[Snort-users] snort is logging alerts but not capturing corresponding packets for some rules

Joel Esler jesler at ...1935...
Tue Apr 26 13:49:09 EDT 2011


-A cmg on the command line as the alert method.

On Tue, Apr 26, 2011 at 1:48 PM, Agustin Roca <agustin.roca at ...15205...> wrote:

> Nice explanation Joel. Which snort flag/option can I use to see the *Stream
> reassembled packet* info?
>
>
> 2011/4/26 Joel Esler <jesler at ...1935...>
>
>> Actually, Jason is right.  The alert is generated on the pseudo packet,
>> this is correct functionality, so I've closed the bug.
>>
>> So, James, using the pcap you gave me, I'll get rid of the IPs in the cut
>> and paste here, but I'll make BOLD the line that indicates that the alert is
>> actually on the pseudo packet, and not the individual packet.
>>
>> snort -c snort.conf -r missed.pcap -A cmg -q
>>
>> 04/26-10:37:43.307954  [**] [1:12280:3] WEB-CLIENT Microsoft Internet
>> Explorer VML source file memory corruption attempt [**] [Classification:
>> Attempted User Privilege Gain] [Priority: 1] {TCP} x.x.x.x:80 ->
>> x.x.x.x:31390
>> *Stream reassembled packet*
>>
>> Above, where it says "Stream reassembled packet" is your indication that
>> the alert was not in fact on one packet, but on the reassembly of the
>> packets.  We call this the pseudo packet.
>>
>> If you output from Snort in Unified format, you have access to these
>> packets.
>>
>> J
>>
>>
>>
>> On Tue, Apr 26, 2011 at 1:09 PM, Lay, James <james.lay at ...15009...> wrote:
>>
>>> Thanks for the response Jason…I ended up working with Joel on this and he
>>> has put in a bug fix.  Thanks again.
>>>
>>>
>>>
>>> James
>>>
>>>
>>>
>>> *From:* Jason Brvenik [mailto:jbrvenik at ...1935...]
>>> *Sent:* Monday, April 25, 2011 5:14 PM
>>> *To:* Lay, James; Kumar, Mahendra
>>> *Subject:* Re: [Snort-users] snort is logging alerts but not capturing
>>> corresponding packets for some rules
>>>
>>>
>>>
>>> I would suspect that the event fires on pseudo packets, reassembled or
>>> normalized traffic. Can you enable unified2 and see if it is also missing
>>> there.
>>>
>>> On Apr 25, 2011 6:58 PM, "Lay, James" <james.lay at ...15009...> wrote:
>>> >
>>> >
>>> > From: Kumar, Mahendra [mailto:mkumar at ...15250...]
>>> > Sent: Monday, April 25, 2011 3:50 PM
>>> > To: snort-users at lists.sourceforge.net
>>> > Subject: [Snort-users] snort is logging alerts but not capturing
>>> > corresponding packets for some rules
>>> >
>>> >
>>> >
>>> > Hi,
>>> >
>>> >
>>> >
>>> > I am using snort-2.9.0.5 with daq-0.5-9 and libpcap1-1.1.1-9 on Centos
>>> > 5.5 (x86_64). I am not using any other thing like unified2, base,
>>> > barnyard, mysql etc.
>>> >
>>> > My snort is working properly and I am getting alerts and packet
>>> captures
>>> > in snort.log in tcpdump format.
>>> >
>>> > But for some rules (e.g. SHELLCODE sid:1394) I get the alert logged but
>>> > there is no packet capture in snort.log and it is very consistent
>>> > behavior, i.e. I will never get packet captures for some of the rules
>>> > but will always get alert so it is not a packet drop problem. It seems
>>> > to be a config issue where the alert is logged but no packet captures.
>>> >
>>> > Please help me resolve this issue.
>>> >
>>> >
>>> >
>>> > Thanks,
>>> >
>>> > MK
>>> >
>>> > Welcome to my world...I've submitted this exact same item a few
>>> > times....seems to be a mystery. I have snort boxes in a few different
>>> > sites on a few different OS's....same thing though...I get the alert in
>>> > the .fast file, but certain things just do not log to the pcap. I've
>>> > had to work around this with full web traffic packet captures. The
>>> > machines aren't even close to maxing CPU or memory, but the problem
>>> > still persists. If anyone has some advice I'd love to hear it.
>>> >
>>> >
>>> >
>>> > James
>>> >
>>>
>>
>>
>>
>>
>
>
>
> --
> Agustin Roca
> Information Security Team
> agustin.roca at ...15205...
> work: 54+(011) 4109.1700 ext. 8098
> cel: 54+(011)15-5022-3042
>
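As an added example (not code from the thread or from the Snort project), here is a small Python parser for the `-A cmg` console output Joel shows above: it flags each alert whose following line reads `Stream reassembled packet`, so you can list which rules fired on the stream pseudo packet and therefore will have no raw packet in the tcpdump-format snort.log (only unified2 output carries those). The sample output, addresses, sids other than 12280 and 1394, and message texts are constructed, modelled on the quoted shape.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of `snort -A cmg` console output, shaped like the
# lines quoted in the thread; hosts and message texts are made up.
SAMPLE_CMG_OUTPUT = "\n".join([
    "04/26-10:37:43.307954  [**] [1:12280:3] WEB-CLIENT Microsoft Internet Explorer"
    " VML source file memory corruption attempt [**] [Classification: Attempted"
    " User Privilege Gain] [Priority: 1] {TCP} 192.0.2.10:80 -> 192.0.2.20:31390",
    "Stream reassembled packet",
    "",
    "04/26-10:37:44.101233  [**] [1:1394:1] SHELLCODE (constructed message) [**]"
    " [Classification: Executable code was detected] [Priority: 1] {TCP}"
    " 192.0.2.10:80 -> 192.0.2.20:31391",
    "Stream reassembled packet",
    "",
    "04/26-10:37:45.020000  [**] [1:999999:1] CONSTRUCTED single-packet alert [**]"
    " [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.30 -> 192.0.2.20",
    "0x0000: 45 00 00 54 00 00 40 00 40 01 00 00 c0 00 02 1e  E..T..@.@.......",
])

# One console-format alert line: timestamp, [gid:sid:rev], msg, class, prio, proto, src -> dst
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


def parse_cmg_alerts(text: str) -> List[Dict[str, object]]:
    """Parse alert lines; mark an alert as 'reassembled' when the next
    non-blank line is the 'Stream reassembled packet' marker."""
    alerts: List[Dict[str, object]] = []
    current: Optional[Dict[str, object]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ALERT_RE.match(line)
        if m:
            current = {
                "timestamp": m.group("ts"),
                "gid": int(m.group("gid")), "sid": int(m.group("sid")),
                "rev": int(m.group("rev")), "msg": m.group("msg"),
                "classification": m.group("cls"), "priority": int(m.group("prio")),
                "proto": m.group("proto"), "src": m.group("src"),
                "dst": m.group("dst"), "reassembled": False,
            }
            alerts.append(current)
        elif current is not None and line.startswith("Stream reassembled packet"):
            current["reassembled"] = True
            current = None  # marker only counts on the line right after the alert
        else:
            current = None  # packet dump or other output; not a pseudo packet
    return alerts


def reassembled_sids(text: str) -> List[int]:
    """Sids whose alerts fired on the pseudo packet (absent from snort.log)."""
    return sorted({int(a["sid"]) for a in parse_cmg_alerts(text) if a["reassembled"]})
```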