Snort mailing list archives

inconsistent unified2 logging behavior observed with attached pcap


From: anantha narasimhan srinivasan <anantha.narasimhan () gmail com>
Date: Thu, 12 Apr 2012 13:23:23 +1200

Hi,

I have already emailed bugs () snort org with this query. While I am
waiting to hear back from the developers, I thought I might get some
useful suggestions/workarounds (if any) from this list.

When the attached pcap [1] is run through SNORT using this [2] command
line, we observe that the generated alert for SID 20596 is only
logged to the first unified2 output configured in snort.conf. Even if
there are multiple log_unified2 outputs configured, the generated alert is
logged only to the first one. This behavior is reproducible with the
attached pcap on all SNORT releases after 2.9.0.5. I have used the VRT
2.9.1 / 2.9.2 rulesets. I tried removing the http_* keywords from the
rule (# 20596, botnet-cnc.rules) and that seems to get the alerts
logged to all the configured unified2 output files.

Has anyone observed this behavior before? If so, is there any workaround or fix?

I have attached the following:
etc/*.conf
rules/*.rules
Snort log

We are compiling SNORT 2.9.2.2 from sources with the following
configure options, and it is run on an EL5 machine (2.6.18-194.32.1
kernel, intel64, GCC-443).

        ./configure \
        --prefix=%{_prefix} \
        --bindir=%{_sbindir} \
        --sysconfdir=%{_sysconfdir}/snort \
        --without-mysql \
        --without-postgresql \
        --without-oracle \
        --without-odbc \
        --enable-sourcefire

Please let me know if you need any further information.

Thanks

[1] obfuscated_20596.pcap
    http://www.pcapr.net/view/anantha.narasimhan/2012/3/1/23/obfuscated_20596.pcap.html

[2] /usr/sbin/snort-plain -r obfuscated.pcap \
        -c esmagent/data/agent.1/var/snort/policy/etc/snort.conf \
        -l /tmp/snort/log/ \
        --dynamic-preprocessor-lib-dir /usr/lib64/snort_dynamicpreprocessor \
        --dynamic-engine-lib-dir /usr/lib64/snort_dynamicengine \
        -A none



--
A

Attachment: obfuscated_20596.pcap
Attachment: snort.log
Attachment: snort_config.tgz

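One way to confirm the symptom described in the post, that a SID reaches the first unified2 output but not the others, is to count IDS events per signature in each output file and diff them. This is an added example, not code from the post or from Snort; it reads the unified2 IDS event record layouts (types 7 and 104, signature_id at body offset 16), and the two sample "files" are constructed in memory rather than captured.

```python
import struct
from collections import Counter

UNIFIED2_IDS_EVENT = 7        # Unified2IDSEvent record
UNIFIED2_IDS_EVENT_VLAN = 104  # Unified2IDSEvent_v2 (adds mpls_label, vlanId, pad)
SIG_ID_OFFSET = 16             # sensor_id, event_id, event_second, event_usec precede it

def iter_records(data):
    """Yield (record_type, body) for each unified2 record; stop at a truncated tail."""
    off = 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack_from(">II", data, off)  # header: type, length (BE)
        body = data[off + 8:off + 8 + rlen]
        if len(body) < rlen:
            break  # partial record at EOF (file still being written); ignore it
        yield rtype, body
        off += 8 + rlen

def sid_counts(data):
    """Count IDS event records per signature id in one unified2 byte string."""
    counts = Counter()
    for rtype, body in iter_records(data):
        if rtype in (UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_VLAN) and len(body) >= SIG_ID_OFFSET + 4:
            (sid,) = struct.unpack_from(">I", body, SIG_ID_OFFSET)
            counts[sid] += 1
    return counts

def compare_outputs(outputs):
    """outputs: {name: bytes}. Return {name: {sid: how many events that file lacks}}
    relative to the highest count seen for that sid in any configured output."""
    per_file = {name: sid_counts(blob) for name, blob in outputs.items()}
    expected = Counter()
    for c in per_file.values():
        for sid, n in c.items():
            expected[sid] = max(expected[sid], n)
    gaps = {}
    for name, c in per_file.items():
        missing = {sid: n - c[sid] for sid, n in expected.items() if c[sid] < n}
        if missing:
            gaps[name] = missing
    return gaps

def make_event(sid, gid=1, vlan=False):
    """Build a constructed unified2 IDS event record (sample data, not a real capture)."""
    body = struct.pack(">IIIIIIIIIIIHHBBBB", 1, 1, 1334193803, 0, sid, gid, 1, 1, 1,
                       0x0A000001, 0x0A000002, 1234, 80, 6, 0, 0, 0)  # 52-byte v1 body
    if vlan:
        body += struct.pack(">IHH", 0, 0, 0)  # mpls_label, vlanId, pad2 for type 104
    rtype = UNIFIED2_IDS_EVENT_VLAN if vlan else UNIFIED2_IDS_EVENT
    return struct.pack(">II", rtype, len(body)) + body

# Constructed sample: first output holds SID 20596 and SID 2000, second only SID 2000.
FIRST = make_event(20596) + make_event(2000, vlan=True)
SECOND = make_event(2000, vlan=True)
SAMPLE_GAPS = compare_outputs({"merged.log.1": FIRST, "merged.log.2": SECOND})
```

Run it over the real files with `open(path, "rb").read()` for each configured log_unified2 output; a non-empty result names the output and the SIDs it never received.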