[Snort-users] converting unified2 to pcap: 'ethertype Unknown'

Marcin Dulak marcin.dulak at ...11827...
Wed Jan 4 10:30:02 EST 2017


Hi,

This seems to be due to u2boat treating the unified2 as Ethernet
link-layer, while it seems to be of type IP raw:
https://www.mail-archive.com/tcpdump-workers@...17721.../msg01204.html

This is the DLT 12 or 14 in libpcap:
https://github.com/the-tcpdump-group/libpcap/blob/master/pcap/dlt.h#L92
It is possible to convert unified2 (attached) to pcap using
https://github.com/jasonish/py-idstools, going through the eve intermediate
format:

idstools-u2eve --snort-conf /home/snort/conf/snort.conf /home/snort/logs/merged.log > /home/snort/logs/merged.log.eve
idstools-eve2pcap /home/snort/logs/merged.log.eve -o /home/snort/logs/merged.log.eve2pcap --dlt RAW

It would be useful to implement the choice of DLT in u2boat.

Best regards,

Marcin




On Thu, Dec 15, 2016 at 3:51 PM, Marcin Dulak <marcin.dulak at ...11827...>
wrote:

> Hi,
>
> I'm looking at converting unified2 logs into pcap, but this seems to
> result in 'ethertype Unknown'.
> What am I missing?
>
> http://manual.snort.org/ says:
>
> Packet logging includes a capture of the entire packet and is specified
> with log_unified2. Likewise, alert logging will only log events and is
> specified with alert_unified2. To include both logging styles in a single,
> unified file, simply specify unified2.
>
> snort # rpm -q snort
> snort-2.9.8.3-1.el7.centos.x86_64
>
> snort # snort --version 2>&1 | grep Version
>   o"  )~   Version 2.9.8.3 GRE (Build 383)
>
> snort # grep "^ output " /home/snort/conf/snort.conf
>  output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
>  output log_tcpdump: tcpdump.log
>
> snort # grep "^config daq" /home/snort/conf/snort.conf
> config daq: nfq
> config daq_dir: /usr/lib64/daq
> config daq_mode: inline
>
> I run snort inline with nfq on the host to which I send http traffic:
>
> snort # /usr/sbin/snort -d -D -u root -g root -c /home/snort/conf/snort.conf -l /home/snort/logs
>
> I have just one rule
>
> alert tcp any any -> $HOME_NET any (msg:"alert tcp any any"; sid:10000002; rev:001;)
>
> and send http to the sensor from another machine 10.255.2.100:
>
> machine # curl 10.255.2.160
>
> and then convert the resulting unified2 log into pcap.
>
> There is no VLAN traffic and 10.255.2.160 is on a subinterface of enp0s9
> of the machine running snort.
>
> snort # ethtool -k enp0s9 | grep ': on'
> rx-vlan-filter: on [fixed]
>
> snort # u2spewfoo /home/snort/logs/merged.log
>
> (Event)
>     sensor id: 0    event id: 1    event second: 1481812613    event microsecond: 105823
>     sig id: 10000002    gen id: 1    revision: 1     classification: 0
>     priority: 0    ip source: 10.255.2.100    ip destination: 10.255.2.160
>     src port: 38600    dest port: 80    protocol: 6    impact_flag: 0    blocked: 0
>     mpls label: 0    vland id: 0    policy id: 0
>
> Packet
>     sensor id: 0    event id: 1    event second: 1481812613
>     packet second: 1481812613    packet microsecond: 105823
>     linktype: 228    packet_length: 60
> [    0] 45 00 00 3C D8 DC 40 00 40 06 46 DE 0A FF 02 64  E..<..@.@.F....d
> [   16] 0A FF 02 A0 96 C8 00 50 A4 41 88 47 00 00 00 00  .......P.A.G....
> [   32] A0 02 72 10 96 64 00 00 02 04 05 B4 04 02 08 0A  ..r..d..........
> [   48] 10 4D 50 9B 00 00 00 00 01 03 03 07              .MP.........
>
> snort # tcpdump -nnX -r /home/snort/logs/tcpdump.log.1481810549
> reading from file /home/snort/logs/tcpdump.log.1481810549, link-type RAW (Raw IP)
> 15:02:35.912256 IP 10.255.2.100.38594 > 10.255.2.160.80: Flags [S], seq 1388536122, win 29200, options [mss 1460,sackOK,TS val 271445254 ecr 0,nop,wscale 7], length 0
>                 0x0000:  4500 003c 8c3c 4000 4006 937e 0aff 0264  E..<.<@.@..~...d
>                 0x0010:  0aff 02a0 96c2 0050 52c3 613a 0000 0000  .......PR.a:....
>                 0x0020:  a002 7210 72aa 0000 0204 05b4 0402 080a  ..r.r...........
>                 0x0030:  102d ed06 0000 0000 0103 0307            .-..........
>
> snort # u2boat /home/snort/logs/merged.log /home/snort/logs/merged.log.pcap
>
> snort # tcpdump -nnX -r /home/snort/logs/merged.log.pcap
> reading from file /home/snort/logs/merged.log.pcap, link-type EN10MB (Ethernet)
> 15:02:35.912256 40:00:40:06:93:7e > 45:00:00:3c:8c:3c, ethertype Unknown (0x0aff), length 60:
>                 0x0000:  0264 0aff 02a0 96c2 0050 52c3 613a 0000  .d.......PR.a:..
>                 0x0010:  0000 a002 7210 72aa 0000 0204 05b4 0402  ....r.r.........
>                 0x0020:  080a 102d ed06 0000 0000 0103 0307       ...-..........
>
> Best regards,
>
> Marcin
>
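An added example (my own code, not from the post, u2boat or py-idstools) of the link-type mismatch the reply describes: the 60 raw-IPv4 bytes from the tcpdump dump in the quoted message, read under DLT_EN10MB, decode to exactly the bogus MACs and 'ethertype Unknown (0x0aff)' that tcpdump printed for the u2boat output, while a pcap writer that takes the DLT as a parameter (the option the reply asks for in u2boat) stores the same bytes under link type 228, the value the unified2 packet record declares. The packet bytes are taken from the post's hex dump and the timestamp is constructed.

```python
import struct
from ipaddress import IPv4Address

DLT_EN10MB, DLT_RAW, DLT_IPV4 = 1, 12, 228   # libpcap link-layer type codes

# Constructed sample: the 60-byte TCP SYN from the tcpdump hex dump in the post
# (10.255.2.100:38594 -> 10.255.2.160:80). Byte 0 is 0x45: IPv4, no Ethernet header.
RAW_IP_PACKET = bytes.fromhex(
    "4500003c8c3c40004006937e0aff0264"
    "0aff02a096c2005052c3613a00000000"
    "a002721072aa0000020405b40402080a"
    "102ded060000000001030307"
)

def misread_as_ethernet(pkt: bytes) -> dict:
    """Decode the first 14 bytes as an Ethernet header, as tcpdump does for DLT_EN10MB.
    The IP header bytes turn into two bogus MAC addresses and an 'unknown' ethertype."""
    dst, src, ethertype = struct.unpack("!6s6sH", pkt[:14])
    def mac(b): return ":".join(f"{x:02x}" for x in b)
    return {"dst_mac": mac(dst), "src_mac": mac(src), "ethertype": ethertype}

def parse_raw_ipv4(pkt: bytes) -> dict:
    """Decode the same bytes as what they are: an IPv4 header followed by TCP ports."""
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])   # ver/ihl, tos, len, id, frag, ttl, proto, csum, src, dst
    ihl = (f[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return {"version": f[0] >> 4, "total_len": f[2], "proto": f[6],
            "src": str(IPv4Address(f[8])), "dst": str(IPv4Address(f[9])),
            "sport": sport, "dport": dport}

def build_pcap(packets, dlt: int) -> bytes:
    """Serialize (ts_sec, ts_usec, payload) records as a classic little-endian pcap
    whose global header carries the caller's DLT (the knob the reply asks u2boat for)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, dlt)
    for ts_sec, ts_usec, pkt in packets:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(pkt), len(pkt)) + pkt
    return out

def pcap_linktype(data: bytes) -> int:
    """Return the DLT stored in a pcap global header (what tcpdump prints as link-type)."""
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    return struct.unpack("<I", data[20:24])[0]

if __name__ == "__main__":
    print("as Ethernet:", misread_as_ethernet(RAW_IP_PACKET))  # what the u2boat pcap shows
    print("as raw IPv4:", parse_raw_ipv4(RAW_IP_PACKET))        # what tcpdump.log shows
    with open("merged.log.rawip.pcap", "wb") as fh:             # constructed timestamp
        fh.write(build_pcap([(1481810555, 912256, RAW_IP_PACKET)], DLT_IPV4))
```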
-------------- next part --------------
A non-text attachment was scrubbed...
Name: merged.log
Type: text/x-log
Size: 164 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20170104/3767e79b/attachment.bin>

