Snort mailing list archives
Re: [barnyard2-users] Re: Fwd: Missing packets with by2
From: beenph <beenph () gmail com>
Date: Tue, 24 Jul 2012 22:20:30 -0400
Greetings Jim, you're hitting a soft limit. In spooler.c there is a defined CACHED_EVENTS_MAX (at the top of the file; old branch and new branch), and event 23588 happens to be the 64th cached element. Once it's logged, the cache gets cleaned, and when the next packet is read, well, the element is not in the cache and it's unfortunately not "correlated" correctly.

You can up CACHED_EVENTS_MAX to something like 256 or 512 without much of an issue.

On another note, do you have a lot of signatures like sig_id 9100612 with revision 0, classification 0 and priority 0? If so, you might want to give them a revision, else you might run into issues with the more up-to-date branch.

Also note that there seem to be a lot of lonely packets in the anon file you sent me (packets without an event; the file starts with a bunch of 'em). Are you logging complete streams [just curious]? Because you might be missing a lot of info logged as of now, especially if the stream spans over multiple unified2 files.

Anyhow, do not be shy to post back on the by2 MLs for by2 issues :) Let me know if we can fix some stuff up. In the meantime I think the fix will get you over this issue.

Cheers,
-elz

On Tue, Jul 24, 2012 at 4:54 PM, Jim Hranicky <jfh () ufl edu> wrote:
> On 07/24/2012 04:46 PM, beenph wrote:
> >> Does it just put the extra packets in the db with a new (sid, cid)?
> >
> > Well the other packet should have the same sid,gid, the same sensor_id and a
> > different cid for sure, since it's a different event.
>
> Hmmm, well, I think I'm talking about 1 event with multiple packets. I left out
> that info when I sent in my first message; here's the anonymized u2spewfoo output:
>
> (Event)
>     sensor id: 0    event id: 23588    event second: 1343028031    event microsecond: 188835
>     sig id: 9100623    gen id: 1    revision: 8    classification: 3
>     priority: 2    ip source: 127.0.0.1    ip destination: 127.0.0.1
>     src port: 34921    dest port: 80    protocol: 6    impact_flag: 0    blocked: 0
>
> Packet
>     sensor id: 0    event id: 23588    event second: 1343028031
>     packet second: 1343028031    packet microsecond: 188835
>     linktype: 1    packet_length: 262
> [    0]  AA AA AA AA AA AA BB BB BB BB BB BB 08 00 45 00  ..............E.
> [   16]  00 F8 CC 35 40 00 3D 06 72 C8 7F 00 00 01 7F 00  ...5@.=.r.......
> [   32]  00 01 88 69 00 50 B2 E7 DA 1F 10 CF 1E C7 80 18  ...i.P..........
> [   48]  00 2E 45 02 00 00 01 01 08 0A 00 F7 16 3C E3 27  ..E..........<.'
> [   64]  F3 0C 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> [   80]  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> [   96]  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> [  112]  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> [  128]  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> [  144]  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> [  160]  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> [  176]  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> [  192]  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> [  208]  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> [  224]  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> [  240]  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> [  256]  00 00 00 00 00 00                                ......
>
> Packet
>     sensor id: 0    event id: 23588    event second: 1343028031
>     packet second: 1343028031    packet microsecond: 202846
>     linktype: 1    packet_length: 146
> [    0]  AA AA AA AA AA AA BB BB BB BB BB BB 08 00 45 00  ..............E.
> [   16]  00 84 CC 36 40 00 3D 06 73 3B 7F 00 00 01 7F 00  ...6@.=.s;......
> [   32]  00 01 88 69 00 50 B2 E7 DA E3 10 CF 1E C7 80 18  ...i.P..........
> [   48]  00 2E 44 96 00 00 01 01 08 0A 00 F7 16 4A E3 27  ..D..........J.'
> [   64]  F3 1A 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> [   80]  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> [   96]  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> [  112]  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> [  128]  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> [  144]  00 00                                            ..
>
> Jim
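The cache behaviour elz describes (64th cached event logged, cache cleaned, the next packet for that event left uncorrelated) can be reproduced with a small model. This is an added illustration, not barnyard2's spooler.c: the flush-at-limit policy, the record tuples and the event ids 23525..23588 are constructed assumptions, chosen so that Jim's event 23588 lands in the 64th slot.

```python
# Added model of the CACHED_EVENTS_MAX soft limit discussed in the thread.
# Not barnyard2 code: the policy below (flush the whole cache once it holds
# cached_events_max events, so packets for the event that filled it can no
# longer be correlated) is an assumption modelled on elz's description.
from collections import OrderedDict

CACHED_EVENTS_MAX_DEFAULT = 64   # the value elz says is defined at the top of spooler.c


def correlate(records, cached_events_max=CACHED_EVENTS_MAX_DEFAULT):
    """Walk unified2 records in spool order.

    records: iterable of ("event", event_id) or ("packet", event_id) tuples.
    Returns (correlated, orphaned): dicts mapping event_id -> packet count.
    A packet is "orphaned" when its event is no longer in the cache.
    """
    cache = OrderedDict()          # event_id -> True, in insertion order
    correlated, orphaned = {}, {}
    for kind, event_id in records:
        if kind == "event":
            cache[event_id] = True
            if len(cache) >= cached_events_max:
                # Cache is full: everything is logged and the cache is cleaned.
                cache.clear()
        elif kind == "packet":
            bucket = correlated if event_id in cache else orphaned
            bucket[event_id] = bucket.get(event_id, 0) + 1
        else:
            raise ValueError("unknown record kind: %r" % (kind,))
    return correlated, orphaned


def sample_spool(first_event_id=23525, count=64, packets_per_event=2):
    """Constructed spool: `count` consecutive events, each followed by its
    packets. With the defaults, event 23588 (Jim's example) is the 64th event."""
    out = []
    for event_id in range(first_event_id, first_event_id + count):
        out.append(("event", event_id))
        out.extend(("packet", event_id) for _ in range(packets_per_event))
    return out


if __name__ == "__main__":
    for limit in (64, 256):
        _, orphaned = correlate(sample_spool(), limit)
        print("CACHED_EVENTS_MAX=%d -> orphaned packets: %s" % (limit, orphaned))
```

With the limit at 64 both packets of event 23588 are orphaned, while 256 (one of the values elz suggests) correlates every packet in the same spool.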