Snort mailing list archives
Re: log_unified: no IP data for some events
From: Tomás Heredia <tomas.heredia () activesec biz>
Date: Fri, 05 Jun 2009 18:41:15 -0300
And even some more data: this is Barnyard's log_dump output for some of the events:

-----------
[**] [1:3656:4] SMTP MAIL overflow attempt [**]
[Classification: Attempted Information Leak] [Priority: 1]
[Xref => http://www.securityfocus.com/bid/11238] [Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-1546]
Event ID: 72 Event Reference: 72
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
-------------------

As you can see, there is no IP data. But other rules work OK:

---------------
[**] [1:2418:4] MISC MS Terminal Server no encryption session initiation attempt [**]
[Classification: Unknown Traffic] [Priority: 2]
[Xref => http://www.microsoft.com/technet/security/bulletin/MS01-052.mspx]
Event ID: 119 Event Reference: 119
05/30/09-23:32:22.761966 10.1.1.2:1052 -> 10.0.1.7:3389
TCP TTL:127 TOS:0x0 ID:433 IpLen:20 DgmLen:468 DF
***AP*** Seq: 0x2C734146 Ack: 0x6E9A1945 Win: 0xFFEC TcpLen: 20
03 00 01 AC 02 F0 80 7F 65 82 01 A0 04 01 01 04 ........e.......
...
63 6C 69 70 72 64 72 00 00 00 A0 C0 cliprdr.....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
-----------------------------

Best regards,
Tomas

Tomás Heredia wrote:
I've been looking a little into that host, and I found Barnyard is having these errors:

Unknown Network header (0x1FAC)...
Unknown Network header (0x1FAC)...
Unknown Network header (0xA)...
Unknown Network header (0xA)...
Unknown Network header (0xA)...
Unknown Network header (0xA)...
Unknown Network header (0x20A)...
Unknown Network header (0x20A)...
Unknown Network header (0xA)...
Unknown Network header (0xA)...
Unknown Network header (0xA)...
Unknown Network header (0xA)...
Unknown Network header (0xA)...
Unknown Network header (0xA)...
Unknown Network header (0xA)...
Unknown Network header (0xA)...
Unknown Network header (0xA)...

I haven't found anything about them.

Best regards
Tomás

Tomás Heredia wrote:

For example:

mysql> select max(event.cid), sig_sid, sig_name, count(event.cid)
    from event
    left join iphdr on (event.sid = iphdr.sid and event.cid = iphdr.cid)
    inner join signature on (signature.sig_id = event.signature)
    where ip_src is null
    group by sig_id;
+----------------+---------+--------------------------------------------------------------+------------------+
| max(event.cid) | sig_sid | sig_name                                                     | count(event.cid) |
+----------------+---------+--------------------------------------------------------------+------------------+
|        3685058 |       1 | tag: Tagged Packet                                           |           221711 |
...
|        1970797 |    1079 | WEB-MISC WebDAV propfind access                              |                2 |

sig_sid=1 is no problem. sid 1079 is one of the offending ones (it happens both for standard and for binary rules).

Cheers!

Joel Esler wrote:

Can you provide a link to a screenshot?

Sent from my iPhone

On Jun 5, 2009, at 3:30 PM, Tomás Heredia <tomas.heredia () activesec biz> wrote:

Hi all,

I'm using Barnyard (0.2) to send snort 2.8.0 inline (I know, I indeed want to upgrade) log_unified data to an acid_db. Sometimes, and for some rules (not much in common among them), iphdr data is not recorded in the database (once it starts missing iphdr data for a rule, it keeps missing it for newer events). Other rules keep reporting OK.

Other tools (like snort-unified-perl) don't show iphdr data in the unified log either. It's quite annoying, especially when the involved rules are dropping packets.

Is this a known problem? Does anyone know if it was resolved in a newer release?

Best regards,
Tomás

------------------------------------------------------------------------------
OpenSolaris 2009.06 is a cutting edge operating system for enterprises looking to deploy the next generation of Solaris that includes the latest innovations from Sun and the OpenSource community. Download a copy and enjoy capabilities such as Networking, Storage and Virtualization. Go to: http://p.sf.net/sfu/opensolaris-get
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
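The poster's query lists which signatures have events without an iphdr row. The following query, an added example that is not from the thread, goes one step further on the same ACID/BASE schema (event, iphdr, signature tables as used above): for each sensor and signature it reports the last cid that still carried IP data next to the first cid that lacked it, so you can check whether IP data stops at one point and never returns (as the poster describes) or is missing at random. It assumes the standard column names from the poster's query and skips sig_sid 1 (tag: Tagged Packet), which the poster says is expected to have no iphdr.

```sql
-- Added example (not from the thread). Same schema as the poster's query:
--   event(sid, cid, signature), iphdr(sid, cid, ip_src, ...), signature(sig_id, sig_sid, sig_name)
-- cid counters are per sensor, so sid is part of the grouping.
SELECT e.sid,
       s.sig_sid,
       s.sig_name,
       MAX(CASE WHEN i.cid IS NOT NULL THEN e.cid END) AS last_cid_with_ip,
       MIN(CASE WHEN i.cid IS NULL     THEN e.cid END) AS first_cid_without_ip,
       SUM(CASE WHEN i.cid IS NULL THEN 1 ELSE 0 END)   AS events_without_ip,
       COUNT(*)                                          AS events_total
FROM event e
JOIN signature s      ON s.sig_id = e.signature
LEFT JOIN iphdr i     ON i.sid = e.sid AND i.cid = e.cid
WHERE s.sig_sid <> 1                     -- tagged packets carry no iphdr by design
GROUP BY e.sid, s.sig_sid, s.sig_name
HAVING SUM(CASE WHEN i.cid IS NULL THEN 1 ELSE 0 END) > 0
ORDER BY events_without_ip DESC;
```

A row where last_cid_with_ip is lower than first_cid_without_ip means IP data stopped cleanly at that cid and never came back for that rule; rows where the two overlap point to intermittent loss instead, which would suggest a different cause than the one the poster describes.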