Snort mailing list archives

Re: [barnyard2-users] Re: Fwd: Missing packets with by2


From: beenph <beenph () gmail com>
Date: Tue, 24 Jul 2012 22:20:30 -0400

Greetings Jim,

You're hitting a soft limit.

In spooler.c there is a defined CACHED_EVENTS_MAX (at the top of the
file), in both the old branch and the new branch.

And event 23588 happens to be the 64th cached element; once it's logged,
the cache gets cleaned, and when the next packet is read, well, the
element is not in the cache and it's unfortunately not "correlated"
correctly.

You can up CACHED_EVENT_MAX to something like 256 or 512 without much
of an issue.

On another note, do you have a lot of signatures like sig_id 9100612
with revision 0, classification 0 and priority 0?

If so, you might want to give them a revision, else you might run into
issues with the more up-to-date branch.

Also note that there seem to be a lot of lonely packets in the anon
file you sent me (packets without an event; the file starts with a
bunch of them). Are you logging complete streams [just curious]?
Because you might be missing a lot of info logged as of now, especially
if the stream spans over multiple unified2 files.

Anyhow, do not be shy to post back on the by2 MLs for by2 issues :)

Let me know if we can fix some stuff up.

In the meantime I think the fix will get you over this issue.

Cheers,
-elz





On Tue, Jul 24, 2012 at 4:54 PM, Jim Hranicky <jfh () ufl edu> wrote:
On 07/24/2012 04:46 PM, beenph wrote:

Does it just put the extra packets in the db with a new (sid, cid) ?


Well, the other packet should have the same sid and gid, the same
sensor_id, and a different cid for sure, since it's a different
event.

Hmmm, well, I think I'm talking about 1 event with multiple
packets. I left out that info when I sent in my first message;
here's the anonymized u2spewfoo output:

(Event)
        sensor id: 0    event id: 23588 event second: 1343028031        event microsecond: 188835
        sig id: 9100623 gen id: 1       revision: 8      classification: 3
        priority: 2     ip source: 127.0.0.1    ip destination: 127.0.0.1
        src port: 34921 dest port: 80   protocol: 6     impact_flag: 0  blocked: 0

Packet
        sensor id: 0    event id: 23588 event second: 1343028031
        packet second: 1343028031       packet microsecond: 188835
        linktype: 1     packet_length: 262
[    0] AA AA AA AA AA AA BB BB BB BB BB BB 08 00 45 00  ..............E.
[   16] 00 F8 CC 35 40 00 3D 06 72 C8 7F 00 00 01 7F 00  ...5@.=.r.......
[   32] 00 01 88 69 00 50 B2 E7 DA 1F 10 CF 1E C7 80 18  ...i.P..........
[   48] 00 2E 45 02 00 00 01 01 08 0A 00 F7 16 3C E3 27  ..E..........<.'
[   64] F3 0C 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   80] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   96] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[  112] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[  128] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[  144] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[  160] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[  176] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[  192] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[  208] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[  224] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[  240] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[  256] 00 00 00 00 00 00                                ......

Packet
        sensor id: 0    event id: 23588 event second: 1343028031
        packet second: 1343028031       packet microsecond: 202846
        linktype: 1     packet_length: 146
[    0] AA AA AA AA AA AA BB BB BB BB BB BB 08 00 45 00  ..............E.
[   16] 00 84 CC 36 40 00 3D 06 73 3B 7F 00 00 01 7F 00  ...6@.=.s;......
[   32] 00 01 88 69 00 50 B2 E7 DA E3 10 CF 1E C7 80 18  ...i.P..........
[   48] 00 2E 44 96 00 00 01 01 08 0A 00 F7 16 4A E3 27  ..D..........J.'
[   64] F3 1A 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   80] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   96] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[  112] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[  128] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[  144] 00 00                                            ..

Jim
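The behaviour described in the reply above (an event cache capped at a fixed number of entries, so that the second packet record for the 64th cached event can no longer be correlated once the cache is flushed) can be reproduced with a small model. The following is an added example, not barnyard2's own spooler code: it builds a constructed unified2-style byte stream (legacy 52-byte IDS_EVENT records, type 7, and PACKET records, type 2, with the big-endian record-header layout assumed from Snort's unified2 headers), then replays it through a simplified spooler whose cache size is the `cached_events_max` parameter. The event ids, timestamps, sig id and ports mirror the u2spewfoo output in the thread; the "flush after logging when the cache is full" rule is a simplification of what the reply describes, not a transcription of spooler.c.

```python
"""Model of an event-cache soft limit in a unified2 spooler (constructed example)."""
import struct
from collections import OrderedDict

# Record types as defined in Snort's unified2 headers (assumption: legacy
# 52-byte IDS event body, type 7; packet record, type 2; big-endian fields).
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
RECORD_HDR = struct.Struct("!II")        # record type, record length
IDS_EVENT = struct.Struct("!11IHHBBBB")  # sensor, event_id, event_sec, usec, sig, gen,
                                         # rev, class, prio, src, dst, sport, dport,
                                         # proto, impact_flag, impact, blocked
PACKET_HDR = struct.Struct("!7I")        # sensor, event_id, event_sec, pkt_sec,
                                         # pkt_usec, linktype, pkt_len


def ids_event(sensor_id, event_id, event_second, usec, sig_id, sport, dport):
    """Serialise one IDS_EVENT record (gen 1, rev 8, class 3, prio 2, 127.0.0.1 -> 127.0.0.1, TCP)."""
    body = IDS_EVENT.pack(sensor_id, event_id, event_second, usec, sig_id, 1, 8, 3, 2,
                          0x7F000001, 0x7F000001, sport, dport, 6, 0, 0, 0)
    return RECORD_HDR.pack(UNIFIED2_IDS_EVENT, len(body)) + body


def packet(sensor_id, event_id, event_second, pkt_usec, data):
    """Serialise one PACKET record tied to (sensor_id, event_id, event_second)."""
    body = PACKET_HDR.pack(sensor_id, event_id, event_second, event_second,
                           pkt_usec, 1, len(data)) + data
    return RECORD_HDR.pack(UNIFIED2_PACKET, len(body)) + body


def parse_records(buf):
    """Yield (type, body) for each complete record; stop at a truncated tail."""
    off = 0
    while off + RECORD_HDR.size <= len(buf):
        rtype, length = RECORD_HDR.unpack_from(buf, off)
        off += RECORD_HDR.size
        if off + length > len(buf):
            break  # partial record at end of file: leave it for the next read
        yield rtype, buf[off:off + length]
        off += length


def spool(buf, cached_events_max):
    """Replay a unified2 stream through a capped event cache.

    Events are cached by (sensor_id, event_id, event_second). A packet record
    is logged together with its cached event; if the cache is full after that
    log, it is cleaned (the soft-limit behaviour), so a later packet for the
    same event finds nothing to correlate with and is returned as orphaned.
    Returns (logged, orphaned) as lists of (event_id, packet_microsecond).
    """
    cache = OrderedDict()
    logged, orphaned = [], []
    for rtype, body in parse_records(buf):
        if rtype == UNIFIED2_IDS_EVENT:
            f = IDS_EVENT.unpack(body)
            cache[(f[0], f[1], f[2])] = f
        elif rtype == UNIFIED2_PACKET:
            f = PACKET_HDR.unpack_from(body)
            key = (f[0], f[1], f[2])
            if key not in cache:
                orphaned.append((key[1], f[4]))
                continue
            logged.append((key[1], f[4]))
            if len(cache) >= cached_events_max:
                cache.clear()
    return logged, orphaned


def build_stream(first_event_id=23525, n_events=64):
    """Constructed stream: n_events events, each followed by two packet records,
    so that the last one is event 23588 with packets at 188835 and 202846 usec."""
    out = bytearray()
    payload = b"\x00" * 60  # placeholder packet bytes; content is irrelevant here
    for i in range(n_events):
        eid, sec = first_event_id + i, 1343028031 + i
        out += ids_event(0, eid, sec, 188835, 9100623, 34921, 80)
        out += packet(0, eid, sec, 188835, payload)
        out += packet(0, eid, sec, 202846, payload)
    return bytes(out)


if __name__ == "__main__":
    stream = build_stream()
    for limit in (64, 256):
        logged, orphaned = spool(stream, limit)
        print(f"CACHED_EVENTS_MAX={limit}: logged {len(logged)} packets, orphaned {orphaned}")
```

With the cap at 64 the run reports exactly one orphaned packet, `(23588, 202846)`, the second packet of the 64th event; with the cap raised to 256 every packet correlates. The same model also shows why the thread's "lonely packets" matter: any packet whose event key is not in the cache, whether because the cache was flushed or because the event record lives in an earlier unified2 file, ends up in the orphaned list.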

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!