Snort mailing list archives
Double logging in alert_fast
From: Zultan <zultan () mad scientist com>
Date: Fri, 16 Sep 2005 04:22:03 +0000
I know ASCII logging is bad, and that binary logging would be much better for this, but still, I need to do it. Also according to the archives, this was an issue before 1.8.1. While trying to grab entire TCP sessions with a hostile IP, it logs each packet twice after the 3-way handshake.

Running 2.4 and testing from the command line with:

snort -d -i eth0 -l ./log -m 027 -y -c ./host-svr.rules

----------------
host-svr.rules is:
----------------
var HOME_NET [x.x.x.x/32]
var EXTERNAL_NET any
include ./class.config
output alert_fast: alert
var HOSTILE_SVRS [IPaddress/32]
alert tcp $HOME_NET any -> $HOSTILE_SVRS any (msg:"SYN to HOSTILE server";flags:S;)
alert tcp $HOSTILE_SVRS any -> $HOME_NET any (msg:"SYN/ACK from HOSTILE server"; flags:SA;)
log tcp $HOSTILE_SVRS any <> $HOME_NET any (flow:established; tag:session,5000,packets;)

------------
ASCII log sample, note the timestamps
------------
[**] SYN to HOSTILE server [**]
09/16/05-12:46:04.475880 x.x.x.x:x -> x.x.x.x:x
TCP TTL:64 TOS:0x0 ID:43668 IpLen:20 DgmLen:60 DF
******S* Seq: 0x1C795A8  Ack: 0x0  Win: 0x16D0  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 350830396 0 NOP WS: 2
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] SYN/ACK from HOSTILE server [**]
09/16/05-12:46:04.478810 x.x.x.x:x -> x.x.x.x:x
TCP TTL:61 TOS:0x0 ID:0 IpLen:20 DgmLen:60 DF
***A**S* Seq: 0x3A06EAD6  Ack: 0x1C795A9  Win: 0x16A0  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 289010954 350830396 NOP
TCP Options => WS: 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/16/05-12:46:04.478868 x.x.x.x:x -> x.x.x.x:x
TCP TTL:64 TOS:0x0 ID:43670 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x1C795A9  Ack: 0x3A06EAD7  Win: 0x5B4  TcpLen: 32
TCP Options (3) => NOP NOP TS: 350830399 289010954
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] Tagged Packet [**]
09/16/05-12:46:04.482715 x.x.x.x:x -> x.x.x.x:x
TCP TTL:64 TOS:0x0 ID:43672 IpLen:20 DgmLen:172 DF
***AP*** Seq: 0x1C795A9  Ack: 0x3A06EAD7  Win: 0x5B4  TcpLen: 32
TCP Options (3) => NOP NOP TS: 350830403 289010954
16 03 01 00 73 01 00 00 6F 03 01 00 17 D1 64 08  ....s...o.....d.
F0 DC 67 77 A6 60 BD 1B 2B C6 70 73 01 7A A8 81  ..gw.`..+.ps.z..
CB 80 29 16 F4 06 E0 18 99 57 7B 20 6C 25 C2 3F  ..)......W{ l%.?
C1 CA FE 1D 5B 6F CE D5 63 E2 12 63 0C F8 2F 92  ....[o..c..c../.
72 A3 F9 88 74 5A E3 AA D2 92 CB FE 00 28 00 39  r...tZ.......(.9
00 38 00 35 00 33 00 32 00 04 00 05 00 2F 00 16  .8.5.3.2...../..
00 13 FE FF 00 0A 00 15 00 12 FE FE 00 09 00 64  ...............d
00 62 00 03 00 06 01 00                          .b......
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/16/05-12:46:04.482715 x.x.x.x:x -> x.x.x.x:x
TCP TTL:64 TOS:0x0 ID:43672 IpLen:20 DgmLen:172 DF
***AP*** Seq: 0x1C795A9  Ack: 0x3A06EAD7  Win: 0x5B4  TcpLen: 32
TCP Options (3) => NOP NOP TS: 350830403 289010954
16 03 01 00 73 01 00 00 6F 03 01 00 17 D1 64 08  ....s...o.....d.
F0 DC 67 77 A6 60 BD 1B 2B C6 70 73 01 7A A8 81  ..gw.`..+.ps.z..
CB 80 29 16 F4 06 E0 18 99 57 7B 20 6C 25 C2 3F  ..)......W{ l%.?
C1 CA FE 1D 5B 6F CE D5 63 E2 12 63 0C F8 2F 92  ....[o..c..c../.
72 A3 F9 88 74 5A E3 AA D2 92 CB FE 00 28 00 39  r...tZ.......(.9
00 38 00 35 00 33 00 32 00 04 00 05 00 2F 00 16  .8.5.3.2...../..
00 13 FE FF 00 0A 00 15 00 12 FE FE 00 09 00 64  ...............d
00 62 00 03 00 06 01 00                          .b......
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] Tagged Packet [**]
09/16/05-12:46:04.485052 x.x.x.x:x -> x.x.x.x:x
TCP TTL:61 TOS:0x0 ID:8156 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x3A06EAD7  Ack: 0x1C79621  Win: 0x16A0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 289010955 350830403
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/16/05-12:46:04.485052 x.x.x.x:x -> x.x.x.x:x
TCP TTL:61 TOS:0x0 ID:8156 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x3A06EAD7  Ack: 0x1C79621  Win: 0x16A0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 289010955 350830403
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] Tagged Packet [**]
09/16/05-12:46:04.485627 x.x.x.x:x -> x.x.x.x:x
TCP TTL:61 TOS:0x0 ID:8157 IpLen:20 DgmLen:190 DF
***AP*** Seq: 0x3A06EAD7  Ack: 0x1C79621  Win: 0x16A0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 289010955 350830403
16 03 01 00 4A 02 00 00 46 03 01 43 2A 3F FC 5A  ....J...F..C*?.Z
50 74 31 9F 8D F3 8F 57 9E 4D DD 62 A4 4C 5F 71  Pt1....W.M.b.L_q
9E B9 0A 4B FC 9B E2 A2 39 DE 7D 20 6C 25 C2 3F  ...K....9.} l%.?
C1 CA FE 1D 5B 6F CE D5 63 E2 12 63 0C F8 2F 92  ....[o..c..c../.
72 A3 F9 88 74 5A E3 AA D2 92 CB FE 00 39 00 14  r...tZ.......9..
03 01 00 01 01 16 03 01 00 30 74 05 1B A4 A5 CC  .........0t.....
E9 17 8A 4A B8 94 EE CC 82 28 90 07 16 44 B7 FE  ...J.....(...D..
3C F0 72 48 48 89 AE EB D4 1A E0 C5 E5 2F F1 CE  <.rHH......../..
BD F2 72 56 41 8E D1 94 CA E4                    ..rVA.....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/16/05-12:46:04.485627 x.x.x.x:x -> x.x.x.x:x
TCP TTL:61 TOS:0x0 ID:8157 IpLen:20 DgmLen:190 DF
***AP*** Seq: 0x3A06EAD7  Ack: 0x1C79621  Win: 0x16A0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 289010955 350830403
16 03 01 00 4A 02 00 00 46 03 01 43 2A 3F FC 5A  ....J...F..C*?.Z
50 74 31 9F 8D F3 8F 57 9E 4D DD 62 A4 4C 5F 71  Pt1....W.M.b.L_q
9E B9 0A 4B FC 9B E2 A2 39 DE 7D 20 6C 25 C2 3F  ...K....9.} l%.?
C1 CA FE 1D 5B 6F CE D5 63 E2 12 63 0C F8 2F 92  ....[o..c..c../.
72 A3 F9 88 74 5A E3 AA D2 92 CB FE 00 39 00 14  r...tZ.......9..
03 01 00 01 01 16 03 01 00 30 74 05 1B A4 A5 CC  .........0t.....
E9 17 8A 4A B8 94 EE CC 82 28 90 07 16 44 B7 FE  ...J.....(...D..
3C F0 72 48 48 89 AE EB D4 1A E0 C5 E5 2F F1 CE  <.rHH......../..
BD F2 72 56 41 8E D1 94 CA E4                    ..rVA.....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
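As an added example that is not part of the original post or of Snort itself: a small Python checker that parses the ASCII packet log layout shown above and reports records written more than once, treating timestamp (to the microsecond), IP ID and the two endpoints as the identity of one captured packet. This is the check a defender would run to confirm that the extra records really are byte-for-byte repeats of the same packet rather than a retransmission on the wire. The separator line, the "[**] msg [**]" line and the "TCP TTL:... ID:... DgmLen:..." line follow the post's sample; SAMPLE_LOG is a constructed, abbreviated copy of that sample with the hex payload dumps dropped and a shorter separator (the parser accepts any length).

```python
"""Find packet records written more than once in a Snort ASCII packet log.

Added example, not code from the original post or from the Snort project.
It assumes the record layout visible in the post: records separated by a
line of "=+=+...", an optional "[**] msg [**]" line, a timestamp/endpoint
line, and a "TCP TTL:... ID:... DgmLen:..." line.
"""
import re
from collections import Counter

# Record separator as written by the ASCII packet dump (any number of "=+").
SEPARATOR_RE = re.compile(r"^(?:=\+)+=?$", re.MULTILINE)
# "[**] SYN to HOSTILE server [**]" (absent on the second copy of a packet)
MSG_RE = re.compile(r"^\[\*\*\] (?P<msg>.*?) \[\*\*\]$", re.MULTILINE)
# "09/16/05-12:46:04.475880 x.x.x.x:x -> x.x.x.x:x"
HEADER_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d\d-\d\d:\d\d:\d\d\.\d{6}) "
    r"(?P<src>\S+) -> (?P<dst>\S+)$", re.MULTILINE)
# "TCP TTL:64 TOS:0x0 ID:43668 IpLen:20 DgmLen:60 DF"
IPHDR_RE = re.compile(
    r"^TCP TTL:(?P<ttl>\d+) TOS:\S+ ID:(?P<ipid>\d+) IpLen:\d+ DgmLen:(?P<dgmlen>\d+)",
    re.MULTILINE)

# Constructed sample: the post's records, hex dumps omitted, short separator.
SAMPLE_LOG = """\
[**] SYN to HOSTILE server [**]
09/16/05-12:46:04.475880 x.x.x.x:x -> x.x.x.x:x
TCP TTL:64 TOS:0x0 ID:43668 IpLen:20 DgmLen:60 DF
=+=+=+=+=+=+=+=+=+=+=+=+
[**] SYN/ACK from HOSTILE server [**]
09/16/05-12:46:04.478810 x.x.x.x:x -> x.x.x.x:x
TCP TTL:61 TOS:0x0 ID:0 IpLen:20 DgmLen:60 DF
=+=+=+=+=+=+=+=+=+=+=+=+
09/16/05-12:46:04.478868 x.x.x.x:x -> x.x.x.x:x
TCP TTL:64 TOS:0x0 ID:43670 IpLen:20 DgmLen:52 DF
=+=+=+=+=+=+=+=+=+=+=+=+
[**] Tagged Packet [**]
09/16/05-12:46:04.482715 x.x.x.x:x -> x.x.x.x:x
TCP TTL:64 TOS:0x0 ID:43672 IpLen:20 DgmLen:172 DF
16 03 01 00 73 01 00 00 6F 03 01 00 17 D1 64 08  ....s...o.....d.
=+=+=+=+=+=+=+=+=+=+=+=+
09/16/05-12:46:04.482715 x.x.x.x:x -> x.x.x.x:x
TCP TTL:64 TOS:0x0 ID:43672 IpLen:20 DgmLen:172 DF
16 03 01 00 73 01 00 00 6F 03 01 00 17 D1 64 08  ....s...o.....d.
=+=+=+=+=+=+=+=+=+=+=+=+
[**] Tagged Packet [**]
09/16/05-12:46:04.485052 x.x.x.x:x -> x.x.x.x:x
TCP TTL:61 TOS:0x0 ID:8156 IpLen:20 DgmLen:52 DF
=+=+=+=+=+=+=+=+=+=+=+=+
09/16/05-12:46:04.485052 x.x.x.x:x -> x.x.x.x:x
TCP TTL:61 TOS:0x0 ID:8156 IpLen:20 DgmLen:52 DF
=+=+=+=+=+=+=+=+=+=+=+=+
[**] Tagged Packet [**]
09/16/05-12:46:04.485627 x.x.x.x:x -> x.x.x.x:x
TCP TTL:61 TOS:0x0 ID:8157 IpLen:20 DgmLen:190 DF
=+=+=+=+=+=+=+=+=+=+=+=+
09/16/05-12:46:04.485627 x.x.x.x:x -> x.x.x.x:x
TCP TTL:61 TOS:0x0 ID:8157 IpLen:20 DgmLen:190 DF
=+=+=+=+=+=+=+=+=+=+=+=+
"""


def parse_records(text):
    """Split the log on separator lines and pull the header fields of each record."""
    records = []
    for chunk in SEPARATOR_RE.split(text):
        hdr = HEADER_RE.search(chunk)
        ip = IPHDR_RE.search(chunk)
        if not hdr or not ip:
            continue  # leading noise or trailing empty chunk
        msg = MSG_RE.search(chunk)
        records.append({
            "msg": msg.group("msg") if msg else "",
            "ts": hdr.group("ts"), "src": hdr.group("src"), "dst": hdr.group("dst"),
            "ipid": int(ip.group("ipid")), "dgmlen": int(ip.group("dgmlen")),
        })
    return records


def record_key(rec):
    """Identity of one captured packet: same microsecond, IP ID and endpoints."""
    return (rec["ts"], rec["ipid"], rec["src"], rec["dst"])


def find_duplicates(records):
    """Map packet key -> number of copies, for keys written more than once."""
    counts = Counter(record_key(r) for r in records)
    return {k: n for k, n in counts.items() if n > 1}


def dedupe(records):
    """Keep the first copy of each packet (the one carrying the [**] msg line)."""
    seen, unique = set(), []
    for rec in records:
        key = record_key(rec)
        if key not in seen:
            seen.add(key)
            unique.append(rec)
    return unique


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for (ts, ipid, src, dst), n in find_duplicates(recs).items():
        print(f"{ts} ID:{ipid} {src} -> {dst} written {n} times")
    print(f"{len(recs)} records, {len(dedupe(recs))} unique packets")
```

Run against a real log directory by reading the ASCII file into `parse_records` instead of `SAMPLE_LOG`. On the post's sample the three handshake packets appear once and each tagged packet twice, with an identical timestamp and IP ID on both copies, which is what rules out a retransmission; `dedupe` keeps the first copy so the "Tagged Packet" message line survives.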