Snort mailing list archives

Double logging in alert_fast

From: Zultan <zultan () mad scientist com>
Date: Fri, 16 Sep 2005 04:22:03 +0000
I know ASCII logging bad, and that binary logging would be much better for this, but still, I need to do it.   Also 
according to the archives, this was an issue before 1.8.1.

While trying to grab entire TCP sessions with a hostile IP, it logs each packet twice after the 3way handshake.  
Running 2.4 and testing from the command line with:

snort -d -i eth0 -l ./log -m 027 -y -c ./host-svr.rules

----------------
host-svr.rules is:
----------------

var HOME_NET [x.x.x.x/32]
var EXTERNAL_NET any
include ./class.config
output alert_fast: alert

var HOSTILE_SVRS [IPaddress/32]

alert tcp $HOME_NET any -> $HOSTILE_SVRS any (msg:"SYN to HOSTILE server";flags:S;)
alert tcp $HOSTILE_SVRS any -> $HOME_NET any (msg:"SYN/ACK from HOSTILE server"; flags:SA;)
log tcp $HOSTILE_SVRS any <>  $HOME_NET any (flow:established; tag:session,5000,packets;)

------------
ASCII log sample, note the timestamps
------------

[**] SYN to HOSTILE server [**]
09/16/05-12:46:04.475880 x.x.x.x:x -> x.x.x.x:x
TCP TTL:64 TOS:0x0 ID:43668 IpLen:20 DgmLen:60 DF
******S* Seq: 0x1C795A8  Ack: 0x0  Win: 0x16D0  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 350830396 0 NOP WS: 2

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] SYN/ACK from HOSTILE server [**]
09/16/05-12:46:04.478810 x.x.x.x:x -> x.x.x.x:x
TCP TTL:61 TOS:0x0 ID:0 IpLen:20 DgmLen:60 DF
***A**S* Seq: 0x3A06EAD6  Ack: 0x1C795A9  Win: 0x16A0  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 289010954 350830396 NOP
TCP Options => WS: 0

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/16/05-12:46:04.478868 x.x.x.x:x -> x.x.x.x:x
TCP TTL:64 TOS:0x0 ID:43670 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x1C795A9  Ack: 0x3A06EAD7  Win: 0x5B4  TcpLen: 32
TCP Options (3) => NOP NOP TS: 350830399 289010954

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] Tagged Packet [**]
09/16/05-12:46:04.482715 x.x.x.x:x -> x.x.x.x:x
TCP TTL:64 TOS:0x0 ID:43672 IpLen:20 DgmLen:172 DF
***AP*** Seq: 0x1C795A9  Ack: 0x3A06EAD7  Win: 0x5B4  TcpLen: 32
TCP Options (3) => NOP NOP TS: 350830403 289010954
16 03 01 00 73 01 00 00 6F 03 01 00 17 D1 64 08  ....s...o.....d.
F0 DC 67 77 A6 60 BD 1B 2B C6 70 73 01 7A A8 81  ..gw.`..+.ps.z..
CB 80 29 16 F4 06 E0 18 99 57 7B 20 6C 25 C2 3F  ..)......W{ l%.?
C1 CA FE 1D 5B 6F CE D5 63 E2 12 63 0C F8 2F 92  ....[o..c..c../.
72 A3 F9 88 74 5A E3 AA D2 92 CB FE 00 28 00 39  r...tZ.......(.9
00 38 00 35 00 33 00 32 00 04 00 05 00 2F 00 16  .8.5.3.2...../..
00 13 FE FF 00 0A 00 15 00 12 FE FE 00 09 00 64  ...............d
00 62 00 03 00 06 01 00                          .b......

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/16/05-12:46:04.482715 x.x.x.x:x -> x.x.x.x:x
TCP TTL:64 TOS:0x0 ID:43672 IpLen:20 DgmLen:172 DF
***AP*** Seq: 0x1C795A9  Ack: 0x3A06EAD7  Win: 0x5B4  TcpLen: 32
TCP Options (3) => NOP NOP TS: 350830403 289010954
16 03 01 00 73 01 00 00 6F 03 01 00 17 D1 64 08  ....s...o.....d.
F0 DC 67 77 A6 60 BD 1B 2B C6 70 73 01 7A A8 81  ..gw.`..+.ps.z..
CB 80 29 16 F4 06 E0 18 99 57 7B 20 6C 25 C2 3F  ..)......W{ l%.?
C1 CA FE 1D 5B 6F CE D5 63 E2 12 63 0C F8 2F 92  ....[o..c..c../.
72 A3 F9 88 74 5A E3 AA D2 92 CB FE 00 28 00 39  r...tZ.......(.9
00 38 00 35 00 33 00 32 00 04 00 05 00 2F 00 16  .8.5.3.2...../..
00 13 FE FF 00 0A 00 15 00 12 FE FE 00 09 00 64  ...............d
00 62 00 03 00 06 01 00                          .b......

