Snort mailing list archives
u2 format differences from 2.9.8.0 to 2.9.8.2
From: Avery Rozar <avery.rozar () insecure-it com>
Date: Sat, 25 Jun 2016 11:32:07 -0400
I've run into some issues with Barnyard2 adding data into my database, even with appid disabled. Using hexdump to look at the snort.log file, it seems a bit different in 2.9.8.2 vs 2.9.8.0. I'm curious if there was a change that is causing Barnyard2 to not fully read the u2 file like it used to. I noticed an asterisk (*) between events now. Maybe it's just how hexdump is reading the two different u2 files, I'm not sure... I wrote a python script to parse u2 files back around Snort 2.9.7.6 and it is now missing all of the "events (Serial Unified2 Header # 104)" when parsing anything from 2.9.8.2. I can only assume that's also what Barnyard2 is missing. I'm only getting the "Serial Unified2 Header # 2" packets now.

Example:

*Snort 2.9.8.0 hexdump (it's a continuous hexdump)*

00000000 00 00 00 68 00 00 00 3c 00 00 00 00 00 00 00 01 |...h...<........|
00000010 56 df 51 72 00 08 8d 7e 00 00 3f ad 00 00 00 01 |V.Qr...~..?.....|
00000020 00 00 00 0e 00 00 00 09 00 00 00 01 42 3d aa 62 |............B=.b|
00000030 c0 a8 ac 20 00 50 11 91 06 20 00 01 00 00 00 00 |... .P... ......|
00000040 00 00 00 00 00 00 00 02 00 00 05 b6 00 00 00 00 |................|
00000050 00 00 00 01 56 df 51 72 56 df 51 72 00 08 8d 7e |....V.QrV.Qr...~|
00000060 00 00 00 01 00 00 05 9a f8 b1 56 3e d7 05 70 e4 |..........V>..p.|
00000070 22 85 6c f7 08 00 45 00 05 8c ac ac 40 00 39 06 |".l...E.....@ .9.|
00000080 36 57 42 3d aa 62 c0 a8 ac 20 00 50 11 91 d4 0c |6WB=.b... .P....|
00000090 1f 99 c7 f8 1c 4a 50 10 74 70 40 94 00 00 48 54 |.....JP.tp@ ...HT|
000000a0 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d 0a 53 |TP/1.1 200 OK..S|
000000b0 65 72 76 65 72 3a 20 6e 67 69 6e 78 2f 31 2e 36 |erver: nginx/1.6|
000000c0 2e 32 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 |.2..Content-Type|
000000d0 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d |: application/x-|
000000e0 6a 61 76 61 73 63 72 69 70 74 0d 0a 45 78 70 69 |javascript..Expi|
000000f0 72 65 73 3a 20 57 65 64 2c 20 30 39 20 4d 61 72 |res: Wed, 09 Mar|
00000100 20 32 30 31 36 20 32 33 3a 35 34 3a 34 39 20 47 | 2016 23:54:49 G|
00000110 4d 54 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 72 6f |MT..Cache-Contro|
00000120 6c 3a 20 6d 61 78 2d 61 67 65 3d 38 36 34 30 30 |l: max-age=86400|
00000130 0d 0a 43 6f 6e 74 65 6e 74 2d 45 6e 63 6f 64 69 |..Content-Encodi|
00000140 6e 67 3a 20 67 7a 69 70 0d 0a 43 6f 6e 74 65 6e |ng: gzip..Conten|
00000150 74 2d 4c 65 6e 67 74 68 3a 20 33 34 31 30 33 0d |t-Length: 34103.|
00000160 0a 44 61 74 65 3a 20 57 65 64 2c 20 30 39 20 4d |.Date: Wed, 09 M|
00000170 61 72 20 32 30 31 36 20 30 30 3a 32 37 3a 33 34 |ar 2016 00:27:34|
00000180 20 47 4d 54 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e | GMT..Connection|
00000190 3a 20 6b 65 65 70 2d 61 6c 69 76 65 0d 0a 56 61 |: keep-alive..Va|
000001a0 72 79 3a 20 41 63 63 65 70 74 2d 45 6e 63 6f 64 |ry: Accept-Encod|
000001b0 69 6e 67 0d 0a 0d 0a 1f 8b 08 00 00 00 00 00 00 |ing.............|

*Snort 2.9.8.2 (It has the "*" in the file)*

00000000 00 00 00 6f 00 00 00 7c 00 00 00 00 00 00 00 01 |...o...|........|
00000010 57 6e 99 a4 00 0d 69 33 00 0f 42 42 00 00 00 01 |Wn....i3..BB....|
00000020 00 00 00 01 00 00 00 1c 00 00 00 01 ac 1f fe 98 |................|
00000030 ac 1f fb 0a ee 0a 00 50 06 20 00 01 00 00 00 00 |.......P. ......|
00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000080 00 00 00 00 00 00 00 02 00 00 02 f5 00 00 00 00 |................|
00000090 00 00 00 01 57 6e 99 a4 57 6e 99 a4 00 0d 69 33 |....Wn..Wn....i3|
000000a0 00 00 00 01 00 00 02 d9 00 50 56 bc 8f 72 d0 d0 |.........PV..r..|
000000b0 fd 27 4e 47 08 00 45 00 02 cb 72 15 40 00 3f 06 |.'NG..E...r.@ .?.|
000000c0 75 35 ac 1f fe 98 ac 1f fb 0a ee 0a 00 50 18 1c |u5...........P..|
000000d0 c0 ec 3e 91 d2 23 80 18 10 15 28 3c 00 00 01 01 |..>..#....(<....|
000000e0 08 0a 39 f5 dd 29 71 48 16 ad 47 45 54 20 2f 77 |..9..)qH..GET /w|
000000f0 70 2d 61 64 6d 69 6e 2f 20 48 54 54 50 2f 31 2e |p-admin/ HTTP/1.|
00000100 31 0d 0a 48 6f 73 74 3a 20 77 77 77 2e 69 6e 73 |1..Host: www.ins|
00000110 65 63 75 72 65 2d 69 74 2e 63 6f 6d 0d 0a 43 6f |ecure-it.com..Co|
00000120 6e 6e 65 63 74 69 6f 6e 3a 20 6b 65 65 70 2d 61 |nnection: keep-a|
00000130 6c 69 76 65 0d 0a 55 70 67 72 61 64 65 2d 49 6e |live..Upgrade-In|
00000140 73 65 63 75 72 65 2d 52 65 71 75 65 73 74 73 3a |secure-Requests:|
00000150 20 31 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 | 1..User-Agent: |
00000160 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 4d 61 63 |Mozilla/5.0 (Mac|
00000170 69 6e 74 6f 73 68 3b 20 49 6e 74 65 6c 20 4d 61 |intosh; Intel Ma|
00000180 63 20 4f 53 20 58 20 31 30 5f 31 31 5f 35 29 20 |c OS X 10_11_5) |
00000190 41 70 70 6c 65 57 65 62 4b 69 74 2f 35 33 37 2e |AppleWebKit/537.|
000001a0 33 36 20 28 4b 48 54 4d 4c 2c 20 6c 69 6b 65 20 |36 (KHTML, like |
000001b0 47 65 63 6b 6f 29 20 43 68 72 6f 6d 65 2f 35 31 |Gecko) Chrome/51|
000001c0 2e 30 2e 32 37 30 34 2e 31 30 33 20 53 61 66 61 |.0.2704.103 Safa|
000001d0 72 69 2f 35 33 37 2e 33 36 0d 0a 41 63 63 65 70 |ri/537.36..Accep|
000001e0 74 3a 20 74 65 78 74 2f 68 74 6d 6c 2c 61 70 70 |t: text/html,app|
000001f0 6c 69 63 61 74 69 6f 6e 2f 78 68 74 6d 6c 2b 78 |lication/xhtml+x|
00000200 6d 6c 2c 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 |ml,application/x|
00000210 6d 6c 3b 71 3d 30 2e 39 2c 69 6d 61 67 65 2f 77 |ml;q=0.9,image/w|
00000220 65 62 70 2c 2a 2f 2a 3b 71 3d 30 2e 38 0d 0a 41 |ebp,*/*;q=0.8..A|
00000230 63 63 65 70 74 2d 45 6e 63 6f 64 69 6e 67 3a 20 |ccept-Encoding: |
00000240 67 7a 69 70 2c 20 64 65 66 6c 61 74 65 2c 20 73 |gzip, deflate, s|
00000250 64 63 68 0d 0a 41 63 63 65 70 74 2d 4c 61 6e 67 |dch..Accept-Lang|
00000260 75 61 67 65 3a 20 65 6e 2d 55 53 2c 65 6e 3b 71 |uage: en-US,en;q|
00000270 3d 30 2e 38 0d 0a 43 6f 6f 6b 69 65 3a 20 50 48 |=0.8..Cookie: PH|
00000280 50 53 45 53 53 49 44 3d 39 71 6e 67 62 76 74 6d |PSESSID=9qngbvtm|
00000290 32 71 6f 33 61 30 64 66 63 64 72 72 70 63 32 76 |2qo3a0dfcdrrpc2v|
000002a0 72 34 3b 20 77 6f 72 64 70 72 65 73 73 5f 74 65 |r4; wordpress_te|
000002b0 73 74 5f 63 6f 6f 6b 69 65 3d 57 50 2b 43 6f 6f |st_cookie=WP+Coo|
000002c0 6b 69 65 2b 63 68 65 63 6b 3b 20 4e 43 53 5f 49 |kie+check; NCS_I|
000002d0 4e 45 4e 54 49 4d 3d 31 34 36 36 38 36 32 39 31 |NENTIM=146686291|
000002e0 31 3b 20 4a 43 53 5f 49 4e 45 4e 54 49 4d 3d 31 |1; JCS_INENTIM=1|
000002f0 34 36 36 38 36 32 37 30 34 37 30 36 3b 20 33 38 |466862704706; 38|
00000300 39 61 65 32 31 30 30 34 30 61 62 37 35 30 63 31 |9ae210040ab750c1|
00000310 35 62 33 65 62 32 33 61 62 36 65 34 37 38 3d 39 |5b3eb23ab6e478=9|
00000320 30 30 37 61 65 61 35 36 66 61 61 34 34 61 66 32 |007aea56faa44af2|
00000330 62 38 61 61 33 37 33 64 66 65 33 31 62 37 66 3b |b8aa373dfe31b7f;|
00000340 20 53 4a 45 43 54 31 35 3d 43 4b 4f 4e 31 35 3b | SJECT15=CKON15;|
00000350 20 5f 67 61 3d 47 41 31 2e 32 2e 36 31 34 34 31 | _ga=GA1.2.61441|
00000360 34 36 32 32 2e 31 34 36 30 30 37 33 33 33 34 3b |4622.1460073334;|
00000370 20 4a 43 53 5f 49 4e 45 4e 52 45 46 3d 0d 0a 0d | JCS_INENREF=...|
00000380 0a 00 00 00 6f 00 00 00 7c 00 00 00 00 00 00 00 |....o...|.......|
00000390 02 57 6e 99 a4 00 0d 6f 42 00 0f 42 42 00 00 00 |.Wn....oB..BB...|
000003a0 01 00 00 00 01 00 00 00 1c 00 00 00 01 ac 1f fe |................|
000003b0 98 ac 1f fb 0a ee 0b 00 50 06 20 00 01 00 00 00 |........P. .....|
000003c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*

Thanks,
Avery
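Editor's note with an added example (not code from Avery's post, from Snort, or from Barnyard2). Two things in the dumps above are worth reading off directly. First, a lone `*` line in `hexdump` output is not a byte in the file: it means hexdump squeezed one or more lines identical to the line printed just before it, so in the 2.9.8.2 dump offsets 0x40 through 0x7f are all zero bytes. Second, the first Serial Unified2 Header differs between the two files: type 0x68 (104) with length 0x3c (60) in 2.9.8.0, versus type 0x6f (111) with length 0x7c (124) in 2.9.8.2, and 8 + 124 = 0x84 is exactly where the next type-2 packet record starts. A reader that only recognises type 104 and does not skip unknown types by their stated length will lose every event in the newer file. The parser below re-expands the `*`, walks records by length, decodes the 60-byte event fields shared by both types and the trailing 64-byte name field of type 111. The constant names are assumed to follow Snort's Unified2_common.h; the sample input is the first few lines of each dump from the post, constructed here as `hexdump -C` would print them.

```python
"""Rebuild bytes from `hexdump -C` text and walk Serial Unified2 records.
Added example, not code from the post or from Snort/Barnyard2."""
import struct
import ipaddress

# Record type numbers; the names are assumed from Snort's Unified2_common.h,
# the numeric values 104 and 111 are what the two dumps above carry.
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT_VLAN = 104    # Unified2IDSEvent: 60-byte body
UNIFIED2_IDS_EVENT_APPID = 111   # same fields plus a 64-byte app_name: 124-byte body

HDR = struct.Struct("!II")                  # Serial Unified2 Header: type, length
EVENT_FIXED = struct.Struct("!11I2H4BI2H")  # 60-byte Unified2IDSEvent body

# Constructed input: the first lines of each dump from the post, hexdump -C style.
DUMP_2980 = """\
00000000  00 00 00 68 00 00 00 3c 00 00 00 00 00 00 00 01  |...h...<........|
00000010  56 df 51 72 00 08 8d 7e 00 00 3f ad 00 00 00 01  |V.Qr...~..?.....|
00000020  00 00 00 0e 00 00 00 09 00 00 00 01 42 3d aa 62  |............B=.b|
00000030  c0 a8 ac 20 00 50 11 91 06 20 00 01 00 00 00 00  |... .P... ......|
00000040  00 00 00 00 00 00 00 02 00 00 05 b6 00 00 00 00  |................|
"""
DUMP_2982 = """\
00000000  00 00 00 6f 00 00 00 7c 00 00 00 00 00 00 00 01  |...o...|........|
00000010  57 6e 99 a4 00 0d 69 33 00 0f 42 42 00 00 00 01  |Wn....i3..BB....|
00000020  00 00 00 01 00 00 00 1c 00 00 00 01 ac 1f fe 98  |................|
00000030  ac 1f fb 0a ee 0a 00 50 06 20 00 01 00 00 00 00  |.......P. ......|
00000040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
*
00000080  00 00 00 00 00 00 00 02 00 00 02 f5 00 00 00 00  |................|
"""


def hexdump_to_bytes(text):
    """Turn `hexdump -C` text back into bytes. A lone '*' line means hexdump
    squeezed lines identical to the previous one; they are re-expanded up to
    the offset of the next printed line."""
    out = bytearray()
    last = b""
    squeezed = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line == "*":
            squeezed = True
            continue
        fields = line.split("|", 1)[0].split()   # drop the ASCII column
        offset = int(fields[0], 16)
        chunk = bytes(int(h, 16) for h in fields[1:])
        if squeezed:
            if not last:
                raise ValueError("'*' with no preceding line to repeat")
            while len(out) < offset:
                out += last
            squeezed = False
        if len(out) != offset:
            raise ValueError("offset %#x does not follow %#x" % (offset, len(out)))
        out += chunk
        last = chunk
    return bytes(out)


def parse_records(data):
    """Walk Serial Unified2 records. Unknown types are skipped by their stated
    length so the reader never loses sync; a record cut short by the end of the
    data is reported as truncated instead of being silently dropped."""
    records = []
    off = 0
    while off + HDR.size <= len(data):
        rtype, length = HDR.unpack_from(data, off)
        body = data[off + HDR.size: off + HDR.size + length]
        rec = {"offset": off, "type": rtype, "length": length}
        if len(body) < length:
            rec["truncated"] = True
            records.append(rec)
            break
        if rtype in (UNIFIED2_IDS_EVENT_VLAN, UNIFIED2_IDS_EVENT_APPID):
            f = EVENT_FIXED.unpack_from(body)
            rec.update(
                sensor_id=f[0], event_id=f[1], event_second=f[2],
                signature_id=f[4], generator_id=f[5], signature_revision=f[6],
                classification_id=f[7], priority_id=f[8],
                src=str(ipaddress.IPv4Address(f[9])),
                dst=str(ipaddress.IPv4Address(f[10])),
                sport_itype=f[11], dport_icode=f[12], protocol=f[13],
                impact_flag=f[14], blocked=f[16], mpls_label=f[17], vlan_id=f[18],
            )
            if rtype == UNIFIED2_IDS_EVENT_APPID:
                # 64-byte NUL-padded application name; empty here since appid is off
                rec["app_name"] = body[60:124].split(b"\0", 1)[0].decode("ascii", "replace")
        records.append(rec)
        off += HDR.size + length
    return records


if __name__ == "__main__":
    for label, dump in (("2.9.8.0", DUMP_2980), ("2.9.8.2", DUMP_2982)):
        for rec in parse_records(hexdump_to_bytes(dump)):
            print(label, rec)
```

Run as a script it prints one decoded type-104 event for the 2.9.8.0 sample and one type-111 event for the 2.9.8.2 sample, each followed by the truncated type-2 packet header that the sample cuts off. The point for anyone maintaining a u2 reader is in `parse_records`: dispatch on type, but always advance by `8 + length`, so a record type added in a newer Snort shows up as "unknown type N" rather than as missing events.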
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- u2 format differences from 2.9.8.0 to 2.9.8.2 Avery Rozar (Jun 25)
- Re: u2 format differences from 2.9.8.0 to 2.9.8.2 Y M (Jun 25)
- Re: u2 format differences from 2.9.8.0 to 2.9.8.2 Avery Rozar (Jun 25)
- Re: u2 format differences from 2.9.8.0 to 2.9.8.2 Avery Rozar (Jun 25)
- Re: u2 format differences from 2.9.8.0 to 2.9.8.2 Avery Rozar (Jun 25)
- Re: u2 format differences from 2.9.8.0 to 2.9.8.2 Y M (Jun 25)