Snort mailing list archives

Re: snort is logging alerts but not capturing corresponding packets for some rules


From: "Kumar, Mahendra" <mkumar () intacct com>
Date: Tue, 26 Apr 2011 22:25:20 +0000

Hi Joel,
Can I capture packets in tcpdump mode in snort.log and simultaneously in unified format in some other file? If yes, how 
can I do that, so that I can compare and see whether the packets missing from snort.log (tcpdump) are in fact logged in 
unified format?
Thanks

From: Joel Esler [mailto:jesler () sourcefire com]
Sent: Tuesday, April 26, 2011 10:49 AM
To: Agustin Roca
Cc: snort-users () lists sourceforge net; Jason Brvenik
Subject: Re: [Snort-users] snort is logging alerts but not capturing corresponding packets for some rules

-A cmg on the command line as the alert method.
On Tue, Apr 26, 2011 at 1:48 PM, Agustin Roca <agustin.roca () globant com> wrote:
Nice explanation Joel. Which snort flag/option can I use to see the Stream reassembled packet info?

2011/4/26 Joel Esler <jesler () sourcefire com>
Actually, Jason is right.  The alert is generated on the pseudo packet; this is correct functionality, so I've closed 
the bug.

So, James, using the pcap you gave me, I'll get rid of the IPs in the cut and paste here, but I'll make BOLD the line 
that indicates that the alert is actually on the pseudo packet, and not the individual packet.

snort -c snort.conf -r missed.pcap -A cmg -q

04/26-10:37:43.307954  [**] [1:12280:3] WEB-CLIENT Microsoft Internet Explorer VML source file memory corruption 
attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} x.x.x.x:80 -> x.x.x.x:31390
Stream reassembled packet

Above, where it says "Stream reassembled packet" is your indication that the alert was not in fact on one packet, but 
on the reassembly of the packets.  We call this the pseudo packet.

If you output from Snort in Unified format, you have access to these packets.

J


On Tue, Apr 26, 2011 at 1:09 PM, Lay, James <james.lay () wincofoods com> wrote:
Thanks for the response Jason...I ended up working with Joel on this and he has put in a bug fix.  Thanks again.

James

From: Jason Brvenik [mailto:jbrvenik () sourcefire com]
Sent: Monday, April 25, 2011 5:14 PM
To: Lay, James; Kumar, Mahendra
Subject: Re: [Snort-users] snort is logging alerts but not capturing corresponding packets for some rules


I would suspect that the event fires on pseudo packets, reassembled or normalized traffic. Can you enable unified2 and 
see if it is also missing there?
On Apr 25, 2011 6:58 PM, "Lay, James" <james.lay () wincofoods com> wrote:


From: Kumar, Mahendra [mailto:mkumar () intacct com]
Sent: Monday, April 25, 2011 3:50 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] snort is logging alerts but not capturing corresponding packets for some rules

Hi,

I am using snort-2.9.0.5 with daq-0.5-9 and libpcap1-1.1.1-9 on Centos
5.5 (x86_64). I am not using any other thing like unified2, base,
barnyard, mysql etc.

My snort is working properly and I am getting alerts and packet captures
in snort.log in tcpdump format.

But for some rules (e.g. SHELLCODE sid:1394) I get the alert logged but
there is no packet capture in snort.log and it is very consistent
behavior, i.e. I will never get packet captures for some of the rules
but will always get alert so it is not a packet drop problem. It seems
to be a config issue where the alert is logged but no packet captures.

Please help me resolve this issue.

Thanks,

MK

Welcome to my world...I've submitted this exact same item a few
times....seems to be a mystery. I have snort boxes in a few different
sites on a few different OS's....same thing though...I get the alert in
the .fast file, but certain things just do not log to the pcap. I've
had to work around this with full web traffic packet captures. The
machines aren't even close to maxing CPU or memory, but the problem
still persists. If anyone has some advice I'd love to hear it.

James

------------------------------------------------------------------------------
WhatsUp Gold - Download Free Network Management Software
The most intuitive, comprehensive, and cost-effective network
management toolset available today.  Delivers lowest initial
acquisition cost and overall TCO of any competing solution.
http://p.sf.net/sfu/whatsupgold-sd
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



--
Agustin Roca
Information Security Team
agustin.roca () globant com
work: 54+(011) 4109.1700 ext. 8098
cel: 54+(011)15-5022-3042

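As an added example (not from the thread or from the Snort project) of the comparison Mahendra asks for: with `output log_tcpdump: snort.log` and `output unified2: filename snort.u2, limit 128` both set in snort.conf, Snort 2.x writes the two formats side by side, and the script below walks both files and lists events whose packet record is present in unified2 but has no packet with the same timestamp and captured length in the pcap, which is how an alert on a "Stream reassembled packet" shows up. The file names, the constructed sample bytes and the timestamp-plus-length matching key are assumptions; only the six leading fields shared by all unified2 IDS event record types are read.

```python
import struct
U2_PACKET = 2                            # Serial_Unified2Packet record
U2_IDS_EVENTS = (7, 72, 104, 105)        # IDS event variants (v4/v6, v1/v2): same first six fields
def unified2_records(data):  # yield (type, body); header is two big-endian uint32: type, length
    off = 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack_from('>II', data, off)
        yield rtype, data[off + 8:off + 8 + rlen]
        off += 8 + rlen

def unified2_events(data):
    """Map event_id -> {'sig': 'gid:sid', 'pkt': (sec, usec, length)} from a unified2 file."""
    events = {}
    for rtype, body in unified2_records(data):
        if rtype in U2_IDS_EVENTS:   # sensor_id, event_id, event_sec, event_usec, sid, gid, ...
            _, eid, _, _, sid, gid = struct.unpack_from('>6I', body, 0)
            events.setdefault(eid, {})['sig'] = '%d:%d' % (gid, sid)
        elif rtype == U2_PACKET:     # sensor_id, event_id, event_sec, pkt_sec, pkt_usec, linktype, length
            _, eid, _, sec, usec, _, plen = struct.unpack_from('>7I', body, 0)
            events.setdefault(eid, {})['pkt'] = (sec, usec, plen)
    return events

def pcap_packets(data):
    """Set of (ts_sec, ts_usec, caplen) for every record in a libpcap file such as snort.log."""
    end = '<' if struct.unpack_from('<I', data, 0)[0] == 0xa1b2c3d4 else '>'  # assumes usec magic
    pkts, off = set(), 24                # skip the 24-byte global header
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack_from(end + '4I', data, off)
        pkts.add((sec, usec, caplen))
        off += 16 + caplen
    return pkts

def missing_from_pcap(u2_data, pcap_data):
    """[(event_id, 'gid:sid')] for events whose unified2 packet has no twin in the pcap."""
    pkts = pcap_packets(pcap_data)
    return [(eid, ev.get('sig')) for eid, ev in sorted(unified2_events(u2_data).items())
            if ev.get('pkt') not in pkts]
# Constructed sample files (not real captures). Event 1 (1:1394) fired on a stream-reassembled
# pseudo packet that log_tcpdump never wrote; event 2 (1:12280) fired on a real, logged packet.
def _u2(rtype, body): return struct.pack('>II', rtype, len(body)) + body
def _event(eid, gid, sid, sec):          # 52-byte type-7 record, trailing fields zeroed
    return _u2(7, struct.pack('>6I', 0, eid, sec, 0, sid, gid) + b'\0' * 28)
def _packet(eid, sec, usec, pl):
    return _u2(U2_PACKET, struct.pack('>7I', 0, eid, sec, sec, usec, 1, len(pl)) + pl)
def _pcap(recs):                         # little-endian libpcap, linktype 1 (Ethernet)
    hdr = struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)
    return hdr + b''.join(struct.pack('<4I', s, u, len(p), len(p)) + p for s, u, p in recs)
PSEUDO, REAL = b'\xaa' * 1200, b'\xbb' * 60
SAMPLE_U2 = (_event(1, 1, 1394, 1303836000) + _packet(1, 1303836000, 307954, PSEUDO)
             + _event(2, 1, 12280, 1303836001) + _packet(2, 1303836001, 5, REAL))
SAMPLE_PCAP = _pcap([(1303836001, 5, REAL)])
```

Run against real files with `missing_from_pcap(open('snort.u2', 'rb').read(), open('snort.log', 'rb').read())`; an empty list means every unified2 packet record also made it into the tcpdump-format log.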
