[Snort-users] barnyard2-1.10 major problem

Lawrence R. Hughes, Sr. lhughes at ...14822...
Wed Oct 24 12:03:17 EDT 2012


Here is our response to Firnsy:

----- Original Message ----- 
From: "Lawrence R. Hughes, Sr." <lhughes at ...14822...>
To: "firnsy" <firnsy at ...14568...>
Cc: "safwat fahmy" <safwat.fahmy at ...14822...>
Sent: Monday, October 22, 2012 12:08 PM
Subject: Re: barnyard2-1.10 build 310


> Hi Firnsy,
>
> Not sure what you wanted me to do with u2_anon (packaged as a Windows zip
> w/src code).
> Can't compile Windows source code.
>
> We made the change you suggested (Increase CACHED_EVENTS_MAX )
>
> This did not help!!
>
> I am attaching the orig. snort unified2 file and you will see one event with
> 2 packets; however, by2 only inserted the first packet and this happened after we
> modified by2 as you suggested.
>
> Thanks,
> Larry
>
>
>
>
>> On Fri, Oct 19, 2012 at 6:45 PM, firnsy <firnsy at ...14568...> wrote:
>> Mate,
>>
>> Hum, how large is your unified2 file? I think what is happening is that you
>> are hitting the cache maximum.
>> In src/spooler.c change line 44 #define CACHED_EVENTS_MAX 256
>>
>> and set it to 1024 or even 2048.
>>
>> I am under the impression that what is happening is that the packet you
>> are mentioning is hitting the cache limit and when the cache gets recycled,
>> your packet is logged since it's hitting an orphan event.
>>
>> If that doesn't work I would appreciate if you can use u2_anon ->
>> https://github.com/binf/u2_anon
>>
>> And send us your unified2 file.
>>
>> But for the record, changes that have been done in the database output
>> plugin shouldn't affect how stream packets get logged.
>>
>> Let us know how it goes.
>>
>> -elz
>>
>>
>>>
>>> -------- Forwarded Message --------
>>>> From: Lawrence R. Hughes, Sr. <lhughes at ...14822...>
>>>> To: firnsy <firnsy at ...14568...>
>>>> Cc: safwat fahmy <safwat.fahmy at ...14822...>
>>>> Subject: Re: barnyard2-1.10 build 310
>>>> Date: Fri, 19 Oct 2012 14:12:39 -0400
>>>>
>>>> We are still having a problem with barnyard2-1.10 inserting the
>>>> packets into
>>>> mysql:
>>>>
>>>> Here is an event from snort's unified2 logfile decoded with u2spewfoo:
>>>>
>>>> (Event)
>>>>         sensor id: 0    event id: 13    event second: 1350640282        event microsecond: 285798
>>>>         sig id: 2007728 gen id: 1       revision: 7     classification: 21
>>>>         priority: 1     ip source: 209.243.55.105       ip destination: 178.77.103.54
>>>>         src port: 26343 dest port: 8080 protocol: 6     impact_flag: 0  blocked: 0
>>>>
>>>> Packet
>>>>         sensor id: 0    event id: 13    event second: 1350640282
>>>>         packet second: 1350640282       packet microsecond: 285798
>>>>         linktype: 1     packet_length: 371
>>>> [    0] 00 00 0C 07 AC 00 00 0E 84 EB 44 80 08 00 45 00  ..........D...E.
>>>> [   16] 01 65 73 44 40 00 40 06 A3 6E D1 F3 37 69 B2 4D  .esD at ...843...@..n..7i.M
>>>> [   32] 67 36 66 E7 1F 90 55 CF 83 69 F0 57 AF 89 50 18  g6f...U..i.W..P.
>>>> [   48] 01 02 8D 8E 00 00 50 4F 53 54 20 2F 69 6E 64 65  ......POST /inde
>>>> [   64] 78 2E 70 68 70 20 48 54 54 50 2F 31 2E 31 0D 0A  x.php HTTP/1.1..
>>>> [   80] 48 6F 73 74 3A 20 31 37 38 2E 37 37 2E 31 30 33  Host: 178.77.103
>>>> [   96] 2E 35 34 3A 38 30 38 30 3A 38 30 0D 0A 55 73 65  .54:8080:80..Use
>>>> [  112] 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61  r-Agent: Mozilla
>>>> [  128] 2F 34 2E 30 20 28 63 6F 6D 70 61 74 69 62 6C 65  /4.0 (compatible
>>>> [  144] 3B 20 4D 53 49 45 20 36 2E 30 3B 20 57 69 6E 64  ; MSIE 6.0; Wind
>>>> [  160] 6F 77 73 20 4E 54 20 36 2E 31 3B 20 53 56 31 3B  ows NT 6.1; SV1;
>>>> [  176] 20 2E 4E 45 54 20 43 4C 52 20 31 2E 31 2E 34 37   .NET CLR 1.1.47
>>>> [  192] 37 37 29 0D 0A 41 63 63 65 70 74 3A 20 2A 2F 2A  77)..Accept: */*
>>>> [  208] 0D 0A 41 63 63 65 70 74 2D 4C 61 6E 67 75 61 67  ..Accept-Languag
>>>> [  224] 65 3A 20 65 6E 2D 67 62 0D 0A 41 63 63 65 70 74  e: en-gb..Accept
>>>> [  240] 2D 45 6E 63 6F 64 69 6E 67 3A 20 64 65 66 6C 61  -Encoding: defla
>>>> [  256] 74 65 0D 0A 43 61 63 68 65 2D 43 6F 6E 74 72 6F  te..Cache-Contro
>>>> [  272] 6C 3A 20 6E 6F 2D 63 61 63 68 65 0D 0A 43 6F 6E  l: no-cache..Con
>>>> [  288] 74 65 6E 74 2D 54 79 70 65 3A 20 6D 75 6C 74 69  tent-Type: multi
>>>> [  304] 70 61 72 74 2F 66 6F 72 6D 2D 64 61 74 61 3B 20  part/form-data; 
>>>> [  320] 62 6F 75 6E 64 61 72 79 3D 31 42 45 46 30 41 35  boundary=1BEF0A5
>>>> [  336] 37 42 45 31 31 30 46 44 34 36 37 41 0D 0A 43 6F  7BE110FD467A..Co
>>>> [  352] 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 38 35  ntent-Length: 85
>>>> [  368] 31 0D 0A                                         1..
>>>>
>>>> Packet
>>>>         sensor id: 0    event id: 13    event second: 1350640282
>>>>         packet second: 1350640282       packet microsecond: 402773
>>>>         linktype: 1     packet_length: 907
>>>> [    0] 00 00 0C 07 AC 00 00 0E 84 EB 44 80 08 00 45 00  ..........D...E.
>>>> [   16] 03 7D 73 45 40 00 40 06 A1 55 D1 F3 37 69 B2 4D  .}sE at ...843...@..U..7i.M
>>>> [   32] 67 36 66 E7 1F 90 55 CF 84 A6 F0 57 AF 89 50 18  g6f...U....W..P.
>>>> [   48] 01 02 DA BE 00 00 0D 0A 2D 2D 31 42 45 46 30 41  ........--1BEF0A
>>>> [   64] 35 37 42 45 31 31 30 46 44 34 36 37 41 0D 0A 43  57BE110FD467A..C
>>>> [   80] 6F 6E 74 65 6E 74 2D 44 69 73 70 6F 73 69 74 69  ontent-Dispositi
>>>> [   96] 6F 6E 3A 20 66 6F 72 6D 2D 64 61 74 61 3B 20 6E  on: form-data; n
>>>> [  112] 61 6D 65 3D 22 73 69 64 22 0D 0A 0D 0A 35 35 36  ame="sid"....556
>>>> [  128] 31 31 33 35 35 31 31 34 32 31 32 36 35 0D 0A 2D  1135511421265..-
>>>> [  144] 2D 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44  -1BEF0A57BE110FD
>>>> [  160] 34 36 37 41 0D 0A 43 6F 6E 74 65 6E 74 2D 44 69  467A..Content-Di
>>>> [  176] 73 70 6F 73 69 74 69 6F 6E 3A 20 66 6F 72 6D 2D  sposition: form-
>>>> [  192] 64 61 74 61 3B 20 6E 61 6D 65 3D 22 75 70 22 0D  data; name="up".
>>>> [  208] 0A 0D 0A 38 36 31 31 34 33 36 31 0D 0A 2D 2D 31  ...86114361..--1
>>>> [  224] 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36  BEF0A57BE110FD46
>>>> [  240] 37 41 0D 0A 43 6F 6E 74 65 6E 74 2D 44 69 73 70  7A..Content-Disp
>>>> [  256] 6F 73 69 74 69 6F 6E 3A 20 66 6F 72 6D 2D 64 61  osition: form-da
>>>> [  272] 74 61 3B 20 6E 61 6D 65 3D 22 77 62 66 6C 22 0D  ta; name="wbfl".
>>>> [  288] 0A 0D 0A 31 0D 0A 2D 2D 31 42 45 46 30 41 35 37  ...1..--1BEF0A57
>>>> [  304] 42 45 31 31 30 46 44 34 36 37 41 0D 0A 43 6F 6E  BE110FD467A..Con
>>>> [  320] 74 65 6E 74 2D 44 69 73 70 6F 73 69 74 69 6F 6E  tent-Disposition
>>>> [  336] 3A 20 66 6F 72 6D 2D 64 61 74 61 3B 20 6E 61 6D  : form-data; nam
>>>> [  352] 65 3D 22 76 22 0D 0A 0D 0A 31 37 38 0D 0A 2D 2D  e="v"....178..--
>>>> [  368] 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34  1BEF0A57BE110FD4
>>>> [  384] 36 37 41 0D 0A 43 6F 6E 74 65 6E 74 2D 44 69 73  67A..Content-Dis
>>>> [  400] 70 6F 73 69 74 69 6F 6E 3A 20 66 6F 72 6D 2D 64  position: form-d
>>>> [  416] 61 74 61 3B 20 6E 61 6D 65 3D 22 70 69 6E 67 22  ata; name="ping"
>>>> [  432] 0D 0A 0D 0A 38 33 32 0D 0A 2D 2D 31 42 45 46 30  ....832..--1BEF0
>>>> [  448] 41 35 37 42 45 31 31 30 46 44 34 36 37 41 0D 0A  A57BE110FD467A..
>>>> [  464] 43 6F 6E 74 65 6E 74 2D 44 69 73 70 6F 73 69 74  Content-Disposit
>>>> [  480] 69 6F 6E 3A 20 66 6F 72 6D 2D 64 61 74 61 3B 20  ion: form-data; 
>>>> [  496] 6E 61 6D 65 3D 22 67 75 69 64 22 0D 0A 0D 0A 7B  name="guid"....{
>>>> [  512] 44 41 35 36 45 35 43 30 2D 32 30 34 37 2D 34 30  DA56E5C0-2047-40
>>>> [  528] 46 38 2D 42 32 42 44 2D 46 37 42 44 30 35 43 35  F8-B2BD-F7BD05C5
>>>> [  544] 32 38 36 31 7D 0D 0A 2D 2D 31 42 45 46 30 41 35  2861}..--1BEF0A5
>>>> [  560] 37 42 45 31 31 30 46 44 34 36 37 41 0D 0A 43 6F  7BE110FD467A..Co
>>>> [  576] 6E 74 65 6E 74 2D 44 69 73 70 6F 73 69 74 69 6F  ntent-Dispositio
>>>> [  592] 6E 3A 20 66 6F 72 6D 2D 64 61 74 61 3B 20 6E 61  n: form-data; na
>>>> [  608] 6D 65 3D 22 77 76 22 0D 0A 0D 0A 36 23 32 23 31  me="wv"....6#2#1
>>>> [  624] 23 30 23 37 36 30 31 23 36 34 32 0D 0A 2D 2D 31  #0#7601#642..--1
>>>> [  640] 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36  BEF0A57BE110FD46
>>>> [  656] 37 41 0D 0A 43 6F 6E 74 65 6E 74 2D 44 69 73 70  7A..Content-Disp
>>>> [  672] 6F 73 69 74 69 6F 6E 3A 20 66 6F 72 6D 2D 64 61  osition: form-da
>>>> [  688] 74 61 3B 20 6E 61 6D 65 3D 22 6D 73 22 0D 0A 0D  ta; name="ms"...
>>>> [  704] 0A 30 3A 30 3A 30 3A 30 3A 30 3A 30 3A 30 3A 30  .0:0:0:0:0:0:0:0
>>>> [  720] 3A 30 3A 30 3A 30 3A 30 3A 30 3A 30 3A 30 3A 30  :0:0:0:0:0:0:0:0
>>>> [  736] 3A 30 0D 0A 2D 2D 31 42 45 46 30 41 35 37 42 45  :0..--1BEF0A57BE
>>>> [  752] 31 31 30 46 44 34 36 37 41 0D 0A 43 6F 6E 74 65  110FD467A..Conte
>>>> [  768] 6E 74 2D 44 69 73 70 6F 73 69 74 69 6F 6E 3A 20  nt-Disposition: 
>>>> [  784] 66 6F 72 6D 2D 64 61 74 61 3B 20 6E 61 6D 65 3D  form-data; name=
>>>> [  800] 22 73 72 22 0D 0A 0D 0A 30 0D 0A 2D 2D 31 42 45  "sr"....0..--1BE
>>>> [  816] 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41  F0A57BE110FD467A
>>>> [  832] 0D 0A 43 6F 6E 74 65 6E 74 2D 44 69 73 70 6F 73  ..Content-Dispos
>>>> [  848] 69 74 69 6F 6E 3A 20 66 6F 72 6D 2D 64 61 74 61  ition: form-data
>>>> [  864] 3B 20 6E 61 6D 65 3D 22 61 72 22 0D 0A 0D 0A 30  ; name="ar"....0
>>>> [  880] 0D 0A 2D 2D 31 42 45 46 30 41 35 37 42 45 31 31  ..--1BEF0A57BE11
>>>> [  896] 30 46 44 34 36 37 41 2D 2D 0D 0A                 0FD467A--..
>>>>
>>>> Barnyard2-1.10 only inserted the first packet shown above into the
>>>> snort.data table??
>>>>
>>>> What happened to the second packet?? We are not using tagged packets.
>>>>
>>>> We are in a heap of trouble here because we can't show in the payload
>>>> where the markers were for the rule that fired the event??
>>>>
>>>> I have your source open and ready to patch..
>>>>
>>>>
>>>> Thanks,
>>>> Larry
>>>>
>>>>
>>>>
>>>>
>>>> ----- Original Message -----
>>>> From: "firnsy" <firnsy at ...14568...>
>>>> To: "Lawrence R. Hughes, Sr." <lhughes at ...14822...>
>>>> Cc: <beenph at ...15893...>; "safwat fahmy" <safwat.fahmy at ...14822...>
>>>> Sent: Thursday, October 04, 2012 7:02 AM
>>>> Subject: Re: barnyard2-1.10 build 310
>>>>
>>>>
>>>> > On Wed, 2012-10-03 at 13:44 -0400, Lawrence R. Hughes, Sr. wrote:
>>>> >> Hi Firnsy,
>>>> >
>>>> > G'day Larry,
>>>> >
>>>> >> We are having problems with this build, it appears you are not
>>>> >> inserting all the packets that were in the snort unified2 log file..
>>>> >> We checked the snort2.9.3.1 unified2 log file with u2spewfoo and
>>>> >> the event packets were there,  but never got inserted into the
>>>> >> mysql data table only the first packet???
>>>> >
>>>> > Are you talking about tagged packets? If so you're also saying that
>>>> > tagged packets used to be appended in 2-1.9 and are no longer in
>>>> > 2-1.10.
>>>> >
>>>> > The database has undergone serious optimisations in this version
>>>> > and it's possible this is a regression. I can't immediately see why
>>>> > it would be sending tagged packets.
>>>> >
>>>> > Can you provide your snort.conf and barnyard2.conf (sans passwords)
>>>> > and the barnyard2 command invocation you're using.
>>>> >
>>>> >> We are also seeing alerts showup without the msg for the alert
>>>> >> which is in the sid-msg.map? We verified the sid number was in the
>>>> >> sid-msg.map, but barnyard2 didn't send it through??
>>>> >
>>>> > Ok, it seems there are bigger issues afoot here. I've cc'd Eric
>>>> > who has done the optimisations on this "soon to be legacy" db
>>>> > plugin and should be able to explain.
>>>> >
>>>> > Regards,
>>>> > firnsy
>>>> >
>>>>
>>>
>>>
>>
> 
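An added illustration of the mechanism firnsy describes above (this is not code from the thread, from barnyard2 or from Snort): a unified2 stream carries one event record followed by any number of packet records keyed by the same sensor id / event id / event second, and a spooler that can only remember CACHED_EVENTS_MAX events will see a late packet as an orphan once its event has been recycled. The script below builds a constructed stream with a two-packet event like event id 13 in the u2spewfoo output, counts packet records per event straight from the file (the check to run before blaming the database plugin), and emulates a bounded event cache to show when the second packet becomes an orphan. The record type numbers and field widths are assumed from my reading of the legacy unified2 IPv4 event (type 7) and packet (type 2) layouts; the payloads are constructed, not the ones in the thread.

```python
"""Count unified2 packet records per event and emulate a bounded event cache.
Added illustration for the barnyard2 thread; not barnyard2 or Snort code."""
import struct
from collections import OrderedDict, defaultdict

# Record type ids and layouts (assumed from the legacy unified2 headers).
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7                       # legacy IPv4 IDS event, 52-byte body
EVENT_FMT = ">" + "I" * 11 + "HHBBBB"        # big-endian, 52 bytes
PACKET_FMT = ">IIIIIII"                      # 28-byte header followed by packet_length bytes


def pack_event(sensor_id, event_id, event_second, sig_id, src_ip, dst_ip, sport, dport):
    """Serialize one IDS event record: 8-byte record header plus 52-byte body."""
    body = struct.pack(EVENT_FMT, sensor_id, event_id, event_second, 0,
                       sig_id, 1, 7, 21, 1, src_ip, dst_ip, sport, dport, 6, 0, 0, 0)
    return struct.pack(">II", UNIFIED2_IDS_EVENT, len(body)) + body


def pack_packet(sensor_id, event_id, event_second, pkt_second, pkt_usec, data):
    """Serialize one packet record tied to an event by (sensor_id, event_id, event_second)."""
    body = struct.pack(PACKET_FMT, sensor_id, event_id, event_second,
                       pkt_second, pkt_usec, 1, len(data)) + data
    return struct.pack(">II", UNIFIED2_PACKET, len(body)) + body


def iter_records(blob):
    """Yield (type, body) per record; stop cleanly at a truncated tail (spool still being written)."""
    off = 0
    while off + 8 <= len(blob):
        rtype, rlen = struct.unpack_from(">II", blob, off)
        off += 8
        if off + rlen > len(blob):
            break
        yield rtype, blob[off:off + rlen]
        off += rlen


def packets_per_event(blob):
    """Map (sensor_id, event_id, event_second) -> number of packet records in the file."""
    counts = defaultdict(int)
    for rtype, body in iter_records(blob):
        if rtype == UNIFIED2_PACKET:
            counts[struct.unpack_from(">III", body, 0)] += 1
    return dict(counts)


def correlate(blob, cached_events_max):
    """Emulate a spooler that remembers at most cached_events_max events and attaches
    packet records to a cached event. Returns (attached counts, list of orphan keys)."""
    cache = OrderedDict()
    attached = defaultdict(int)
    orphans = []
    for rtype, body in iter_records(blob):
        key = struct.unpack_from(">III", body, 0)
        if rtype == UNIFIED2_IDS_EVENT:
            cache[key] = True
            if len(cache) > cached_events_max:
                cache.popitem(last=False)        # oldest event recycled
        elif rtype == UNIFIED2_PACKET:
            if key in cache:
                attached[key] += 1
            else:
                orphans.append(key)              # event no longer (or never) cached
    return dict(attached), orphans


def build_sample(n_interleaved):
    """Constructed stream: event 13 with two packets, the second one arriving only
    after n_interleaved unrelated single-packet events."""
    src = int.from_bytes(bytes([209, 243, 55, 105]), "big")
    dst = int.from_bytes(bytes([178, 77, 103, 54]), "big")
    blob = pack_event(0, 13, 1350640282, 2007728, src, dst, 26343, 8080)
    blob += pack_packet(0, 13, 1350640282, 1350640282, 285798, b"POST /index.php HTTP/1.1\r\n")
    for i in range(n_interleaved):
        eid = 100 + i
        blob += pack_event(0, eid, 1350640283, 2007728, src, dst, 30000 + i, 8080)
        blob += pack_packet(0, eid, 1350640283, 1350640283, i, b"x")
    blob += pack_packet(0, 13, 1350640282, 1350640282, 402773, b"--1BEF0A57BE110FD467A\r\n")
    return blob


if __name__ == "__main__":
    sample = build_sample(300)
    print("packets per event in file:", packets_per_event(sample)[(0, 13, 1350640282)])
    for limit in (256, 1024):
        attached, orphans = correlate(sample, limit)
        print(f"cache max {limit}: attached to event 13 = "
              f"{attached.get((0, 13, 1350640282), 0)}, orphans = {len(orphans)}")
```

With 300 unrelated events between the two packets, a 256-entry cache has already recycled event 13 by the time the second packet arrives, so it is counted as an orphan; raising the limit to 1024 attaches both. The file-level count from packets_per_event() is independent of any cache and is the number the database row count should be compared against.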
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snort.log.1350901409
Type: application/octet-stream
Size: 962 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20121024/739a499e/attachment.obj>

