[Snort-users] u2 format differences from 2.9.8.0 to 2.9.8.2

Avery Rozar avery.rozar at ...17372...
Sat Jun 25 12:22:48 EDT 2016


I did not know that, and no it does not... Thanks for the reply, I guess
it's back to the drawing board...

On Sat, Jun 25, 2016 at 12:18 PM, Y M <snort at ...15979...> wrote:

> Looking at the 2.9.8.2 changelog, I don't see any changes to u2 output
> format. There is one addition to Snort though that handles double VLAN
> tagging. I am not sure how this would be translated in u2.
>
> You probably know this but in hexdump, the "*" means the same line as
> above. If you run hexdump with -v, does the "*" still show?
>
> YM
>
> Sent from Mobile
>
> _____________________________
> From: Avery Rozar <avery.rozar at ...17372...>
> Sent: Saturday, June 25, 2016 6:32 PM
> Subject: [Snort-users] u2 format differences from 2.9.8.0 to 2.9.8.2
> To: <snort-users at lists.sourceforge.net>
>
>
>
> I've run into some issues with Barnyard2 adding data into my database,
> even with appid disabled. Using hexdump to look at the snort.log file, it
> seems a bit different in 2.9.8.2 vs 2.9.8.0. I'm curious if there was a
> change that is causing Barnyard2 to not fully read the u2 file like it used
> to.
>
> I noticed an asterisk (*) between events now. Maybe it's just how hexdump
> is reading the two different u2 files, I'm not sure...
>
> I wrote a python script to parse u2 files back around Snort 2.9.7.6 and it
> is now missing all of the "events (Serial Unified2 Header # 104)" when
> parsing anything from 2.9.8.2. I can only assume that's also what Barnyard2
> is missing. I'm only getting the "Serial Unified2 Header # 2" packets now.
>
> Example:
>
> *Snort 2.9.8.0 hexdump (it's a continuous hexdump)*
>
> 00000000  00 00 00 68 00 00 00 3c  00 00 00 00 00 00 00 01  |...h...<........|
> 00000010  56 df 51 72 00 08 8d 7e  00 00 3f ad 00 00 00 01  |V.Qr...~..?.....|
> 00000020  00 00 00 0e 00 00 00 09  00 00 00 01 42 3d aa 62  |............B=.b|
> 00000030  c0 a8 ac 20 00 50 11 91  06 20 00 01 00 00 00 00  |... .P... ......|
> 00000040  00 00 00 00 00 00 00 02  00 00 05 b6 00 00 00 00  |................|
> 00000050  00 00 00 01 56 df 51 72  56 df 51 72 00 08 8d 7e  |....V.QrV.Qr...~|
> 00000060  00 00 00 01 00 00 05 9a  f8 b1 56 3e d7 05 70 e4  |..........V>..p.|
> 00000070  22 85 6c f7 08 00 45 00  05 8c ac ac 40 00 39 06  |".l...E.....@.9.|
> 00000080  36 57 42 3d aa 62 c0 a8  ac 20 00 50 11 91 d4 0c  |6WB=.b... .P....|
> 00000090  1f 99 c7 f8 1c 4a 50 10  74 70 40 94 00 00 48 54  |.....JP.tp@...HT|
> 000000a0  54 50 2f 31 2e 31 20 32  30 30 20 4f 4b 0d 0a 53  |TP/1.1 200 OK..S|
> 000000b0  65 72 76 65 72 3a 20 6e  67 69 6e 78 2f 31 2e 36  |erver: nginx/1.6|
> 000000c0  2e 32 0d 0a 43 6f 6e 74  65 6e 74 2d 54 79 70 65  |.2..Content-Type|
> 000000d0  3a 20 61 70 70 6c 69 63  61 74 69 6f 6e 2f 78 2d  |: application/x-|
> 000000e0  6a 61 76 61 73 63 72 69  70 74 0d 0a 45 78 70 69  |javascript..Expi|
> 000000f0  72 65 73 3a 20 57 65 64  2c 20 30 39 20 4d 61 72  |res: Wed, 09 Mar|
> 00000100  20 32 30 31 36 20 32 33  3a 35 34 3a 34 39 20 47  | 2016 23:54:49 G|
> 00000110  4d 54 0d 0a 43 61 63 68  65 2d 43 6f 6e 74 72 6f  |MT..Cache-Contro|
> 00000120  6c 3a 20 6d 61 78 2d 61  67 65 3d 38 36 34 30 30  |l: max-age=86400|
> 00000130  0d 0a 43 6f 6e 74 65 6e  74 2d 45 6e 63 6f 64 69  |..Content-Encodi|
> 00000140  6e 67 3a 20 67 7a 69 70  0d 0a 43 6f 6e 74 65 6e  |ng: gzip..Conten|
> 00000150  74 2d 4c 65 6e 67 74 68  3a 20 33 34 31 30 33 0d  |t-Length: 34103.|
> 00000160  0a 44 61 74 65 3a 20 57  65 64 2c 20 30 39 20 4d  |.Date: Wed, 09 M|
> 00000170  61 72 20 32 30 31 36 20  30 30 3a 32 37 3a 33 34  |ar 2016 00:27:34|
> 00000180  20 47 4d 54 0d 0a 43 6f  6e 6e 65 63 74 69 6f 6e  | GMT..Connection|
> 00000190  3a 20 6b 65 65 70 2d 61  6c 69 76 65 0d 0a 56 61  |: keep-alive..Va|
> 000001a0  72 79 3a 20 41 63 63 65  70 74 2d 45 6e 63 6f 64  |ry: Accept-Encod|
> 000001b0  69 6e 67 0d 0a 0d 0a 1f  8b 08 00 00 00 00 00 00  |ing.............|
>
>
> *Snort 2.9.8.2 (It has the "*" in the file)*
>
> 00000000  00 00 00 6f 00 00 00 7c  00 00 00 00 00 00 00 01  |...o...|........|
> 00000010  57 6e 99 a4 00 0d 69 33  00 0f 42 42 00 00 00 01  |Wn....i3..BB....|
> 00000020  00 00 00 01 00 00 00 1c  00 00 00 01 ac 1f fe 98  |................|
> 00000030  ac 1f fb 0a ee 0a 00 50  06 20 00 01 00 00 00 00  |.......P. ......|
> 00000040  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
> *
> 00000080  00 00 00 00 00 00 00 02  00 00 02 f5 00 00 00 00  |................|
> 00000090  00 00 00 01 57 6e 99 a4  57 6e 99 a4 00 0d 69 33  |....Wn..Wn....i3|
> 000000a0  00 00 00 01 00 00 02 d9  00 50 56 bc 8f 72 d0 d0  |.........PV..r..|
> 000000b0  fd 27 4e 47 08 00 45 00  02 cb 72 15 40 00 3f 06  |.'NG..E...r.@.?.|
> 000000c0  75 35 ac 1f fe 98 ac 1f  fb 0a ee 0a 00 50 18 1c  |u5...........P..|
> 000000d0  c0 ec 3e 91 d2 23 80 18  10 15 28 3c 00 00 01 01  |..>..#....(<....|
> 000000e0  08 0a 39 f5 dd 29 71 48  16 ad 47 45 54 20 2f 77  |..9..)qH..GET /w|
> 000000f0  70 2d 61 64 6d 69 6e 2f  20 48 54 54 50 2f 31 2e  |p-admin/ HTTP/1.|
> 00000100  31 0d 0a 48 6f 73 74 3a  20 77 77 77 2e 69 6e 73  |1..Host: www.ins|
> 00000110  65 63 75 72 65 2d 69 74  2e 63 6f 6d 0d 0a 43 6f  |ecure-it.com..Co|
> 00000120  6e 6e 65 63 74 69 6f 6e  3a 20 6b 65 65 70 2d 61  |nnection: keep-a|
> 00000130  6c 69 76 65 0d 0a 55 70  67 72 61 64 65 2d 49 6e  |live..Upgrade-In|
> 00000140  73 65 63 75 72 65 2d 52  65 71 75 65 73 74 73 3a  |secure-Requests:|
> 00000150  20 31 0d 0a 55 73 65 72  2d 41 67 65 6e 74 3a 20  | 1..User-Agent: |
> 00000160  4d 6f 7a 69 6c 6c 61 2f  35 2e 30 20 28 4d 61 63  |Mozilla/5.0 (Mac|
> 00000170  69 6e 74 6f 73 68 3b 20  49 6e 74 65 6c 20 4d 61  |intosh; Intel Ma|
> 00000180  63 20 4f 53 20 58 20 31  30 5f 31 31 5f 35 29 20  |c OS X 10_11_5) |
> 00000190  41 70 70 6c 65 57 65 62  4b 69 74 2f 35 33 37 2e  |AppleWebKit/537.|
> 000001a0  33 36 20 28 4b 48 54 4d  4c 2c 20 6c 69 6b 65 20  |36 (KHTML, like |
> 000001b0  47 65 63 6b 6f 29 20 43  68 72 6f 6d 65 2f 35 31  |Gecko) Chrome/51|
> 000001c0  2e 30 2e 32 37 30 34 2e  31 30 33 20 53 61 66 61  |.0.2704.103 Safa|
> 000001d0  72 69 2f 35 33 37 2e 33  36 0d 0a 41 63 63 65 70  |ri/537.36..Accep|
> 000001e0  74 3a 20 74 65 78 74 2f  68 74 6d 6c 2c 61 70 70  |t: text/html,app|
> 000001f0  6c 69 63 61 74 69 6f 6e  2f 78 68 74 6d 6c 2b 78  |lication/xhtml+x|
> 00000200  6d 6c 2c 61 70 70 6c 69  63 61 74 69 6f 6e 2f 78  |ml,application/x|
> 00000210  6d 6c 3b 71 3d 30 2e 39  2c 69 6d 61 67 65 2f 77  |ml;q=0.9,image/w|
> 00000220  65 62 70 2c 2a 2f 2a 3b  71 3d 30 2e 38 0d 0a 41  |ebp,*/*;q=0.8..A|
> 00000230  63 63 65 70 74 2d 45 6e  63 6f 64 69 6e 67 3a 20  |ccept-Encoding: |
> 00000240  67 7a 69 70 2c 20 64 65  66 6c 61 74 65 2c 20 73  |gzip, deflate, s|
> 00000250  64 63 68 0d 0a 41 63 63  65 70 74 2d 4c 61 6e 67  |dch..Accept-Lang|
> 00000260  75 61 67 65 3a 20 65 6e  2d 55 53 2c 65 6e 3b 71  |uage: en-US,en;q|
> 00000270  3d 30 2e 38 0d 0a 43 6f  6f 6b 69 65 3a 20 50 48  |=0.8..Cookie: PH|
> 00000280  50 53 45 53 53 49 44 3d  39 71 6e 67 62 76 74 6d  |PSESSID=9qngbvtm|
> 00000290  32 71 6f 33 61 30 64 66  63 64 72 72 70 63 32 76  |2qo3a0dfcdrrpc2v|
> 000002a0  72 34 3b 20 77 6f 72 64  70 72 65 73 73 5f 74 65  |r4; wordpress_te|
> 000002b0  73 74 5f 63 6f 6f 6b 69  65 3d 57 50 2b 43 6f 6f  |st_cookie=WP+Coo|
> 000002c0  6b 69 65 2b 63 68 65 63  6b 3b 20 4e 43 53 5f 49  |kie+check; NCS_I|
> 000002d0  4e 45 4e 54 49 4d 3d 31  34 36 36 38 36 32 39 31  |NENTIM=146686291|
> 000002e0  31 3b 20 4a 43 53 5f 49  4e 45 4e 54 49 4d 3d 31  |1; JCS_INENTIM=1|
> 000002f0  34 36 36 38 36 32 37 30  34 37 30 36 3b 20 33 38  |466862704706; 38|
> 00000300  39 61 65 32 31 30 30 34  30 61 62 37 35 30 63 31  |9ae210040ab750c1|
> 00000310  35 62 33 65 62 32 33 61  62 36 65 34 37 38 3d 39  |5b3eb23ab6e478=9|
> 00000320  30 30 37 61 65 61 35 36  66 61 61 34 34 61 66 32  |007aea56faa44af2|
> 00000330  62 38 61 61 33 37 33 64  66 65 33 31 62 37 66 3b  |b8aa373dfe31b7f;|
> 00000340  20 53 4a 45 43 54 31 35  3d 43 4b 4f 4e 31 35 3b  | SJECT15=CKON15;|
> 00000350  20 5f 67 61 3d 47 41 31  2e 32 2e 36 31 34 34 31  | _ga=GA1.2.61441|
> 00000360  34 36 32 32 2e 31 34 36  30 30 37 33 33 33 34 3b  |4622.1460073334;|
> 00000370  20 4a 43 53 5f 49 4e 45  4e 52 45 46 3d 0d 0a 0d  | JCS_INENREF=...|
> 00000380  0a 00 00 00 6f 00 00 00  7c 00 00 00 00 00 00 00  |....o...|.......|
> 00000390  02 57 6e 99 a4 00 0d 6f  42 00 0f 42 42 00 00 00  |.Wn....oB..BB...|
> 000003a0  01 00 00 00 01 00 00 00  1c 00 00 00 01 ac 1f fe  |................|
> 000003b0  98 ac 1f fb 0a ee 0b 00  50 06 20 00 01 00 00 00  |........P. .....|
> 000003c0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
> *
>
> Thanks,
>
> Avery
>
>
>
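Added example, not code from the thread, from Snort or from Barnyard2: a small unified2 record walker that reads the first eight bytes of each record as the Serial Unified2 Header (type, length) and dispatches on the type. The two dumps quoted above already carry the difference it is meant to surface. In the 2.9.8.0 file the first header reads 00 00 00 68 / 00 00 00 3c, that is type 104 with a 60-byte body. In the 2.9.8.2 file it reads 00 00 00 6f / 00 00 00 7c, that is type 111 with a 124-byte body; in Snort's Unified2_common.h, 111 is UNIFIED2_IDS_EVENT_APPID, the type-104 event followed by a 64-byte app_name. In the dump those 64 bytes (offsets 0x44 to 0x83) are all zero, which is exactly the run of identical lines that hexdump -C squeezes into the "*" (hexdump -v prints them all). A parser that only matches type 104 therefore skips every event record in a 2.9.8.2 file and is left with the type 2 packet records. Record layouts below follow Unified2_common.h; the two event records are transcribed from the dumps above, and the packet record is constructed (the real 1434-byte frame is cut to its 14-byte Ethernet header, with both lengths adjusted to match), as the comments state.

```python
"""Minimal unified2 (u2) record walker.  Added example: not Snort, Barnyard2
or the thread author's code.  Layouts follow Snort's Unified2_common.h."""
import struct
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Any, Dict, Iterator

HEADER_FMT = ">II"              # Serial Unified2 Header: record type, body length

# Record types (Unified2_common.h)
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7          # legacy IPv4 event, 52-byte body
UNIFIED2_IDS_EVENT_VLAN = 104   # + mpls_label, vlan_id, pad (policy id): 60 bytes
UNIFIED2_IDS_EVENT_APPID = 111  # type-104 body + 64-byte app_name: 124 bytes
EVENT_TYPES = {UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_VLAN, UNIFIED2_IDS_EVENT_APPID}

EVENT_FMT = ">11I2H4B"          # the 52-byte legacy event
EVENT_FIELDS = (
    "sensor_id", "event_id", "event_second", "event_microsecond", "signature_id",
    "generator_id", "signature_revision", "classification_id", "priority_id",
    "ip_source", "ip_destination", "sport_itype", "dport_icode", "protocol",
    "impact_flag", "impact", "blocked",
)
VLAN_FMT = ">I2H"               # mpls_label, vlan_id, pad2 (policy id)
APP_NAME_LEN = 64
PACKET_FMT = ">7I"              # 28 bytes, then packet_length bytes of frame
PACKET_FIELDS = ("sensor_id", "event_id", "event_second", "packet_second",
                 "packet_microsecond", "linktype", "packet_length")


@dataclass
class Record:
    rtype: int
    length: int
    fields: Dict[str, Any] = field(default_factory=dict)


def decode_body(rtype: int, body: bytes) -> Dict[str, Any]:
    """Decode one record body; unknown types are kept raw, not dropped."""
    if rtype in EVENT_TYPES:
        out = dict(zip(EVENT_FIELDS, struct.unpack_from(EVENT_FMT, body, 0)))
        out["ip_source"] = str(IPv4Address(out["ip_source"]))
        out["ip_destination"] = str(IPv4Address(out["ip_destination"]))
        off = struct.calcsize(EVENT_FMT)
        if rtype != UNIFIED2_IDS_EVENT:
            mpls, vlan, policy = struct.unpack_from(VLAN_FMT, body, off)
            out.update(mpls_label=mpls, vlan_id=vlan, policy_id=policy)
            off += struct.calcsize(VLAN_FMT)
        if rtype == UNIFIED2_IDS_EVENT_APPID:
            raw = body[off:off + APP_NAME_LEN]      # NUL-padded C string
            out["app_name"] = raw.split(b"\0", 1)[0].decode("ascii", "replace")
        return out
    if rtype == UNIFIED2_PACKET:
        out = dict(zip(PACKET_FIELDS, struct.unpack_from(PACKET_FMT, body, 0)))
        out["packet_data"] = body[struct.calcsize(PACKET_FMT):]
        if len(out["packet_data"]) != out["packet_length"]:
            raise ValueError("packet_length disagrees with record length")
        return out
    return {"raw": body}


def iter_records(data: bytes) -> Iterator[Record]:
    """Walk consecutive (header, body) records; fail loudly on truncation."""
    hdr, off = struct.calcsize(HEADER_FMT), 0
    while off < len(data):
        if len(data) - off < hdr:
            raise ValueError(f"truncated record header at offset {off:#x}")
        rtype, length = struct.unpack_from(HEADER_FMT, data, off)
        body = data[off + hdr:off + hdr + length]
        if len(body) != length:
            raise ValueError(f"record at {off:#x} claims {length} bytes, {len(body)} present")
        yield Record(rtype, length, decode_body(rtype, body))
        off += hdr + length


# Event record transcribed from the 2.9.8.0 dump in the thread (offsets 0x00-0x43):
# type 0x68 = 104, length 0x3c = 60.
U2_2980_EVENT = bytes.fromhex(
    "00000068 0000003c 00000000 00000001 56df5172 00088d7e 00003fad 00000001"
    "0000000e 00000009 00000001 423daa62 c0a8ac20 00501191 06200001 00000000"
    "00000000"
)
# Event record transcribed from the 2.9.8.2 dump (offsets 0x00-0x83): type
# 0x6f = 111, length 0x7c = 124.  Offsets 0x40-0x83 (vlan_id, pad and the
# 64-byte app_name) are all zero: the lines hexdump squeezes into "*".
U2_2982_EVENT = bytes.fromhex(
    "0000006f 0000007c 00000000 00000001 576e99a4 000d6933 000f4242 00000001"
    "00000001 0000001c 00000001 ac1ffe98 ac1ffb0a ee0a0050 06200001 00000000"
) + bytes(68)
# Constructed, not from the thread: the type-2 header from the 2.9.8.0 dump with
# the frame cut to its 14-byte Ethernet header (length 28 + 14 = 0x2a, packet_length 14).
U2_PACKET_TRUNCATED = bytes.fromhex(
    "00000002 0000002a 00000000 00000001 56df5172 56df5172 00088d7e 00000001"
    "0000000e f8b1563e d70570e4 22856cf7 0800"
)

if __name__ == "__main__":
    for label, blob in (("2.9.8.0", U2_2980_EVENT + U2_PACKET_TRUNCATED),
                        ("2.9.8.2", U2_2982_EVENT)):
        for rec in iter_records(blob):
            shown = {k: v for k, v in rec.fields.items() if k != "packet_data"}
            print(label, "type", rec.rtype, "len", rec.length, shown)
```

Run as a script it prints the decoded records from both versions; on a real snort.log, pass the file contents to iter_records() and keep the unknown-type branch, so a record type the parser has not seen before surfaces as a raw record instead of silently disappearing the way the type 111 events did here.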