm/bro/logs/2013-04-27/http.00:00:00-01:00:00.log:1367022453.242605 gHXWOglBRRk 1.2.3.4 33471 5.6.7.8 80 1 GET mydomain.com /cgi-bin/myfile.cgi?writer=152 WHERE 7676=7676 AND 6796=6796 -- - sqlmap/1.0-dev-0d92145 (http://sqlmap.org) 0 2896 200 OK - - dump.1367022453.csv (empty) - - - image/jpeg - -

> Have you verified that your ruleset has rules to detect sqlmap and
> that they are enabled?

Hmm...I thought surely the default Snort rules would detect something as common
as sqlmap. Is this incorrect? I'm not sure how to check which rules are
enabled.

While playing around with this tonight I also got an oinkcode so I could use:

rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>

and while googling I found and added other rule sources:

rule_url=https://rules.emergingthreatspro.com/|emerging.rules.tar.gz|open
rule_url=http://www.bleedingsnort.com/downloads|bleeding.rules.tar.gz|open

But how do I ensure they are actually enabled? And how do I disable
inappropriate signatures? So far I only know how to use threshold.conf to
suppress but that's just hiding the alerts and not disabling the rule, right?

It looks like on SO rules are kept in /etc/nsm/rules. There is a downloaded
rules file which it looks like I could edit to disable rules but it seems this
file is dynamically generated by pulledpork so any changes I make there would
be overwritten. Googling turned up reference to a snort.rules file but SO
doesn't seem to have that.

By grepping in the rules dir I notice that I now have 4 sqlmap related rules in
these two files, three enabled and one commented out (somehow):

root@onion:/etc/nsm/rules# grep -i sqlmap *
downloaded.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SCAN sqlmap SQL injection scan attempt"; flow:to_server,established; content:"User-Agent|3A| sqlmap"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,sqlmap.sourceforge.net; classtype:web-application-activity; sid:19779; rev:4;)
downloaded.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Sqlmap SQL Injection Scan"; flow:to_server,established; content:"User-Agent|3a| sqlmap"; fast_pattern:only; http_header; detection_filter:track by_dst, count 4, seconds 20; reference:url,sqlmap.sourceforge.net; reference:url,doc.emergingthreats.net/2008538; classtype:attempted-recon; sid:2008538; rev:8;)
downloaded.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Possible SQLMAP Scan"; flow:established,to_server; content:"UNION ALL SELECT NULL, NULL, NULL, NULL"; http_uri; content:"-- AND"; http_uri; detection_filter:track by_dst, count 4, seconds 20; reference:url,sqlmap.sourceforge.net; reference:url,www.darknet.org.uk/2011/04/sqlmap-0-9-released-automatic-blind-sql-injection-tool/; classtype:attempted-recon; sid:2012754; rev:1;)
downloaded.rules:#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Possible SQLMAP Scan"; flow:established,to_server; content:" AND "; http_uri; content:"AND ("; http_uri; pcre:"/\x20AND\x20[0-9]{6}\x3D[0-9]{4}/U"; detection_filter:track by_dst, count 4, seconds 20; reference:url,sqlmap.sourceforge.net; reference:url,www.darknet.org.uk/2011/04/sqlmap-0-9-released-automatic-blind-sql-injection-tool/; classtype:attempted-recon; sid:2012755; rev:3;)
sid-msg.map:19779 || SCAN sqlmap SQL injection scan attempt || url,sqlmap.sourceforge.net
sid-msg.map:2008538 || ET SCAN Sqlmap SQL Injection Scan || url,doc.emergingthreats.net/2008538 || url,sqlmap.sourceforge.net
sid-msg.map:2012754 || ET SCAN Possible SQLMAP Scan || url,www.darknet.org.uk/2011/04/sqlmap-0-9-released-automatic-blind-sql-injection-tool/ || url,sqlmap.sourceforge.net
sid-msg.map:2012755 || ET SCAN Possible SQLMAP Scan || url,www.darknet.org.uk/2011/04/sqlmap-0-9-released-automatic-blind-sql-injection-tool/ || url,sqlmap.sourceforge.net

I restarted again with nsm_sensor_ps-restart; now a sensor fails to restart, and
when I look in /var/log/nsm/onion-eth1/snortu-1.log I see:

ERROR: /etc/nsm/rules/downloaded.rules(7617) within (5) is smaller than size of pattern

Trial and error shows that it was:

rule_url=http://www.bleedingsnort.com/downloads|bleeding.rules.tar.gz|open

causing the problem so I'll leave it commented out for now. Grepping
downloaded.rules shows that we still have all of the sqlmap rules mentioned
above without it.

Now I've successfully restarted it again and I am getting several new alerts:

sensitive_data: sensitive data global threshold exceeded
sip: Maximum dialogs in a session reached
http_inspect: LONG HEADER
stream5: Reset outside window
imap: Unknown IMAP4 command

It took a while for the events to show up in the Snorby dashboard after I saw
them in Sguil.

But still no sign of sqlmap. I'm keen on that one in particular because someone
has been sqlmapping my site lately.

--
Tracy Reed

Tracy Reed

Apr 27, 2013, 4:14:39 AM4/27/13
to Tracy Reed, securit...@googlegroups.com
On Fri, Apr 26, 2013 at 10:31:19PM PDT, Tracy Reed spake thusly:
> But still no sign of sqlmap. I'm keen on that one in particular because someone
> has been sqlmapping my site lately.

FWIW I did just notice the following in my bro logs:

> 2013-04-27-05:18:13 HTTP::SQL_Injection_Attacker 1.2.3.4
Threshold crossed by metric_index(host=1.2.3.4) 50/50
# 1.2.3.4 = myhomemachine.com

> 2013-04-27-05:18:13 HTTP::SQL_Injection_Victim 5.6.7.8
Threshold crossed by metric_index(host=5.6.7.8) 50/50
# 5.6.7.8 = mydomain.com

So at least Bro is aware of the SQL injection happening.

Speaking of Bro: I don't see any info on how to suppress Bro alarms. I have a
process which ssh's into my server every 5 minutes and produces an alarm:

> 2013-04-27-05:18:50 SSH::Login 9.10.11.12:60656/tcp -> 5.6.7.8:22/tcp (uid Y2cqjuiTHdl)
Heuristically detected successful SSH login.
# 9.10.11.12 = remotedomain.com 5.6.7.8 = mydomain.com

How can I tell bro that it is ok for this IP to ssh in so it doesn't have to
email me about it all the time? All I can see to do so far is to hard code the
ssh client's IP address into /opt/bro/share/bro/base/protocols/ssh/main.bro as
an exception. I bet there's a better way...

--
Tracy Reed

Doug Burks

Apr 27, 2013, 7:20:41 AM4/27/13
to securit...@googlegroups.com
Have you updated snort.conf with the proper $HOME_NET and $HTTP_SERVERS variables?

Thanks,
Doug

Tracy Reed

May 2, 2013, 3:08:58 AM5/2/13
to securit...@googlegroups.com
I have since resolved all of these issues. It seems there were a few things I
needed to do:

1. I hadn't set the variables you mention below. That helped a lot.

2. The default rules that Snort comes with don't seem to detect sql injection
but once I got an oink code and added emerging threats I now seem to have a
reasonably comprehensive rule set.

I'm now getting plenty of alerts. Too many! I have spent the past few days
disabling and suppressing rules to reduce noise.

The next major issue I was having was that despite having put the sid in
thresholds.conf to suppress or, failing that, putting it in disablesids.conf to
completely disable, various rules were still active and alerting like crazy!
It took me a couple of days of working on this problem before I eventually
realized that Snorby was telling me the sid for "BAD-TRAFFIC potential dns
cache poisoning attempt - mismatched txid" is Generator ID 1 and rule 21355. So
I was putting 1:21355 in disablesid.conf and scratching my head as to why I was
still getting alerts. Today I happened to grep for 21355 in
/etc/nsm/rules/so_rules.rules and happened to notice that the correct generator
id is 3! I put 3:21355 in disablesid.conf and the alerts went away. This seems
like a bug in Snorby but I'm not confident enough to declare it as such as I am
still relatively new to Snorby.

I had one other issue with Snorby, which was that some time after I had enabled
geoip, Snorby broke:

Started GET "/events" for 10.0.2.2 at 2013-04-28 09:55:01 +0000
Processing by EventsController#index as HTML
Rendered events/_menu.html.erb (10.0ms)
Rendered events/_menu.html.erb (3.2ms)
Rendered events/_event.html.erb (23.6ms)
Rendered events/_events.html.erb (46.2ms)
Rendered events/index.html.erb within layouts/application (66.3ms)
Completed 500 Internal Server Error in 78ms

ActionView::Template::Error (undefined method `downcase' for nil:NilClass):
25:
26: <% geoip_src = event.ip.geoip[:source] %>
27:
28: <div class='click country_flag add_tipsy_html' original-title='<img class="flag" src="/images/flags/<%= geoip_src[:country_code2].downcase %>.png"> <%= geoip_src[:country_name] %>'><%= geoip_src[:country_code2] %></div>
29:
30: <% end %>
31: <%= event.ip.present? ? event.ip.ip_src : 'N/A' %>
app/views/events/_event.html.erb:28:in `_app_views_events__event_html_erb___534399210180070280_40615560'
app/views/events/_events.html.erb:53:in `block in _app_views_events__events_html_erb__98547838497685700_40485340'
app/views/events/_events.html.erb:3:in `_app_views_events__events_html_erb__98547838497685700_40485340'
app/views/events/index.html.erb:14:in `_app_views_events_index_html_erb__3181455894762037582_40277380'
app/controllers/events_controller.rb:14:in `block (2 levels) in index'
app/controllers/events_controller.rb:13:in `index'

But this only happened when viewing the first page of events. If I manipulated
the url to go to the second page it rendered fine. I went to the admin page and
turned off geoip and the first page worked also. I suspect the geoip lookup for
some IP returned something Snorby didn't like.

As of this evening I have finally eliminated the major false positives bringing
us to an acceptable noise level and classified all of the alerts and in the
process found someone looking for SQL injections and someone brute forcing the
IMAP server!

Thanks for the help!


--
Tracy Reed
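Two questions in this thread come down to reading the rule files correctly: which of the grepped sqlmap rules are actually enabled (a leading `#` means pulledpork disabled it), and which gid:sid pair disablesid.conf needs (the so_rules entry is gid 3, so `3:21355`, not `1:21355`). The script below is an added example, not code from Security Onion or pulledpork; the rule text in it is constructed (the sqlmap lines are modelled on the grep output above, the gid:3 line is a stand-in and not the real so_rules text), and the helper names are my own.

```python
"""Parse Snort rule lines to report enabled/disabled state and the
gid:sid string pulledpork's disablesid.conf expects.
Added example; SAMPLE_RULES is constructed, not copied from a real ruleset."""
import re
from dataclasses import dataclass
from typing import Iterator, List

# action, proto, src, sport, direction, dst, dport, then "(options)"
RULE_RE = re.compile(
    r"^\s*(?P<disabled>#\s*)?(?P<action>alert|log|pass|drop|reject|sdrop)\s+"
    r"(?P<proto>\S+)\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s*\((?P<opts>.*)\)\s*$",
    re.IGNORECASE,
)
# "keyword:value;" pairs; flag-only options such as http_header; are skipped
OPT_RE = re.compile(r"(\w+)\s*:\s*([^;]*);")


@dataclass
class Rule:
    gid: int
    sid: int
    rev: int
    msg: str
    enabled: bool

    def disablesid_entry(self) -> str:
        # pulledpork keys on gid:sid; a shared-object rule with gid 3 must be
        # written "3:21355" (writing "1:21355" leaves it active, as in the thread).
        return f"{self.gid}:{self.sid}"


def parse_rules(text: str) -> Iterator[Rule]:
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # blank lines, plain comments, pulledpork headers
        opts = {k: v.strip().strip('"') for k, v in OPT_RE.findall(m.group("opts"))}
        if "sid" not in opts:
            continue
        yield Rule(
            gid=int(opts.get("gid", 1)),  # Snort's default generator id is 1
            sid=int(opts["sid"]),
            rev=int(opts.get("rev", 0)),
            msg=opts.get("msg", ""),
            enabled=m.group("disabled") is None,
        )


def find_rules(text: str, keyword: str) -> List[Rule]:
    """Rules whose msg mentions keyword, like the thread's grep -i sqlmap, with state."""
    return [r for r in parse_rules(text) if keyword.lower() in r.msg.lower()]


def disablesid_line(text: str, sid: int) -> str:
    """The gid:sid entry to put in disablesid.conf for a given sid."""
    for r in parse_rules(text):
        if r.sid == sid:
            return r.disablesid_entry()
    raise KeyError(f"sid {sid} not found in rule text")


# Constructed sample: two sqlmap rules as grepped from downloaded.rules (one
# commented out) plus a stand-in gid:3 shared-object stub for sid 21355.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Sqlmap SQL Injection Scan"; flow:to_server,established; content:"User-Agent|3a| sqlmap"; fast_pattern:only; http_header; detection_filter:track by_dst, count 4, seconds 20; classtype:attempted-recon; sid:2008538; rev:8;)
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Possible SQLMAP Scan"; flow:established,to_server; content:" AND "; http_uri; pcre:"/\x20AND\x20[0-9]{6}\x3D[0-9]{4}/U"; classtype:attempted-recon; sid:2012755; rev:3;)
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"BAD-TRAFFIC potential dns cache poisoning attempt - mismatched txid"; metadata:engine shared, soid 3|21355; classtype:bad-unknown; gid:3; sid:21355; rev:1;)
'''

if __name__ == "__main__":
    for r in find_rules(SAMPLE_RULES, "sqlmap"):
        print(f"{r.disablesid_entry():>12}  enabled={r.enabled}  {r.msg}")
    print("disablesid.conf entry for 21355:", disablesid_line(SAMPLE_RULES, 21355))
```

Run it against /etc/nsm/rules/downloaded.rules and so_rules.rules (read the files into `text`) to list every rule matching a keyword with its real gid before editing disablesid.conf.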