Re: [security-onion] SPAN Port Issue


Doug Burks

Sep 11, 2012, 8:19:31 AM
to securit...@googlegroups.com
Hi Saeed,

Your sostat indicates that there were new Snorby events yesterday:
=========================================================================
Snorby Events Summary for yesterday
=========================================================================
Totals  SignatureID  SignatureName
23      2001329      ET POLICY RDP connection request
23      2001330      ET POLICY RDP connection confirm
11      2100373      GPL ICMP_INFO PING Flowpoint2200 or Network Management Software
11      2100368      GPL ICMP_INFO PING BSDtype
11      2100366      GPL ICMP_INFO PING *NIX
9       2009702      ET POLICY DNS Update From External net
4       2002911      ET SCAN Potential VNC Scan 5900-5920
4       2002910      ET SCAN Potential VNC Scan 5800-5820
3       2012709      ET POLICY MS Remote Desktop Administrator Login Request
2       1390         GPL SHELLCODE x86 inc ebx NOOP
1       2010937      ET POLICY Suspicious inbound to mySQL port 3306
1       2014384      ET DOS Microsoft Remote Desktop (RDP) Syn then Reset 30 Second DoS Attempt
1       2010938      ET POLICY Suspicious inbound to mSQL port 4333
1       2010939      ET POLICY Suspicious inbound to PostgreSQL port 5432
1       2101420      GPL SNMP trap tcp
1       2010936      ET POLICY Suspicious inbound to Oracle SQL port 1521
1       2010935      ET POLICY Suspicious inbound to MSSQL port 1433
Total   108

What do you see on the Snorby Events page?

Thanks,
Doug

On Tue, Sep 11, 2012 at 7:54 AM, Saeed khan <saee...@gmail.com> wrote:
> Hi,
>
> I am having an issue with the SPAN port as installed on VMware, and I can see the traffic on the "eth1" interface but can't see the traffic on Snorby.
>
> Kindly find the attached sostat.txt file.
>
> root@IDS:~# ifconfig
> eth0 Link encap:Ethernet HWaddr 00:0c:29:b6:3b:03
> inet addr:172.16.1.42 Bcast:172.16.1.255 Mask:255.255.255.0
> inet6 addr: fe80::20c:29ff:feb6:3b03/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:12586 errors:0 dropped:0 overruns:0 frame:0
> TX packets:3550 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:1846759 (1.8 MB) TX bytes:949356 (949.3 KB)
> Interrupt:19 Base address:0x2000
>
> eth1 Link encap:Ethernet HWaddr 00:0c:29:b6:3b:0d
> inet6 addr: fe80::20c:29ff:feb6:3b0d/64 Scope:Link
> UP BROADCAST RUNNING NOARP PROMISC MULTICAST MTU:1500 Metric:1
> RX packets:14012284 errors:1853 dropped:2258 overruns:0 frame:0
> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:2254924559 (2.2 GB) TX bytes:0 (0.0 B)
> Interrupt:19 Base address:0x2080
>
> lo Link encap:Local Loopback
> inet addr:127.0.0.1 Mask:255.0.0.0
> inet6 addr: ::1/128 Scope:Host
> UP LOOPBACK RUNNING MTU:16436 Metric:1
> RX packets:1657 errors:0 dropped:0 overruns:0 frame:0
> TX packets:1657 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:294057 (294.0 KB) TX bytes:294057 (294.0 KB)
>
> Kindly help me.
>
> Regards,
>
> Saeed
>
--
Doug Burks
http://securityonion.blogspot.com

Doug Burks

Sep 11, 2012, 8:54:01 AM
to securit...@googlegroups.com
So you're seeing events in Snorby, but not events for eth1? Looks
like when you ran Setup, you only chose to monitor eth0:
Status: securityonion
* sguil server                          [ OK ]
Status: IDS-eth0
* pcap_agent (sguil)                    [ OK ]
* sancp_agent (sguil)                   [ OK ]
* snort_agent (sguil)                   [ OK ]
* pads_agent (sguil)                    [ OK ]
* snort (alert data)                    [ OK ]
* barnyard2 (spooler, unified2 format)  [ OK ]
* sancp (session data)                  [ OK ]
* pads (asset info)                     [ OK ]
* daemonlogger (full packet data)       [ OK ]
* argus                                 [ OK ]
* http_agent (sguil)                    [ OK ]

The easiest solution would be to re-run Setup and choose the
interface(s) you want to monitor. Note that this overwrites any
existing data/configuration.

Hope that helps!

Thanks,
Doug

On Tue, Sep 11, 2012 at 8:44 AM, Saeed khan <saee...@gmail.com> wrote:
> Hi Doug,
>
> Once again thanks for the reply.
>
> The events are not from yesterday; there are events from this morning and now a few more events.
>
> Find the snapshot.
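The check Doug makes by eye above (an interface in PROMISC mode that is receiving packets but has no sensor section in sostat) can be scripted. This is an added shell example, not part of this thread or of Security Onion itself; the ifconfig and sostat text is a constructed sample modelled on the output quoted above, and the `Status: <host>-<iface>` naming of sensor sections is assumed from that output.

```shell
#!/bin/sh
# Constructed sample input, trimmed from the ifconfig output quoted in the thread.
IFCONFIG_SAMPLE='eth0 Link encap:Ethernet HWaddr 00:0c:29:b6:3b:03
inet addr:172.16.1.42 Bcast:172.16.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:12586 errors:0 dropped:0 overruns:0 frame:0

eth1 Link encap:Ethernet HWaddr 00:0c:29:b6:3b:0d
UP BROADCAST RUNNING NOARP PROMISC MULTICAST MTU:1500 Metric:1
RX packets:14012284 errors:1853 dropped:2258 overruns:0 frame:0

lo Link encap:Local Loopback
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1657 errors:0 dropped:0 overruns:0 frame:0'

# Constructed sample input, trimmed from the sostat status block quoted above.
SOSTAT_SAMPLE='Status: securityonion
* sguil server                          [ OK ]
Status: IDS-eth0
* snort_agent (sguil)                   [ OK ]'

# Interfaces in promiscuous mode that have received packets: the candidate
# SPAN/tap interfaces a sensor should be bound to.
promisc_ifaces() {
    printf '%s\n' "$1" | awk '
        /^[a-z0-9]+ +Link encap/ { iface = $1; promisc = 0 }
        /PROMISC/                { promisc = 1 }
        /RX packets:/            { split($2, a, ":"); rx = a[2] + 0
                                   if (promisc && rx > 0) print iface }'
}

# Interfaces that sostat shows a sensor for (assumed "Status: <host>-<iface>" form).
monitored_ifaces() {
    printf '%s\n' "$1" | awk -F'-' '/^Status: .*-/ { print $NF }'
}

# Promiscuous interfaces with traffic that no sensor is bound to.
unmonitored_ifaces() {
    for i in $(promisc_ifaces "$1"); do
        monitored_ifaces "$2" | grep -qx "$i" || echo "$i"
    done
}

unmonitored_ifaces "$IFCONFIG_SAMPLE" "$SOSTAT_SAMPLE"   # prints: eth1
```

On a live sensor, feed it `ifconfig` and `sostat` output instead of the samples; an interface it reports is one Setup was not told to monitor.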