[Snort-users] missing pcaps for alerts

Joel Esler jesler at ...1935...
Thu Jun 21 20:24:06 EDT 2012


Okay.  Now I understand.  Yes, some logging changes were made that have
been fixed over the past couple of versions.

The next version (coming soon) is 2.9.3.0, where the problem should be
completely fixed.

On Thu, Jun 21, 2012 at 8:19 PM, John Ives <jives at ...15416...> wrote:

>
> My mistake, you would probably have to go back to the original
> messages in the thread to understand.
>
> The problem is that when I run anything past 2.9.1.0 the packets that
> caused some alerts (and it is consistent for some signatures) are not
> recorded in the tcpdump file. When I have used the unified2 format
> sometimes the packets appear in the merge file, but not always. This
> has happened using snort on FreeBSD with the snort coming from both
> ports and hand installed and on RHEL 6.
>
> Since I use a gigamon to replicate the traffic I can run two copies of
> snort on two different boxes and with the same traffic and rules and
> compare the results. I have tried several upgrades past 2.9.1.0 now
> and this seems to happen consistently. The signatures that have
> problems have been both VRT and ET sigs.
>
> John
>
> On 6/21/2012 5:08 PM, Joel Esler wrote:
> > John,
> >
> > I've read your email three times and I am still not sure what you
> > are asking.  I'd love to help.
> >
> > On Thu, Jun 21, 2012 at 5:29 PM, John Ives
> > <jives at ...15416...> wrote:
> >
> > I know it's been 8 months, but I have been able to limp along using
> > 2.9.1.0 (though my VRT subscription has been getting wasted for a
> > while), so I haven't pressed this issue, but it's now reaching the
> > point where it's becoming a real pain.
> >
> > Additionally, in an effort to see if this was a FreeBSD specific
> > problem, I brought up a RHEL 6 box with a very basic snort
> > installation (configure; make; make install) and tried testing
> > again with the latest version but still get the same problem.  I
> > have just added the unified2 output to the snort.conf, and have
> > seen some events (so far I have found it with sid 1201) in just
> > the last few minutes where the packet appeared in the unified2
> > file and not in the pcap.
> >
> > Any idea what is happening?
> >
> > John
> >
> > On 10/25/2011 2:05 PM, John Ives wrote:
> >>>> Any word on when devel will be able to look into this?  Unlike
> >>>> my reading of Eoin's problem, the traffic doesn't appear in
> >>>> the unified2 file either (I originally thought it did but
> >>>> upon further investigation I am not seeing it in either the
> >>>> pcap or the unified2 files).
> >>>>
> >>>> I have tried upgrading to 2.9.1.2 hoping that would fix the
> >>>> problem. At this point I am probably going to need to revert
> >>>> to 2.9.1.0 (which worked) to get everything working
> >>>> properly.
> >>>>
> >>>> Yours,
> >>>>
> >>>> John
> >>>>
> >>>> On 10/20/2011 10:50 AM, Joel Esler wrote:
> >>>>> Devel is going to look into this, however, they are busy
> >>>>> with two big things right now, and when they complete that,
> >>>>> I'm sure they'll chime in with some needs to test this
> >>>>> out.
> >>>>
> >>>>> Thanks
> >>>>
> >>>>> --
> >>>>> Joel Esler
> >>>>> Senior Research Engineer, VRT
> >>>>> OpenSource Community Manager
> >>>>> Sourcefire
> >>>>
> >>>>
> >>>>> On Oct 20, 2011, at 1:40 PM, Eoin Miller wrote:
> >>>>
> >>>>>> Hey Joel,
> >>>>>>
> >>>>>>
> >>>>>> I've been noticing this for a while but kept forgetting
> >>>>>> to get around to looking into it more in depth, I figured
> >>>>>> it was barnyard2 having an issue, but it does appear to
> >>>>>> be Snort's logging output. If multiple alerts are firing
> >>>>>> on the same frame, Snort doesn't seem to re-log the frame
> >>>>>> correctly for multiple alerts:
> >>>>>>
> >>>>>> If we have a test set of 3 rules like below:
> >>>>>>
> >>>>>> alert tcp any any -> any any (msg:"MZ 1"; file_data; content:"MZ"; within:2; sid:1; rev:1;)
> >>>>>> alert tcp any any -> any any (msg:"MZ 2"; file_data; content:"MZ"; within:2; sid:2; rev:1;)
> >>>>>> alert tcp any any -> any any (msg:"MZ 3"; file_data; content:"MZ"; within:2; sid:3; rev:1;)
> >>>>>>
> >>>>>> Now we run them against a PCAP of a user downloading an
> >>>>>> executable file, it alerts 3 times as expected in our
> >>>>>> fast alert output log. However, in the unified2 log, we
> >>>>>> have the following at the beginning of the file when we
> >>>>>> run the u2spewfoo binary against it:
> >>>>>>
> >>>>>> ---BEGIN---
> >>>>>> (Event)
> >>>>>>     sensor id: 0    event id: 1    event second: 1319130108    event microsecond: 745191
> >>>>>>     sig id: 3    gen id: 1    revision: 1    classification: 0
> >>>>>>     priority: 0    ip source: 71.191.147.210    ip destination: 10.181.188.73
> >>>>>>     src port: 80    dest port: 64916    protocol: 6    impact_flag: 0    blocked: 0
> >>>>>>
> >>>>>> Packet
> >>>>>>     sensor id: 0    event id: 1    event second: 1319130108
> >>>>>>     packet second: 1319130108    packet microsecond: 745191
> >>>>>>     linktype: 1    packet_length: 1514
> >>>>>> ---SNIP---
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> After this alert and packet, there are 11 more
> >>>>>> subsequent packets logged. However, the other two events
> >>>>>> have NO packets with them as we can see below from the
> >>>>>> end of the output:
> >>>>>>
> >>>>>>
> >>>>>> ---SNIP---
> >>>>>> E0 8B 00 85 C0 74 02 FF D0 83 45 E0 04 EB E6 C7  .....t....E.....
> >>>>>> 45 FC FE FF FF FF E8 20 00 00                    E...... ..
> >>>>>>
> >>>>>> (Event)
> >>>>>>     sensor id: 0    event id: 2    event second: 1319130108    event microsecond: 745191
> >>>>>>     sig id: 2    gen id: 1    revision: 1    classification: 0
> >>>>>>     priority: 0    ip source: 71.191.147.210    ip destination: 10.181.188.73
> >>>>>>     src port: 80    dest port: 64916    protocol: 6    impact_flag: 0    blocked: 0
> >>>>>>
> >>>>>> (Event)
> >>>>>>     sensor id: 0    event id: 3    event second: 1319130108    event microsecond: 745191
> >>>>>>     sig id: 1    gen id: 1    revision: 1    classification: 0
> >>>>>>     priority: 0    ip source: 71.191.147.210    ip destination: 10.181.188.73
> >>>>>>     src port: 80    dest port: 64916    protocol: 6    impact_flag: 0    blocked: 0
> >>>>>> ---END---
> >>>>>>
> >>>>>>
> >>>>>> -- Eoin
> >>>>>>
> >>>>>>
> >>>>
> >>>>> ------------------------------------------------------------------------------
> >>>>> The demand for IT networking professionals continues to grow, and the
> >>>>> demand for specialized networking skills is growing even
> >>>>> more rapidly. Take a complimentary Learning at ...15421...
> >>>>> Self-Assessment and learn about Cisco certifications,
> >>>>> training, and career opportunities.
> >>>>> http://p.sf.net/sfu/cisco-dev2dev
> >>>>> _______________________________________________
> >>>>> Snort-users mailing list
> >>>>> Snort-users at lists.sourceforge.net
> >>>>> Go to this URL to change user options or unsubscribe:
> >>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
> >>>>> Snort-users list archive:
> >>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >>>>>
> >>>>> Please visit http://blog.snort.org to stay current on all
> >>>>> the latest Snort news!
> >>>>
> >
> ------------------------------------------------------------------------------
> >>>>
> >>>>
> >
> >
> The demand for IT networking professionals continues to grow, and the
> >>>> demand for specialized networking skills is growing even
> >>>> more rapidly. Take a complimentary Learning at ...15421...
> >>>> Self-Assessment and learn about Cisco certifications,
> >>>> training, and career opportunities.
> >>>> http://p.sf.net/sfu/cisco-dev2dev
> >>>> _______________________________________________ Snort-users
> >>>> mailing list Snort-users at lists.sourceforge.net Go to this URL
> >>>> to change user options or unsubscribe:
> >>>> https://lists.sourceforge.net/lists/listinfo/snort-users
> >>>> Snort-users list archive:
> >>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >>>>
> >>>> Please visit http://blog.snort.org to stay current on all
> >>>> the latest Snort news!
> >>>>
> >
> >>
> >>
> >>
> ------------------------------------------------------------------------------
> >>
> >>
> Live Security Virtual Conference
> >> Exclusive live event will cover all the ways today's security
> >> and threat landscape has changed and how IT managers can respond.
> >> Discussions will include endpoint security, mobile security and
> >> the latest in malware threats.
> >> http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> >> _______________________________________________ Snort-users
> >> mailing list Snort-users at lists.sourceforge.net Go to this URL to
> >> change user options or unsubscribe:
> >> https://lists.sourceforge.net/lists/listinfo/snort-users
> >> Snort-users list archive:
> >> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >>
> >> Please visit http://blog.snort.org to stay current on all the
> >> latest Snort news!
> >>
> >
> >
> >
>
> --
> -------------------------------------------------------------------------
> John Ives
> System & Network Security                           Phone (510) 229-8676
> University of California, Berkeley
> -------------------------------------------------------------------------
>
>
>



-- 
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
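As an added example (not code from this thread or from the Snort project): a small unified2 checker that walks a record stream and reports IDS events that have no packet record keyed to them, which is exactly the symptom Eoin's u2spewfoo dump shows (one packet for event id 1, none for event ids 2 and 3). The record layouts follow Snort's Unified2_common.h; the sample stream is constructed in memory to mirror the three-event dump quoted above.

```python
import struct

# Record type codes and layouts from Snort's Unified2_common.h.
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
# Unified2IDSEvent_legacy: 11 x uint32 (sensor_id .. ip_destination), 2 x uint16 (ports), 4 x uint8.
IDS_EVENT_FMT = "!11IHHBBBB"
# Serial_Unified2Packet header: sensor_id, event_id, event_second, packet_second,
# packet_microsecond, linktype, packet_length; the raw frame follows the header.
PACKET_HDR_FMT = "!7I"

def build_event(event_id, sig_id, second, usec):
    """Constructed IDS event record, modelled on the u2spewfoo output in the thread."""
    src = int.from_bytes(bytes([71, 191, 147, 210]), "big")
    dst = int.from_bytes(bytes([10, 181, 188, 73]), "big")
    body = struct.pack(IDS_EVENT_FMT, 0, event_id, second, usec, sig_id, 1, 1, 0, 0,
                       src, dst, 80, 64916, 6, 0, 0, 0)
    return struct.pack("!II", UNIFIED2_IDS_EVENT, len(body)) + body

def build_packet(event_id, second, usec, frame):
    """Constructed packet record bound to event_id (linktype 1 = Ethernet)."""
    body = struct.pack(PACKET_HDR_FMT, 0, event_id, second, second, usec, 1, len(frame)) + frame
    return struct.pack("!II", UNIFIED2_PACKET, len(body)) + body

def iter_records(data):
    """Yield (type, body) per record; stop cleanly at a truncated tail (file still being written)."""
    off = 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack_from("!II", data, off)
        off += 8
        if off + rlen > len(data):
            break
        yield rtype, data[off:off + rlen]
        off += rlen

def events_without_packets(data):
    """Return [(event_id, sig_id), ...] for IDS events that have no packet record keyed to them."""
    events, packets = {}, set()
    for rtype, body in iter_records(data):
        if rtype == UNIFIED2_IDS_EVENT and len(body) >= struct.calcsize(IDS_EVENT_FMT):
            f = struct.unpack_from(IDS_EVENT_FMT, body)
            events[(f[0], f[1])] = f[4]                 # (sensor_id, event_id) -> sig_id
        elif rtype == UNIFIED2_PACKET and len(body) >= struct.calcsize(PACKET_HDR_FMT):
            h = struct.unpack_from(PACKET_HDR_FMT, body)
            packets.add((h[0], h[1]))                   # packets are keyed by (sensor_id, event_id)
    return [(eid, sid) for (sen, eid), sid in events.items() if (sen, eid) not in packets]

# Constructed stream reproducing the symptom: three events on one frame, one packet record.
SAMPLE = (build_event(1, 3, 1319130108, 745191)
          + build_packet(1, 1319130108, 745191, b"MZ\x90\x00" + b"\x00" * 12)
          + build_event(2, 2, 1319130108, 745191)
          + build_event(3, 1, 1319130108, 745191))
```

Pointing `iter_records` at the bytes of a real `snort.log.*` unified2 file instead of `SAMPLE` gives a quick count of events that barnyard2 or u2spewfoo will show with no frame attached.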