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] Tagged Packet [**]
09/16/05-12:46:04.485052 x.x.x.x:x -> x.x.x.x:x
TCP TTL:61 TOS:0x0 ID:8156 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x3A06EAD7  Ack: 0x1C79621  Win: 0x16A0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 289010955 350830403

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/16/05-12:46:04.485052 x.x.x.x:x -> x.x.x.x:x
TCP TTL:61 TOS:0x0 ID:8156 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x3A06EAD7  Ack: 0x1C79621  Win: 0x16A0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 289010955 350830403

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] Tagged Packet [**]
09/16/05-12:46:04.485627 x.x.x.x:x -> x.x.x.x:x
TCP TTL:61 TOS:0x0 ID:8157 IpLen:20 DgmLen:190 DF
***AP*** Seq: 0x3A06EAD7  Ack: 0x1C79621  Win: 0x16A0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 289010955 350830403
16 03 01 00 4A 02 00 00 46 03 01 43 2A 3F FC 5A  ....J...F..C*?.Z
50 74 31 9F 8D F3 8F 57 9E 4D DD 62 A4 4C 5F 71  Pt1....W.M.b.L_q
9E B9 0A 4B FC 9B E2 A2 39 DE 7D 20 6C 25 C2 3F  ...K....9.} l%.?
C1 CA FE 1D 5B 6F CE D5 63 E2 12 63 0C F8 2F 92  ....[o..c..c../.
72 A3 F9 88 74 5A E3 AA D2 92 CB FE 00 39 00 14  r...tZ.......9..
03 01 00 01 01 16 03 01 00 30 74 05 1B A4 A5 CC  .........0t.....
E9 17 8A 4A B8 94 EE CC 82 28 90 07 16 44 B7 FE  ...J.....(...D..
3C F0 72 48 48 89 AE EB D4 1A E0 C5 E5 2F F1 CE  <.rHH......../..
BD F2 72 56 41 8E D1 94 CA E4                    ..rVA.....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/16/05-12:46:04.485627 x.x.x.x:x -> x.x.x.x:x
TCP TTL:61 TOS:0x0 ID:8157 IpLen:20 DgmLen:190 DF
***AP*** Seq: 0x3A06EAD7  Ack: 0x1C79621  Win: 0x16A0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 289010955 350830403
16 03 01 00 4A 02 00 00 46 03 01 43 2A 3F FC 5A  ....J...F..C*?.Z
50 74 31 9F 8D F3 8F 57 9E 4D DD 62 A4 4C 5F 71  Pt1....W.M.b.L_q
9E B9 0A 4B FC 9B E2 A2 39 DE 7D 20 6C 25 C2 3F  ...K....9.} l%.?
C1 CA FE 1D 5B 6F CE D5 63 E2 12 63 0C F8 2F 92  ....[o..c..c../.
72 A3 F9 88 74 5A E3 AA D2 92 CB FE 00 39 00 14  r...tZ.......9..
03 01 00 01 01 16 03 01 00 30 74 05 1B A4 A5 CC  .........0t.....
E9 17 8A 4A B8 94 EE CC 82 28 90 07 16 44 B7 FE  ...J.....(...D..
3C F0 72 48 48 89 AE EB D4 1A E0 C5 E5 2F F1 CE  <.rHH......../..
BD F2 72 56 41 8E D1 94 CA E4                    ..rVA.....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+




-- 
___________________________________________________________
Sign-up for Ads Free at Mail.com
http://promo.mail.com/adsfreejump.htm



-------------------------------------------------------
SF.Net email is sponsored by:
Tame your development challenges with Apache's Geronimo App Server. Download
it for free - -and be entered to win a 42" plasma tv or your very own
Sony(tm)PSP.  Click here to play: http://sourceforge.net/geronimo.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:

Double logging in alert_fast Zultan (Sep 15)