[Snort-devel] Unified2 logging bug in snort 2.9.4 (Build 40)

Bhagya Bantwal bbantwal at ...402...
Wed Mar 13 18:27:33 EDT 2013


Thank you for reporting this issue. We did recently fix an issue
similar to this. If you send us your pcap and conf, we can confirm
that it is the same issue.

On Wed, Mar 13, 2013 at 9:25 AM,  <elof at ...969...> wrote:
> Hi!
>
> I found a bug in my snort (Version 2.9.4 GRE (Build 40)) and wonder if you
> need more data about it, or if it is already reported or being fixed.
>
> I don't want to waste lots of hours creating a bug report for something that
> is already known... :-)
>
>
>
> Issue:
> snort doesn't always log the event packet data to unified2, only the event
> itself.
>
>
> Example:
> snort.conf:output unified2: filename snort.unified2
> snort.conf:output alert_fast: snort.alert
>
> Snort logs all events to both snort.alert (ascii) and to unified2.
>
>
> * I start snort (no logfiles exists prior to this)
> * 9 events are triggered
> * I terminate snort
>
> snort.alert shows these 9 lines:
> 1 03/12/13-18:29:02.090781  [**] [1:2008066:6]  <mon0> ET USER_AGENTS
> Suspicious Blank User-Agent (descriptor but no string) [**] [Classification:
> A Network Trojan was detected] [Priority: 1] {TCP} 10.100.3.139:57261 ->
> 10.23.16.22:80
> 2 03/12/13-18:30:05.160641  [**] [1:2008066:6]  <mon0> ET USER_AGENTS
> Suspicious Blank User-Agent (descriptor but no string) [**] [Classification:
> A Network Trojan was detected] [Priority: 1] {TCP} 212.188.183.73:56842 ->
> 193.189.143.34:80
> 3 03/12/13-18:30:05.160515  [**] [1:2008066:6]  <mon0> ET USER_AGENTS
> Suspicious Blank User-Agent (descriptor but no string) [**] [Classification:
> A Network Trojan was detected] [Priority: 1] {TCP} 10.100.3.139:57168 ->
> 193.189.143.34:80
> 4 03/12/13-18:31:05.167982  [**] [1:2008066:6]  <mon0> ET USER_AGENTS
> Suspicious Blank User-Agent (descriptor but no string) [**] [Classification:
> A Network Trojan was detected] [Priority: 1] {TCP} 212.188.183.73:56842 ->
> 193.189.143.34:80
> 5 03/12/13-18:31:05.167859  [**] [1:2008066:6]  <mon0> ET USER_AGENTS
> Suspicious Blank User-Agent (descriptor but no string) [**] [Classification:
> A Network Trojan was detected] [Priority: 1] {TCP} 10.100.3.139:57168 ->
> 193.189.143.34:80
> 6 03/12/13-18:32:05.176776  [**] [1:2008066:6]  <mon0> ET USER_AGENTS
> Suspicious Blank User-Agent (descriptor but no string) [**] [Classification:
> A Network Trojan was detected] [Priority: 1] {TCP} 212.188.183.73:56842 ->
> 193.189.143.34:80
> 7 03/12/13-18:32:05.176652  [**] [1:2008066:6]  <mon0> ET USER_AGENTS
> Suspicious Blank User-Agent (descriptor but no string) [**] [Classification:
> A Network Trojan was detected] [Priority: 1] {TCP} 10.100.3.139:57168 ->
> 193.189.143.34:80
> 8 03/12/13-18:35:05.226355  [**] [1:2008066:6]  <mon0> ET USER_AGENTS
> Suspicious Blank User-Agent (descriptor but no string) [**] [Classification:
> A Network Trojan was detected] [Priority: 1] {TCP} 212.188.183.73:60351 ->
> 193.189.143.34:80
> 9 03/12/13-18:35:05.226230  [**] [1:2008066:6]  <mon0> ET USER_AGENTS
> Suspicious Blank User-Agent (descriptor but no string) [**] [Classification:
> A Network Trojan was detected] [Priority: 1] {TCP} 10.100.3.139:57388 ->
> 193.189.143.34:80
>
>
> 'u2spewfoo snort.unified2.1363109305' shows this in the unified2 file:
> (Event)
>         sensor id: 0    event id: 1     event second: 1363109342 event
> microsecond: 90781
>         sig id: 2008066 gen id: 1       revision: 6      classification: 21
>         priority: 1     ip source: 10.100.3.139 ip destination: 10.23.16.22
>         src port: 57261 dest port: 80   protocol: 6     impact_flag: 0
> blocked: 0
>
> Packet
>         sensor id: 0    event id: 1     event second: 1363109342
>         packet second: 1363109342       packet microsecond: 90781
>         linktype: 1     packet_length: 415
> [    0] 00 00 5E 00 01 10 3C D9 2B 6A 5D 60 08 00 45 00  ..^...<.+j]`..E.
> [   16] 01 91 18 7C 40 00 80 06 B8 CF 0A 64 03 8B 0A 17  ...|@......d....
> [   32] 10 16 DF AD 00 50 91 5B 61 9C D4 A9 E5 7A 50 18  .....P.[a....zP.
> [   48] 01 04 08 2D 00 00 47 45 54 20 2F 67 6F 2F 68 6F  ...-..GET /go/ho
> [   64] 6D 65 20 48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73  me HTTP/1.1..Hos
> ...snip...
>
> (Event)
>         sensor id: 0    event id: 2     event second: 1363109405 event
> microsecond: 160641
>         sig id: 2008066 gen id: 1       revision: 6      classification: 21
>         priority: 1     ip source: 212.188.183.73       ip destination:
> 193.189.143.34
>         src port: 56842 dest port: 80   protocol: 6     impact_flag: 0
> blocked: 0
>
> (Event)
>         sensor id: 0    event id: 3     event second: 1363109405 event
> microsecond: 160515
>         sig id: 2008066 gen id: 1       revision: 6      classification: 21
>         priority: 1     ip source: 10.100.3.139 ip destination:
> 193.189.143.34
>         src port: 57168 dest port: 80   protocol: 6     impact_flag: 0
> blocked: 0
>
> (Event)
>         sensor id: 0    event id: 4     event second: 1363109465 event
> microsecond: 167982
>         sig id: 2008066 gen id: 1       revision: 6      classification: 21
>         priority: 1     ip source: 212.188.183.73       ip destination:
> 193.189.143.34
>         src port: 56842 dest port: 80   protocol: 6     impact_flag: 0
> blocked: 0
>
> (Event)
>         sensor id: 0    event id: 5     event second: 1363109465 event
> microsecond: 167859
>         sig id: 2008066 gen id: 1       revision: 6      classification: 21
>         priority: 1     ip source: 10.100.3.139 ip destination:
> 193.189.143.34
>         src port: 57168 dest port: 80   protocol: 6     impact_flag: 0
> blocked: 0
>
> (Event)
>         sensor id: 0    event id: 6     event second: 1363109525 event
> microsecond: 176776
>         sig id: 2008066 gen id: 1       revision: 6      classification: 21
>         priority: 1     ip source: 212.188.183.73       ip destination:
> 193.189.143.34
>         src port: 56842 dest port: 80   protocol: 6     impact_flag: 0
> blocked: 0
>
> (Event)
>         sensor id: 0    event id: 7     event second: 1363109525 event
> microsecond: 176652
>         sig id: 2008066 gen id: 1       revision: 6      classification: 21
>         priority: 1     ip source: 10.100.3.139 ip destination:
> 193.189.143.34
>         src port: 57168 dest port: 80   protocol: 6     impact_flag: 0
> blocked: 0
>
> (Event)
>         sensor id: 0    event id: 8     event second: 1363109705 event
> microsecond: 226355
>         sig id: 2008066 gen id: 1       revision: 6      classification: 21
>         priority: 1     ip source: 212.188.183.73       ip destination:
> 193.189.143.34
>         src port: 60351 dest port: 80   protocol: 6     impact_flag: 0
> blocked: 0
>
> Packet
>         sensor id: 0    event id: 8     event second: 1363109705
>         packet second: 1363109705       packet microsecond: 226355
>         linktype: 1     packet_length: 1066
> [    0] 00 00 0C 07 AC 01 90 E2 BA 1A 4B 98 08 00 45 00  ..........K...E.
> [   16] 04 1C 26 5B 40 00 7F 06 F4 9A D4 BC B7 49 C1 BD  ..&[@........I..
> [   32] 8F 22 EB BF 00 50 36 9D 09 53 4E FC 08 31 50 18  ."...P6..SN..1P.
> [   48] 01 00 57 3E 00 00 50 4F 53 54 20 2F 61 70 69 2F  ..W>..POST /api/
> ...snip...
>
> (Event)
>         sensor id: 0    event id: 9     event second: 1363109705 event
> microsecond: 226230
>         sig id: 2008066 gen id: 1       revision: 6      classification: 21
>         priority: 1     ip source: 10.100.3.139 ip destination:
> 193.189.143.34
>         src port: 57388 dest port: 80   protocol: 6     impact_flag: 0
> blocked: 0
>
> Packet
>         sensor id: 0    event id: 9     event second: 1363109705
>         packet second: 1363109705       packet microsecond: 226230
>         linktype: 1     packet_length: 1066
> [    0] 00 00 5E 00 01 10 3C D9 2B 6A 5D 60 08 00 45 00  ..^...<.+j]`..E.
> [   16] 04 1C 26 5B 40 00 80 06 71 B2 0A 64 03 8B C1 BD  ..&[@...q..d....
> [   32] 8F 22 E0 2C 00 50 36 9D 09 53 4E FC 08 31 50 18  .".,.P6..SN..1P.
> [   48] 01 00 E0 E8 00 00 50 4F 53 54 20 2F 61 70 69 2F  ......POST /api/
> ...snip...
>
>
>
> Where did the packet data for events 2-7 go???
> In events 1, 8 and 9 the packet data is logged correctly but events 2-7 have
> no packet data logged even though it is the same signature that triggers.
> Strange!
>
>
>
>
> Having a snort that doesn't log security events properly is quite bad...
> A 'MAJOR' bug imho.
>
>
> Anyhow, this happens a few times every day, but not in such a manner that I
> can easily tcpdump the traffic and create a test-pcap.
>
> /Elof
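As an added example (not from the post or from the Snort project), a small Python checker that walks a unified2 file and lists IDS events with no Packet record, i.e. the condition Elof spotted by reading u2spewfoo output by eye. Record layouts follow Snort's Unified2_common.h; the SAMPLE bytes at the bottom are constructed to mirror the post and are not a real capture.

```python
import struct

# Record types from Snort's Unified2_common.h
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7         # Unified2IDSEvent_legacy, IPv4, 52-byte body
UNIFIED2_IDS_EVENT_VLAN = 104  # Unified2IDSEvent with MPLS/VLAN fields, 60-byte body

def iter_records(data):
    """Yield (type, body) per record: 8-byte big-endian (type, length) header, then body."""
    off = 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack_from("!II", data, off)
        body = data[off + 8:off + 8 + rlen]
        if len(body) < rlen:  # file cut mid-record (crash, unclean rotation)
            raise ValueError("truncated record at offset %d" % off)
        yield rtype, body
        off += 8 + rlen

def events_without_packets(data):
    """Return [(event_id, gid, sid), ...] for IDS events with no matching Packet record."""
    # A Packet record is tied to its event by the leading (sensor_id, event_id) pair,
    # the same correlation u2spewfoo prints and the post checks by hand.
    events, seen_packets = {}, set()
    for rtype, body in iter_records(data):
        if rtype in (UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_VLAN):
            sensor, eid, _sec, _usec, sid, gid = struct.unpack_from("!6I", body)
            events[(sensor, eid)] = (gid, sid)
        elif rtype == UNIFIED2_PACKET:
            seen_packets.add(struct.unpack_from("!II", body))
    return [(eid, gid, sid) for (sensor, eid), (gid, sid) in sorted(events.items())
            if (sensor, eid) not in seen_packets]

# --- constructed sample data mirroring the post; not a real capture ---
def _record(rtype, body):
    return struct.pack("!II", rtype, len(body)) + body

def _event(eid, sec, usec, sport):
    # Unified2IDSEvent_legacy: sensor_id, event_id, event_second, event_microsecond,
    # signature_id, generator_id, revision, classification, priority, ip_source,
    # ip_destination, sport, dport, protocol, impact_flag, impact, blocked
    return _record(UNIFIED2_IDS_EVENT, struct.pack("!11I2H4B", 0, eid, sec, usec, 2008066,
                   1, 6, 21, 1, 0x0A64038B, 0xC1BD8F22, sport, 80, 6, 0, 0, 0))

def _packet(eid, sec, usec, frame):
    # Unified2Packet: sensor_id, event_id, event_second, packet_second, packet_microsecond,
    # linktype (1 = Ethernet), packet_length, then the raw frame bytes
    return _record(UNIFIED2_PACKET, struct.pack("!7I", 0, eid, sec, sec, usec, 1, len(frame)) + frame)

SAMPLE = (_event(1, 1363109342, 90781, 57261) + _packet(1, 1363109342, 90781, b"GET /go/home")
          + _event(2, 1363109405, 160641, 56842) + _event(3, 1363109405, 160515, 57168)  # no Packet
          + _event(8, 1363109705, 226355, 60351) + _packet(8, 1363109705, 226355, b"POST /api/"))
```

Run `events_without_packets(open("snort.unified2.1363109305", "rb").read())` against a real spool file to get the list of event ids that shipped without their packet, which is a cheaper check than diffing u2spewfoo output.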
