Nessus Scanner Crashes Logstash Syslog Inputs


#1

Hi everyone,

I'm not sure where/how to file a bug report - but we have a Nessus scanner running on our network that sends garbage to tcp/udp ports it discovers to find exploits.

When this happens, it kills the Logstash listeners with no real descriptive error:

{:timestamp=>"2016-02-08T05:05:07.472000-0700", :message=>"syslog listener died", :protocol=>:udp, :address=>"XXX.XXX.XXX.XXX:514", :exception=>#<SocketError: recvfrom: name or service not known>, :backtrace=>["C:/logstash-2.1.1/vendor/bundle/jruby/1.9/gems/logstash-input-syslog-2.0.2/lib/logstash/inputs/syslog.rb:138:in `udp_listener'", "C:/logstash-2.1.1/vendor/bundle/jruby/1.9/gems/logstash-input-syslog-2.0.2/lib/logstash/inputs/syslog.rb:117:in `server'", "C:/logstash-2.1.1/vendor/bundle/jruby/1.9/gems/logstash-input-syslog-2.0.2/lib/logstash/inputs/syslog.rb:97:in `run'"], :level=>:warn}
{:timestamp=>"2016-02-08T05:05:07.472000-0700", :message=>"syslog listener died", :protocol=>:udp, :address=>"XXX.XXX.XXX.XXX:515", :exception=>#<SocketError: recvfrom: name or service not known>, :backtrace=>["C:/logstash-2.1.1/vendor/bundle/jruby/1.9/gems/logstash-input-syslog-2.0.2/lib/logstash/inputs/syslog.rb:138:in `udp_listener'", "C:/logstash-2.1.1/vendor/bundle/jruby/1.9/gems/logstash-input-syslog-2.0.2/lib/logstash/inputs/syslog.rb:117:in `server'", "C:/logstash-2.1.1/vendor/bundle/jruby/1.9/gems/logstash-input-syslog-2.0.2/lib/logstash/inputs/syslog.rb:97:in `run'"], :level=>:warn}

I managed to grab a couple of strings that Nessus is sending to the sockets, and it looks like it's sending Unicode chars in an attempt to run arbitrary code. I don't believe that these particular strings are what's killing the listeners; they are only examples of the types of garbage that Nessus is writing to the sockets. I would be happy to help track this down, if I can get some guidance on figuring out exactly what is making the listeners die.

\u0002lp\n
\u0004\fTOB\n
\u0004nessus-1454933147 \n

Input config:

input {
	syslog {
		host => "XXX.XXX.XXX.XXX"
		codec => plain { charset => "CP1252" }
		port => 514
		type => "syslog1"
	}

	syslog {
		host => "XXX.XXX.XXX.XXX"
		port => 515
		type => "syslog2"
	}
}
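
An added illustration (not code from this post or from the logstash-input-syslog plugin) of the failure mode the backtrace shows: a receive loop in which the exception from a single datagram escapes and takes the whole listener down, beside a loop that rescues per datagram and keeps serving the other senders. The socket is a constructed stand-in that raises the same SocketError once; the thread does not establish which packet triggers the real error, so that is an assumption here.

```ruby
require 'socket'

# Constructed stand-in for a UDPSocket: hands out a fixed queue of datagrams
# and raises SocketError for one of them, mimicking the "recvfrom: name or
# service not known" failure in the log above (assumption: one datagram trips it).
class FakeUdpSocket
  def initialize(datagrams)
    @datagrams = datagrams.dup
  end

  def recvfrom(_maxlen)
    raise EOFError, 'no more datagrams' if @datagrams.empty?
    item = @datagrams.shift
    raise SocketError, 'recvfrom: name or service not known' if item == :poison
    [item, ['AF_INET', 514, '127.0.0.1', '127.0.0.1']]
  end
end

# Fragile loop, shaped like the udp_listener in the backtrace: the first
# exception escapes the loop and the listener is gone for every sender.
def fragile_listener(sock, handled)
  loop do
    payload, client = sock.recvfrom(9000)
    handled << [client[3], payload]
  end
rescue EOFError
  handled
end

# Resilient loop: a failure on one datagram is recorded and that datagram is
# dropped; the socket keeps serving everything that follows.
def resilient_listener(sock, handled, errors)
  loop do
    begin
      payload, client = sock.recvfrom(9000)
      handled << [client[3], payload]
    rescue SocketError => e
      errors << e.message # log and drop this datagram, keep the listener alive
    end
  end
rescue EOFError
  handled
end

# Constructed sample traffic: a normal syslog line, the poison datagram, one of
# the scanner strings quoted above, and another normal line that should survive.
SAMPLE = ["<34>Feb  8 05:05:07 host app: ok\n", :poison,
          "\u0004nessus-1454933147 \n", "<13>Feb  8 05:05:08 host app: still here\n"]
```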

(Magnus Bäck) #2

There have been a number of similar reports (e.g. the issue below) and I don't think what you see has much to do with the payload that Nessus sends. The Logstash team should try to get to the bottom of this.
