[Snort-devel] snort 2.0.0: using snort for analysis of binary logs

m.stiefenhofer at ...2049...
Tue Jul 8 01:36:22 EDT 2003


For quite a long time we have been using snort in "dual mode": database and
binary log. The databases are used for ACID, the binary logs for report
generation and further analysis.
After upgrading to version 2.0.0 some problems appeared when using snort for
later analysis of the binary logs. A lot of alerts can't be reproduced.


Here's a randomly picked example:

ACID states something like this:

WEB-IIS view source via translate header  2003-07-08 09:54:43  217.110.173.99:31615  194.55.223.52:80  TCP
WEB-IIS view source via translate header  2003-07-08 09:55:08  217.110.173.99:31622  194.55.223.52:80  TCP
WEB-IIS view source via translate header  2003-07-08 09:55:08  217.110.173.99:31623  194.55.223.52:80  TCP
WEB-IIS view source via translate header  2003-07-08 09:55:08  217.110.173.99:31624  194.55.223.52:80  TCP
WEB-IIS view source via translate header  2003-07-08 09:55:09  217.110.173.99:31625  194.55.223.52:80  TCP
WEB-IIS view source via translate header  2003-07-08 09:55:09  217.110.173.99:31626  194.55.223.52:80  TCP
WEB-IIS view source via translate header  2003-07-08 09:57:01  217.110.173.99:31645  194.55.223.52:80  TCP
WEB-IIS view source via translate header  2003-07-08 09:57:01  217.110.173.99:31646  194.55.223.52:80  TCP
WEB-IIS view source via translate header  2003-07-08 09:57:26  217.110.173.99:31651  194.55.223.52:80  TCP
WEB-IIS view source via translate header  2003-07-08 09:57:26  217.110.173.99:31652  194.55.223.52:80  TCP
WEB-IIS view source via translate header  2003-07-08 09:57:26  217.110.173.99:31653  194.55.223.52:80  TCP
WEB-IIS view source via translate header  2003-07-08 09:57:27  217.110.173.99:31654  194.55.223.52:80  TCP
WEB-IIS view source via translate header  2003-07-08 09:57:27  217.110.173.99:31655  194.55.223.52:80  TCP
WEB-IIS view source via translate header  2003-07-08 09:58:34  217.110.173.99:31690  194.55.223.52:80  TCP


A tcpdump (tcpdump -p -n -r /var/log/snort/alert.bin.1057650642 "host 217.110.173.99 and tcp") on the corresponding binary log gives the same results:

09:54:43.272328 217.110.173.99.31615 > 194.55.223.52.80: P 3173628467:3173628685(218) ack 937901112 win 16560 (DF)
09:55:08.352328 217.110.173.99.31622 > 194.55.223.52.80: P 3180468849:3180469040(191) ack 2155756853 win 16560 (DF)
09:55:08.662328 217.110.173.99.31623 > 194.55.223.52.80: P 3180598675:3180598890(215) ack 360099789 win 16560 (DF)
09:55:08.832328 217.110.173.99.31624 > 194.55.223.52.80: P 3180751512:3180751730(218) ack 2286125009 win 16560 (DF)
09:55:09.162328 217.110.173.99.31625 > 194.55.223.52.80: P 3180941074:3180941289(215) ack 897825796 win 16560 (DF)
09:55:09.302328 217.110.173.99.31626 > 194.55.223.52.80: P 3181047216:3181047434(218) ack 608445515 win 16560 (DF)
09:57:01.402328 217.110.173.99.31645 > 194.55.223.52.80: P 3209867526:3209867741(215) ack 2235955609 win 16560 (DF)
09:57:01.522328 217.110.173.99.31646 > 194.55.223.52.80: P 3210002309:3210002527(218) ack 2083096703 win 16560 (DF)
09:57:26.522328 217.110.173.99.31651 > 194.55.223.52.80: P 3216503167:3216503358(191) ack 1298843283 win 16560 (DF)
09:57:26.752328 217.110.173.99.31652 > 194.55.223.52.80: P 3216623679:3216623894(215) ack 1845644974 win 16560 (DF)
09:57:26.872328 217.110.173.99.31653 > 194.55.223.52.80: P 3216764642:3216764860(218) ack 1273797315 win 16560 (DF)
09:57:27.162328 217.110.173.99.31654 > 194.55.223.52.80: P 3216952878:3216953093(215) ack 1359635438 win 16560 (DF)
09:57:27.282328 217.110.173.99.31655 > 194.55.223.52.80: P 3217081075:3217081293(218) ack 2149486595 win 16560 (DF)
09:58:34.942328 217.110.173.99.31690 > 194.55.223.52.80: P 3234235303:3234235518(215) ack 730194862 win 16560 (DF)


Now I'm using snort to analyze the binary log:

snort -p -r /var/log/snort/alert.bin.1057650642 -c /etc/snort/aris.conf -l /tmp/snort/

aris.conf has only one difference from my database.conf: there is no
database output configured:

hermes:/tmp/snort/217.110.173.99 # diff /etc/snort/aris.conf /etc/snort/snort.conf
387c387
< #output database: alert, mysql, user=snort password=kermshur 
dbname=snort host=localhost
---
> output database: alert, mysql, user=snort password=kermshur dbname=snort 
host=localhost
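Review bot: the MySQL credential for the snort account is visible in clear text on both the `<` and `>` lines of this hunk (`password=kermshur`); treat it as disclosed, rotate it in the database grant and in both config files, and redact credentials before posting config diffs to a public list. The hunk also compares aris.conf against /etc/snort/snort.conf, while the sentence introducing it names database.conf as the other file; confirm that the diff was taken against the config the database run actually used, since a single-line diff against the wrong file says nothing about which rules and preprocessors the replay loaded.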



But all the TCP alerts for 217.110.173.99 are missing; there are only ICMP
alerts:

hermes:/tmp/snort/217.110.173.99 # ls
.  ..  ICMP_ECHO


What am I doing wrong? 


Bye
Marek
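One thing worth checking before digging into the config is what the binary alert log actually contains: every TCP packet in the tcpdump output above is a lone PSH/ACK, and a log that holds only the alerting packets gives a stateful preprocessor such as stream4 no handshake or reverse-direction traffic to build session state from, so rules that depend on an established session cannot fire on replay (an assumption about the cause; the thread does not confirm it). The script below is an added example, not part of the original post or of Snort: it parses a classic pcap with only the standard library and lists the TCP flows on which no SYN was ever seen. The sample pcap is constructed in memory and mirrors two of the flows above plus one complete handshake for contrast.

```python
import struct
from collections import defaultdict

# Classic little-endian pcap global header, link type 1 (Ethernet), snaplen 65535.
PCAP_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)

def frame(src, sport, dst, dport, flags):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed test data, checksums left zero)."""
    ip_b = lambda a: bytes(int(o) for o in a.split("."))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 16560, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, ip_b(src), ip_b(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def pcap(frames):
    """Wrap frames in pcap record headers (timestamps zeroed; only flags matter here)."""
    return PCAP_HDR + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

def parse_records(data):
    """Yield the raw frame of each record from a classic pcap in either byte order."""
    end = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24
    while off + 16 <= len(data):
        caplen = struct.unpack(end + "IIII", data[off:off + 16])[2]
        yield data[off + 16:off + 16 + caplen]
        off += 16 + caplen

def tcp_flags_per_flow(data):
    """Map each bidirectional TCP 4-tuple to the set of TCP flag bytes seen on it."""
    flows = defaultdict(set)
    for fr in parse_records(data):
        if fr[12:14] != b"\x08\x00":          # IPv4 frames only
            continue
        ip = fr[14:]
        if ip[9] != 6:                        # TCP only
            continue
        tcp = ip[(ip[0] & 0x0F) * 4:]         # skip IP header incl. options
        sport, dport = struct.unpack("!HH", tcp[:4])
        a = (".".join(map(str, ip[12:16])), sport)
        b = (".".join(map(str, ip[16:20])), dport)
        flows[tuple(sorted((a, b)))].add(tcp[13])
    return flows

def flows_without_handshake(data):
    """Flows on which no packet carried SYN: a session tracker replaying this file never sees them open."""
    return sorted(k for k, fl in tcp_flags_per_flow(data).items() if not any(f & 0x02 for f in fl))

# Constructed sample: two alert-only PSH/ACK packets like the tcpdump lines in the post,
# plus one flow (hypothetical client 10.0.0.1) whose SYN and SYN/ACK were captured.
SAMPLE = pcap([
    frame("217.110.173.99", 31615, "194.55.223.52", 80, 0x18),
    frame("217.110.173.99", 31622, "194.55.223.52", 80, 0x18),
    frame("10.0.0.1", 40000, "194.55.223.52", 80, 0x02),
    frame("194.55.223.52", 80, "10.0.0.1", 40000, 0x12),
    frame("10.0.0.1", 40000, "194.55.223.52", 80, 0x18),
])

if __name__ == "__main__":
    for flow in flows_without_handshake(SAMPLE):
        print("no handshake captured for", flow)
```

To run it against the real log, replace `SAMPLE` with `open("/var/log/snort/alert.bin.1057650642", "rb").read()`; if every flow for 217.110.173.99 is listed, the replay is missing session context rather than the rules themselves.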
