Is snort getting data correctly?


Evan Krell

Sep 4, 2013, 11:38:12 PM9/4/13
to securit...@googlegroups.com
I was assigned the task of integrating a Splunk server on Security Onion in order to have all the logs available to Splunk, as well as make use of the robust SecOnion app for Splunk. Being rather familiar with Splunk, this was easy enough to set up. However, I am not very familiar with Snort, and am unsure if the data I am seeing is what I should be. As in, perhaps I failed to obtain the rules correctly.

I have been running a variety of nmap scans against the SecOnion machine, but the results are rather obtuse and tend to be the same regardless of what scan type I run, such as a basic syn scan, tcp scan, or Christmas scan.

Each time, Snort reports essentially the same thing:

ET POLICY Suspicious inbound to mySQL port 3306
ET SCAN Potential VNC scan 5900 - 5920
ET POLICY Suspicious inbound to postgreSQL port 5432
ET POLICY Suspicious inbound to Oracle SQL port 1521
ET SCAN Potential VNC scan 5800 - 5820
ET POLICY Suspicious inbound to MSSQL port 1433

I updated the rules with pulledpork using this command:
pulledpork.pl -c /etc/nsm/pulledpork/pulledpork.conf

Are my results typical? Or do I need to do something else to update the Snort rules?

Notes on the set-up:
Both the SecOnion and Kali (for nmap) VMs were set to host-only and in the same network during the scans.

Doug Burks

Sep 6, 2013, 10:45:40 PM9/6/13
to securit...@googlegroups.com
Hi Evan,

Replies inline.

On Wed, Sep 4, 2013 at 11:38 PM, Evan Krell <evana...@gmail.com> wrote:
> I was assigned the task of integrating a Splunk server on Security Onion in order to have all the logs available to Splunk, as well as make use of the robust SecOnion app for Splunk. Being rather familiar with Splunk, this was easy enough to set up. However, I am not very familiar with Snort, and am unsure if the data I am seeing is what I should be. As in, perhaps I failed to obtain the rules correctly.
>
> I have been running a variety of nmap scans against the SecOnion machine, but the results are rather obtuse and tend to be the same regardless of what scan type I run, such as a basic syn scan, tcp scan, or Christmas scan.
>
> Each time, Snort reports essentially the same thing:
>
> ET POLICY Suspicious inbound to mySQL port 3306
> ET SCAN Potential VNC scan 5900 - 5920
> ET POLICY Suspicious inbound to postgreSQL port 5432
> ET POLICY Suspicious inbound to Oracle SQL port 1521
> ET SCAN Potential VNC scan 5800 - 5820
> ET POLICY Suspicious inbound to MSSQL port 1433

What exactly are you expecting to see?

> I updated the rules with pulledpork using this command:
> pulledpork.pl -c /etc/nsm/pulledpork/pulledpork.conf

Did you restart services after doing this? We recommend running "sudo
rule-update" as it updates rules AND automatically restarts services
as necessary. Plus it's less typing!


--
Doug Burks
http://securityonion.blogspot.com
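As an added example (not from this thread or from the Security Onion project), a small parser for Snort's alert_fast output that tallies which signatures and destination ports fired. Running it over the real alert file after each scan type makes it easy to see whether the hits differ per scan or, as Evan describes, collapse to the same port-based ET POLICY/SCAN rules. The sample lines are constructed from the signatures listed above; the SIDs are placeholders in the local 1000000+ range, not the real ET rule SIDs.

```python
import re
from collections import Counter

# One line of Snort's alert_fast output; ports are optional so that
# alerts without "ip:port" (e.g. ICMP) still parse.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<pri>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+?)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+?)(?::(?P<dport>\d+))?$"
)

# Constructed sample alerts; SIDs are placeholders, not real ET SIDs.
SAMPLE_ALERTS = """\
09/04-23:38:12.101010  [**] [1:1000001:1] ET POLICY Suspicious inbound to mySQL port 3306 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.56.101:51234 -> 192.168.56.102:3306
09/04-23:38:12.101320  [**] [1:1000002:1] ET SCAN Potential VNC scan 5900 - 5920 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.56.101:51234 -> 192.168.56.102:5900
09/04-23:38:12.101800  [**] [1:1000003:1] ET POLICY Suspicious inbound to postgreSQL port 5432 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.56.101:51234 -> 192.168.56.102:5432
09/04-23:39:40.200100  [**] [1:1000001:1] ET POLICY Suspicious inbound to mySQL port 3306 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.56.101:51240 -> 192.168.56.102:3306
this line is not an alert and must be skipped, not crash the parser
"""

def parse_fast_alert(line):
    """Return a dict of the alert fields, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize(text):
    """Tally alerts by (sid, msg) and by (proto, dport); count unparsable lines."""
    by_sig, by_dport, skipped = Counter(), Counter(), 0
    for line in text.splitlines():
        rec = parse_fast_alert(line)
        if rec is None:
            skipped += 1 if line.strip() else 0  # blank lines are not errors
            continue
        by_sig[(rec["sid"], rec["msg"])] += 1
        by_dport[(rec["proto"], rec["dport"])] += 1
    return {"by_signature": by_sig, "by_dport": by_dport, "skipped": skipped}

if __name__ == "__main__":
    import sys
    # Pass a real alert_fast file as the first argument; otherwise use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ALERTS
    result = summarize(text)
    for (sid, msg), n in result["by_signature"].most_common():
        print(f"{n:5d}  sid={sid}  {msg}")
    print("unparsed lines:", result["skipped"])
```

If the per-signature tally is identical across SYN, connect and Xmas scans, the sensor is seeing the traffic but only the port-based rules are matching, which is the behaviour Evan reports.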