[Snort-users] missing pcaps for alerts

Joel Esler jesler at ...1935...
Thu Jun 21 20:08:59 EDT 2012


John,

I've read your email three times and I am still not sure what you are
asking.  I'd love to help.

On Thu, Jun 21, 2012 at 5:29 PM, John Ives <jives at ...15416...> wrote:

> I know it's been 8 months, but I have been able to limp along using
> 2.9.1.0 (though my VRT subscription has been getting wasted for a
> while), so I haven't pressed this issue, but it's now reaching the
> point where it's becoming a real pain.
>
> Additionally, in an effort to see if this was a FreeBSD-specific
> problem, I brought up a RHEL 6 box with a very basic Snort installation
> (configure; make; make install) and tried testing again with the
> latest version, but still get the same problem.  I have just added the
> unified2 output to the snort.conf, and have seen some events (so far I
> have found it with sid 1201) in just the last few minutes where the
> packet appeared in the unified2 file and not in the pcap.
>
> Any idea what is happening?
>
> John
>
> On 10/25/2011 2:05 PM, John Ives wrote:
> > Any word on when devel will be able to look into this.  Unlike my
> > reading of Eoin's problem, the traffic doesn't appear in the
> > unified2 file either (I originally thought it did, but upon further
> > investigation I am not seeing it in either the pcap or the unified2
> > files).
> >
> > I have tried upgrading to 2.9.1.2 hoping that would fix the
> > problem. At this point I am probably going to need to revert to
> > 2.9.1.0 (which worked) to get everything working properly.
> >
> > Yours,
> >
> > John
> >
> > On 10/20/2011 10:50 AM, Joel Esler wrote:
> >> Devel is going to look into this, however, they are busy with
> >> two big things right now, and when they complete that, I'm sure
> >> they'll chime in with some needs to test this out.
> >
> >> Thanks
> >
> >> -- Joel Esler Senior Research Engineer, VRT OpenSource Community
> >> Manager Sourcefire
> >
> >
> >> On Oct 20, 2011, at 1:40 PM, Eoin Miller wrote:
> >
> >>> Hey Joel,
> >>>
> >>>
> >>> I've been noticing this for a while but kept forgetting to get
> >>> around to looking into it more in depth. I figured it was
> >>> barnyard2 having an issue, but it does appear to be Snort's
> >>> logging output. If multiple alerts are firing on the same
> >>> frame, Snort doesn't seem to re-log the frame correctly for
> >>> multiple alerts:
> >>>
> >>> If we have a test set of 3 rules like below:
> >>>
> >>> alert tcp any any -> any any (msg:"MZ 1"; file_data; content:"MZ"; within:2; sid:1; rev:1;)
> >>> alert tcp any any -> any any (msg:"MZ 2"; file_data; content:"MZ"; within:2; sid:2; rev:1;)
> >>> alert tcp any any -> any any (msg:"MZ 3"; file_data; content:"MZ"; within:2; sid:3; rev:1;)
> >>>
> >>> Now we run them against a PCAP of a user downloading an
> >>> executable file, it alerts 3 times as expected in our fast
> >>> alert output log. However, in the unified2 log, we have the
> >>> following at the beginning of the file when we run the
> >>> u2spewfoo binary against it:
> >>>
> >>> ---BEGIN---
> >>> (Event)
> >>>   sensor id: 0    event id: 1    event second: 1319130108    event microsecond: 745191
> >>>   sig id: 3    gen id: 1    revision: 1    classification: 0    priority: 0
> >>>   ip source: 71.191.147.210    ip destination: 10.181.188.73
> >>>   src port: 80    dest port: 64916    protocol: 6    impact_flag: 0    blocked: 0
> >>>
> >>> Packet
> >>>   sensor id: 0    event id: 1    event second: 1319130108
> >>>   packet second: 1319130108    packet microsecond: 745191
> >>>   linktype: 1    packet_length: 1514
> >>>   [hex dump of the 1514-byte packet omitted here]
> >>> ---SNIP---
> >>>
> >>>
> >>>
> >>> After this alert and packet, there are 11 more subsequent
> >>> packets logged. However, the other two events have NO packets
> >>> with them as we can see below from the end of the output:
> >>>
> >>>
> >>> ---SNIP--- [tail of the last logged packet's hex dump]
> >>>
> >>> (Event)
> >>>   sensor id: 0    event id: 2    event second: 1319130108    event microsecond: 745191
> >>>   sig id: 2    gen id: 1    revision: 1    classification: 0    priority: 0
> >>>   ip source: 71.191.147.210    ip destination: 10.181.188.73
> >>>   src port: 80    dest port: 64916    protocol: 6    impact_flag: 0    blocked: 0
> >>>
> >>> (Event)
> >>>   sensor id: 0    event id: 3    event second: 1319130108    event microsecond: 745191
> >>>   sig id: 1    gen id: 1    revision: 1    classification: 0    priority: 0
> >>>   ip source: 71.191.147.210    ip destination: 10.181.188.73
> >>>   src port: 80    dest port: 64916    protocol: 6    impact_flag: 0    blocked: 0
> >>> ---END---
> >>>
> >>>
> >>> -- Eoin
> >>>
> >>>
>
> --
> -------------------------------------------------------------------------
> John Ives
> System & Network Security                           Phone (510) 229-8676
> University of California, Berkeley
> -------------------------------------------------------------------------
>
>
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>



-- 
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
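An added check for the symptom Eoin and John describe (example code written for this thread, not Snort's or u2spewfoo's own): it walks a unified2 file record by record and lists IDS events that have no packet record carrying their event id. The record layouts assume the Snort 2.9-era unified2 format (type 7 IDS event, type 2 packet, big-endian fields); the sample bytes are constructed to mirror Eoin's u2spewfoo output.

```python
import struct

# Record types and fixed-size layouts assumed from the Snort 2.9-era unified2 format
UNIFIED2_PACKET, UNIFIED2_IDS_EVENT = 2, 7
HDR = struct.Struct("!II")         # record type, record length (network byte order)
EVENT = struct.Struct("!11IHH4B")  # sensor, event id, sec, usec, sid, gid, rev, class, pri,
                                   # src ip, dst ip, sport, dport, proto, impact_flag, impact, blocked
PACKET = struct.Struct("!7I")      # sensor, event id, event sec, pkt sec, pkt usec, linktype, pkt len

def parse_records(blob):
    """Yield (type, payload) for each record; stop cleanly at a truncated tail."""
    off = 0
    while off + HDR.size <= len(blob):
        rtype, rlen = HDR.unpack_from(blob, off)
        off += HDR.size
        if off + rlen > len(blob):
            break
        yield rtype, blob[off:off + rlen]
        off += rlen

def events_without_packets(blob):
    """Return [(event_id, sig_id), ...] for IDS events that no packet record refers to."""
    seen, with_packet = [], set()
    for rtype, data in parse_records(blob):
        if rtype == UNIFIED2_IDS_EVENT and len(data) >= EVENT.size:
            f = EVENT.unpack_from(data)
            seen.append((f[1], f[4]))            # (event id, signature id)
        elif rtype == UNIFIED2_PACKET and len(data) >= PACKET.size:
            with_packet.add(PACKET.unpack_from(data)[1])  # event id the packet belongs to
    return [ev for ev in seen if ev[0] not in with_packet]

def build_event(event_id, sid, sec=1319130108, usec=745191):
    """Constructed IDS event record: 71.191.147.210:80 -> 10.181.188.73:64916, tcp, as in the thread."""
    body = EVENT.pack(0, event_id, sec, usec, sid, 1, 1, 0, 0,
                      0x47BF93D2, 0x0AB5BC49, 80, 64916, 6, 0, 0, 0)
    return HDR.pack(UNIFIED2_IDS_EVENT, len(body)) + body

def build_packet(event_id, payload, sec=1319130108, usec=745191):
    """Constructed packet record (linktype 1 = Ethernet) tied to event_id."""
    body = PACKET.pack(0, event_id, sec, sec, usec, 1, len(payload)) + payload
    return HDR.pack(UNIFIED2_PACKET, len(body)) + body

# Constructed sample mirroring the thread: event 1 (sid 3) gets a packet, events 2 and 3 get none
SAMPLE = (build_event(1, 3) + build_packet(1, b"HTTP/1.1 200 OK\r\n\r\nMZ\x90\x00")
          + build_event(2, 2) + build_event(3, 1))

if __name__ == "__main__":
    for event_id, sid in events_without_packets(SAMPLE):
        print(f"event id {event_id} (sid {sid}) has no packet record")
```

To run it against a real log, pass `open("snort.log.<timestamp>", "rb").read()` to `events_without_packets` in place of `SAMPLE`; an empty list means every event had at least one packet record.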