[Snort-users] converting unified2 to pcap: 'ethertype Unknown'

Marcin Dulak marcin.dulak at ...11827...
Thu Dec 15 09:51:29 EST 2016


Hi,

I'm looking at converting unified2 logs into pcap, but this seems to result
in 'ethertype Unknown'.
What am I missing?

http://manual.snort.org/ says:

Packet logging includes a capture of the entire packet and is specified
with log_unified2. Likewise, alert logging will only log events and is
specified with alert_unified2. To include both logging styles in a single,
unified file, simply specify unified2.

snort # rpm -q snort
snort-2.9.8.3-1.el7.centos.x86_64

snort # snort --version 2>&1 | grep Version
  o"  )~   Version 2.9.8.3 GRE (Build 383)

snort # grep "^ output " /home/snort/conf/snort.conf
 output unified2: filename merged.log, limit 128, nostamp,
mpls_event_types, vlan_event_types
 output log_tcpdump: tcpdump.log

snort # grep "^config daq" /home/snort/conf/snort.conf
config daq: nfq
config daq_dir: /usr/lib64/daq
config daq_mode: inline

I run snort inline with nfq on the host to which I send http traffic:

snort # /usr/sbin/snort -d -D -u root -g root -c
/home/snort/conf/snort.conf -l /home/snort/logs

have just one rule

alert tcp any any -> $HOME_NET any (msg:"alert tcp any any"; sid:10000002;
rev:001;)

and send http to the sensor from another machine 10.255.2.100:

machine # curl 10.255.2.160

and then convert the resulting unified2 log into pcap.

There is no VLAN traffic and 10.255.2.160 is on an subinterface of enp0s9
of the machine running snort.

snort # ethtool -k enp0s9 | grep ': on'
rx-vlan-filter: on [fixed]

snort # u2spewfoo /home/snort/logs/merged.log

(Event)
    sensor id: 0    event id: 1    event second: 1481812613    event
microsecond: 105823
    sig id: 10000002    gen id: 1    revision: 1     classification: 0
    priority: 0    ip source: 10.255.2.100    ip destination: 10.255.2.160
    src port: 38600    dest port: 80    protocol: 6    impact_flag: 0
blocked: 0
    mpls label: 0    vland id: 0    policy id: 0

Packet
    sensor id: 0    event id: 1    event second: 1481812613
    packet second: 1481812613    packet microsecond: 105823
    linktype: 228    packet_length: 60
[    0] 45 00 00 3C D8 DC 40 00 40 06 46 DE 0A FF 02 64  E..<.. at ...843...@.F....d
[   16] 0A FF 02 A0 96 C8 00 50 A4 41 88 47 00 00 00 00  .......P.A.G....
[   32] A0 02 72 10 96 64 00 00 02 04 05 B4 04 02 08 0A  ..r..d..........
[   48] 10 4D 50 9B 00 00 00 00 01 03 03 07              .MP.........

snort # tcpdump -nnX -r /home/snort/logs/tcpdump.log.1481810549
reading from file /home/snort/logs/tcpdump.log.1481810549, link-type RAW
(Raw IP)
15:02:35.912256 IP 10.255.2.100.38594 > 10.255.2.160.80: Flags [S], seq
1388536122, win 29200, options [mss 1460,sackOK,TS val 271445254 ecr
0,nop,wscale 7], length 0
                0x0000:  4500 003c 8c3c 4000 4006 937e 0aff 0264
E..<.<@. at ...846...~...d
                0x0010:  0aff 02a0 96c2 0050 52c3 613a 0000 0000
.......PR.a:....
                0x0020:  a002 7210 72aa 0000 0204 05b4 0402 080a
..r.r...........
                0x0030:  102d ed06 0000 0000 0103 0307
.-..........

snort # u2boat /home/snort/logs/merged.log /home/snort/logs/merged.log.pcap

snort # tcpdump -nnX -r /home/snort/logs/merged.log.pcap
reading from file /home/snort/logs/merged.log.pcap, link-type EN10MB
(Ethernet)
15:02:35.912256 40:00:40:06:93:7e > 45:00:00:3c:8c:3c, ethertype Unknown
(0x0aff), length 60:
                0x0000:  0264 0aff 02a0 96c2 0050 52c3 613a 0000
.d.......PR.a:..
                0x0010:  0000 a002 7210 72aa 0000 0204 05b4 0402
....r.r.........
                0x0020:  080a 102d ed06 0000 0000 0103 0307
...-..........

Best regards,

Marcin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20161215/dd85450b/attachment.html>


More information about the Snort-users mailing list