[Snort-users] Events with no packet data

James Lay jlay at ...13475...
Wed Jul 9 18:24:41 EDT 2014


On 2014-07-09 16:22, Y M wrote:
>> To: snort-users at lists.sourceforge.net
>> Date: Tue, 8 Jul 2014 11:07:01 -0600
>> From: jlay at ...13475...
>> Subject: [Snort-users] Events with no packet data
>>
>> Interesting...from the u2 file:
>>
>> (Event)
>> sensor id: 0 event id: 1888 event second: 1404838420
>> event microsecond: 303235
>> sig id: 2015622 gen id: 1 revision: 1
>> classification: 21
>> priority: 1 ip source: x.x.x.x ip destination: x.x.x.x
>> src port: 80 dest port: 49211 protocol: 6
>> impact_flag: 0 blocked: 0
>>
>> (ExtraDataHdr)
>> event type: 4 event length: 38
>>
>> (ExtraData)
>> sensor id: 0 event id: 1888 event second: 1404838420
>> type: 9 datatype: 1 bloblength: 14 HTTP URI: /index
>>
>> (ExtraDataHdr)
>> event type: 4 event length: 56
>>
>> (ExtraData)
>> sensor id: 0 event id: 1888 event second: 1404838420
>> type: 10 datatype: 1 bloblength: 32 HTTP Hostname:
>> www.favfamilyrecipes.com
>>
>> And that's it...this shows up as src/dst 0.0.0.0 in my sguil console.
>> Is there a way to figure out exactly when the packet information wasn't
>> included? Thanks.
>
> Was this the end of the event in the u2 file? Usually some events span
> multiple u2 records (my translation) and you may have to look further
> if there are additional records. Also, try to convert the u2 file into
> a pcap using the u2boat tool. This may not resolve the issue but at
> least will allow you to peek inside the packet itself within Wireshark
> or so. Perhaps following the stream as well may provide additional
> information (packets). This worked for me in certain situations.
>
> Looking at the rule itself, it has multiple content matches; it had to
> trigger on that particular content to generate that event!
>
> YM

Thanks YM....it wasn't at the end...but I'll do some digging with 
u2boat and whatnot to see what I can see...thanks for the look see.

James
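The question in the thread is how to tell, from the u2 file itself, which events were written without a packet record. Below is an added example (not code from the thread, from James, or from the Snort project) that walks a unified2 stream record by record, correlates IDS event, packet and extra-data records on the (sensor id, event id, event second) triple, and lists the events that never received a packet record. It assumes the record layouts from Snort's Unified2_common.h (record header, the 52-byte IPv4 event type 7, packet type 2, extra data type 110); the sample stream is constructed here and modelled on the posted dump, with 10.0.0.1/10.0.0.2 standing in for the x.x.x.x addresses.

```python
import struct
from collections import defaultdict

# Record types from Snort's Unified2_common.h (only the three this example needs).
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7        # IPv4 event, the layout shown in the posted dump
UNIFIED2_EXTRA_DATA = 110

# All unified2 fields are big-endian (network byte order).
RECORD_HDR = struct.Struct("!II")                     # type, length of the body that follows
IDS_EVENT = struct.Struct("!" + "I" * 11 + "HHBBBB")  # 52 bytes: sensor..ip_dst, sport, dport, proto, impact_flag, impact, blocked
PACKET_HDR = struct.Struct("!" + "I" * 7)             # sensor, event id, event sec, pkt sec, pkt usec, linktype, packet length
EXTRA_DATA = struct.Struct("!" + "I" * 8)             # event type, event length, sensor, event id, event sec, type, data type, blob length


def record(rtype, body):
    return RECORD_HDR.pack(rtype, len(body)) + body


def ids_event(sensor, eid, sec, usec, sid, gid, rev, cls, pri, src, dst, sport, dport, proto):
    body = IDS_EVENT.pack(sensor, eid, sec, usec, sid, gid, rev, cls, pri, src, dst, sport, dport, proto, 0, 0, 0)
    return record(UNIFIED2_IDS_EVENT, body)


def packet(sensor, eid, sec, payload, linktype=1):
    # linktype 1 = Ethernet; the packet timestamp reuses the event second for brevity
    return record(UNIFIED2_PACKET, PACKET_HDR.pack(sensor, eid, sec, sec, 0, linktype, len(payload)) + payload)


def extra_data(sensor, eid, sec, dtype, blob):
    # Snort counts the type and data_type fields in blob_length (hence 14 for "/index" in the post),
    # and event_length covers the whole extra-data record including its 8-byte header (38 for "/index").
    body = EXTRA_DATA.pack(4, EXTRA_DATA.size + len(blob), sensor, eid, sec, dtype, 1, 8 + len(blob)) + blob
    return record(UNIFIED2_EXTRA_DATA, body)


def parse_records(data):
    """Yield (record_type, body) for each record in a unified2 byte string."""
    off = 0
    while off + RECORD_HDR.size <= len(data):
        rtype, rlen = RECORD_HDR.unpack_from(data, off)
        off += RECORD_HDR.size
        if off + rlen > len(data):
            raise ValueError("truncated record at offset %d" % off)
        yield rtype, data[off:off + rlen]
        off += rlen


def summarize(data):
    """Map (sensor_id, event_id, event_second) -> signature id plus counts of packet and
    extra-data records. That triple is how unified2 consumers correlate records to an event."""
    events = defaultdict(lambda: {"sig_id": None, "packets": 0, "extra": 0})
    for rtype, body in parse_records(data):
        if rtype == UNIFIED2_IDS_EVENT:
            f = IDS_EVENT.unpack(body)
            events[(f[0], f[1], f[2])]["sig_id"] = f[4]
        elif rtype == UNIFIED2_PACKET:
            f = PACKET_HDR.unpack_from(body)
            events[(f[0], f[1], f[2])]["packets"] += 1
        elif rtype == UNIFIED2_EXTRA_DATA:
            f = EXTRA_DATA.unpack_from(body)
            events[(f[2], f[3], f[4])]["extra"] += 1
    return dict(events)


def events_without_packets(data):
    """Return (sensor_id, event_id, event_second, sig_id) for every event that has no packet record."""
    return sorted(key + (info["sig_id"],) for key, info in summarize(data).items()
                  if info["sig_id"] is not None and info["packets"] == 0)


def sample_u2():
    """Constructed stream: event 1887 has its packet; event 1888 mirrors the posted dump
    (extra data only). The addresses and payload bytes are placeholders."""
    src, dst = 0x0A000001, 0x0A000002   # 10.0.0.1 -> 10.0.0.2
    return b"".join([
        ids_event(0, 1887, 1404838400, 1000, 2015622, 1, 1, 21, 1, src, dst, 80, 49210, 6),
        packet(0, 1887, 1404838400, b"\x00" * 54 + b"HTTP/1.1 200 OK\r\n"),
        extra_data(0, 1887, 1404838400, 9, b"/index"),
        ids_event(0, 1888, 1404838420, 303235, 2015622, 1, 1, 21, 1, src, dst, 80, 49211, 6),
        extra_data(0, 1888, 1404838420, 9, b"/index"),
        extra_data(0, 1888, 1404838420, 10, b"www.favfamilyrecipes.com"),
    ])


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_u2()
    for sensor, eid, sec, sid in events_without_packets(data):
        print("sensor %d event %d second %d sig %d: no packet record" % (sensor, eid, sec, sid))
```

Because the whole file is scanned before the report is produced, a packet record that lands several records after its event (the case YM raises) is still matched, so the script only flags events whose packet is genuinely absent from the file. It decodes only the IPv4 event type 7 shown in the dump; Snort also writes IPv6 and VLAN event types (72, 104, 105) with longer layouts, and a file from such a sensor needs those unpacked in `summarize` as well.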
