[Snort-users] unified2 - multiple events and single packet question

Jeff Sundquist jeffsundquist at ...11827...
Wed Mar 26 19:52:51 EDT 2014


Answering my own question (got private email from others):

Yes, there should be a packet after each event.

I was using 2.9.2.3 for my test.  I updated to 2.9.6.0 and now see the
packets after each event.

I broke rule #1: always update to the latest before posting....

Found the following in the changelog for 2.9.3 which probably fixed it:

      - Correctly log TCP segments to unified2 when there are multiple alerts on
        the same reassembled packet.

Thanks,
Jeff



On Wed, Mar 26, 2014 at 4:36 PM, Jeff Sundquist <jeffsundquist at ...11827...> wrote:

> I have a single packet that triggers multiple rules and I end up with the
> following unified2 from it:
>
> (Event)
> sensor id: 0 event id: 1 event second: 1395855838 event microsecond: 898374
>  sig id: 2011967 gen id: 1 revision: 3  classification: 29
>  priority: 1 ip source: 192.168.34.253 ip destination: 192.168.234.100
> src port: 60968 dest port: 80 protocol: 6 impact_flag: 0 blocked: 0
>
> Packet
> sensor id: 0 event id: 1 event second: 1395855838
>  packet second: 1395855838 packet microsecond: 898374
> linktype: 1 packet_length: 207
> [    0] 00 0C 29 88 8C 67 00 22 19 D4 DC 85 08 00 45 00  ..)..g."......E.
> [   16] 00 C1 1E 70 40 00 40 06 8D 14 C0 A8 22 FD C0 A8  ...p@.@....."...
> [   32] EA 64 EE 28 00 50 29 B8 0F 2E 7E 4D 21 1E 50 18  .d.(.P)...~M!.P.
> [   48] 00 5C 74 F9 00 00 47 45 54 20 2F 63 6D 64 2E 65  .\t...GET /cmd.e
> [   64] 78 65 3F 31 32 26 66 6F 6F 3D 2F 62 6F 74 2E 65  xe?12&foo=/bot.e
> [   80] 78 65 26 62 61 72 3D 31 31 32 20 48 54 54 50 2F  xe&bar=112 HTTP/
> [   96] 31 2E 30 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A  1.0..User-Agent:
> [  112] 20 57 67 65 74 2F 31 2E 31 30 2E 32 20 28 52 65   Wget/1.10.2 (Re
> [  128] 64 20 48 61 74 20 6D 6F 64 69 66 69 65 64 29 0D  d Hat modified).
> [  144] 0A 41 63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 48 6F  .Accept: */*..Ho
> [  160] 73 74 3A 20 31 39 32 2E 31 36 38 2E 32 33 34 2E  st: 192.168.234.
> [  176] 31 30 30 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A  100..Connection:
> [  192] 20 4B 65 65 70 2D 41 6C 69 76 65 0D 0A 0D 0A      Keep-Alive....
>
> (Event)
> sensor id: 0 event id: 2 event second: 1395855838 event microsecond: 898374
>  sig id: 2009361 gen id: 1 revision: 4  classification: 21
>  priority: 2 ip source: 192.168.34.253 ip destination: 192.168.234.100
> src port: 60968 dest port: 80 protocol: 6 impact_flag: 0 blocked: 0
>
> (Event)
> sensor id: 0 event id: 3 event second: 1395855838 event microsecond: 898374
>  sig id: 1002 gen id: 1 revision: 10  classification: 30
>  priority: 1 ip source: 192.168.34.253 ip destination: 192.168.234.100
> src port: 60968 dest port: 80 protocol: 6 impact_flag: 0 blocked: 0
>
>
> Question : Is this the correct behavior?  The unified2 doc states the
> following "A Unified2 Packet is provided with each Unified2 Event record".
>
>
> I ask because barnyard2 isn't recording all three signatures since there
> is no packet included.  I want to know whether I need to update barnyard2
> or if there is an issue with snort or if I'm missing something.
>
> One more...  If a single packet for 3 rules is correct, is there a way to
> associate event 2 and 3 with the packet?
>
> Thanks,
> Jeff
>
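The check the thread turns on, whether every unified2 event record is followed by a packet record carrying the same event id, is easy to script. The reader below is an added example, not code from this thread, from barnyard2 or from the Snort project; it uses the legacy IPv4 record layouts (UNIFIED2_IDS_EVENT = 7, UNIFIED2_PACKET = 2) and skips IPv6, VLAN and extra-data record types. The two byte streams it parses are constructed inline to mirror the dump above (three events, one packet, as logged before 2.9.3) and the corrected behaviour (a packet after each event); the payload bytes are a placeholder, not the real frame.

```python
"""Minimal unified2 reader that flags events with no matching packet record.
Added example; record layouts are the legacy IPv4 ones used by Snort 2.9.x."""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Iterator, List, Union

UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7

HDR = struct.Struct("!II")                  # record header: type, length
EVT = struct.Struct("!IIIIIIIIIIIHHBBBB")   # legacy IPv4 event body, 52 bytes
PKT = struct.Struct("!IIIIIII")             # packet header, 28 bytes + data


@dataclass
class Event:
    sensor_id: int; event_id: int; event_second: int; event_microsecond: int
    signature_id: int; generator_id: int; signature_revision: int
    classification_id: int; priority_id: int
    ip_source: str; ip_destination: str
    sport: int; dport: int; protocol: int; impact_flag: int; impact: int; blocked: int


@dataclass
class Packet:
    sensor_id: int; event_id: int; event_second: int
    packet_second: int; packet_microsecond: int; linktype: int; data: bytes


def parse_unified2(buf: bytes) -> Iterator[Union[Event, Packet]]:
    """Walk the record stream; yield Event and Packet objects, skip other types."""
    off = 0
    while off + HDR.size <= len(buf):
        rtype, rlen = HDR.unpack_from(buf, off)
        off += HDR.size
        body = buf[off:off + rlen]
        if len(body) != rlen:
            raise ValueError(f"truncated record at offset {off}")
        off += rlen
        if rtype == UNIFIED2_IDS_EVENT:
            f = EVT.unpack_from(body)
            yield Event(*f[:9], str(IPv4Address(f[9])), str(IPv4Address(f[10])), *f[11:])
        elif rtype == UNIFIED2_PACKET:
            f = PKT.unpack_from(body)
            yield Packet(*f[:6], body[PKT.size:PKT.size + f[6]])


def orphaned_events(records) -> List[int]:
    """event_ids of events not immediately followed by a packet with the same id.
    barnyard2 needs that packet record to write out the alert for the event."""
    recs = list(records)
    orphans = []
    for i, r in enumerate(recs):
        if not isinstance(r, Event):
            continue
        nxt = recs[i + 1] if i + 1 < len(recs) else None
        if not (isinstance(nxt, Packet) and nxt.event_id == r.event_id):
            orphans.append(r.event_id)
    return orphans


# --- constructed sample data (values taken from the dump in the post) ---
TS, US = 1395855838, 898374
SRC, DST = int(IPv4Address("192.168.34.253")), int(IPv4Address("192.168.234.100"))
PAYLOAD = b"GET / HTTP/1.0\r\nHost: 192.168.234.100\r\n\r\n"  # placeholder, not the real frame
ALERTS = [(1, 2011967, 3, 29, 1), (2, 2009361, 4, 21, 2), (3, 1002, 10, 30, 1)]


def build_event(event_id, sig_id, rev, cls, prio) -> bytes:
    body = EVT.pack(0, event_id, TS, US, sig_id, 1, rev, cls, prio,
                    SRC, DST, 60968, 80, 6, 0, 0, 0)
    return HDR.pack(UNIFIED2_IDS_EVENT, len(body)) + body


def build_packet(event_id, data) -> bytes:
    body = PKT.pack(0, event_id, TS, TS, US, 1, len(data)) + data
    return HDR.pack(UNIFIED2_PACKET, len(body)) + body


# Pre-2.9.3 behaviour from the post: one packet record, then two bare events.
OLD_STREAM = (build_event(*ALERTS[0]) + build_packet(1, PAYLOAD)
              + build_event(*ALERTS[1]) + build_event(*ALERTS[2]))
# 2.9.3+ behaviour: the same reassembled packet is logged after every event.
NEW_STREAM = b"".join(build_event(*a) + build_packet(a[0], PAYLOAD) for a in ALERTS)

if __name__ == "__main__":
    print("events without packet (old):", orphaned_events(parse_unified2(OLD_STREAM)))
    print("events without packet (new):", orphaned_events(parse_unified2(NEW_STREAM)))
```

Run against a real `snort.log.*` file by passing its bytes to `parse_unified2`; an empty list from `orphaned_events` confirms the sensor is logging the way the 2.9.3 changelog entry describes, while a non-empty list identifies the event ids barnyard2 will drop.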