Snort mailing list archives
Re: Some alerts not logging packet data
From: James Lay <jlay () slave-tothe-box net>
Date: Wed, 23 Nov 2011 15:44:56 -0700
So yea...guess I needed to clarify that ;) Just like it says...most of my alerts on a system I manage come in just fine...however, some do not. I get the alert in the alert file, but nothing in the unified or tcpdump file. I see the entry like below in the unified file, but no packet data. Could this be a library problem or something like that? Anyone have any hints on where to start? Thank you. James
From: James Lay <jlay () slave-tothe-box net>
Date: Sat, 19 Nov 2011 08:35:38 -0700
To: Snort <snort-users () lists sourceforge net>
Subject: [Snort-users] Some packets logging packet data
Topic says it...it's very odd:
From alert.fast:
11/18-17:30:16.073705 [**] [138:2:1] SENSITIVE-DATA Credit Card Numbers [**] [Classification: Sensitive Data was Transmitted Across the Network] [Priority: 2] {TCP} 10.0.0.6:58570 -> <snip>:25
From the unified2 file:
(Event) sensor id: 0 event id: 1083 event second: 1321662616 event microsecond: 73705 sig id: 2 gen id: 138 revision: 1 classification: 35 priority: 2 ip source: 10.0.0.6 ip destination: <snip> src port: 58570 dest port: 25 protocol: 6 impact_flag: 0 blocked: 0
There is no data in the tcpdump file. Another example:
From the alert.fast (interestingly, this entry appears in between entries with timestamps of 17:30:28 and 17:36:08):
11/18-16:09:37.800061 [**] [1:13864:5] POLICY Microsoft Watson error reporting attempt [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.0.164:62377 -> <snip>:80
From the unified2 file:
(Event) sensor id: 0 event id: 1085 event second: 1321657777 event microsecond: 800061 sig id: 13864 gen id: 1 revision: 5 classification: 33 priority: 1 ip source: 10.0.0.164 ip destination: 65.55.53.190 src port: 62377 dest port: 80 protocol: 6 impact_flag: 0 blocked: 0
Nothing in the tcpdump file. At first I thought it was a pre_proc issue, but now I'm not sure...both of these events just...have no packet data associated with them. Any thoughts? Thank you. James
Relevant snort.conf items:
output alert_syslog: LOG_AUTH LOG_ALERT
output log_tcpdump: tcpdump.log
output alert_fast: snortalert.fast
output unified2: filename unified
------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity, and more. Splunk takes this data and makes sense of it. IT sense. And common sense. http://p.sf.net/sfu/splunk-novd2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
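The symptom above (an IDS event record present in the unified2 file, but no packet record behind it) can be checked directly from the file rather than eyeballed, because unified2 is a simple sequence of network-byte-order records: a 4-byte type, a 4-byte length, then the payload. Snort writes the packet for an event as a separate record (type 2, UNIFIED2_PACKET) that carries the same sensor_id, event_id and event_second as the event record (type 7, the legacy IPv4 Unified2IDSEvent layout whose fields match the dump above), so pairing records on those three values tells you which events shipped without packet data. The following is an added example, not code from the original post or from the Snort project; the unified2 bytes it parses are constructed inline from the two events quoted above (the snipped destination of the first event is replaced with the documentation address 192.0.2.25 and its packet payload is a stand-in), with the first event given a packet record and the second deliberately left without one.

```python
import struct
import sys
from ipaddress import IPv4Address

UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7                       # legacy IPv4 IDS event (Unified2IDSEvent_legacy)
EVENT_TYPES = {7, 72, 99, 100, 104, 105}     # all IDS event record types (IPv4/IPv6/MPLS/VLAN)

_HDR = struct.Struct("!II")                  # record type, record length (network byte order)
_EVENT7 = struct.Struct("!IIIIIIIIIIIHHBBBB")  # 52-byte type-7 payload
_PKT = struct.Struct("!IIIIIII")             # 28-byte packet header before packet_data


def iter_records(buf):
    """Yield (type, payload) for each complete record; stop on a truncated tail."""
    off = 0
    while off + _HDR.size <= len(buf):
        rtype, rlen = _HDR.unpack_from(buf, off)
        off += _HDR.size
        if off + rlen > len(buf):
            break  # partial record at end of file: the writer is still mid-flush
        yield rtype, buf[off:off + rlen]
        off += rlen


def parse_event7(payload):
    """Decode a type-7 event into the same field names the unified2 dump shows."""
    f = _EVENT7.unpack_from(payload)
    return {
        "sensor_id": f[0], "event_id": f[1], "event_second": f[2],
        "event_microsecond": f[3], "sig_id": f[4], "gen_id": f[5], "revision": f[6],
        "classification": f[7], "priority": f[8],
        "src": str(IPv4Address(f[9])), "dst": str(IPv4Address(f[10])),
        "sport": f[11], "dport": f[12], "protocol": f[13],
        "impact_flag": f[14], "impact": f[15], "blocked": f[16],
    }


def parse_packet(payload):
    """Decode a type-2 packet record; data is the captured frame (linktype tells its format)."""
    sensor_id, event_id, event_second, pkt_sec, pkt_usec, linktype, pkt_len = _PKT.unpack_from(payload)
    return {"sensor_id": sensor_id, "event_id": event_id, "event_second": event_second,
            "linktype": linktype, "packet_length": pkt_len,
            "data": payload[_PKT.size:_PKT.size + pkt_len]}


def events_without_packets(buf):
    """Return the event ids whose event record has no packet record keyed to
    the same (sensor_id, event_id, event_second)."""
    events, with_packet = {}, set()
    for rtype, payload in iter_records(buf):
        if rtype == UNIFIED2_IDS_EVENT:
            ev = parse_event7(payload)
            events[(ev["sensor_id"], ev["event_id"], ev["event_second"])] = ev
        elif rtype in EVENT_TYPES:
            # Every unified2 event layout starts with these three uint32s.
            key = struct.unpack_from("!III", payload)
            events[key] = {"sensor_id": key[0], "event_id": key[1], "event_second": key[2], "type": rtype}
        elif rtype == UNIFIED2_PACKET:
            pk = parse_packet(payload)
            with_packet.add((pk["sensor_id"], pk["event_id"], pk["event_second"]))
    return sorted(ev["event_id"] for key, ev in events.items() if key not in with_packet)


# --- constructed sample data (not a real capture) ---------------------------
def _record(rtype, payload):
    return _HDR.pack(rtype, len(payload)) + payload


def _event7(event_id, event_second, usec, sig, gen, rev, cls, pri, src, dst, sport, dport):
    body = _EVENT7.pack(0, event_id, event_second, usec, sig, gen, rev, cls, pri,
                        int(IPv4Address(src)), int(IPv4Address(dst)), sport, dport, 6, 0, 0, 0)
    return _record(UNIFIED2_IDS_EVENT, body)


def _packet(event_id, event_second, data):
    return _record(UNIFIED2_PACKET, _PKT.pack(0, event_id, event_second, event_second, 0, 1, len(data)) + data)


SAMPLE = (
    _event7(1083, 1321662616, 73705, 2, 138, 1, 35, 2, "10.0.0.6", "192.0.2.25", 58570, 25)
    + _packet(1083, 1321662616, b"\x45\x00" + b"\x00" * 38)   # stand-in frame bytes
    + _event7(1085, 1321657777, 800061, 13864, 1, 5, 33, 1, "10.0.0.164", "65.55.53.190", 62377, 80)
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print("events without packet data:", events_without_packets(data))
```

Run it against a real file with `python3 u2check.py /var/log/snort/unified.1321662616` (the filename is an assumption; use whatever `output unified2: filename` produced). Pairing on all three of sensor_id, event_id and event_second matters because event_id alone wraps and repeats across Snort restarts; an event listed by the script is exactly one that shows up in the dump with no data behind it, which is the condition James describes.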
Current thread:
- Some packets logging packet data James Lay (Nov 19)
- Re: Some alerts not logging packet data James Lay (Nov 23)
- Re: Some alerts not logging packet data James Lay (Nov 30)
- Re: Some alerts not logging packet data James Lay (Nov 23)