[Snort-users] Snort Alert is Not Producing Any Timestamp

Jan Hugo Prins jhp at jhprins.org
Thu Jan 17 10:50:03 EST 2019


I have found the cause in my situation.
When you use pf_ring_zc with zbalance_ipc you have to use the -S flag to
make sure that the timing information is in the packets.

Jan Hugo Prins


On 1/17/19 12:33 PM, Jan Hugo Prins wrote:
> Hello,
>
> Did anyone find the cause of this issue? I might have the same issue.
>
> Startup command:
>
> snort --pid-path /var/run --create-pidfile -D -c /etc/snort/snort.conf
> -l /var/log/snort/instance-1 --daq-dir=/usr/local/lib/daq --daq
> pfring_zc --daq-mode passive -i zc:0 at 2 --daq-var clusterid=0 --daq-var
> bindcpu=2
>
> Version:
>
>    ,,_     -*> Snort! <*-
>   o"  )~   Version 2.9.12 GRE (Build 325)
>    ''''    By Martin Roesch & The Snort Team:
> http://www.snort.org/contact#team
>            Copyright (C) 2014-2018 Cisco and/or its affiliates. All
> rights reserved.
>            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>            Using libpcap version 1.8.1
>            Using PCRE version: 8.32 2012-11-30
>            Using ZLIB version: 1.2.7
>
> I use pf_ring zc behind a fiber tap.
>
> Bro is running on a second copy of the same packets, and is properly
> adding timestamps to all registered connections / packets.
>
>
> Jan Hugo Prins
>
>
>
> On 7/3/17 4:58 PM, Dimz via Snort-users wrote:
>> Hi,
>>
>> I created an autostart script:
>> /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -Q
>> -D -m 120
>>
>> This is the snort version:
>> dimz at ubuntu:/var/log/snort$ snort -V
>>
>>    ,,_     -*> Snort! <*-
>>   o"  )~   Version 2.9.9.0 GRE (Build 56)
>>    ''''    By Martin Roesch & The Snort Team:
>> http://www.snort.org/contact#team
>>            Copyright (C) 2014-2016 Cisco and/or its affiliates. All
>> rights reserved.
>>            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>>            Using libpcap version 1.7.4
>>            Using PCRE version: 8.40 2017-01-11
>>            Using ZLIB version: 1.2.8
>>
>> Thanks,
>>
>> -Dimz-
>>
>>
>>
>> On Monday, July 3, 2017, 9:52:52 PM GMT+7, Al Lewis (allewi)
>> <allewi at cisco.com> wrote:
>>
>>
>> Hello,
>>
>> What command are you using to start snort?
>>
>> What version of snort are you using?
>>
>> *Albert Lewis*
>>
>> ENGINEER.SOFTWARE ENGINEERING
>>
>> SOURCE*fire*, Inc. now part of *Cisco*
>>
>> Email: allewi at cisco.com <mailto:allewi at cisco.com>
>>
>> From: Snort-users <snort-users-bounces at lists.snort.org
>> <mailto:snort-users-bounces at lists.snort.org>> on behalf of Dimz via
>> Snort-users <snort-users at lists.snort.org
>> <mailto:snort-users at lists.snort.org>>
>> Reply-To: Dimz <dimas_forever at yahoo.com <mailto:dimas_forever at yahoo.com>>
>> Date: Monday, July 3, 2017 at 6:57 AM
>> To: "snort-users at lists.snort.org
>> <mailto:snort-users at lists.snort.org>" <snort-users at lists.snort.org
>> <mailto:snort-users at lists.snort.org>>
>> Subject: [Snort-users] Snort Alert is Not Producing Any Timestamp
>>
>> Hi Everybody,
>>
>> I installed Snort 2.9 on Ubuntu Server 16.04 on my VM. I installed
>> Snort inline using NFQ following this guide:
>> http://sublimerobots.com/2017/06/snort-ips-with-nfq-routing-on-ubuntu/
>>
>> The installation and the routing are successful: the Ubuntu machine can
>> forward packets and Snort can detect traffic. The only problem
>> is that the generated alerts have no timestamp.
>>
>> Attached is the snort --daq-list
>> dimz at ubuntu:/var/log/snort$ snort --daq-list
>> Available DAQ modules:
>> pcap(v3): readback live multi unpriv
>> nfq(v7): live inline multi
>> ipfw(v3): live inline multi unpriv
>> dump(v3): readback live inline multi unpriv
>> afpacket(v5): live inline multi unpriv 
>>
>> The snort.conf:
>> config daq: nfq
>> config daq_dir: /usr/local/lib/daq
>> config daq_mode: inline
>> config daq_var: queue=4 
>>
>> The iptables:
>> dimz at ubuntu:/var/log/snort$ sudo iptables -vL
>> Chain INPUT (policy ACCEPT 2149 packets, 164K bytes)
>> pkts bytes target     prot opt in     out     source              
>> destination
>>
>> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>> pkts bytes target     prot opt in     out     source              
>> destination
>>    16  1514 NFQUEUE    all  --  any    any     anywhere            
>> anywhere             NFQUEUE num 4 bypass
>>
>> Chain OUTPUT (policy ACCEPT 2046 packets, 173K bytes)
>> pkts bytes target     prot opt in     out     source              
>> destination 
>>
>> The NAT iptables (for port forwarding a web server behind Snort machine):
>> dimz at ubuntu:/var/log/snort$ sudo iptables -vL -t nat
>> Chain PREROUTING (policy ACCEPT 61 packets, 5536 bytes)
>> pkts bytes target     prot opt in     out     source              
>> destination
>>     0     0 DNAT       tcp  --  any    any     anywhere            
>> anywhere             tcp dpt:http-alt to:192.168.2.103:8080
>>
>> Chain INPUT (policy ACCEPT 10 packets, 1888 bytes)
>> pkts bytes target     prot opt in     out     source              
>> destination
>>
>> Chain OUTPUT (policy ACCEPT 484 packets, 30252 bytes)
>> pkts bytes target     prot opt in     out     source              
>> destination
>>
>> Chain POSTROUTING (policy ACCEPT 485 packets, 30336 bytes)
>> pkts bytes target     prot opt in     out     source              
>> destination
>>     2   202 MASQUERADE  all  --  any    ens33   anywhere            
>> anywhere 
>>
>> The server epoch time:
>> dimz at ubuntu:/var/log/snort$ date +'%s'
>> 1499079069
>>
>> Result from tcpdump (the timestamp is correct):
>> dimz at ubuntu:/var/log/snort$ sudo tcpdump -i ens33 dst host 192.168.2.103
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol
>> decode
>> listening on ens33, link-type EN10MB (Ethernet), capture size 262144
>> bytes
>> 17:51:58.297893 IP 192.168.174.129 > 192.168.2.103: ICMP echo
>> request, id 2379, seq 1, length 64
>> 17:51:59.300042 IP 192.168.174.129 > 192.168.2.103: ICMP echo
>> request, id 2379, seq 2, length 64
>> 17:52:00.304461 IP 192.168.174.129 > 192.168.2.103: ICMP echo
>> request, id 2379, seq 3, length 64
>> 17:52:01.305757 IP 192.168.174.129 > 192.168.2.103: ICMP echo
>> request, id 2379, seq 4, length 64 
>>
>> I send my Snort alerts to two outputs: alert.full and snort.u2. Here
>> is the output from alert.full (I created a simple ping detection rule):
>> dimz at ubuntu:/var/log/snort$ tail -f alert.full
>> *01/01-07:00:00.000000 *192.168.174.129 -> 192.168.2.103
>> ICMP TTL:63 TOS:0x0 ID:17418 IpLen:20 DgmLen:84 DF
>> Type:8  Code:0  ID:2379   Seq:3  ECHO
>>
>> [**] [1:10000001:1] ICMP Test Detected [**]
>> [Classification: Generic ICMP event] [Priority: 3]
>> *01/01-07:00:00.000000* 192.168.174.129 -> 192.168.2.103
>> ICMP TTL:63 TOS:0x0 ID:17470 IpLen:20 DgmLen:84 DF
>> Type:8  Code:0  ID:2379   Seq:4  ECHO 
>>
>> Here is the output from snort.u2:
>> (Event)
>>         sensor id: 0    event id: 7     event second: 0 event
>> microsecond: 0
>>         sig id: 10000001        gen id: 1       revision:
>> 1      classification: 31
>>         priority: 3     ip source: 192.168.174.129      ip
>> destination: 192.168.2.103
>>         src port: 8     dest port: 0    protocol: 1     impact_flag:
>> 0  blocked: 0
>>
>> Packet
>>         sensor id: 0    event id: 7     event second: 0
>>         packet second: 0        packet microsecond: 0
>>         linktype: 228   packet_length: 84
>> [    0] 45 00 00 54 44 3E 40 00 3F 01 C5 31 C0 A8 AE
>> 81  E..TD>@.?..1....
>> [   16] C0 A8 02 67 08 00 2E 91 09 4B 00 04 6E 21 5A
>> 59  ...g.....K..n!ZY
>> [   32] 00 00 00 00 33 D2 05 00 00 00 00 00 10 11 12
>> 13  ....3...........
>> [   48] 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20 21 22 23  ............
>> !"#
>> [   64] 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F 30 31 32
>> 33  $%&'()*+,-./0123
>> [   80] 34 35 36 37                                      4567 
>>
>>
>> Why is the timestamp not detected?
>>
>> I need help, please.
>> I have been dealing with this issue for days, and I have been doing
>> intensive Google searches to find a similar issue, but still no luck.
>>
>> Thank you very much.
>>
>> -Dimz-
>>
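A small health check, added here and not code from the thread: it scans alert.full and u2spewfoo-style unified2 text for the epoch-0 symptom described above (the "01/01-07:00:00.000000" stamps and "event second: 0"), so a sensor that lost DAQ timing information is noticed rather than quietly logging 1970. It assumes Snort is printing local time (the 2.x default when -U is not given) and takes the local UTC offset as a parameter; the sample text is constructed from the lines quoted in the thread.

```python
"""Detect Snort alerts whose packet time is epoch 0 (no DAQ timing information)."""
import re
from datetime import datetime, timedelta, timezone

# alert.full header line, e.g. "01/01-07:00:00.000000 192.168.174.129 -> 192.168.2.103"
# (the asterisks the poster used for emphasis are tolerated on either side)
ALERT_TS = re.compile(r"^\*?(\d{2}/\d{2})-(\d{2}:\d{2}:\d{2})\.(\d{6})\*? ")
# u2spewfoo-style text, e.g. "event second: 0" / "packet second: 0"
U2_SECOND = re.compile(r"\b(event|packet) second:\s*(\d+)")


def epoch_zero_stamp(utc_offset_hours):
    """How Snort 2.x renders epoch 0 in its MM/DD-HH:MM:SS local-time form.

    In the poster's GMT+7 zone epoch 0 is 1970-01-01 07:00:00, which is
    exactly the "01/01-07:00:00" seen in the quoted alert.full output.
    """
    tz = timezone(timedelta(hours=utc_offset_hours))
    return datetime.fromtimestamp(0, tz).strftime("%m/%d-%H:%M:%S")


def find_zero_timestamps(text, utc_offset_hours):
    """Return [(line_no, source)] for every line carrying an epoch-0 timestamp."""
    zero = epoch_zero_stamp(utc_offset_hours)
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = ALERT_TS.match(line.strip())
        if m and f"{m.group(1)}-{m.group(2)}" == zero and m.group(3) == "000000":
            hits.append((n, "alert.full"))
            continue
        for m in U2_SECOND.finditer(line):
            if int(m.group(2)) == 0:
                hits.append((n, f"u2 {m.group(1)} second"))
    return hits


# Constructed sample built from the lines quoted in the thread (GMT+7 sensor).
SAMPLE = """\
[**] [1:10000001:1] ICMP Test Detected [**]
[Classification: Generic ICMP event] [Priority: 3]
01/01-07:00:00.000000 192.168.174.129 -> 192.168.2.103
ICMP TTL:63 TOS:0x0 ID:17470 IpLen:20 DgmLen:84 DF
(Event)
        sensor id: 0    event id: 7     event second: 0 event microsecond: 0
Packet
        packet second: 0        packet microsecond: 0
07/03-17:51:58.297893 192.168.174.129 -> 192.168.2.103
"""

if __name__ == "__main__":
    for line_no, source in find_zero_timestamps(SAMPLE, 7):
        print(f"line {line_no}: epoch-0 timestamp in {source}")
```

Any hit means the DAQ is not supplying packet timestamps, which is the condition the thread resolves for pf_ring_zc by passing -S to zbalance_ipc.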
