Snort mailing list archives

Re: Some alerts not logging packet data


From: James Lay <jlay () slave-tothe-box net>
Date: Wed, 23 Nov 2011 15:44:56 -0700

So yea...guess I needed to clarify that ;)

Just like it says...most of my alerts on a system I manage come in just
fine...however, some do not...I get the alert in the alert file, but nothing in
the unified or tcpdump file.  I see the entry like below in the unified
file, but no packet data.  Could this be a library problem or something like
that?  Anyone have any hints on where to start?  Thank you.

James

From:  James Lay <jlay () slave-tothe-box net>
Date:  Sat, 19 Nov 2011 08:35:38 -0700
To:  Snort <snort-users () lists sourceforge net>
Subject:  [Snort-users] Some packets logging packet data

Topic says it...it's very odd:

From alert.fast:
11/18-17:30:16.073705  [**] [138:2:1] SENSITIVE-DATA Credit Card Numbers
[**] [Classification: Sensitive Data was Transmitted Across the Network]
[Priority: 2] {TCP} 10.0.0.6:58570 -> <snip>:25

From the unified2 file:
(Event)
        sensor id: 0    event id: 1083  event second: 1321662616        event microsecond: 73705
        sig id: 2       gen id: 138     revision: 1      classification: 35
        priority: 2     ip source: 10.0.0.6     ip destination: <snip>
        src port: 58570 dest port: 25   protocol: 6     impact_flag: 0  blocked: 0

There is no data in the tcpdump file.

Another example:
From the alert.fast...interestingly this entry appears in between entries
with timestamps of 17:30:28 and 17:36:08:
11/18-16:09:37.800061  [**] [1:13864:5] POLICY Microsoft Watson error
reporting attempt [**] [Classification: Potential Corporate Privacy
Violation] [Priority: 1] {TCP} 10.0.0.164:62377 -> <snip>:80

From the unified2 file:
(Event)
        sensor id: 0    event id: 1085  event second: 1321657777        event microsecond: 800061
        sig id: 13864   gen id: 1       revision: 5      classification: 33
        priority: 1     ip source: 10.0.0.164   ip destination: 65.55.53.190
        src port: 62377 dest port: 80   protocol: 6     impact_flag: 0  blocked: 0

Nothing in the tcpdump file.

At first I thought it was a pre_proc issue, but now I'm not sure...both of
these events just...have no packet data associated with them.  Any thoughts?
Thank you.

James

Relevant snort.conf items:

output alert_syslog: LOG_AUTH LOG_ALERT
output log_tcpdump: tcpdump.log
output alert_fast: snortalert.fast
output unified2: filename unified


------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure
contains a definitive record of customers, application performance,
security threats, fraudulent activity, and more. Splunk takes this
data and makes sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-novd2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

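Added example, not code from this thread or from the Snort project: a small unified2 reader that walks a spool file, pairs each legacy IDS event record (type 7) with the packet record (type 2) that normally follows it, and lists the events that have none. It is the first check worth running on a file like the one quoted above, because it separates "Snort never wrote a packet record for this event" from "the reader is not showing it". Record layouts follow the unified2 format in Snort's Unified2_common.h. The sample spool is constructed inline from the field values quoted in the thread; 192.0.2.25 stands in for the snipped destination, event 1084 is an invented control event that does carry its packet, and linktype 1 (Ethernet) is assumed.

```python
"""Walk a unified2 spool and list IDS events with no packet record.
Added example (not from the thread or from Snort); layouts follow
Snort's Unified2_common.h; the sample spool below is constructed."""
import socket
import struct

UNIFIED2_PACKET = 2        # Unified2Packet: 28-byte header + raw frame
UNIFIED2_IDS_EVENT = 7     # Unified2IDSEvent_legacy: 52-byte body

RECORD_HDR = struct.Struct("!II")          # type, length (big-endian)
EVENT_LEGACY = struct.Struct("!11I2H4B")   # 52 bytes
PACKET_HDR = struct.Struct("!7I")          # 28 bytes, then packet_data

EVENT_FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond",
                "sig_id", "gen_id", "revision", "classification", "priority",
                "ip_source", "ip_destination", "sport", "dport", "protocol",
                "impact_flag", "impact", "blocked")


def iter_records(data):
    """Yield (type, body) for each complete record; stop at a truncated
    tail instead of raising, since a spool still being written (or whose
    writer died) can end mid-record."""
    off = 0
    while off + RECORD_HDR.size <= len(data):
        rtype, rlen = RECORD_HDR.unpack_from(data, off)
        off += RECORD_HDR.size
        if off + rlen > len(data):
            break
        yield rtype, data[off:off + rlen]
        off += rlen


def parse_event(body):
    """Decode a legacy IDS event body into a dict with dotted-quad IPs."""
    ev = dict(zip(EVENT_FIELDS, EVENT_LEGACY.unpack_from(body)))
    for key in ("ip_source", "ip_destination"):
        ev[key] = socket.inet_ntoa(struct.pack("!I", ev[key]))
    return ev


def events_without_packets(data):
    """Return (events, orphans): every legacy event keyed by
    (sensor_id, event_id, event_second), and the subset that has no
    packet record carrying the same key."""
    events, with_packet = {}, set()
    for rtype, body in iter_records(data):
        if rtype == UNIFIED2_IDS_EVENT and len(body) >= EVENT_LEGACY.size:
            ev = parse_event(body)
            events[(ev["sensor_id"], ev["event_id"], ev["event_second"])] = ev
        elif rtype == UNIFIED2_PACKET and len(body) >= PACKET_HDR.size:
            sensor_id, event_id, event_second = PACKET_HDR.unpack_from(body)[:3]
            with_packet.add((sensor_id, event_id, event_second))
    orphans = [ev for key, ev in events.items() if key not in with_packet]
    return events, orphans


# ---- constructed sample spool (not a real capture) ----------------------
def _ip(addr):
    return struct.unpack("!I", socket.inet_aton(addr))[0]


def _record(rtype, body):
    return RECORD_HDR.pack(rtype, len(body)) + body


def _event(event_id, sec, usec, sig, gen, rev, cls, prio, src, dst, sport, dport):
    # protocol 6 = TCP; impact_flag, impact and blocked are 0 as in the thread
    return _record(UNIFIED2_IDS_EVENT, EVENT_LEGACY.pack(
        0, event_id, sec, usec, sig, gen, rev, cls, prio, _ip(src), _ip(dst),
        sport, dport, 6, 0, 0, 0))


def _packet(event_id, sec, usec, frame):
    # linktype 1 (Ethernet) is an assumption; packet_second == event_second
    return _record(UNIFIED2_PACKET,
                   PACKET_HDR.pack(0, event_id, sec, sec, usec, 1, len(frame)) + frame)


# Events 1083 and 1085 use the values quoted in the thread (192.0.2.25 stands
# in for the snipped destination); 1084 is an invented control that has its packet.
SAMPLE_SPOOL = (
    _event(1083, 1321662616, 73705, 2, 138, 1, 35, 2, "10.0.0.6", "192.0.2.25", 58570, 25)
    + _event(1084, 1321662620, 0, 1000001, 1, 1, 3, 1, "10.0.0.6", "192.0.2.80", 40000, 80)
    + _packet(1084, 1321662620, 0, b"\x00" * 14 + b"\x45\x00" + b"\x00" * 38)
    + _event(1085, 1321657777, 800061, 13864, 1, 5, 33, 1,
             "10.0.0.164", "65.55.53.190", 62377, 80)
)

if __name__ == "__main__":
    events, orphans = events_without_packets(SAMPLE_SPOOL)
    print(f"{len(events)} events, {len(orphans)} without a packet record")
    for ev in orphans:
        print(f"  event {ev['event_id']} [{ev['gen_id']}:{ev['sig_id']}:{ev['revision']}] "
              f"{ev['ip_source']}:{ev['sport']} -> {ev['ip_destination']}:{ev['dport']}")
```

To run it against a real spool, pass the file's bytes (open(path, "rb").read()) to events_without_packets() instead of SAMPLE_SPOOL. If the event records are present but the packet records are missing, the gap was introduced by the writer, which matches the log_tcpdump file also being empty for the same events; if the reader sees packet records that a viewer does not display, the problem is the viewer. The parser only decodes the legacy IPv4 event type; IPv6 and VLAN/MPLS event types (72, 104, 105) are passed over without error so the count of orphans stays honest for what was decoded.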