Snort mailing list archives

Re: Fwd: Re: barnyard2-1.10 major problem


From: "Lawrence R. Hughes, Sr." <lhughes () safemedia com>
Date: Thu, 25 Oct 2012 12:33:38 -0400

Beenph,

Snort did not break the following unified2 output from snort.log into two (2) 
different events:

(Event)
        sensor id: 0    event id: 1     event second: 1350903278        event microsecond: 178786
        sig id: 2805523 gen id: 1       revision: 1      classification: 21
        priority: 1     ip source: 172.25.236.179       ip destination: 207.171.163.31
        src port: 4926  dest port: 80   protocol: 6     impact_flag: 0  blocked: 0

Packet
        sensor id: 0    event id: 1     event second: 1350903278
        packet second: 1350903278       packet microsecond: 178786
        linktype: 1     packet_length: 449
[    0] 00 0E 0C C1 D5 7B 00 0D 66 DC D0 00 08 00 45 00  .....{..f.....E.
[   16] 01 B3 7F 06 40 00 40 06 AE A6 AC 19 EC B3 CF AB  ....@.@.........
[   32] A3 1F 13 3E 00 50 41 49 60 BC AA E5 94 90 50 18  ...>.PAI`.....P.
[   48] 19 20 84 D8 00 00 47 45 54 20 2F 69 6E 73 74 61  . ....GET /insta
[   64] 6C 6C 65 72 2E 67 69 66 3F 61 63 74 69 6F 6E 3D  ller.gif?action=
[   80] 66 69 6E 69 73 68 65 64 26 62 72 6F 77 73 65 72  finished&browser
[   96] 3D 69 65 37 26 76 65 72 3D 31 5F 32 33 5F 31 35  =ie7&ver=1_23_15
[  112] 31 5F 31 35 31 26 62 69 63 3D 44 36 44 44 36 46  1_151&bic=D6DD6F
[  128] 43 43 43 36 33 38 34 43 42 46 41 43 33 32 32 32  CCC6384CBFAC3222
[  144] 34 39 41 33 31 33 36 44 37 31 49 45 26 61 70 70  49A3136D71IE&app
[  160] 3D 34 34 39 33 26 61 70 70 76 65 72 3D 34 30 26  =4493&appver=40&
[  176] 76 65 72 69 66 69 65 72 3D 31 63 36 32 66 61 39  verifier=1c62fa9
[  192] 61 34 61 33 36 33 32 34 63 33 36 35 38 34 64 38  a4a36324c36584d8
[  208] 31 34 35 39 65 33 36 62 32 26 73 72 63 69 64 3D  1459e36b2&srcid=
[  224] 38 38 39 37 34 26 73 75 62 69 64 3D 64 65 66 61  88974&subid=defa
[  240] 75 6C 74 26 7A 64 61 74 61 3D 38 38 39 37 34 26  ult&zdata=88974&
[  256] 73 75 62 69 64 3D 26 70 69 64 3D 31 33 32 32 26  subid=&pid=1322&
[  272] 66 66 3D 30 5F 38 35 26 63 68 3D 31 5F 32 30 5F  ff=0_85&ch=1_20_
[  288] 33 37 26 64 65 66 61 75 6C 74 3D 69 65 26 6F 73  37&default=ie&os
[  304] 3D 58 50 26 61 64 6D 69 6E 3D 31 26 74 79 70 65  =XP&admin=1&type
[  320] 3D 31 32 34 31 37 26 61 73 77 3D 30 20 48 54 54  =12417&asw=0 HTT
[  336] 50 2F 31 2E 30 0D 0A 55 73 65 72 2D 41 67 65 6E  P/1.0..User-Agen
[  352] 74 3A 20 4E 53 49 53 5F 49 6E 65 74 63 20 28 4D  t: NSIS_Inetc (M
[  368] 6F 7A 69 6C 6C 61 29 0D 0A 48 6F 73 74 3A 20 73  ozilla)..Host: s
[  384] 74 61 74 73 2E 63 72 6F 73 73 72 69 64 65 72 2E  tats.crossrider.
[  400] 63 6F 6D 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A  com..Connection:
[  416] 20 4B 65 65 70 2D 41 6C 69 76 65 0D 0A 50 72 61   Keep-Alive..Pra
[  432] 67 6D 61 3A 20 6E 6F 2D 63 61 63 68 65 0D 0A 0D  gma: no-cache...
[  448] 0A                                               .

Packet
        sensor id: 0    event id: 1     event second: 1350903278
        packet second: 1350903278       packet microsecond: 300156
        linktype: 1     packet_length: 381
[    0] 00 0E 0C C1 D5 7B 00 0D 66 DC D0 00 08 00 45 00  .....{..f.....E.
[   16] 01 6F 7F 08 40 00 40 06 AE E8 AC 19 EC B3 CF AB  .o..@.@.........
[   32] A3 1F 13 3E 00 50 41 49 62 47 AA E5 96 5E 50 18  ...>.PAIbG...^P.
[   48] 1D 50 BB 8D 00 00 47 45 54 20 2F 61 70 70 73 2E  .P....GET /apps.
[   64] 67 69 66 3F 61 63 74 69 6F 6E 3D 69 6E 73 74 61  gif?action=insta
[   80] 6C 6C 26 62 72 6F 77 73 65 72 3D 69 65 37 26 76  ll&browser=ie7&v
[   96] 65 72 3D 31 5F 32 33 5F 31 35 31 5F 31 35 31 26  er=1_23_151_151&
[  112] 62 69 63 3D 44 36 44 44 36 46 43 43 43 36 33 38  bic=D6DD6FCCC638
[  128] 34 43 42 46 41 43 33 32 32 32 34 39 41 33 31 33  4CBFAC322249A313
[  144] 36 44 37 31 49 45 26 61 70 70 3D 34 34 39 33 26  6D71IE&app=4493&
[  160] 61 70 70 76 65 72 3D 34 30 26 76 65 72 69 66 69  appver=40&verifi
[  176] 65 72 3D 31 63 36 32 66 61 39 61 34 61 33 36 33  er=1c62fa9a4a363
[  192] 32 34 63 33 36 35 38 34 64 38 31 34 35 39 65 33  24c36584d81459e3
[  208] 36 62 32 26 69 6E 73 74 61 6C 6C 74 69 6D 65 3D  6b2&installtime=
[  224] 31 33 35 30 39 31 38 31 34 39 26 63 75 72 74 69  1350918149&curti
[  240] 6D 65 3D 31 33 35 30 39 31 38 31 34 39 26 6C 69  me=1350918149&li
[  256] 66 65 74 69 6D 65 3D 30 20 48 54 54 50 2F 31 2E  fetime=0 HTTP/1.
[  272] 30 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4E  0..User-Agent: N
[  288] 53 49 53 5F 49 6E 65 74 63 20 28 4D 6F 7A 69 6C  SIS_Inetc (Mozil
[  304] 6C 61 29 0D 0A 48 6F 73 74 3A 20 73 74 61 74 73  la)..Host: stats
[  320] 2E 63 72 6F 73 73 72 69 64 65 72 2E 63 6F 6D 0D  .crossrider.com.
[  336] 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 4B 65 65  .Connection: Kee
[  352] 70 2D 41 6C 69 76 65 0D 0A 50 72 61 67 6D 61 3A  p-Alive..Pragma:
[  368] 20 6E 6F 2D 63 61 63 68 65 0D 0A 0D 0A            no-cache....

There is one (1) event header and two (2) packets!

If snort wanted two (2) events it would have put two (2) event headers in 
the unified2 log file.

You have it all wrong beenph!
Just ask the guys at SF; the above should be treated as a single event with 2 
packets.

When can you fix this in spooler.c?

Thanks,
Larry





----- Original Message ----- 
From: "beenph" <beenph () gmail com>
To: "Lawrence R. Hughes, Sr." <lhughes () safemedia com>
Cc: <barnyard2-users () googlegroups com>; "snort-users" 
<snort-users () lists sourceforge net>
Sent: Thursday, October 25, 2012 12:02 PM
Subject: Re: [Snort-users] Fwd: Re: barnyard2-1.10 major problem


On Thu, Oct 25, 2012 at 11:57 AM, Lawrence R. Hughes, Sr.
<lhughes () safemedia com> wrote:
Beenph,

So what I see, and correct me if I am wrong, is that you take a single event from
snort that has 2 packets and create 2 separate events in the database.

So if I had a single event from snort that has 6 packets that are all listed
with the same event_id, barnyard would create 6 events in the snort.event
database, correct?

If this is the case, please explain why you would break the packets from a
single event into several events.

That's exact.

We do not break anything up; it is logged to the database as it's present
in the unified2 file:
UNIFIED2_RECORD_HEADER
EVENT X
UNIFIED2_RECORD_HEADER
PACKET1  EVENT X
UNIFIED2_RECORD_HEADER
PACKET2  EVENT X
UNIFIED2_RECORD_HEADER
PACKETN EVENT X

-elz
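The record layout beenph describes (one event record, then one packet record per packet, each carrying the same sensor id / event id / event second) is what decides the dispute above. The following is an added example, not barnyard2 or Snort code: a small unified2 reader that walks a spool file and groups packet records under the event they reference, so a consumer can emit one event per header rather than one per packet. Record types and field layouts follow Snort's Unified2_common.h (type 7 legacy IPv4 event, type 2 packet); the sample byte stream is constructed from the header values in Larry's post with shortened stand-in payloads.

```python
import ipaddress, struct
# Record type ids and body layouts from Snort's Unified2_common.h (all fields big-endian)
UNIFIED2_PACKET, UNIFIED2_IDS_EVENT = 2, 7  # type 7 is the legacy IPv4 event (52-byte body)
EVENT_FMT, EVENT_FIELDS = "!11I2H4B", (
    "sensor_id", "event_id", "event_second", "event_microsecond", "signature_id",
    "generator_id", "signature_revision", "classification_id", "priority_id", "ip_source",
    "ip_destination", "sport_itype", "dport_icode", "protocol", "impact_flag", "impact", "blocked")
PACKET_FMT, PACKET_FIELDS = "!7I", ("sensor_id", "event_id", "event_second", "packet_second",
    "packet_microsecond", "linktype", "packet_length")  # then packet_length bytes of frame

def parse_unified2(data):
    """(type, fields) per complete record; a partial record at the tail is left for the next read."""
    records, off = [], 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack_from("!II", data, off)
        if off + 8 + rlen > len(data):
            break  # spool file still being written: this record is not complete yet
        body = data[off + 8:off + 8 + rlen]
        rec = {"raw": body}  # extra-data / IPv6 record types are left opaque here
        if rtype == UNIFIED2_IDS_EVENT:
            rec = dict(zip(EVENT_FIELDS, struct.unpack_from(EVENT_FMT, body)))
        elif rtype == UNIFIED2_PACKET:
            rec = dict(zip(PACKET_FIELDS, struct.unpack_from(PACKET_FMT, body)))
            rec["data"] = body[28:28 + rec["packet_length"]]
        records.append((rtype, rec))
        off += 8 + rlen
    return records

def group_events(records):
    """One entry per (sensor_id, event_id, event_second): event header plus its packet records."""
    groups = {}
    for rtype, rec in records:
        if rtype in (UNIFIED2_IDS_EVENT, UNIFIED2_PACKET):
            g = groups.setdefault((rec["sensor_id"], rec["event_id"], rec["event_second"]),
                                  {"event": None, "packets": []})
            if rtype == UNIFIED2_IDS_EVENT:
                g["event"] = rec
            else:
                g["packets"].append(rec)
    return groups

def build_sample():
    """Constructed stream mirroring the post (header values from the post, payloads shortened)."""
    rec = lambda t, body: struct.pack("!II", t, len(body)) + body
    src, dst = (int(ipaddress.IPv4Address(a)) for a in ("172.25.236.179", "207.171.163.31"))
    ev = struct.pack(EVENT_FMT, 0, 1, 1350903278, 178786, 2805523, 1, 1, 21, 1, src, dst, 4926, 80, 6, 0, 0, 0)
    pkts = [struct.pack(PACKET_FMT, 0, 1, 1350903278, 1350903278, usec, 1, len(p)) + p
            for usec, p in ((178786, b"GET /installer.gif?action=finished"),
                            (300156, b"GET /apps.gif?action=install"))]
    return rec(UNIFIED2_IDS_EVENT, ev) + b"".join(rec(UNIFIED2_PACKET, p) for p in pkts)
```

Run against the sample, `group_events` yields a single key with two packets, which is the "one event, N packets" reading; a writer that inserts one row per packet record instead would produce the duplicate events seen in the thread.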


