Snort mailing list archives
Re: missing pcaps for alerts
From: Eoin Miller <eoin.miller () trojanedbinaries com>
Date: Thu, 20 Oct 2011 17:40:25 +0000
Hey Joel,
I've been noticing this for a while but kept forgetting to get around
to looking into it more in depth, I figured it was barnyard2 having an
issue, but it does appear to be snorts logging output. If multiple
alerts are firing on the same frame, Snort doesn't seem to re-log the
frame correctly for multiple alerts:
If we have a test set of 3 rules like below:
alert tcp any any -> any any (msg:"MZ 1"; file_data; content:"MZ";
within:2; sid:1; rev:1;)
alert tcp any any -> any any (msg:"MZ 2"; file_data; content:"MZ";
within:2; sid:2; rev:1;)
alert tcp any any -> any any (msg:"MZ 3"; file_data; content:"MZ";
within:2; sid:3; rev:1;)
Now we run them against a PCAP of a user downloading an executable
file, it alerts 3 times as expected in our fast alert output log.
However, in the unified2 log, we have the following at the beginning
of the file when we run the u2spewfoo binary against it:
---BEGIN---
(Event)
sensor id: 0 event id: 1 event second: 1319130108 event
microsecond: 745191
sig id: 3 gen id: 1 revision: 1 classification: 0
priority: 0 ip source: 71.191.147.210 ip destination:
10.181.188.73
src port: 80 dest port: 64916 protocol: 6 impact_flag: 0
blocked: 0
Packet
sensor id: 0 event id: 1 event second: 1319130108
packet second: 1319130108 packet microsecond: 745191
linktype: 1 packet_length: 1514
00 00 5E 00 01 02 00 10 DB FF 26 00 08 00 45 00 ..^.......&...E.
05 DC 28 A0 40 00 38 06 71 EC 47 BF 93 D2 0A B5 ..(.@.8.q.G.....
BC 49 00 50 FD 94 2E 8F 54 A2 FC 56 2E AC 50 10 .I.P....T..V..P.
00 6C C1 9A 00 00 48 54 54 50 2F 31 2E 31 20 32 .l....HTTP/1.1 2
30 30 20 4F 4B 0D 0A 44 61 74 65 3A 20 54 68 75 00 OK..Date: Thu
2C 20 32 30 20 4F 63 74 20 32 30 31 31 20 31 37 , 20 Oct 2011 17
3A 31 34 3A 30 39 20 47 4D 54 0D 0A 53 65 72 76 :14:09 GMT..Serv
65 72 3A 20 41 70 61 63 68 65 2F 32 2E 32 2E 31 er: Apache/2.2.1
34 20 28 55 62 75 6E 74 75 29 0D 0A 4C 61 73 74 4 (Ubuntu)..Last
2D 4D 6F 64 69 66 69 65 64 3A 20 54 68 75 2C 20 -Modified: Thu,
31 38 20 41 75 67 20 32 30 31 31 20 30 30 3A 34 18 Aug 2011 00:4
32 3A 31 33 20 47 4D 54 0D 0A 45 54 61 67 3A 20 2:13 GMT..ETag:
22 31 38 36 36 30 33 2D 34 30 65 30 30 2D 34 61 "186603-40e00-4a
61 62 63 65 32 34 37 30 32 37 66 22 0D 0A 41 63 abce247027f"..Ac
63 65 70 74 2D 52 61 6E 67 65 73 3A 20 62 79 74 cept-Ranges: byt
65 73 0D 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67 es..Content-Leng
74 68 3A 20 32 36 35 37 32 38 0D 0A 4B 65 65 70 th: 265728..Keep
2D 41 6C 69 76 65 3A 20 74 69 6D 65 6F 75 74 3D -Alive: timeout=
31 35 2C 20 6D 61 78 3D 31 30 30 0D 0A 43 6F 6E 15, max=100..Con
6E 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C nection: Keep-Al
69 76 65 0D 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 ive..Content-Typ
65 3A 20 61 70 70 6C 69 63 61 74 69 6F 6E 2F 78 e: application/x
2D 6D 73 64 6F 73 2D 70 72 6F 67 72 61 6D 0D 0A -msdos-program..
0D 0A 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF ..MZ............
00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 ..........@.....
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 D8 00 ................
00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 ..........!..L.!
54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E This program can
6E 6F 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F not be run in DO
53 20 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 S mode....$.....
---SNIP---
After this alert and packet, there are 11 more subsequent packets
logged. However, the other two events have NO packets with them as we
can see below from the end of the output:
---SNIP---
E0 8B 00 85 C0 74 02 FF D0 83 45 E0 04 EB E6 C7 .....t....E.....
45 FC FE FF FF FF E8 20 00 00 E...... ..
(Event)
sensor id: 0 event id: 2 event second: 1319130108 event
microsecond: 745191
sig id: 2 gen id: 1 revision: 1 classification: 0
priority: 0 ip source: 71.191.147.210 ip destination:
10.181.188.73
src port: 80 dest port: 64916 protocol: 6 impact_flag: 0
blocked: 0
(Event)
sensor id: 0 event id: 3 event second: 1319130108 event
microsecond: 745191
sig id: 1 gen id: 1 revision: 1 classification: 0
priority: 0 ip source: 71.191.147.210 ip destination:
10.181.188.73
src port: 80 dest port: 64916 protocol: 6 impact_flag: 0
blocked: 0
---END---
-- Eoin
------------------------------------------------------------------------------
The demand for IT networking professionals continues to grow, and the
demand for specialized networking skills is growing even more rapidly.
Take a complimentary Learning@Cisco Self-Assessment and learn
about Cisco certifications, training, and career opportunities.
http://p.sf.net/sfu/cisco-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- missing pcaps for alerts John Ives (Oct 18)
- Re: missing pcaps for alerts Joel Esler (Oct 18)
- Re: missing pcaps for alerts John Ives (Oct 18)
- Re: missing pcaps for alerts Joel Esler (Oct 19)
- Re: missing pcaps for alerts John Ives (Oct 19)
- Re: missing pcaps for alerts John Ives (Oct 18)
- Re: missing pcaps for alerts Joel Esler (Oct 18)
- Re: missing pcaps for alerts Eoin Miller (Oct 20)
- Re: missing pcaps for alerts Joel Esler (Oct 20)
- Re: missing pcaps for alerts John Ives (Oct 25)
- Re: missing pcaps for alerts Joel Esler (Oct 25)
- Re: missing pcaps for alerts Joel Esler (Oct 20)