[Snort-users] Fwd: Re: barnyard2-1.10 major problem

Lawrence R. Hughes, Sr. lhughes at ...14822...
Thu Oct 25 12:33:38 EDT 2012


Beenph,

Snort did not break the following into two (2) different events. Unified2 
output from snort.log:

(Event)
        sensor id: 0    event id: 1     event second: 1350903278        event microsecond: 178786
        sig id: 2805523 gen id: 1       revision: 1      classification: 21
        priority: 1     ip source: 172.25.236.179       ip destination: 207.171.163.31
        src port: 4926  dest port: 80   protocol: 6     impact_flag: 0  blocked: 0

Packet
        sensor id: 0    event id: 1     event second: 1350903278
        packet second: 1350903278       packet microsecond: 178786
        linktype: 1     packet_length: 449
[    0] 00 0E 0C C1 D5 7B 00 0D 66 DC D0 00 08 00 45 00  .....{..f.....E.
[   16] 01 B3 7F 06 40 00 40 06 AE A6 AC 19 EC B3 CF AB  ....@.@.........
[   32] A3 1F 13 3E 00 50 41 49 60 BC AA E5 94 90 50 18  ...>.PAI`.....P.
[   48] 19 20 84 D8 00 00 47 45 54 20 2F 69 6E 73 74 61  . ....GET /insta
[   64] 6C 6C 65 72 2E 67 69 66 3F 61 63 74 69 6F 6E 3D  ller.gif?action=
[   80] 66 69 6E 69 73 68 65 64 26 62 72 6F 77 73 65 72  finished&browser
[   96] 3D 69 65 37 26 76 65 72 3D 31 5F 32 33 5F 31 35  =ie7&ver=1_23_15
[  112] 31 5F 31 35 31 26 62 69 63 3D 44 36 44 44 36 46  1_151&bic=D6DD6F
[  128] 43 43 43 36 33 38 34 43 42 46 41 43 33 32 32 32  CCC6384CBFAC3222
[  144] 34 39 41 33 31 33 36 44 37 31 49 45 26 61 70 70  49A3136D71IE&app
[  160] 3D 34 34 39 33 26 61 70 70 76 65 72 3D 34 30 26  =4493&appver=40&
[  176] 76 65 72 69 66 69 65 72 3D 31 63 36 32 66 61 39  verifier=1c62fa9
[  192] 61 34 61 33 36 33 32 34 63 33 36 35 38 34 64 38  a4a36324c36584d8
[  208] 31 34 35 39 65 33 36 62 32 26 73 72 63 69 64 3D  1459e36b2&srcid=
[  224] 38 38 39 37 34 26 73 75 62 69 64 3D 64 65 66 61  88974&subid=defa
[  240] 75 6C 74 26 7A 64 61 74 61 3D 38 38 39 37 34 26  ult&zdata=88974&
[  256] 73 75 62 69 64 3D 26 70 69 64 3D 31 33 32 32 26  subid=&pid=1322&
[  272] 66 66 3D 30 5F 38 35 26 63 68 3D 31 5F 32 30 5F  ff=0_85&ch=1_20_
[  288] 33 37 26 64 65 66 61 75 6C 74 3D 69 65 26 6F 73  37&default=ie&os
[  304] 3D 58 50 26 61 64 6D 69 6E 3D 31 26 74 79 70 65  =XP&admin=1&type
[  320] 3D 31 32 34 31 37 26 61 73 77 3D 30 20 48 54 54  =12417&asw=0 HTT
[  336] 50 2F 31 2E 30 0D 0A 55 73 65 72 2D 41 67 65 6E  P/1.0..User-Agen
[  352] 74 3A 20 4E 53 49 53 5F 49 6E 65 74 63 20 28 4D  t: NSIS_Inetc (M
[  368] 6F 7A 69 6C 6C 61 29 0D 0A 48 6F 73 74 3A 20 73  ozilla)..Host: s
[  384] 74 61 74 73 2E 63 72 6F 73 73 72 69 64 65 72 2E  tats.crossrider.
[  400] 63 6F 6D 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A  com..Connection:
[  416] 20 4B 65 65 70 2D 41 6C 69 76 65 0D 0A 50 72 61   Keep-Alive..Pra
[  432] 67 6D 61 3A 20 6E 6F 2D 63 61 63 68 65 0D 0A 0D  gma: no-cache...
[  448] 0A                                               .

Packet
        sensor id: 0    event id: 1     event second: 1350903278
        packet second: 1350903278       packet microsecond: 300156
        linktype: 1     packet_length: 381
[    0] 00 0E 0C C1 D5 7B 00 0D 66 DC D0 00 08 00 45 00  .....{..f.....E.
[   16] 01 6F 7F 08 40 00 40 06 AE E8 AC 19 EC B3 CF AB  .o..@.@.........
[   32] A3 1F 13 3E 00 50 41 49 62 47 AA E5 96 5E 50 18  ...>.PAIbG...^P.
[   48] 1D 50 BB 8D 00 00 47 45 54 20 2F 61 70 70 73 2E  .P....GET /apps.
[   64] 67 69 66 3F 61 63 74 69 6F 6E 3D 69 6E 73 74 61  gif?action=insta
[   80] 6C 6C 26 62 72 6F 77 73 65 72 3D 69 65 37 26 76  ll&browser=ie7&v
[   96] 65 72 3D 31 5F 32 33 5F 31 35 31 5F 31 35 31 26  er=1_23_151_151&
[  112] 62 69 63 3D 44 36 44 44 36 46 43 43 43 36 33 38  bic=D6DD6FCCC638
[  128] 34 43 42 46 41 43 33 32 32 32 34 39 41 33 31 33  4CBFAC322249A313
[  144] 36 44 37 31 49 45 26 61 70 70 3D 34 34 39 33 26  6D71IE&app=4493&
[  160] 61 70 70 76 65 72 3D 34 30 26 76 65 72 69 66 69  appver=40&verifi
[  176] 65 72 3D 31 63 36 32 66 61 39 61 34 61 33 36 33  er=1c62fa9a4a363
[  192] 32 34 63 33 36 35 38 34 64 38 31 34 35 39 65 33  24c36584d81459e3
[  208] 36 62 32 26 69 6E 73 74 61 6C 6C 74 69 6D 65 3D  6b2&installtime=
[  224] 31 33 35 30 39 31 38 31 34 39 26 63 75 72 74 69  1350918149&curti
[  240] 6D 65 3D 31 33 35 30 39 31 38 31 34 39 26 6C 69  me=1350918149&li
[  256] 66 65 74 69 6D 65 3D 30 20 48 54 54 50 2F 31 2E  fetime=0 HTTP/1.
[  272] 30 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4E  0..User-Agent: N
[  288] 53 49 53 5F 49 6E 65 74 63 20 28 4D 6F 7A 69 6C  SIS_Inetc (Mozil
[  304] 6C 61 29 0D 0A 48 6F 73 74 3A 20 73 74 61 74 73  la)..Host: stats
[  320] 2E 63 72 6F 73 73 72 69 64 65 72 2E 63 6F 6D 0D  .crossrider.com.
[  336] 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 4B 65 65  .Connection: Kee
[  352] 70 2D 41 6C 69 76 65 0D 0A 50 72 61 67 6D 61 3A  p-Alive..Pragma:
[  368] 20 6E 6F 2D 63 61 63 68 65 0D 0A 0D 0A            no-cache....

There is one (1) event header and two (2) packets!

If snort wanted two (2) events it would have put two (2) event headers in 
the unified2 log file.

You have it all wrong beenph!
Just ask the guys at SF the above should be treated as a single event with 2 
packets.

When can you fix this in spooler.c???

Thanks,
Larry





----- Original Message ----- 
From: "beenph" <beenph at ...11827...>
To: "Lawrence R. Hughes, Sr." <lhughes at ...14822...>
Cc: <barnyard2-users at ...14071...>; "snort-users" 
<snort-users at lists.sourceforge.net>
Sent: Thursday, October 25, 2012 12:02 PM
Subject: Re: [Snort-users] Fwd: Re: barnyard2-1.10 major problem


> On Thu, Oct 25, 2012 at 11:57 AM, Lawrence R. Hughes, Sr.
> <lhughes at ...14822...> wrote:
>> Beenph,
>>
>> So what I see and correct me if I am wrong, you take a single event from
>> snort that has 2 packets and create 2 separate events in the database.
>>
>> So if I had a single event from snort that has 6 packets that are all listed
>> with the same event_id barnyard would create 6 events in snort.event
>> database correct?
>>
>> If this is the case, please explain why you would break the packets from a
>> single event into several events.
>>
>>
> That's exact.
>
> We do not break anything up, it is logged to the database as it is present
> in the unified2 file:
> UNIFIED2_RECORD_HEADER
> EVENT X
> UNIFIED2_RECORD_HEADER
> PACKET1  EVENT X
> UNIFIED2_RECORD_HEADER
> PACKET2  EVENT X
> UNIFIED2_RECORD_HEADER
> PACKETN EVENT X
>
> -elz
> 
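As an added illustration (not code from barnyard2, Snort, or anyone in this thread), a minimal unified2 reader that reconstructs the relationship Larry describes: one UNIFIED2_IDS_EVENT record followed by UNIFIED2_PACKET records keyed on the same sensor_id/event_id/event_second, so the dump above groups as one event with two packets. The byte stream it parses is constructed to mirror the quoted u2spewfoo output; the frame contents are placeholders, not the real packets.

```python
import socket
import struct
from collections import defaultdict
# Record types and layouts from Snort's Unified2_common.h; every field is big-endian.
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
# Legacy IPv4 event (52 bytes): sensor_id, event_id, event_second, event_usec, sig_id, gen_id,
# revision, classification, priority, ip_src, ip_dst, sport, dport, proto, impact_flag, impact, blocked
EVENT_FMT = "!11I2H4B"
PACKET_FMT = "!7I"  # packet header (28 bytes): sensor_id, event_id, event_second, pkt_second, pkt_usec, linktype, pkt_length

def ip2int(ip):
    return struct.unpack("!I", socket.inet_aton(ip))[0]

def build_sample():
    """Constructed stream mirroring the quoted dump: one event, then two packets with the same ids."""
    ev = struct.pack(EVENT_FMT, 0, 1, 1350903278, 178786, 2805523, 1, 1, 21, 1,
                     ip2int("172.25.236.179"), ip2int("207.171.163.31"), 4926, 80, 6, 0, 0, 0)
    out = struct.pack("!II", UNIFIED2_IDS_EVENT, len(ev)) + ev   # Unified2_RecordHeader + body
    for usec, frame in ((178786, b"GET /installer.gif HTTP/1.0\r\n"),   # placeholder frames,
                        (300156, b"GET /apps.gif HTTP/1.0\r\n")):       # not the real packets
        body = struct.pack(PACKET_FMT, 0, 1, 1350903278, 1350903278, usec, 1, len(frame)) + frame
        out += struct.pack("!II", UNIFIED2_PACKET, len(body)) + body
    return out

def parse(data):
    """Yield (type, header_fields, packet_bytes) per record; stop at a truncated tail."""
    off = 0
    while off + 8 <= len(data):
        rtype, length = struct.unpack_from("!II", data, off)
        body = data[off + 8:off + 8 + length]
        if len(body) < length:
            break   # incomplete record: a spooler would wait for the rest of it
        off += 8 + length
        if rtype == UNIFIED2_IDS_EVENT:
            yield rtype, struct.unpack(EVENT_FMT, body), b""
        elif rtype == UNIFIED2_PACKET:
            hdr = struct.unpack_from(PACKET_FMT, body)
            yield rtype, hdr, body[28:28 + hdr[6]]

def group_by_event(data):
    """Attach each packet record to the event that shares its (sensor_id, event_id, event_second)."""
    groups = defaultdict(lambda: {"event": None, "packets": []})
    for rtype, hdr, pkt in parse(data):
        key = hdr[:3]
        if rtype == UNIFIED2_IDS_EVENT:
            groups[key]["event"] = hdr
        else:
            groups[key]["packets"].append(pkt)
    return dict(groups)
```

Running group_by_event(build_sample()) yields a single key (0, 1, 1350903278) holding the event header and both packet payloads, which is the one-event, two-packet reading of the file.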