[Snort-devel] ruletype declaration breaks u2 output for log_uri/log_hostname (with testcase)

Martijn van Oosterhout kleptog at ...2499...
Wed Jun 11 12:01:24 EDT 2014


Hi,

I sent the following message to bugs at ...835... but got no response. I'm
posting it here in the hope it saves someone a few days trying to work out
why a documented feature doesn't work. I've done some tracing with gdb and
reading of the code but I can't for the life of me figure out how the mere
existence of an additional output plugin that is never used can change the
behaviour of the logging of extra data.

Perhaps someone here has some ideas?

Have a nice day,

---------- Forwarded message ----------

When analysing alerts on HTTP streams it is useful to have access to the
URI and hostname, so the log_uri and log_hostname options sounded really
nice. However, when I tried to get them working I couldn't. Eventually I
narrowed it down to the presence of the unified output inside a custom
ruletype declaration.

With the declaration there is no output in the u2 file. Commenting out the
declaration makes the extra data appear in the u2 file.

Snort version: 2.9.6.0, but appears to affect older versions as well
Rules: 1 test rule
Built from source, ./configure --enable-debug
Configuration is attached.
Platform: Ubuntu 14.04.

Basically, the snort.conf looks as follows:

---
ruletype alert_testing {
  type alert
#  output unified2: filename snort.testing.u2, limit 128
  output alert_fast: testing.fast_alert
}
include classification.config
include reference.config
include variables.config

alert tcp any any -> any any (msg:"WEB-MISC /~root access";
flow:to_server,established;  uricontent:"/~root"; nocase; metadata:service
http; classtype:attempted-recon; sid:22000049; rev:8;)
---
Variables.conf and pcap are attached. The classification.conf and
reference.conf are standard. Note that the ruletype is not actually used
anywhere, just it being there is enough.

Testing is as follows:

# /usr/local/bin/snort -c /tmp/conf2/snort.conf -l /tmp -k none -r /tmp/b.pcap

As is the rule matches and the /tmp/snort.u2.* file contains the following
using u2spewfoo
---
(ExtraDataHdr)
        event type: 4   event length: 39

(ExtraData)
        sensor id: 0    event id: 1     event second: 1401805955
        type: 9 datatype: 1     bloblength: 15  HTTP URI: /~root/

(ExtraDataHdr)
        event type: 4   event length: 44

(ExtraData)
        sensor id: 0    event id: 1     event second: 1401805955
        type: 10        datatype: 1     bloblength: 20  HTTP Hostname: slashdot.org
---

Uncomment the line in the ruletype declaration and the alert still fires
but without extra data.

Thanks in advance.

-- 
Martijn van Oosterhout <kleptog at ...2499...> http://svana.org/kleptog/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snort.conf
Type: application/octet-stream
Size: 406 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20140611/38796348/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: variables.config
Type: application/octet-stream
Size: 950 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20140611/38796348/attachment-0001.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: b.pcap
Type: application/force-download
Size: 52325 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20140611/38796348/attachment.bin>
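A small checker for the symptom described in the report, added here as an example and not code from Snort or from the poster: it walks a unified2 file, decodes the ExtraData records that log_uri/log_hostname should produce (record layout and the type values 9 and 10 taken from the u2spewfoo dump above; the record type constant 110 is assumed from Snort's Unified2_common.h), and returns an empty list when the extra data is missing. The sample file is constructed inline to match the dump.

```python
import struct
from io import BytesIO

UNIFIED2_EXTRA_DATA = 110      # record type, assumed from Snort's Unified2_common.h
EVENT_TYPE_EXTRA_DATA = 4      # "event type: 4" in the ExtraDataHdr shown in the dump
EXTRA_DATA_NAMES = {9: "HTTP URI", 10: "HTTP Hostname"}  # the two types in the dump

def build_extra_data_record(event_id, event_second, xtype, blob, sensor_id=0):
    """Constructed ExtraData record with the layout u2spewfoo prints:
    record header, ExtraDataHdr, SerialUnified2ExtraData, then the blob.
    blob_length counts the 8 bytes of type+data_type, so '/~root/' gives 15."""
    blob_length = 8 + len(blob)
    serial = struct.pack("!6I", sensor_id, event_id, event_second, xtype, 1, blob_length)
    event_length = 8 + len(serial) + len(blob)     # 39 for '/~root/', 44 for the hostname
    record_hdr = struct.pack("!2I", UNIFIED2_EXTRA_DATA, event_length)
    extra_hdr = struct.pack("!2I", EVENT_TYPE_EXTRA_DATA, event_length)
    return record_hdr + extra_hdr + serial + blob

def iter_records(stream):
    """Yield (type, body) for every unified2 record; stop cleanly at EOF."""
    while True:
        head = stream.read(8)
        if len(head) < 8:
            return
        rtype, rlen = struct.unpack("!2I", head)
        body = stream.read(rlen)
        if len(body) < rlen:
            raise ValueError("truncated unified2 record")
        yield rtype, body

def extra_data(data):
    """Return (event_id, name, value) for each ExtraData record in a u2 file or
    byte string; an empty list is exactly the symptom the report describes."""
    stream = BytesIO(data) if isinstance(data, bytes) else data
    found = []
    for rtype, body in iter_records(stream):
        if rtype != UNIFIED2_EXTRA_DATA:
            continue                                  # IDS event / packet records
        (_etype, _elen, _sensor, event_id, _sec,
         xtype, _dtype, blob_len) = struct.unpack("!8I", body[:32])
        blob = body[32:32 + blob_len - 8]             # strip type+data_type from the count
        found.append((event_id, EXTRA_DATA_NAMES.get(xtype, "type %d" % xtype),
                      blob.decode("utf-8", "replace")))
    return found

# Constructed sample: one non-extra record the parser skips, then the two
# ExtraData records from the dump (event id 1, second 1401805955).
SAMPLE_U2 = (struct.pack("!2I", 7, 12) + b"\x00" * 12
             + build_extra_data_record(1, 1401805955, 9, b"/~root/")
             + build_extra_data_record(1, 1401805955, 10, b"slashdot.org"))

if __name__ == "__main__":
    for event_id, name, value in extra_data(SAMPLE_U2):
        print("event %d  %s: %s" % (event_id, name, value))
```

Run it against a real /tmp/snort.u2.* file by passing the file object to extra_data(); a run with the ruletype block uncommented should come back empty while the rule still fires.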