Snort mailing list archives
Re: missing pcaps for alerts
From: Eoin Miller <eoin.miller () trojanedbinaries com>
Date: Thu, 20 Oct 2011 17:40:25 +0000
Hey Joel,

I've been noticing this for a while but kept forgetting to get around to looking into it more in depth. I figured it was barnyard2 having an issue, but it does appear to be Snort's logging output. If multiple alerts are firing on the same frame, Snort doesn't seem to re-log the frame correctly for multiple alerts.

If we have a test set of 3 rules like below:

    alert tcp any any -> any any (msg:"MZ 1"; file_data; content:"MZ"; within:2; sid:1; rev:1;)
    alert tcp any any -> any any (msg:"MZ 2"; file_data; content:"MZ"; within:2; sid:2; rev:1;)
    alert tcp any any -> any any (msg:"MZ 3"; file_data; content:"MZ"; within:2; sid:3; rev:1;)

Now we run them against a PCAP of a user downloading an executable file. It alerts 3 times as expected in our fast alert output log. However, in the unified2 log, we have the following at the beginning of the file when we run the u2spewfoo binary against it:

    ---BEGIN---
    (Event)
        sensor id: 0    event id: 1    event second: 1319130108    event microsecond: 745191
        sig id: 3    gen id: 1    revision: 1    classification: 0
        priority: 0    ip source: 71.191.147.210    ip destination: 10.181.188.73
        src port: 80    dest port: 64916    protocol: 6    impact_flag: 0    blocked: 0

    Packet
        sensor id: 0    event id: 1    event second: 1319130108
        packet second: 1319130108    packet microsecond: 745191
        linktype: 1    packet_length: 1514
    00 00 5E 00 01 02 00 10 DB FF 26 00 08 00 45 00  ..^.......&...E.
    05 DC 28 A0 40 00 38 06 71 EC 47 BF 93 D2 0A B5  ..(.@.8.q.G.....
    BC 49 00 50 FD 94 2E 8F 54 A2 FC 56 2E AC 50 10  .I.P....T..V..P.
    00 6C C1 9A 00 00 48 54 54 50 2F 31 2E 31 20 32  .l....HTTP/1.1 2
    30 30 20 4F 4B 0D 0A 44 61 74 65 3A 20 54 68 75  00 OK..Date: Thu
    2C 20 32 30 20 4F 63 74 20 32 30 31 31 20 31 37  , 20 Oct 2011 17
    3A 31 34 3A 30 39 20 47 4D 54 0D 0A 53 65 72 76  :14:09 GMT..Serv
    65 72 3A 20 41 70 61 63 68 65 2F 32 2E 32 2E 31  er: Apache/2.2.1
    34 20 28 55 62 75 6E 74 75 29 0D 0A 4C 61 73 74  4 (Ubuntu)..Last
    2D 4D 6F 64 69 66 69 65 64 3A 20 54 68 75 2C 20  -Modified: Thu, 
    31 38 20 41 75 67 20 32 30 31 31 20 30 30 3A 34  18 Aug 2011 00:4
    32 3A 31 33 20 47 4D 54 0D 0A 45 54 61 67 3A 20  2:13 GMT..ETag: 
    22 31 38 36 36 30 33 2D 34 30 65 30 30 2D 34 61  "186603-40e00-4a
    61 62 63 65 32 34 37 30 32 37 66 22 0D 0A 41 63  abce247027f"..Ac
    63 65 70 74 2D 52 61 6E 67 65 73 3A 20 62 79 74  cept-Ranges: byt
    65 73 0D 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67  es..Content-Leng
    74 68 3A 20 32 36 35 37 32 38 0D 0A 4B 65 65 70  th: 265728..Keep
    2D 41 6C 69 76 65 3A 20 74 69 6D 65 6F 75 74 3D  -Alive: timeout=
    31 35 2C 20 6D 61 78 3D 31 30 30 0D 0A 43 6F 6E  15, max=100..Con
    6E 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C  nection: Keep-Al
    69 76 65 0D 0A 43 6F 6E 74 65 6E 74 2D 54 79 70  ive..Content-Typ
    65 3A 20 61 70 70 6C 69 63 61 74 69 6F 6E 2F 78  e: application/x
    2D 6D 73 64 6F 73 2D 70 72 6F 67 72 61 6D 0D 0A  -msdos-program..
    0D 0A 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF  ..MZ............
    00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00  ..........@.....
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 D8 00  ................
    00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21  ..........!..L.!
    54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E  This program can
    6E 6F 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F  not be run in DO
    53 20 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00  S mode....$.....
    ---SNIP---

After this alert and packet, there are 11 more subsequent packets logged. However, the other two events have NO packets with them, as we can see below from the end of the output:

    ---SNIP---
    E0 8B 00 85 C0 74 02 FF D0 83 45 E0 04 EB E6 C7  .....t....E.....
    45 FC FE FF FF FF E8 20 00 00                    E...... ..

    (Event)
        sensor id: 0    event id: 2    event second: 1319130108    event microsecond: 745191
        sig id: 2    gen id: 1    revision: 1    classification: 0
        priority: 0    ip source: 71.191.147.210    ip destination: 10.181.188.73
        src port: 80    dest port: 64916    protocol: 6    impact_flag: 0    blocked: 0

    (Event)
        sensor id: 0    event id: 3    event second: 1319130108    event microsecond: 745191
        sig id: 1    gen id: 1    revision: 1    classification: 0
        priority: 0    ip source: 71.191.147.210    ip destination: 10.181.188.73
        src port: 80    dest port: 64916    protocol: 6    impact_flag: 0    blocked: 0
    ---END---

-- 
Eoin
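The symptom Eoin describes (several Event records for one frame, but a Packet record attached only to the first event id) can be checked mechanically rather than by eyeballing u2spewfoo output. The script below is an added example, not code from this thread, Snort or barnyard2. It walks a unified2 stream using the record layout from Snort's Unified2_common.h (each record is a big-endian u32 type and u32 length followed by the body; type 7 is the legacy 52-byte IPv4 IDS event, type 2 is a 28-byte packet header followed by the frame) and reports every event that has no packet record sharing its (sensor id, event id, event second) key. The log it parses is constructed inline to mirror the thread: three events with event ids 1 to 3, one packet record tied to event id 1; the packet bytes are a short made-up HTTP response, not the 1514-byte frame from the post. Other event record types (IPv6, VLAN, extra data) are not decoded here and are simply skipped.

```python
import struct

# Record type tags from Snort's unified2 format (Unified2_common.h).
UNIFIED2_PACKET = 2        # Serial_Unified2Packet: 28-byte header + raw frame
UNIFIED2_IDS_EVENT = 7     # Unified2IDSEvent_legacy: 52 bytes, IPv4

# Legacy IPv4 event: 11 x u32 (sensor_id, event_id, event_second,
# event_microsecond, signature_id, generator_id, signature_revision,
# classification_id, priority_id, ip_source, ip_destination),
# 2 x u16 (sport_itype, dport_icode), 4 x u8 (protocol, impact_flag,
# impact, blocked). All fields are network byte order.
EVENT_FMT = ">11I2H4B"
EVENT_SIZE = struct.calcsize(EVENT_FMT)          # 52

# Packet header: sensor_id, event_id, event_second, packet_second,
# packet_microsecond, linktype, packet_length; then packet_length bytes.
PACKET_HDR_FMT = ">7I"
PACKET_HDR_SIZE = struct.calcsize(PACKET_HDR_FMT)  # 28


def ip2int(dotted):
    """Pack a dotted-quad IPv4 string into the u32 unified2 stores."""
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def record(rtype, body):
    """Wrap a record body in the unified2 type/length header."""
    return struct.pack(">II", rtype, len(body)) + body


def event_record(event_id, sid, second=1319130108, usec=745191):
    """Build a legacy IPv4 event with the addresses/ports from the thread."""
    body = struct.pack(EVENT_FMT, 0, event_id, second, usec, sid, 1, 1, 0, 0,
                       ip2int("71.191.147.210"), ip2int("10.181.188.73"),
                       80, 64916, 6, 0, 0, 0)
    return record(UNIFIED2_IDS_EVENT, body)


def packet_record(event_id, frame, second=1319130108, usec=745191):
    """Build a packet record tied to event_id (linktype 1 = Ethernet)."""
    hdr = struct.pack(PACKET_HDR_FMT, 0, event_id, second, second, usec, 1, len(frame))
    return record(UNIFIED2_PACKET, hdr + frame)


def build_sample_log():
    """Constructed unified2 stream reproducing the thread's record sequence."""
    frame = b"HTTP/1.1 200 OK\r\nContent-Type: application/x-msdos-program\r\n\r\nMZ\x90\x00"
    return (event_record(1, sid=3) + packet_record(1, frame)
            + event_record(2, sid=2) + event_record(3, sid=1))


def parse_unified2(data):
    """Split a unified2 byte stream into (type, body) records; raise on truncation."""
    records, off = [], 0
    while off + 8 <= len(data):
        rtype, length = struct.unpack_from(">II", data, off)
        off += 8
        if off + length > len(data):
            raise ValueError("truncated record at offset %d" % (off - 8))
        records.append((rtype, data[off:off + length]))
        off += length
    return records


def find_orphan_events(data):
    """Return events (as dicts) that have no packet record with a matching
    (sensor_id, event_id, event_second) key, in the order they appear."""
    events, packet_keys = {}, set()
    for rtype, body in parse_unified2(data):
        if rtype == UNIFIED2_IDS_EVENT and len(body) == EVENT_SIZE:
            f = struct.unpack(EVENT_FMT, body)
            events[(f[0], f[1], f[2])] = {"event_id": f[1], "sig_id": f[4],
                                          "gen_id": f[5], "rev": f[6]}
        elif rtype == UNIFIED2_PACKET and len(body) >= PACKET_HDR_SIZE:
            h = struct.unpack_from(PACKET_HDR_FMT, body, 0)
            packet_keys.add((h[0], h[1], h[2]))
    return [ev for key, ev in events.items() if key not in packet_keys]


if __name__ == "__main__":
    for ev in find_orphan_events(build_sample_log()):
        print("event id %(event_id)d (gid %(gen_id)d sid %(sig_id)d rev %(rev)d) "
              "has no packet record" % ev)
```

Against a real file, replace build_sample_log() with open("snort.u2.TIMESTAMP", "rb").read(); for logs containing VLAN or IPv6 event types the decoder would need the corresponding structures added, since those records are skipped here.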
Current thread:
- missing pcaps for alerts John Ives (Oct 18)
- Re: missing pcaps for alerts Joel Esler (Oct 18)
- Re: missing pcaps for alerts John Ives (Oct 18)
- Re: missing pcaps for alerts Joel Esler (Oct 19)
- Re: missing pcaps for alerts John Ives (Oct 19)
- Re: missing pcaps for alerts John Ives (Oct 18)
- Re: missing pcaps for alerts Joel Esler (Oct 18)
- Re: missing pcaps for alerts Eoin Miller (Oct 20)
- Re: missing pcaps for alerts Joel Esler (Oct 20)
- Re: missing pcaps for alerts John Ives (Oct 25)
- Re: missing pcaps for alerts Joel Esler (Oct 25)
- Re: missing pcaps for alerts Joel Esler (Oct 20)