[Snort-users] Events with no packet data

Y M snort at ...15979...
Wed Jul 9 18:22:24 EDT 2014



> To: snort-users at lists.sourceforge.net
> Date: Tue, 8 Jul 2014 11:07:01 -0600
> From: jlay at ...13475...
> Subject: [Snort-users] Events with no packet data
> 
> Interesting...from the u2 file:
> 
> (Event)
>          sensor id: 0    event id: 1888  event second: 1404838420        event microsecond: 303235
>          sig id: 2015622 gen id: 1       revision: 1      classification: 21
>          priority: 1     ip source: x.x.x.x ip destination: x.x.x.x
>          src port: 80    dest port: 49211        protocol: 6     impact_flag: 0  blocked: 0
> 
> (ExtraDataHdr)
>          event type: 4   event length: 38
> 
> (ExtraData)
>          sensor id: 0    event id: 1888  event second: 1404838420
>          type: 9 datatype: 1     bloblength: 14  HTTP URI: /index
> 
> (ExtraDataHdr)
>          event type: 4   event length: 56
> 
> (ExtraData)
>          sensor id: 0    event id: 1888  event second: 1404838420
>          type: 10        datatype: 1     bloblength: 32  HTTP Hostname: www.favfamilyrecipes.com
> 
> And that's it...this shows up as src/dst 0.0.0.0 in my sguil console.
> Is there a way to figure out exactly when the packet information wasn't
> included?  Thanks.
Was this the end of the event in the u2 file? Usually some events span multiple u2 records (my translation) and you may have to look further if there are additional records. Also, try to convert the u2 file into a pcap using the u2boat tool. This may not resolve the issue but at least will allow you to peek inside the packet itself within Wireshark or so. Perhaps following the stream as well may provide additional information (packets). This worked for me in certain situations.
Looking at the rule itself, it has multiple content matches; it had to trigger on that particular content to generate that event!
YM
> 
> James
> 
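To answer the question of which events in a u2 file never got a packet record, the records can be walked directly and correlated on the (sensor id, event id, event second) triple that the Event, Packet and ExtraData records share. The script below is an added example, not code from the thread or from the Snort project; the record type numbers follow Snort's Unified2_common.h, and the sample stream is constructed to mirror the records quoted above (the ExtraData lengths 38/56 and blob lengths 14/32 come out identical).

```python
import struct
from collections import defaultdict

# Record type ids as in Snort's Unified2_common.h
UNIFIED2_PACKET, UNIFIED2_EXTRA_DATA = 2, 110
EVENT_TYPES = {7, 72, 104, 105}  # IDS_EVENT, IDS_EVENT_IPV6, IDS_EVENT_VLAN, IDS_EVENT_IPV6_VLAN
EVENT_SECOND = 1404838420  # event second from the post, reused for the constructed records

def iter_records(data):
    """Yield (type, body) per record; a record starts with big-endian u32 type and u32 length."""
    off = 0
    while off + 8 <= len(data):
        rtype, length = struct.unpack_from(">II", data, off)
        body = data[off + 8:off + 8 + length]
        if len(body) < length:
            break  # truncated tail, e.g. a file Snort is still writing
        yield rtype, body
        off += 8 + length

def events_without_packets(data):
    """Map (sensor_id, event_id, event_second) -> kinds of records seen, for events lacking a packet."""
    seen = defaultdict(list)
    for rtype, body in iter_records(data):
        if rtype in EVENT_TYPES or rtype == UNIFIED2_PACKET:
            key = struct.unpack_from(">III", body, 0)  # sensor_id, event_id, event_second lead both layouts
            seen[key].append("packet" if rtype == UNIFIED2_PACKET else "event")
        elif rtype == UNIFIED2_EXTRA_DATA:
            key = struct.unpack_from(">III", body, 8)  # skip the 8-byte Unified2ExtraDataHdr
            seen[key].append("extra")
    return {k: v for k, v in seen.items() if "event" in v and "packet" not in v}

# Constructed sample mirroring the post: event 1888 carries only ExtraData, event 1889 also has a packet
def rec(rtype, body):
    return struct.pack(">II", rtype, len(body)) + body
def build_event(eid):  # Unified2IDSEvent_legacy (type 7): 11 u32, 2 u16, 4 u8 = 52 bytes
    return rec(7, struct.pack(">IIIIIIIIIIIHHBBBB", 0, eid, EVENT_SECOND, 303235,
                              2015622, 1, 1, 21, 1, 0, 0, 80, 49211, 6, 0, 0, 0))
def build_extra(eid, xtype, text):  # type 110: ExtraDataHdr(event_type=4, event_length) + ExtraData + blob
    blob = text.encode()
    body = struct.pack(">IIIIII", 0, eid, EVENT_SECOND, xtype, 1, len(blob) + 8) + blob
    return rec(110, struct.pack(">II", 4, 8 + len(body)) + body)
def build_packet(eid, payload):  # type 2: Unified2Packet header (linktype 1 = Ethernet) + raw bytes
    return rec(2, struct.pack(">IIIIIII", 0, eid, EVENT_SECOND, EVENT_SECOND, 303235, 1, len(payload)) + payload)

SAMPLE_U2 = (build_event(1888) + build_extra(1888, 9, "/index") + build_extra(1888, 10, "www.favfamilyrecipes.com")
             + build_event(1889) + build_packet(1889, b"\x00" * 60))

if __name__ == "__main__":
    for key, kinds in events_without_packets(SAMPLE_U2).items():
        print("event %d (sensor %d, second %d) has no packet record; records seen: %s" % (key[1], key[0], key[2], kinds))
```

Run it against a real file by replacing SAMPLE_U2 with the bytes of the u2 file; any event listed has reached the end of the file without a Packet record, which is the case where sguil shows 0.0.0.0.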