<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>I forgot to mention one important thing:</p>
<p>During that test I uncommented most of the rules available (except deleted.rules and others I can't remember), so it was a pretty rough stress test for Snort. I don't know how it would've performed with 1000-2000 rules only.<br>
</p>
<br>
<div class="moz-cite-prefix">On 11/01/2017 10:14, João Soares wrote:<br>
</div>
<blockquote cite="mid:VI1PR02MB1231684005E28B8F71C13EBDDD660@...17703..." type="cite">
<p>Hi,</p>
<p>Surprisingly it's libpcap. I will most likely play with pf_ring later this year.</p>
<p>My way of load balancing for now is probably not the best, I'm splitting the traffic using linux bonding and bridging into 12 dummy interfaces, and then Snort is listening on all those 12 interfaces. This way I'm essentially forcing Snort to use 12 threads.</p>
<p>As for supporting 10Gbps, well I tested this while doing my master's thesis, but I only had 1 thread running at that time. **With only 1 thread**, and assuming your traffic is actually a constant 9-10Gbps (I simulated this with tcpreplay), Snort will place most of your packets in a queue, so I believe it's not ideal for more than ~2Gbps. Nevertheless, I haven't tested it thoroughly with 12 threads, but I'm feeling it will do great, even better if I start using pf_ring I suppose. I still have much to learn.</p>
<br>
<div class="moz-cite-prefix">On 11/01/2017 03:05, Maxim wrote:<br>
</div>
<blockquote cite="mid:31694b28.3082.1598b7d3c17.Coremail.hittlle@...7427..." type="cite">
<div style="line-height:1.7;color:#000000;font-size:14px;font-family:Arial">Hi Joao,<br>
Sorry that I cannot spell your name correctly using that letter with a hat on it^_^. I think they are related. If nobody answers it, we have to dive into the source code to figure out why. By the way, you said in your question that you started 12 threads to process captured packets. May I know what type of DAQ did you use? pf_ring or DPDK? What's the performance? Can it reach 10 gigabytes? Many thanks.<br>
<br>
<br>
<br>
<br>
At 2017-01-09 23:24:19, "João Soares" <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:joaosoares11@...125...">
<joaosoares11@...125...></a> wrote:<br>
<blockquote id="isReplyContent" style="PADDING-LEFT: 1ex;
            MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">
<p>Hi, I'm sorry to interrupt this conversation but I believe I had a similar issue, but unfortunately nobody answered. Maybe we can solve both of our problems :)<br>
</p>
<p><a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://sourceforge.net/p/snort/mailman/message/35565599/">https://sourceforge.net/p/snort/mailman/message/35565599/</a></p>
<p>Are these issues related? I'm logging .pcaps and alerts separately, not using the unified format.<br>
</p>
<div class="moz-cite-prefix">On 09/01/2017 14:03, Russ wrote:<br>
</div>
<blockquote cite="mid:9315b3bc-4529-6780-1a69-ff6fbba66055@...589..." type="cite">
<br>
<br>
<div class="moz-cite-prefix">On 1/9/17 2:53 AM, Maxim wrote:<br>
</div>
<blockquote cite="mid:36436262.8dd7.15982382c48.Coremail.hittlle@...7427..." type="cite">
<div style="line-height:1.7;color:#000000;font-size:14px;font-family:Arial">
<div>Hi Albert, </div>
<div>In section 1.3.2 of the snort3.0 manual, there is a saying:</div>
<div>   "-A u2 is the same as -A unified2 and will log events and triggering packets in a binary file that you can feed to other tools for post processing. Note that Snort 3 does not provide the raw packets for alerts on PDUs; you will get the actual buffer that
 alerted. "</div>
<div> </div>
<div>I think it does something to do with this. Am I right?</div>
</div>
</blockquote>
Correct.  We can try to provide more information.  Please describe the info you need and how you use it.  In general, raw packets aren't terribly helpful, but we could log other buffers as well.<br>
<blockquote cite="mid:36436262.8dd7.15982382c48.Coremail.hittlle@...7427..." type="cite">
<div style="line-height:1.7;color:#000000;font-size:14px;font-family:Arial">
<div><br>
</div>
Hittlle<br>
<br>
<br>
<br>
<br>
At 2017-01-09 11:46:42, "Maxim" <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:hittlle@...7427...">
<hittlle@...7427...></a> wrote:<br>
<blockquote id="isReplyContent" style="PADDING-LEFT:
                    1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc
                    1px solid">
<div style="line-height:1.7;color:#000000;font-size:14px;font-family:Arial">
<div>Hi Albert,</div>
<div>It is the HTTP request packet that fires the alert, so this packet should be recorded, right? And all packets in the same session after this offensive request packet should be logged, right? Many thanks.</div>
<br>
<br>
<br>
<br>
<br>
At 2017-01-07 06:37:19, "Al Lewis (allewi)" <<a moz-do-not-send="true" href="mailto:allewi@...589...">allewi@...589...</a>> wrote:<br>
<blockquote id="isReplyContent" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px
                        0.8ex; BORDER-LEFT: #ccc 1px solid">
<div>
<div>You can capture the session traffic with just the tagging.</div>
<div><br>
</div>
<div>I don’t think your problem is with the session/tagging functionality. You need to create a rule that alerts THEN starts recording. </div>
<div><br>
</div>
<div>Snort will not be able to go back and capture packets BEFORE the rule alerted. So if you have a rule that alerts on a response packet Snort will not be able to go back and “recapture” the request or packets that happened BEFORE the alert.</div>
<div><br>
</div>
<div>See attached. It uses a telnet session to alert on the SYN flag, then logs traffic for the next second. </div>
<div><br>
</div>
<div>I ran snort like this </div>
<div><br>
</div>
<div>"snort -c etc/snort/maxim.lua -r etc/snort/maxim.pcap -k none -l ."</div>
<div><br>
</div>
<div> which produced the pcap, alert, codec and unified log files.</div>
<div><br>
</div>
<div><br>
</div>
<div>Hope this helps.</div>
<div><br>
</div>
<div>
<div id="MAC_OUTLOOK_SIGNATURE">
<div>
<p class="MsoNormal" style="font-family:
                                  -webkit-standard; margin: 0in 0in
                                  0.0001pt; font-size: 11pt;">
<b><span style="font-size: 12pt;
                                      color: rgb(31, 73, 125);"><font face="Courier">Albert Lewis<o:p></o:p></font></span></b></p>
<p class="MsoNormal" style="font-family:
                                  -webkit-standard; margin: 0in 0in
                                  0.0001pt; font-size: 11pt;">
<font color="#7f7f7f">ENGINEER.SOFTWARE ENGINEERING</font></p>
<p class="MsoNormal" style="font-family:
                                  -webkit-standard; margin: 0in 0in
                                  0.0001pt; font-size: 11pt;">
<font face="Courier"><span style="color: rgb(153, 153, 153);
                                      font-size: 12pt;">SOURCE</span><b><span style="font-size: 12pt; color:
                                        red;">fire</span></b><span style="color: rgb(153, 153, 153);
                                      font-size: 12pt;">,
 Inc. </span><span style="color: rgb(136, 136, 136);
                                      font-size: 12pt;">now part of </span><b><span style="font-size: 12pt;"><font color="#00007f">Cisco</font></span></b></font></p>
<p class="MsoNormal" style="font-family:
                                  -webkit-standard; margin: 0in 0in
                                  0.0001pt; font-size: 11pt;">
<font face="Courier"><span style="font-size: 12pt; color:
                                      rgb(153, 153, 153);">Email: </span><span style="font-size: 12pt;"><a moz-do-not-send="true" href="mailto:allewi@...589..." style="color: purple;">allewi@...589...</a><span style="color: rgb(79, 129,
                                        189);"> </span></span></font></p>
</div>
</div>
</div>
</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family:Calibri;
                            font-size:12pt; text-align:left;
                            color:black; BORDER-BOTTOM: medium none;
                            BORDER-LEFT: medium none; PADDING-BOTTOM:
                            0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in;
                            BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT:
                            medium none; PADDING-TOP: 3pt">
<span style="font-weight:bold">From: </span>Maxim <<a moz-do-not-send="true" href="mailto:hittlle@...7427...">hittlle@...7427...</a>><br>
<span style="font-weight:bold">Date: </span>Thursday, January 5, 2017 at 9:41 PM<br>
<span style="font-weight:bold">To: </span>allewi <<a moz-do-not-send="true" href="mailto:allewi@...589...">allewi@...589...</a>><br>
<span style="font-weight:bold">Cc: </span>'snort-users' <<a moz-do-not-send="true" href="mailto:snort-users@lists.sourceforge.net">snort-users@lists.sourceforge.net</a>><br>
<span style="font-weight:bold">Subject: </span>Re:Re: [SUSPECTED SPAM] [Snort-users] snort3.0 doesn't log the triggering packet of an alert<br>
</div>
<div><br>
</div>
<span style="mso-bookmark:_MailOriginalBody">
<div>
<div>
<div style="line-height:1.7;color:#000000;font-size:14px;font-family:Arial">
<div>Hi Albert,</div>
<div>Thanks for your help. Attached please kindly find my snort.lua. My question is not that snort doesn't record any packets to the unified2 file, but the first packet that triggers the alert. What I am doing is this: if a packet fires a rule, tell snort to record the bidirectional packets (packets belonging to the same session) of that session. So, I write the following rule:</div>
<div><br>
</div>
<div>             alert tcp any any -> any 80 ( msg:"test-http-req-body"; content:"abc";http_client_body; flowbits:isnotset,105;flowbits:set,105;tag:session;sid: 105;rev:1;)</div>
<div><br>
</div>
<div>As you can see, I used flowbits and tag:session to accomplish this. And ran snort this way:</div>
<div>            /opt/snort3.0/bin/snort -c /var/log/snort/snort.lua -i eth0 -D -l /var/log/snort/</div>
<div><br>
</div>
<div><span style="line-height: 1.7;">As you can see from the attached unified2 log file, I can see the alert, and the HTTP response packet. But I cannot find the request packet payload information there. Am I missing something here? Thanks.</span></div>
<div>       </div>
<br>
<br>
<br>
<br>
<br>
At 2017-01-05 19:17:23, "Al Lewis (allewi)" <<a moz-do-not-send="true" href="mailto:allewi@...589...">allewi@...589...</a>> wrote:<br>
<blockquote id="isReplyContent" style="PADDING-LEFT: 1ex; MARGIN:
                                    0px 0px 0px 0.8ex; BORDER-LEFT: #ccc
                                    1px solid">
<div>
<div>Hello Maxim,</div>
<div><br>
</div>
<div><span class="Apple-tab-span" style="white-space:pre"></span>Please see the section under the snort3 manual for loggers:</div>
<div><br>
</div>
<div><a moz-do-not-send="true" href="https://s3.amazonaws.com/snort-org-site/production/release_files/files/000/004/860/original/snort_manual.html?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1483618124&Signature=4RZ4GTblHk9jmFlDhjHddxo%2BA28%3D#_logger_modules">https://s3.amazonaws.com/snort-org-site/production/release_files/files/000/004/860/original/snort_manual.html?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1483618124&Signature=4RZ4GTblHk9jmFlDhjHddxo%2BA28%3D#_logger_modules</a></div>
<div><br>
</div>
<div><br>
</div>
<div>It's impossible to say what the issue is without a copy of your configuration. </div>
<div><br>
</div>
<div>Attached is a basic config that should log any tcp packet.</div>
<div><br>
</div>
<div>All I did was run it with this below:</div>
<div><br>
</div>
<div>./bin/snort -c etc/snort/maxim.lua -r /home/alewis/Downloads/CURL.pcap -l .</div>
<div><br>
</div>
<div><br>
</div>
<div>And it produced log files as these (unified log is there):</div>
<div><br>
</div>
<div><br>
</div>
<div>
<div>alewis@...17722...:/var/tmp/snort++$ ls</div>
<div>alert_full.txt  bin  core  etc  include  lib  log_codecs.txt  share  unified2.log</div>
<div>alewis@...17722...:/var/tmp/snort++$ </div>
</div>
<div><br>
</div>
<div><br>
</div>
<div>
<div id="">
<div>
<p class="MsoNormal" style="font-family:
                                              -webkit-standard; margin:
                                              0in 0in 0.0001pt;
                                              font-size: 11pt;">
<b><span style="font-size:
                                                  12pt; color: rgb(31,
                                                  73, 125);"><font face="Courier">Albert Lewis<o:p></o:p></font></span></b></p>
<p class="MsoNormal" style="font-family:
                                              -webkit-standard; margin:
                                              0in 0in 0.0001pt;
                                              font-size: 11pt;">
<font color="#7f7f7f">ENGINEER.SOFTWARE ENGINEERING</font></p>
<p class="MsoNormal" style="font-family:
                                              -webkit-standard; margin:
                                              0in 0in 0.0001pt;
                                              font-size: 11pt;">
<font face="Courier"><span style="color: rgb(153,
                                                  153, 153); font-size:
                                                  12pt;">SOURCE</span><b><span style="font-size:
                                                    12pt; color: red;">fire</span></b><span style="color: rgb(153,
                                                  153, 153); font-size:
                                                  12pt;">,
 Inc. </span><span style="color: rgb(136,
                                                  136, 136); font-size:
                                                  12pt;">now part of </span><b><span style="font-size:
                                                    12pt;"><font color="#00007f">Cisco</font></span></b></font></p>
<p class="MsoNormal" style="font-family:
                                              -webkit-standard; margin:
                                              0in 0in 0.0001pt;
                                              font-size: 11pt;">
<font face="Courier"><span style="font-size:
                                                  12pt; color: rgb(153,
                                                  153, 153);">Email: </span><span style="font-size:
                                                  12pt;"><a moz-do-not-send="true" href="mailto:allewi@...589..." style="color: purple;">allewi@...589...</a><span style="color:
                                                    rgb(79, 129, 189);"> </span></span></font></p>
</div>
</div>
</div>
</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family:Calibri;
                                        font-size:12pt; text-align:left;
                                        color:black; BORDER-BOTTOM:
                                        medium none; BORDER-LEFT: medium
                                        none; PADDING-BOTTOM: 0in;
                                        PADDING-LEFT: 0in;
                                        PADDING-RIGHT: 0in; BORDER-TOP:
                                        #b5c4df 1pt solid; BORDER-RIGHT:
                                        medium none; PADDING-TOP: 3pt">
<span style="font-weight:bold">From: </span>Maxim <<a moz-do-not-send="true" href="mailto:hittlle@...7427...">hittlle@...7427...</a>><br>
<span style="font-weight:bold">Date: </span>Thursday, January 5, 2017 at 3:19 AM<br>
<span style="font-weight:bold">To: </span>'snort-users' <<a moz-do-not-send="true" href="mailto:snort-users@lists.sourceforge.net">snort-users@lists.sourceforge.net</a>><br>
<span style="font-weight:bold">Subject: </span>[SUSPECTED SPAM] [Snort-users] snort3.0 doesn't log the triggering packet of an alert<br>
</div>
<div><br>
</div>
<span style="mso-bookmark:_MailOriginalBody">
<div>
<div>
<div style="line-height:1.7;color:#000000;font-size:14px;font-family:Arial">
<div>Hi snort experts,</div>
<div>    I just tried snort 3.0, and found that it doesn't log the triggering packet of an alert if I use unified2 logger. Is it a bug or am I missing any required configurations? It's very different from snort 2.9.8.0. Many thanks.</div>
</div>
<br>
<br>
</div>
</div>
</span></span></blockquote>
</div>
<br>
<br>
</div>
</div>
</span></span></blockquote>
</div>
<br>
<br>
</blockquote>
</div>
<br>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset> <br>
<pre wrap="">------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! <a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://sdm.link/slashdot">http://sdm.link/slashdot</a></pre>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset> <br>
<pre wrap="">_______________________________________________
Snort-users mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:Snort-users@lists.sourceforge.net">Snort-users@lists.sourceforge.net</a>
Go to this URL to change user options or unsubscribe:
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://lists.sourceforge.net/lists/listinfo/snort-users">https://lists.sourceforge.net/lists/listinfo/snort-users</a>
Snort-users list archive:
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users">http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users</a>

Please visit <a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://blog.snort.org">http://blog.snort.org</a> to stay current on all the latest Snort news!</pre>
</blockquote>
</blockquote>
<br>
</blockquote>
</div>
<br>
<br>
</blockquote>
</blockquote>
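<p>Added example, not code from the thread or from the Snort project: a small Python walker over a unified2 log that reports, for each packet record, whether the captured frame carries the HTTP request or only the response and later session packets, which is the check Maxim was doing by hand above. It assumes Ethernet link type and IPv4/TCP frames, and builds its own constructed sample records rather than reading the attached log.</p>

```python
import struct

UNIFIED2_PACKET = 2              # Serial_Unified2Packet record type
UNIFIED2_IDS_EVENT_VLAN = 104    # IPv4 event record; body treated as opaque here
LINKTYPE_ETHERNET = 1

def unified2_records(blob):
    """Yield (type, body) per record; the header is two big-endian uint32s."""
    off = 0
    while off + 8 <= len(blob):
        rtype, rlen = struct.unpack_from(">II", blob, off)
        body = blob[off + 8:off + 8 + rlen]
        if len(body) != rlen:
            raise ValueError("truncated unified2 record at offset %d" % off)
        yield rtype, body
        off += 8 + rlen

def tcp_payload(frame):
    """TCP payload of an Ethernet/IPv4/TCP frame, b'' for anything else."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return b""
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack_from(">H", frame, 16)[0]
    tcp = 14 + ihl
    doff = (frame[tcp + 12] >> 4) * 4
    return frame[tcp + doff:14 + total_len]

def classify_packets(blob):
    """(event_id, 'request' | 'response' | 'other') for every packet record."""
    out = []
    for rtype, body in unified2_records(blob):
        if rtype != UNIFIED2_PACKET:
            continue
        # sensor_id, event_id, event_second, packet_second, packet_usec, linktype, packet_length
        _, event_id, _, _, _, link, plen = struct.unpack_from(">7I", body, 0)
        payload = tcp_payload(body[28:28 + plen]) if link == LINKTYPE_ETHERNET else b""
        if payload[:4] in (b"GET ", b"POST", b"HEAD", b"PUT "):
            kind = "request"
        elif payload.startswith(b"HTTP/"):
            kind = "response"
        else:
            kind = "other"
        out.append((event_id, kind))
    return out

def has_request(blob, event_id):
    """True if any logged packet for this event carries the HTTP request."""
    return (event_id, "request") in classify_packets(blob)

# --- constructed sample data below; checksums are left zero on purpose ---
def build_frame(sport, dport, payload):
    tcp = struct.pack(">HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip

def packet_record(event_id, frame):
    body = struct.pack(">7I", 1, event_id, 0, 0, 0, LINKTYPE_ETHERNET, len(frame)) + frame
    return struct.pack(">II", UNIFIED2_PACKET, len(body)) + body

# What the thread describes: the event is there, the response and a later session
# packet are there (tag:session), but the request that fired sid 105 is not.
SAMPLE_LOG = (struct.pack(">II", UNIFIED2_IDS_EVENT_VLAN, 8) + b"\x00" * 8
              + packet_record(105, build_frame(80, 40000, b"HTTP/1.1 200 OK\r\n\r\n"))
              + packet_record(105, build_frame(40000, 80, b"")))
```

Run <code>classify_packets</code> over the bytes of a real unified2.log to see the same breakdown per event id; an event with no "request" entry is exactly the symptom discussed above.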
<br>
</body>
</html>