Snort mailing list archives

Re: missing pcaps for alerts


From: Joel Esler <jesler () sourcefire com>
Date: Tue, 25 Oct 2011 18:04:59 -0400

Devel is currently working on a beta release of the next version of Snort, so they are currently occupied.  I know some 
are having difficulty right now, and we apologize for that, but we'll get to work on it soon.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Oct 25, 2011, at 5:05 PM, John Ives wrote:

Any word on when devel will be able to look into this?  Unlike my reading
of Eoin's problem, the traffic doesn't appear in the unified2 file
either (I originally thought it did but upon further investigation I
am not seeing it in either the pcap or the unified2 files).

I have tried upgrading to 2.9.1.2 hoping that would fix the problem.
At this point I am probably going to need to revert to 2.9.1.0 (which
worked) to get everything working properly.

Yours,

John

On 10/20/2011 10:50 AM, Joel Esler wrote:
Devel is going to look into this, however, they are busy with two
big things right now, and when they complete that, I'm sure they'll
chime in with some needs to test this out.

Thanks

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire


On Oct 20, 2011, at 1:40 PM, Eoin Miller wrote:

Hey Joel,


I've been noticing this for a while but kept forgetting to get
around to looking into it more in depth. I figured it was
barnyard2 having an issue, but it does appear to be Snort's
logging output. If multiple alerts are firing on the same frame,
Snort doesn't seem to re-log the frame correctly for multiple
alerts:

If we have a test set of 3 rules like below:

alert tcp any any -> any any (msg:"MZ 1"; file_data; content:"MZ"; within:2; sid:1; rev:1;)
alert tcp any any -> any any (msg:"MZ 2"; file_data; content:"MZ"; within:2; sid:2; rev:1;)
alert tcp any any -> any any (msg:"MZ 3"; file_data; content:"MZ"; within:2; sid:3; rev:1;)

Now we run them against a PCAP of a user downloading an
executable file, it alerts 3 times as expected in our fast alert
output log. However, in the unified2 log, we have the following
at the beginning of the file when we run the u2spewfoo binary
against it:

---BEGIN---
(Event)
    sensor id: 0    event id: 1     event second: 1319130108    event microsecond: 745191
    sig id: 3       gen id: 1       revision: 1     classification: 0
    priority: 0     ip source: 71.191.147.210       ip destination: 10.181.188.73
    src port: 80    dest port: 64916        protocol: 6     impact_flag: 0  blocked: 0

Packet
    sensor id: 0    event id: 1     event second: 1319130108
    packet second: 1319130108       packet microsecond: 745191
    linktype: 1     packet_length: 1514
00 00 5E 00 01 02 00 10 DB FF 26 00 08 00 45 00  ..^.......&...E.
05 DC 28 A0 40 00 38 06 71 EC 47 BF 93 D2 0A B5  ..(.@.8.q.G.....
BC 49 00 50 FD 94 2E 8F 54 A2 FC 56 2E AC 50 10  .I.P....T..V..P.
00 6C C1 9A 00 00 48 54 54 50 2F 31 2E 31 20 32  .l....HTTP/1.1 2
30 30 20 4F 4B 0D 0A 44 61 74 65 3A 20 54 68 75  00 OK..Date: Thu
2C 20 32 30 20 4F 63 74 20 32 30 31 31 20 31 37  , 20 Oct 2011 17
3A 31 34 3A 30 39 20 47 4D 54 0D 0A 53 65 72 76  :14:09 GMT..Serv
65 72 3A 20 41 70 61 63 68 65 2F 32 2E 32 2E 31  er: Apache/2.2.1
34 20 28 55 62 75 6E 74 75 29 0D 0A 4C 61 73 74  4 (Ubuntu)..Last
2D 4D 6F 64 69 66 69 65 64 3A 20 54 68 75 2C 20  -Modified: Thu, 
31 38 20 41 75 67 20 32 30 31 31 20 30 30 3A 34  18 Aug 2011 00:4
32 3A 31 33 20 47 4D 54 0D 0A 45 54 61 67 3A 20  2:13 GMT..ETag: 
22 31 38 36 36 30 33 2D 34 30 65 30 30 2D 34 61  "186603-40e00-4a
61 62 63 65 32 34 37 30 32 37 66 22 0D 0A 41 63  abce247027f"..Ac
63 65 70 74 2D 52 61 6E 67 65 73 3A 20 62 79 74  cept-Ranges: byt
65 73 0D 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67  es..Content-Leng
74 68 3A 20 32 36 35 37 32 38 0D 0A 4B 65 65 70  th: 265728..Keep
2D 41 6C 69 76 65 3A 20 74 69 6D 65 6F 75 74 3D  -Alive: timeout=
31 35 2C 20 6D 61 78 3D 31 30 30 0D 0A 43 6F 6E  15, max=100..Con
6E 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C  nection: Keep-Al
69 76 65 0D 0A 43 6F 6E 74 65 6E 74 2D 54 79 70  ive..Content-Typ
65 3A 20 61 70 70 6C 69 63 61 74 69 6F 6E 2F 78  e: application/x
2D 6D 73 64 6F 73 2D 70 72 6F 67 72 61 6D 0D 0A  -msdos-program..
0D 0A 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF  ..MZ............
00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00  ..........@.....
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 D8 00  ................
00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21  ..........!..L.!
54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E  This program can
6E 6F 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F  not be run in DO
53 20 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00  S mode....$.....
---SNIP---



After this alert and packet, there are 11 more subsequent
packets logged. However, the other two events have NO packets
with them as we can see below from the end of the output:


---SNIP---
E0 8B 00 85 C0 74 02 FF D0 83 45 E0 04 EB E6 C7  .....t....E.....
45 FC FE FF FF FF E8 20 00 00                    E...... ..

(Event)
    sensor id: 0    event id: 2     event second: 1319130108    event microsecond: 745191
    sig id: 2       gen id: 1       revision: 1     classification: 0
    priority: 0     ip source: 71.191.147.210       ip destination: 10.181.188.73
    src port: 80    dest port: 64916        protocol: 6     impact_flag: 0  blocked: 0

(Event)
    sensor id: 0    event id: 3     event second: 1319130108    event microsecond: 745191
    sig id: 1       gen id: 1       revision: 1     classification: 0
    priority: 0     ip source: 71.191.147.210       ip destination: 10.181.188.73
    src port: 80    dest port: 64916        protocol: 6     impact_flag: 0  blocked: 0
---END---


-- Eoin
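A small checker for the symptom Eoin describes, added here as an example and not code from the thread or from the Snort project: it walks a unified2 stream and lists every event that has no Packet record sharing its (sensor id, event id, event second). The record layouts are the legacy IPv4 event (type 7, 52-byte body) and the packet record (type 2) from Snort's unified2 headers; the sample stream is constructed inline, reusing only the addresses, ports and timestamps visible in the u2spewfoo output above.

```python
import struct

# Record types from Snort's unified2 format.
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7  # legacy IPv4 event, 52-byte body

REC_HDR = struct.Struct("!II")     # type, length (network byte order)
# sensor, event_id, event_sec, event_usec, sig_id, gen_id, rev, class, prio,
# ip_src, ip_dst, sport, dport, proto, impact_flag, impact, blocked
EVENT = struct.Struct("!11I2H4B")
# sensor, event_id, event_sec, pkt_sec, pkt_usec, linktype, pkt_len
PACKET = struct.Struct("!7I")

def iter_records(data):
    """Yield (type, body) for each unified2 record in a byte string."""
    off = 0
    while off + REC_HDR.size <= len(data):
        rtype, length = REC_HDR.unpack_from(data, off)
        off += REC_HDR.size
        yield rtype, data[off:off + length]
        off += length

def events_without_packets(data):
    """Return [(event_id, sig_id)] for events never followed by a Packet record."""
    events = {}            # (sensor, event_id, event_second) -> sig_id
    seen_packet = set()
    for rtype, body in iter_records(data):
        if rtype == UNIFIED2_IDS_EVENT:
            f = EVENT.unpack_from(body)
            events[(f[0], f[1], f[2])] = f[4]
        elif rtype == UNIFIED2_PACKET:
            f = PACKET.unpack_from(body)
            seen_packet.add((f[0], f[1], f[2]))
    return [(key[1], sig) for key, sig in events.items() if key not in seen_packet]

# Constructed sample reproducing the reported symptom; not a real capture.
def _event(event_id, sig_id):
    body = EVENT.pack(0, event_id, 1319130108, 745191, sig_id, 1, 1, 0, 0,
                      0x47BF93D2, 0x0AB5BC49,   # 71.191.147.210 -> 10.181.188.73
                      80, 64916, 6, 0, 0, 0)
    return REC_HDR.pack(UNIFIED2_IDS_EVENT, len(body)) + body

def _packet(event_id, payload):
    body = PACKET.pack(0, event_id, 1319130108, 1319130108, 745191, 1, len(payload)) + payload
    return REC_HDR.pack(UNIFIED2_PACKET, len(body)) + body

# Event 1 gets its packet; events 2 and 3 (same frame) get none.
SAMPLE = (_event(1, 3) + _packet(1, b"HTTP/1.1 200 OK\r\n\r\nMZ\x90\x00")
          + _event(2, 2) + _event(3, 1))

if __name__ == "__main__":
    for eid, sid in events_without_packets(SAMPLE):
        print(f"event id {eid} (sid {sid}) has no packet record")
```

Run against a real unified2 file by passing its bytes to events_without_packets; a non-empty result on a sensor that fires several rules per frame is the condition described in the thread.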





------------------------------------------------------------------------------
The demand for IT networking professionals continues to grow, and the
demand for specialized networking skills is growing even more
rapidly. Take a complimentary Learning@Cisco Self-Assessment and
learn about Cisco certifications, training, and career
opportunities. http://p.sf.net/sfu/cisco-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the
latest Snort news!


-- 
-------------------------------------------------------------------------
John Ives
System & Network Security                         Phone (510) 229-8676
University of California, Berkeley
-------------------------------------------------------------------------