[Snort-users] missing pcaps for alerts

John Ives jives at ...15416...
Thu Jun 21 17:29:03 EDT 2012



I know it's been 8 months, but I have been able to limp along using
2.9.1.0 (though my VRT subscription has been getting wasted for a
while), so I haven't pressed this issue, but it's now reaching the
point where it's becoming a real pain.

Additionally, in an effort to see if this was a FreeBSD-specific
problem, I brought up a RHEL 6 box with a very basic snort installation
(configure; make; make install) and tried testing again with the
latest version, but I still get the same problem.  I have just added the
unified2 output to the snort.conf, and have seen some events (so far I
have found it with sid 1201) in just the last few minutes where the
packet appeared in the unified2 file and not in the pcap.

Any idea what is happening?

John

On 10/25/2011 2:05 PM, John Ives wrote:
> Any word on when devel will be able to look into this?  Unlike my
> reading of Eoin's problem, the traffic doesn't appear in the
> unified2 file either (I originally thought it did, but upon further
> investigation I am not seeing it in either the pcap or the unified2
> files).
> 
> I have tried upgrading to 2.9.1.2 hoping that would fix the
> problem. At this point I am probably going to need to revert to
> 2.9.1.0 (which worked) to get everything working properly.
> 
> Yours,
> 
> John
> 
> On 10/20/2011 10:50 AM, Joel Esler wrote:
>> Devel is going to look into this, however, they are busy with
>> two big things right now, and when they complete that, I'm sure
>> they'll chime in with some needs to test this out.
>> 
>> Thanks
>> 
>> -- 
>> Joel Esler
>> Senior Research Engineer, VRT
>> OpenSource Community Manager
>> Sourcefire
> 
> 
>> On Oct 20, 2011, at 1:40 PM, Eoin Miller wrote:
> 
>>> Hey Joel,
>>> 
>>> 
>>> I've been noticing this for a while but kept forgetting to get
>>> around to looking into it more in depth. I figured it was
>>> barnyard2 having an issue, but it does appear to be Snort's
>>> logging output. If multiple alerts are firing on the same
>>> frame, Snort doesn't seem to re-log the frame correctly for
>>> multiple alerts:
>>> 
>>> If we have a test set of 3 rules like below:
>>> 
>>> alert tcp any any -> any any (msg:"MZ 1"; file_data; content:"MZ"; within:2; sid:1; rev:1;)
>>> alert tcp any any -> any any (msg:"MZ 2"; file_data; content:"MZ"; within:2; sid:2; rev:1;)
>>> alert tcp any any -> any any (msg:"MZ 3"; file_data; content:"MZ"; within:2; sid:3; rev:1;)
>>> 
>>> Now we run them against a PCAP of a user downloading an 
>>> executable file, it alerts 3 times as expected in our fast
>>> alert output log. However, in the unified2 log, we have the
>>> following at the beginning of the file when we run the
>>> u2spewfoo binary against it:
>>> 
>>> ---BEGIN---
>>> (Event)
>>>     sensor id: 0    event id: 1     event second: 1319130108        event microsecond: 745191
>>>     sig id: 3       gen id: 1       revision: 1     classification: 0
>>>     priority: 0     ip source: 71.191.147.210       ip destination: 10.181.188.73
>>>     src port: 80    dest port: 64916        protocol: 6     impact_flag: 0  blocked: 0
>>> 
>>> Packet
>>>     sensor id: 0    event id: 1     event second: 1319130108
>>>     packet second: 1319130108       packet microsecond: 745191
>>>     linktype: 1     packet_length: 1514
>>> [1514 bytes of packet hex dump: Ethernet/IP/TCP headers, an HTTP/1.1 200 OK
>>> response with Content-Type: application/x-msdos-program, and the start of
>>> the MZ executable]
>>> ---SNIP---
>>> 
>>> 
>>> 
>>> After this alert and packet, there are 11 more subsequent 
>>> packets logged. However, the other two events have NO packets 
>>> with them as we can see below from the end of the output:
>>> 
>>> 
>>> ---SNIP---
>>> 
>>> (Event)
>>>     sensor id: 0    event id: 2     event second: 1319130108        event microsecond: 745191
>>>     sig id: 2       gen id: 1       revision: 1     classification: 0
>>>     priority: 0     ip source: 71.191.147.210       ip destination: 10.181.188.73
>>>     src port: 80    dest port: 64916        protocol: 6     impact_flag: 0  blocked: 0
>>> 
>>> (Event)
>>>     sensor id: 0    event id: 3     event second: 1319130108        event microsecond: 745191
>>>     sig id: 1       gen id: 1       revision: 1     classification: 0
>>>     priority: 0     ip source: 71.191.147.210       ip destination: 10.181.188.73
>>>     src port: 80    dest port: 64916        protocol: 6     impact_flag: 0  blocked: 0
>>> ---END---
>>> 
>>> 
>>> -- Eoin
>>> 
>>> 

-- 
-------------------------------------------------------------------------
John Ives
System & Network Security                          Phone (510) 229-8676
University of California, Berkeley
-------------------------------------------------------------------------
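A checker for the symptom Eoin describes, added here as an example and not code from this thread or from Snort itself: it walks a unified2 file using the record layouts from Snort's Unified2_common.h (type 7 IPv4 events and type 2 packet records, which is what u2spewfoo is printing in the quoted output) and lists every event that has no packet record tied to it by (sensor id, event id, event second). The SAMPLE bytes are constructed to mirror the quoted records; the parser assumes IPv4 events without VLAN tags, so other event record types would need their own formats.

```python
import struct
from collections import defaultdict

# Record type codes from Snort's Unified2_common.h (IPv4 event, no VLAN tag).
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
# Serial_Unified2IDSEvent_legacy (11 uint32, 2 uint16, 4 uint8) and the
# Serial_Unified2Packet header (7 uint32, raw packet bytes follow); big-endian.
EVENT_FMT = ">11I2H4B"
PACKET_FMT = ">7I"

def iter_records(data):
    """Yield (record_type, body) for each 8-byte-header record in a unified2 buffer."""
    off = 0
    while off + 8 <= len(data):
        rtype, length = struct.unpack_from(">II", data, off)
        off += 8
        if off + length > len(data):
            raise ValueError("truncated unified2 record at offset %d" % (off - 8))
        yield rtype, data[off:off + length]
        off += length

def events_without_packets(data):
    """Return [(event_id, sig_id), ...] for events with no packet record.
    Packets are tied to events by (sensor_id, event_id, event_second)."""
    events, packets = {}, defaultdict(int)
    for rtype, body in iter_records(data):
        if rtype == UNIFIED2_IDS_EVENT:
            sensor_id, event_id, event_second, _usec, sig_id = struct.unpack_from(">5I", body)
            events[(sensor_id, event_id, event_second)] = sig_id
        elif rtype == UNIFIED2_PACKET:
            packets[struct.unpack_from(">3I", body)] += 1
    return [(key[1], sig) for key, sig in events.items() if packets[key] == 0]

def _event(event_id, sig_id, second=1319130108, usec=745191):
    """Constructed type-7 event: 71.191.147.210:80 -> 10.181.188.73:64916, TCP."""
    src, dst = 0x47BF93D2, 0x0AB5BC49
    body = struct.pack(EVENT_FMT, 0, event_id, second, usec, sig_id, 1, 1, 0, 0,
                       src, dst, 80, 64916, 6, 0, 0, 0)
    return struct.pack(">II", UNIFIED2_IDS_EVENT, len(body)) + body

def _packet(event_id, payload, second=1319130108, usec=745191):
    """Constructed type-2 packet record for event_id (linktype 1 = Ethernet)."""
    body = struct.pack(PACKET_FMT, 0, event_id, second, second, usec, 1,
                       len(payload)) + payload
    return struct.pack(">II", UNIFIED2_PACKET, len(body)) + body

# Constructed stream reproducing the thread: three events for one frame, but
# only event 1 is followed by a packet record (events 2 and 3 get none).
SAMPLE = _event(1, 3) + _packet(1, b"MZ\x90\x00") + _event(2, 2) + _event(3, 1)
```

Running `events_without_packets` over a real unified2 spool file (read with `open(path, "rb").read()`) gives the list of event ids whose packets a downstream consumer such as barnyard2 will never see.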

