[Snort-users] u2 format differences from 2.9.8.0 to 2.9.8.2

Y M snort at ...15979...
Sat Jun 25 12:18:32 EDT 2016


Looking at the 2.9.8.2 changelog, I don't see any changes to the u2 output format. There is one addition to Snort, though, that handles double VLAN tagging. I am not sure how this would be translated into u2.

You probably know this, but in hexdump the "*" means the line is the same as the one above. If you run hexdump with -v, does the "*" still show?

YM

Sent from Mobile

_____________________________
From: Avery Rozar <avery.rozar at ...17372...>
Sent: Saturday, June 25, 2016 6:32 PM
Subject: [Snort-users] u2 format differences from 2.9.8.0 to 2.9.8.2
To: <snort-users at lists.sourceforge.net>


I've run into some issues with Barnyard2 adding data into my database, even with appid disabled. Using hexdump to look at the snort.log file, it seems a bit different in 2.9.8.2 vs 2.9.8.0. I'm curious if there was a change that is causing Barnyard2 to not fully read the u2 file like it used to.

I noticed an asterisk (*) between events now. Maybe it's just how hexdump is reading the two different u2 files, I'm not sure...

I wrote a python script to parse u2 files back around Snort 2.9.7.6 and it is now missing all of the "events (Serial Unified2 Header # 104)" when parsing anything from 2.9.8.2. I can only assume that's also what Barnyard2 is missing. I'm only getting the "Serial Unified2 Header # 2" packets now.

Example:

Snort 2.9.8.0 hexdump (it's a continuous hexdump)

00000000  00 00 00 68 00 00 00 3c  00 00 00 00 00 00 00 01  |...h...<........|
00000010  56 df 51 72 00 08 8d 7e  00 00 3f ad 00 00 00 01  |V.Qr...~..?.....|
00000020  00 00 00 0e 00 00 00 09  00 00 00 01 42 3d aa 62  |............B=.b|
00000030  c0 a8 ac 20 00 50 11 91  06 20 00 01 00 00 00 00  |... .P... ......|
00000040  00 00 00 00 00 00 00 02  00 00 05 b6 00 00 00 00  |................|
00000050  00 00 00 01 56 df 51 72  56 df 51 72 00 08 8d 7e  |....V.QrV.Qr...~|
00000060  00 00 00 01 00 00 05 9a  f8 b1 56 3e d7 05 70 e4  |..........V>..p.|
00000070  22 85 6c f7 08 00 45 00  05 8c ac ac 40 00 39 06  |".l...E.....@.9.|
00000080  36 57 42 3d aa 62 c0 a8  ac 20 00 50 11 91 d4 0c  |6WB=.b... .P....|
00000090  1f 99 c7 f8 1c 4a 50 10  74 70 40 94 00 00 48 54  |.....JP.tp@...HT|
000000a0  54 50 2f 31 2e 31 20 32  30 30 20 4f 4b 0d 0a 53  |TP/1.1 200 OK..S|
000000b0  65 72 76 65 72 3a 20 6e  67 69 6e 78 2f 31 2e 36  |erver: nginx/1.6|
000000c0  2e 32 0d 0a 43 6f 6e 74  65 6e 74 2d 54 79 70 65  |.2..Content-Type|
000000d0  3a 20 61 70 70 6c 69 63  61 74 69 6f 6e 2f 78 2d  |: application/x-|
000000e0  6a 61 76 61 73 63 72 69  70 74 0d 0a 45 78 70 69  |javascript..Expi|
000000f0  72 65 73 3a 20 57 65 64  2c 20 30 39 20 4d 61 72  |res: Wed, 09 Mar|
00000100  20 32 30 31 36 20 32 33  3a 35 34 3a 34 39 20 47  | 2016 23:54:49 G|
00000110  4d 54 0d 0a 43 61 63 68  65 2d 43 6f 6e 74 72 6f  |MT..Cache-Contro|
00000120  6c 3a 20 6d 61 78 2d 61  67 65 3d 38 36 34 30 30  |l: max-age=86400|
00000130  0d 0a 43 6f 6e 74 65 6e  74 2d 45 6e 63 6f 64 69  |..Content-Encodi|
00000140  6e 67 3a 20 67 7a 69 70  0d 0a 43 6f 6e 74 65 6e  |ng: gzip..Conten|
00000150  74 2d 4c 65 6e 67 74 68  3a 20 33 34 31 30 33 0d  |t-Length: 34103.|
00000160  0a 44 61 74 65 3a 20 57  65 64 2c 20 30 39 20 4d  |.Date: Wed, 09 M|
00000170  61 72 20 32 30 31 36 20  30 30 3a 32 37 3a 33 34  |ar 2016 00:27:34|
00000180  20 47 4d 54 0d 0a 43 6f  6e 6e 65 63 74 69 6f 6e  | GMT..Connection|
00000190  3a 20 6b 65 65 70 2d 61  6c 69 76 65 0d 0a 56 61  |: keep-alive..Va|
000001a0  72 79 3a 20 41 63 63 65  70 74 2d 45 6e 63 6f 64  |ry: Accept-Encod|
000001b0  69 6e 67 0d 0a 0d 0a 1f  8b 08 00 00 00 00 00 00  |ing.............|


Snort 2.9.8.2 (It has the "*" in the file)

00000000  00 00 00 6f 00 00 00 7c  00 00 00 00 00 00 00 01  |...o...|........|
00000010  57 6e 99 a4 00 0d 69 33  00 0f 42 42 00 00 00 01  |Wn....i3..BB....|
00000020  00 00 00 01 00 00 00 1c  00 00 00 01 ac 1f fe 98  |................|
00000030  ac 1f fb 0a ee 0a 00 50  06 20 00 01 00 00 00 00  |.......P. ......|
00000040  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000080  00 00 00 00 00 00 00 02  00 00 02 f5 00 00 00 00  |................|
00000090  00 00 00 01 57 6e 99 a4  57 6e 99 a4 00 0d 69 33  |....Wn..Wn....i3|
000000a0  00 00 00 01 00 00 02 d9  00 50 56 bc 8f 72 d0 d0  |.........PV..r..|
000000b0  fd 27 4e 47 08 00 45 00  02 cb 72 15 40 00 3f 06  |.'NG..E...r.@.?.|
000000c0  75 35 ac 1f fe 98 ac 1f  fb 0a ee 0a 00 50 18 1c  |u5...........P..|
000000d0  c0 ec 3e 91 d2 23 80 18  10 15 28 3c 00 00 01 01  |..>..#....(<....|
000000e0  08 0a 39 f5 dd 29 71 48  16 ad 47 45 54 20 2f 77  |..9..)qH..GET /w|
000000f0  70 2d 61 64 6d 69 6e 2f  20 48 54 54 50 2f 31 2e  |p-admin/ HTTP/1.|
00000100  31 0d 0a 48 6f 73 74 3a  20 77 77 77 2e 69 6e 73  |1..Host: www.ins|
00000110  65 63 75 72 65 2d 69 74  2e 63 6f 6d 0d 0a 43 6f  |ecure-it.com..Co|
00000120  6e 6e 65 63 74 69 6f 6e  3a 20 6b 65 65 70 2d 61  |nnection: keep-a|
00000130  6c 69 76 65 0d 0a 55 70  67 72 61 64 65 2d 49 6e  |live..Upgrade-In|
00000140  73 65 63 75 72 65 2d 52  65 71 75 65 73 74 73 3a  |secure-Requests:|
00000150  20 31 0d 0a 55 73 65 72  2d 41 67 65 6e 74 3a 20  | 1..User-Agent: |
00000160  4d 6f 7a 69 6c 6c 61 2f  35 2e 30 20 28 4d 61 63  |Mozilla/5.0 (Mac|
00000170  69 6e 74 6f 73 68 3b 20  49 6e 74 65 6c 20 4d 61  |intosh; Intel Ma|
00000180  63 20 4f 53 20 58 20 31  30 5f 31 31 5f 35 29 20  |c OS X 10_11_5) |
00000190  41 70 70 6c 65 57 65 62  4b 69 74 2f 35 33 37 2e  |AppleWebKit/537.|
000001a0  33 36 20 28 4b 48 54 4d  4c 2c 20 6c 69 6b 65 20  |36 (KHTML, like |
000001b0  47 65 63 6b 6f 29 20 43  68 72 6f 6d 65 2f 35 31  |Gecko) Chrome/51|
000001c0  2e 30 2e 32 37 30 34 2e  31 30 33 20 53 61 66 61  |.0.2704.103 Safa|
000001d0  72 69 2f 35 33 37 2e 33  36 0d 0a 41 63 63 65 70  |ri/537.36..Accep|
000001e0  74 3a 20 74 65 78 74 2f  68 74 6d 6c 2c 61 70 70  |t: text/html,app|
000001f0  6c 69 63 61 74 69 6f 6e  2f 78 68 74 6d 6c 2b 78  |lication/xhtml+x|
00000200  6d 6c 2c 61 70 70 6c 69  63 61 74 69 6f 6e 2f 78  |ml,application/x|
00000210  6d 6c 3b 71 3d 30 2e 39  2c 69 6d 61 67 65 2f 77  |ml;q=0.9,image/w|
00000220  65 62 70 2c 2a 2f 2a 3b  71 3d 30 2e 38 0d 0a 41  |ebp,*/*;q=0.8..A|
00000230  63 63 65 70 74 2d 45 6e  63 6f 64 69 6e 67 3a 20  |ccept-Encoding: |
00000240  67 7a 69 70 2c 20 64 65  66 6c 61 74 65 2c 20 73  |gzip, deflate, s|
00000250  64 63 68 0d 0a 41 63 63  65 70 74 2d 4c 61 6e 67  |dch..Accept-Lang|
00000260  75 61 67 65 3a 20 65 6e  2d 55 53 2c 65 6e 3b 71  |uage: en-US,en;q|
00000270  3d 30 2e 38 0d 0a 43 6f  6f 6b 69 65 3a 20 50 48  |=0.8..Cookie: PH|
00000280  50 53 45 53 53 49 44 3d  39 71 6e 67 62 76 74 6d  |PSESSID=9qngbvtm|
00000290  32 71 6f 33 61 30 64 66  63 64 72 72 70 63 32 76  |2qo3a0dfcdrrpc2v|
000002a0  72 34 3b 20 77 6f 72 64  70 72 65 73 73 5f 74 65  |r4; wordpress_te|
000002b0  73 74 5f 63 6f 6f 6b 69  65 3d 57 50 2b 43 6f 6f  |st_cookie=WP+Coo|
000002c0  6b 69 65 2b 63 68 65 63  6b 3b 20 4e 43 53 5f 49  |kie+check; NCS_I|
000002d0  4e 45 4e 54 49 4d 3d 31  34 36 36 38 36 32 39 31  |NENTIM=146686291|
000002e0  31 3b 20 4a 43 53 5f 49  4e 45 4e 54 49 4d 3d 31  |1; JCS_INENTIM=1|
000002f0  34 36 36 38 36 32 37 30  34 37 30 36 3b 20 33 38  |466862704706; 38|
00000300  39 61 65 32 31 30 30 34  30 61 62 37 35 30 63 31  |9ae210040ab750c1|
00000310  35 62 33 65 62 32 33 61  62 36 65 34 37 38 3d 39  |5b3eb23ab6e478=9|
00000320  30 30 37 61 65 61 35 36  66 61 61 34 34 61 66 32  |007aea56faa44af2|
00000330  62 38 61 61 33 37 33 64  66 65 33 31 62 37 66 3b  |b8aa373dfe31b7f;|
00000340  20 53 4a 45 43 54 31 35  3d 43 4b 4f 4e 31 35 3b  | SJECT15=CKON15;|
00000350  20 5f 67 61 3d 47 41 31  2e 32 2e 36 31 34 34 31  | _ga=GA1.2.61441|
00000360  34 36 32 32 2e 31 34 36  30 30 37 33 33 33 34 3b  |4622.1460073334;|
00000370  20 4a 43 53 5f 49 4e 45  4e 52 45 46 3d 0d 0a 0d  | JCS_INENREF=...|
00000380  0a 00 00 00 6f 00 00 00  7c 00 00 00 00 00 00 00  |....o...|.......|
00000390  02 57 6e 99 a4 00 0d 6f  42 00 0f 42 42 00 00 00  |.Wn....oB..BB...|
000003a0  01 00 00 00 01 00 00 00  1c 00 00 00 01 ac 1f fe  |................|
000003b0  98 ac 1f fb 0a ee 0b 00  50 06 20 00 01 00 00 00  |........P. .....|
000003c0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*

Thanks,

Avery
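The two dumps above can be read directly from their first eight bytes. Every unified2 record starts with a big-endian record type and record length: the 2.9.8.0 file begins 00 00 00 68 / 00 00 00 3c, i.e. type 104 with a 60-byte body, which is UNIFIED2_IDS_EVENT_VLAN in Snort's Unified2_common.h; the 2.9.8.2 file begins 00 00 00 6f / 00 00 00 7c, i.e. type 111 with a 124-byte body, which that header names UNIFIED2_IDS_EVENT_APPID. Type 111 is the 60-byte type 104 layout followed by a 64-byte NUL-padded app_name (60 + 64 = 124), and with AppID producing no name those 64 bytes are all zero, which is exactly the run of identical 16-byte lines that hexdump folds into "*" (hexdump -v prints them). A parser that only recognizes type 104 and type 2 will therefore skip every event in the 2.9.8.2 file and see only the packets, which is the symptom described. The following is an added example, not code from the post, from Snort or from Barnyard2: a small record walker that decodes both event types, reports a truncated record at its offset instead of misparsing it, and reproduces hexdump's folding so the "*" can be explained from the bytes. The sample records are transcribed from the two hexdumps in the post, cut just before the packet record that follows each event; whether a given Barnyard2 build handles type 111 is something to check in its unified2 reader, not something this example shows.

```python
import struct
from typing import Iterator, List, Tuple

# Record types from Snort's Unified2_common.h
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT_VLAN = 104
UNIFIED2_IDS_EVENT_APPID = 111
MAX_EVENT_APPNAME_LEN = 64

# The 60-byte event body shared by types 104 and 111; every field is big-endian.
_EVENT_FMT = ">11I2H4BI2H"
_EVENT_FIELDS = (
    "sensor_id", "event_id", "event_second", "event_microsecond",
    "signature_id", "generator_id", "signature_revision",
    "classification_id", "priority_id", "ip_source", "ip_destination",
    "sport_itype", "dport_icode", "protocol", "impact_flag", "impact",
    "blocked", "mpls_label", "vlan_id", "pad2",
)
assert struct.calcsize(_EVENT_FMT) == 60


def _ipv4(word: int) -> str:
    return ".".join(str((word >> s) & 0xFF) for s in (24, 16, 8, 0))


def parse_event(body: bytes) -> dict:
    """Decode a type 104 body (60 bytes) or a type 111 body (60 bytes plus a
    64-byte NUL-padded app_name). Any other length is rejected, not guessed."""
    if len(body) not in (60, 60 + MAX_EVENT_APPNAME_LEN):
        raise ValueError(f"unexpected event body length {len(body)}")
    ev = dict(zip(_EVENT_FIELDS, struct.unpack(_EVENT_FMT, body[:60])))
    ev["ip_source"] = _ipv4(ev["ip_source"])
    ev["ip_destination"] = _ipv4(ev["ip_destination"])
    if len(body) > 60:
        raw = body[60:60 + MAX_EVENT_APPNAME_LEN]
        ev["app_name"] = raw.split(b"\x00", 1)[0].decode("ascii", "replace")
    return ev


def iter_records(data: bytes) -> Iterator[Tuple[int, int, bytes]]:
    """Walk a unified2 stream: an 8-byte header (type, length), then `length`
    bytes of body. A record whose declared length runs past the end of the
    data raises with its offset, so a half-written file is not misparsed."""
    off = 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack(">II", data[off:off + 8])
        if off + 8 + rlen > len(data):
            raise ValueError(f"record type {rtype} at offset {off:#x} is truncated")
        yield rtype, rlen, data[off + 8:off + 8 + rlen]
        off += 8 + rlen


def summarize(data: bytes) -> List[dict]:
    """One dict per record; event records get their decoded fields merged in."""
    out = []
    for rtype, rlen, body in iter_records(data):
        rec = {"type": rtype, "length": rlen}
        if rtype in (UNIFIED2_IDS_EVENT_VLAN, UNIFIED2_IDS_EVENT_APPID):
            rec.update(parse_event(body))
        out.append(rec)
    return out


def hexdump_folds(data: bytes, width: int = 16) -> List[int]:
    """Offsets of the full lines that hexdump -C (without -v) replaces with a
    single '*' because they repeat the preceding line byte for byte."""
    folded, prev = [], None
    for off in range(0, len(data), width):
        line = data[off:off + width]
        if len(line) == width and line == prev:
            folded.append(off)
        prev = line
    return folded


# Event records transcribed from the two hexdumps in the post, cut just before
# the packet record that follows each one.
SAMPLE_2980 = bytes.fromhex(
    "00 00 00 68 00 00 00 3c 00 00 00 00 00 00 00 01"
    "56 df 51 72 00 08 8d 7e 00 00 3f ad 00 00 00 01"
    "00 00 00 0e 00 00 00 09 00 00 00 01 42 3d aa 62"
    "c0 a8 ac 20 00 50 11 91 06 20 00 01 00 00 00 00"
    "00 00 00 00"
)
SAMPLE_2982 = bytes.fromhex(
    "00 00 00 6f 00 00 00 7c 00 00 00 00 00 00 00 01"
    "57 6e 99 a4 00 0d 69 33 00 0f 42 42 00 00 00 01"
    "00 00 00 01 00 00 00 1c 00 00 00 01 ac 1f fe 98"
    "ac 1f fb 0a ee 0a 00 50 06 20 00 01 00 00 00 00"
) + bytes(4 + MAX_EVENT_APPNAME_LEN)  # vlan_id, pad2, then the empty app_name

if __name__ == "__main__":
    for label, sample in (("2.9.8.0", SAMPLE_2980), ("2.9.8.2", SAMPLE_2982)):
        print(label, summarize(sample))
        print("  lines hexdump would fold:", [hex(o) for o in hexdump_folds(sample)])
```

Run against the 2.9.8.2 sample it reports one record of type 111, length 124, with an empty app_name, and lists 0x50, 0x60 and 0x70 as the lines hexdump folds, matching the single "*" after the 0x40 line in the post; the 2.9.8.0 sample gives type 104, length 60, and nothing folded. To apply the same walk to a real snort.log, read the whole file and pass the bytes to summarize(); a ValueError from iter_records means the last record was still being written when the file was copied.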

