[Snort-users] Some packets logging packet data

James Lay jlay at ...13475...
Sat Nov 19 10:35:38 EST 2011


Topic says it... it's very odd:

From alert.fast:
11/18-17:30:16.073705  [**] [138:2:1] SENSITIVE-DATA Credit Card Numbers [**] [Classification: Sensitive Data was Transmitted Across the Network] [Priority: 2] {TCP} 10.0.0.6:58570 -> <snip>:25

From the unified2 file:
(Event)
        sensor id: 0    event id: 1083  event second: 1321662616        event microsecond: 73705
        sig id: 2       gen id: 138     revision: 1      classification: 35
        priority: 2     ip source: 10.0.0.6     ip destination: <snip>
        src port: 58570 dest port: 25   protocol: 6     impact_flag: 0  blocked: 0

There is no data in the tcpdump file.

Another example:
From the alert.fast... interestingly this entry appears in between an entry with timestamps of 17:30:28 and 17:36:08:
11/18-16:09:37.800061  [**] [1:13864:5] POLICY Microsoft Watson error reporting attempt [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.0.164:62377 -> <snip>:80

From the unified2 file:
(Event)
        sensor id: 0    event id: 1085  event second: 1321657777        event microsecond: 800061
        sig id: 13864   gen id: 1       revision: 5      classification: 33
        priority: 1     ip source: 10.0.0.164   ip destination: 65.55.53.190
        src port: 62377 dest port: 80   protocol: 6     impact_flag: 0  blocked: 0

Nothing in the tcpdump file.

At first I thought it was a pre_proc issue, but now I'm not sure... both of
these events just... have no packet data associated with them.  Any thoughts?
Thank you.

James

Relevant snort.conf items:

output alert_syslog: LOG_AUTH LOG_ALERT
output log_tcpdump: tcpdump.log
output alert_fast: snortalert.fast
output unified2: filename unified
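The symptom above (an (Event) record in the unified2 file with no (Packet) record behind it) can be checked for across a whole file. The script below is an added example, not code from the thread or from Snort; it assumes the legacy IPv4 event record (type 7, the Unified2IDSEvent_legacy layout) and the packet record (type 2), skips other record types, and runs on constructed sample bytes rather than a real capture.

```python
import struct

# Record types and layouts as in Snort's Unified2_common.h (big-endian);
# IPv6/VLAN event types are not handled here (assumption for this example).
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
HDR = struct.Struct("!II")          # record header: type, length
EVENT = struct.Struct("!11I2H4B")   # Unified2IDSEvent_legacy, 52 bytes
PACKET = struct.Struct("!7I")       # Unified2Packet header, 28 bytes, then packet bytes

def parse_records(data):
    """Yield (type, body) for every record in a unified2 byte string."""
    off = 0
    while off + HDR.size <= len(data):
        rtype, length = HDR.unpack_from(data, off)
        off += HDR.size
        yield rtype, data[off:off + length]
        off += length

def orphan_events(data):
    """Return [(event_id, 'gid:sid:rev')] for events that have no packet record
    with the same sensor_id / event_id / event_second, i.e. no packet data."""
    events, with_packet = {}, set()
    for rtype, body in parse_records(data):
        if rtype == UNIFIED2_IDS_EVENT and len(body) >= EVENT.size:
            f = EVENT.unpack_from(body)
            events[(f[0], f[1], f[2])] = "%d:%d:%d" % (f[5], f[4], f[6])
        elif rtype == UNIFIED2_PACKET and len(body) >= PACKET.size:
            p = PACKET.unpack_from(body)
            with_packet.add((p[0], p[1], p[2]))
    return [(k[1], sig) for k, sig in events.items() if k not in with_packet]

# Helpers to build constructed records (sensor 0, 10.0.0.6 -> 10.0.0.1, TCP).
def make_event(event_id, second, gid, sid, rev):
    body = EVENT.pack(0, event_id, second, 0, sid, gid, rev, 0, 2,
                      0x0A000006, 0x0A000001, 58570, 25, 6, 0, 0, 0)
    return HDR.pack(UNIFIED2_IDS_EVENT, len(body)) + body

def make_packet(event_id, second, payload):
    body = PACKET.pack(0, event_id, second, second, 0, 1, len(payload)) + payload
    return HDR.pack(UNIFIED2_PACKET, len(body)) + body

# Constructed sample: event 1083 (138:2:1) has its packet, event 1085 (1:13864:5) does not.
SAMPLE = (make_event(1083, 1321662616, 138, 2, 1)
          + make_packet(1083, 1321662616, b"\x45\x00" * 10)
          + make_event(1085, 1321657777, 1, 13864, 5))

if __name__ == "__main__":
    for event_id, sig in orphan_events(SAMPLE):
        print("event %d (%s) has no packet record" % (event_id, sig))
```

Run it against a real file with `orphan_events(open("unified.1321662616", "rb").read())`; an event with no matching packet record is exactly what u2spewfoo shows above as an (Event) with no (Packet) after it.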