[Snort-users] snort is logging alerts but not capturing corresponding packets for some rules

Joel Esler jesler at ...1935...
Tue Apr 26 19:07:21 EDT 2011


What you should do is output to unified, then use barnyard or something to
output to tcpdump format.

Joel
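Joel's answer above (write unified2, then let barnyard2 turn it into tcpdump format) and the "Stream reassembled packet" explanation quoted further down are easy to check directly against the unified2 spool. The following is an added example written for this page, not Snort or barnyard2 code. It parses unified2 records using the layouts in the Snort 2.9 manual (8-byte record header of type and length; type 7 = legacy IDS event, 52 bytes; type 104 = IDS event with VLAN/MPLS fields, 60 bytes; type 2 = packet, 28-byte header followed by the packet bytes), pairs each event with the packet record that shares its sensor and event ids, lists events that genuinely carry no packet, and re-emits the packets as a pcap byte string the way barnyard2's log_tcpdump output would. The spool is built in memory; the "pseudo packet" bytes, addresses, ports and timestamps are constructed stand-ins.

```python
"""Pair Snort unified2 IDS events with their packet records and re-emit them as pcap.

Added example, not Snort or barnyard2 code. Struct layouts follow the unified2
format in the Snort 2.9 manual; the sample spool at the bottom is constructed.
"""
import socket
import struct
from collections import defaultdict

UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
UNIFIED2_IDS_EVENT_VLAN = 104

RECORD_HDR = struct.Struct("!II")                    # type, length (length excludes header)
EVENT_LEGACY = struct.Struct("!IIIIIIIIIIIHHBBBB")    # Serial_Unified2IDSEvent_legacy, 52 bytes
EVENT_VLAN = struct.Struct("!IIIIIIIIIIIHHBBBBIHH")   # ... + mpls_label, vlan_id, pad = 60 bytes
PACKET_HDR = struct.Struct("!IIIIIII")               # sensor, event_id, event_sec, pkt_sec, pkt_usec, linktype, len


def ipv4(n):
    return socket.inet_ntoa(struct.pack("!I", n))


def parse_unified2(data):
    """Yield (record_type, dict) for every record in a unified2 byte string."""
    off = 0
    while off + RECORD_HDR.size <= len(data):
        rtype, rlen = RECORD_HDR.unpack_from(data, off)
        off += RECORD_HDR.size
        body = data[off:off + rlen]
        if len(body) < rlen:  # spool cut mid-record (e.g. read while Snort is still writing)
            raise ValueError("truncated record at offset %d" % (off - RECORD_HDR.size))
        off += rlen
        if rtype in (UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_VLAN):
            f = (EVENT_LEGACY if rtype == UNIFIED2_IDS_EVENT else EVENT_VLAN).unpack_from(body)
            yield rtype, {"sensor_id": f[0], "event_id": f[1], "event_second": f[2],
                          "sid": f[4], "gid": f[5], "rev": f[6], "src": ipv4(f[9]),
                          "dst": ipv4(f[10]), "sport": f[11], "dport": f[12], "proto": f[13]}
        elif rtype == UNIFIED2_PACKET:
            h = PACKET_HDR.unpack_from(body)
            yield rtype, {"sensor_id": h[0], "event_id": h[1], "packet_second": h[3],
                          "packet_microsecond": h[4], "linktype": h[5],
                          "packet": body[PACKET_HDR.size:PACKET_HDR.size + h[6]]}
        else:  # other record types (extra data etc.): keep the bytes, do not decode
            yield rtype, {"raw": body}


def events_with_packets(data):
    """Group records by (sensor_id, event_id). The packet a Snort event fired on is logged
    with the same ids; for a stream alert that is the rebuilt pseudo packet, not a wire frame."""
    table = defaultdict(lambda: {"event": None, "packets": []})
    for rtype, rec in parse_unified2(data):
        key = (rec["sensor_id"], rec["event_id"])
        if rtype in (UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_VLAN):
            table[key]["event"] = rec
        elif rtype == UNIFIED2_PACKET:
            table[key]["packets"].append(rec)
    return dict(table)


def missing_packets(table):
    """(event_id, sid) of events that truly have no packet record in the spool."""
    return sorted((k[1], v["event"]["sid"]) for k, v in table.items()
                  if v["event"] is not None and not v["packets"])


def to_pcap(table):
    """Serialize every packet record as a classic pcap file (little-endian magic 0xa1b2c3d4)."""
    pkts = [p for v in table.values() for p in v["packets"]]
    linktype = pkts[0]["linktype"] if pkts else 1
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)]
    for p in pkts:
        out.append(struct.pack("<IIII", p["packet_second"], p["packet_microsecond"],
                               len(p["packet"]), len(p["packet"])))
        out.append(p["packet"])
    return b"".join(out)


# --- constructed sample spool (made-up ids, addresses and timestamps) ---------------
def _event(event_id, sid, src, dst, sport, dport, vlan=False):
    f = [1, event_id, 1303828663, 307954, sid, 1, 3, 1, 1,
         struct.unpack("!I", socket.inet_aton(src))[0],
         struct.unpack("!I", socket.inet_aton(dst))[0], sport, dport, 6, 0, 0, 0]
    body = EVENT_VLAN.pack(*f, 0, 0, 0) if vlan else EVENT_LEGACY.pack(*f)
    rtype = UNIFIED2_IDS_EVENT_VLAN if vlan else UNIFIED2_IDS_EVENT
    return RECORD_HDR.pack(rtype, len(body)) + body


def _packet(event_id, payload, linktype=1):
    body = PACKET_HDR.pack(1, event_id, 1303828663, 1303828663, 307954, linktype, len(payload)) + payload
    return RECORD_HDR.pack(UNIFIED2_PACKET, len(body)) + body


PSEUDO_PACKET = b"\x00" * 14 + b"reassembled-vml-stream"  # stand-in for a rebuilt buffer
SAMPLE_SPOOL = (_event(1, 12280, "10.0.0.1", "10.0.0.2", 80, 31390) + _packet(1, PSEUDO_PACKET)
                + _event(2, 1394, "10.0.0.3", "10.0.0.4", 4444, 1025, vlan=True) + _packet(2, b"\x90" * 8)
                + _event(3, 1394, "10.0.0.5", "10.0.0.6", 4444, 1026))  # no packet record at all
```

Run `events_with_packets(open("snort.u2.1303828663", "rb").read())` against a real spool to get the same table; `missing_packets()` on a real file should come back empty when, as Jason and Joel say, the "missing" packets were only missing from the tcpdump-format log. For the side-by-side comparison Mahendra asks about, Snort 2.9 accepts both `output log_tcpdump: snort.log` and `output unified2: filename snort.u2, limit 128` in the same snort.conf, and barnyard2 uses the same `output log_tcpdump:` keyword in its own config to write the pcap that `to_pcap()` approximates here.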

On Tue, Apr 26, 2011 at 6:25 PM, Kumar, Mahendra <mkumar at ...15250...> wrote:

> Hi Joel,
>
> Can I capture packets in tcpdump mode in snort.log and simultaneously in
> unified format in some other file? If yes, how can I do that so that I can
> compare and see if the packets missing from snort.log (tcpdump) are in fact
> logged in unified format.
>
> Thanks
>
>
>
> *From:* Joel Esler [mailto:jesler at ...1935...]
> *Sent:* Tuesday, April 26, 2011 10:49 AM
> *To:* Agustin Roca
> *Cc:* snort-users at lists.sourceforge.net; Jason Brvenik
>
> *Subject:* Re: [Snort-users] snort is logging alerts but not capturing
> corresponding packets for some rules
>
>
>
> -A cmg on the command line as the alert method.
>
> On Tue, Apr 26, 2011 at 1:48 PM, Agustin Roca <agustin.roca at ...15205...>
> wrote:
>
> Nice explanation Joel. Which snort flag/option can i use to see the *Stream
> reassembled packet* info?
>
> 2011/4/26 Joel Esler <jesler at ...1935...>
>
> Actually, Jason is right.  The alert is generated on the pseudo packet,
> this is correct functionality, so I've closed the bug.
>
> So, James, using the pcap you gave me, I'll get rid of the IPs in the cut
> and paste here, but I'll make BOLD the line that indicates that the alert is
> actually on the pseudo packet, and not the individual packet.
>
> snort -c snort.conf -r missed.pcap -A cmg -q
>
> 04/26-10:37:43.307954  [**] [1:12280:3] WEB-CLIENT Microsoft Internet
> Explorer VML source file memory corruption attempt [**] [Classification:
> Attempted User Privilege Gain] [Priority: 1] {TCP} x.x.x.x:80 ->
> x.x.x.x:31390
>
> *Stream reassembled packet*
>
> Above, where it says "Stream reassembled packet" is your indication that
> the alert was not in fact on one packet, but on the reassembly of the
> packets.  We call this the pseudo packet.
>
> If you output from Snort in Unified format, you have access to these
> packets.
>
> J
>
> On Tue, Apr 26, 2011 at 1:09 PM, Lay, James <james.lay at ...15009...>
> wrote:
>
> Thanks for the response Jason…I ended up working with Joel on this and he
> has put in a bug fix.  Thanks again.
>
> James
>
> *From:* Jason Brvenik [mailto:jbrvenik at ...1935...]
> *Sent:* Monday, April 25, 2011 5:14 PM
> *To:* Lay, James; Kumar, Mahendra
> *Subject:* Re: [Snort-users] snort is logging alerts but not capturing
> corresponding packets for some rules
>
> I would suspect that the event fires on pseudo packets, reassembled or
> normalized traffic. Can you enable unified2 and see if it is also missing
> there.
>
> On Apr 25, 2011 6:58 PM, "Lay, James" <james.lay at ...15009...> wrote:
> >
> >
> > From: Kumar, Mahendra [mailto:mkumar at ...15250...]
> > Sent: Monday, April 25, 2011 3:50 PM
> > To: snort-users at lists.sourceforge.net
> > Subject: [Snort-users] snort is logging alerts but not capturing
> > corresponding packets for some rules
> >
> > Hi,
> >
> > I am using snort-2.9.0.5 with daq-0.5-9 and libpcap1-1.1.1-9 on Centos
> > 5.5 (x86_64). I am not using any other thing like unified2, base,
> > barnyard, mysql etc.
> >
> > My snort is working properly and I am getting alerts and packet captures
> > in snort.log in tcpdump format.
> >
> > But for some rules (e.g. SHELLCODE sid:1394) I get the alert logged but
> > there is no packet capture in snort.log and it is very consistent
> > behavior, i.e. I will never get packet captures for some of the rules
> > but will always get alert so it is not a packet drop problem. It seems
> > to be a config issue where the alert is logged but no packet captures.
> >
> > Please help me resolve this issue.
> >
> > Thanks,
> >
> > MK
> >
> > Welcome to my world...I've submitted this exact same item a few
> > times....seems to be a mystery. I have snort boxes in a few different
> > sites on a few different OS's....same thing though...I get the alert in
> > the .fast file, but certain things just do not log to the pcap. I've
> > had to work around this with full web traffic packet captures. The
> > machines aren't even close to maxing CPU or memory, but the problem
> > still persists. If anyone has some advice I'd love to hear it.
> >
> > James
> >
>
>
> --
> Agustin Roca
> Information Security Team
> agustin.roca at ...15205...
> work: 54+(011) 4109.1700 ext. 8098
> cel: 54+(011)15-5022-3042
>