Snort mailing list archives
Unified2 output without Details like TTL, Win Size
From: <fabio.hufschmid () post ch>
Date: Wed, 3 Apr 2013 10:11:06 +0000
Hi,

I have a big problem. I am renewing our old Snort infrastructure. This is the setup:

Snort Sensor [unified2] -> barnyard2 [output log_syslog_full] -> Splunk [Output format]

I show the content of the unified2 with u2spewfoo before I feed it into barnyard2. I see that not all the information that is in the output alert.full is there. In the unified2 I miss this information:

TCP TTL:62 TOS:0x0 ID:65250 IpLen:20 DgmLen:62 DF
***AP*** Seq: 0xD5A75D01 Ack: 0xEF97F853 Win: 0x73 TcpLen: 32
TCP Options (3) => NOP NOP TS: 4230522403 429387143

I thought that the unified2 format contains all the information and that I can output it with barnyard2 to syslog. We need the information from alert.full with the payload that triggers the signature. How can I do that?

More details and the difference between the Snort outputs:

output unified2: filename /appl/sec/log/unified2.log, limit 128

(Event)
    sensor id: 0    event id: 4    event second: 1364982585    event microsecond: 817676
    sig id: 4    gen id: 128    revision: 1    classification: 25    priority: 2
    ip source: xxx.xxx.xxx.xxx    ip destination: yyy.yyy.yyy.yyy
    src port: 40411    dest port: 22    protocol: 6    impact_flag: 0    blocked: 0

Packet
    sensor id: 0    event id: 4    event second: 1364982585
    packet second: 1364982585    packet microsecond: 817676
    linktype: 1    packet_length: 75
[ 0] 00 22 64 FA 3A A6 00 1A E3 15 D0 00 08 00 45 00  ."d.:.........E.
[16] 00 3D CE 06 40 00 3E 06 E5 57 AC 1B 21 21 AC 15  .=..@.>..W..!!..
[32] 10 0B 9D DB 00 16 B6 C4 56 F0 36 93 78 28 80 18  ........V.6.x(..
[48] 00 73 6A 59 00 00 01 01 08 0A FC 34 9A 59 19 A3  .sjY.......4.Y..
[64] E2 94 61 73 64 66 61 73 64 0D 0A                 ..asdfasd..
output alert_full: /appl/sec/log/alert.full

[**] [128:4:1] (spp_ssh) Protocol mismatch [**]
[Classification: Detection of a non-standard protocol or event] [Priority: 2]
04/03-11:49:45.817676 xxx.xxx.xxx.xxx:40411 -> yyy.yyy.yyy.yyy:22
TCP TTL:62 TOS:0x0 ID:52742 IpLen:20 DgmLen:61 DF
***AP*** Seq: 0xB6C456F0 Ack: 0x36937828 Win: 0x73 TcpLen: 32
TCP Options (3) => NOP NOP TS: 4231305817 430170772

Thx
Neo
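The header fields the message says are missing (TTL, TOS, IP ID, flags, window, TCP options) are carried in the raw packet bytes of the unified2 Packet record; u2spewfoo just prints them as a hex dump rather than decoding them. As an added example that is not from the post, from Snort or from barnyard2, the Python below decodes the hex dump pasted above and rebuilds the alert_full header lines from it; it assumes linktype 1 (Ethernet) and an IPv4/TCP packet, as in that dump.

```python
import struct
# Packet bytes copied from the u2spewfoo dump in the post (Ethernet frame, 75 bytes).
U2_HEX = """
00 22 64 FA 3A A6 00 1A E3 15 D0 00 08 00 45 00
00 3D CE 06 40 00 3E 06 E5 57 AC 1B 21 21 AC 15
10 0B 9D DB 00 16 B6 C4 56 F0 36 93 78 28 80 18
00 73 6A 59 00 00 01 01 08 0A FC 34 9A 59 19 A3
E2 94 61 73 64 66 61 73 64 0D 0A
"""

def decode_frame(hexdump):
    """Decode Ethernet/IPv4/TCP headers (linktype 1) from a hex dump and return
    the fields alert_full prints: they are all inside the unified2 Packet record."""
    pkt = bytes.fromhex("".join(hexdump.split()))
    if pkt[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ip = pkt[14:]
    ver_ihl, tos, dgm_len, ip_id, frag, ttl, proto = struct.unpack("!BBHHHBB", ip[:10])
    ip_len = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("only IPv4/TCP is handled here")
    tcp = ip[ip_len:dgm_len]
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", tcp[:16])
    tcp_len = (off_flags >> 12) * 4
    # Snort's flag string order is CWR ECE URG ACK PSH RST SYN FIN, '*' for a clear bit.
    flags = "".join(c if off_flags & (0x80 >> i) else "*" for i, c in enumerate("12UAPRSF"))
    opts, i = [], 20
    while i < tcp_len:                        # walk the TCP options until End-of-List
        kind = tcp[i]
        if kind == 0:
            break
        if kind == 1:                         # NOP has no length byte
            opts.append("NOP"); i += 1
            continue
        length = tcp[i + 1]
        if kind == 8 and length == 10:        # timestamp option: TSval TSecr
            opts.append("TS: %d %d" % struct.unpack("!II", tcp[i + 2:i + 10]))
        else:
            opts.append("Opt%d" % kind)
        i += length
    return dict(ttl=ttl, tos=tos, id=ip_id, ip_len=ip_len, dgm_len=dgm_len, df=bool(frag & 0x4000),
                sport=sport, dport=dport, seq=seq, ack=ack, flags=flags, win=win,
                tcp_len=tcp_len, opts=opts, payload=tcp[tcp_len:])

def format_alert_full(f):
    """Render the decoded fields in the layout Snort's alert_full uses."""
    return ("TCP TTL:%d TOS:%#x ID:%d IpLen:%d DgmLen:%d%s\n%s Seq: 0x%08X Ack: 0x%08X "
            "Win: 0x%X TcpLen: %d\nTCP Options (%d) => %s"
            % (f["ttl"], f["tos"], f["id"], f["ip_len"], f["dgm_len"], " DF" if f["df"] else "",
               f["flags"], f["seq"], f["ack"], f["win"], f["tcp_len"], len(f["opts"]), " ".join(f["opts"])))
```

Running `format_alert_full(decode_frame(U2_HEX))` reproduces the three header lines of the alert_full record above, and `payload` holds the bytes that triggered the signature.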