Snort mailing list archives
Re: barnyard2-1.10 major problem
From: "Lawrence R. Hughes, Sr." <lhughes () safemedia com>
Date: Wed, 24 Oct 2012 12:03:17 -0400
Here is our response to Firnsy:

----- Original Message -----
From: "Lawrence R. Hughes, Sr." <lhughes () safemedia com>
To: "firnsy" <firnsy () securixlive com>
Cc: "safwat fahmy" <safwat.fahmy () safemedia com>
Sent: Monday, October 22, 2012 12:08 PM
Subject: Re: barnyard2-1.10 build 310

Hi Firnsy,

Not sure what you wanted me to do with u2_anon (packaged as a Windows zip w/ src code). Can't compile Windows source code.

We made the change you suggested (increase CACHED_EVENTS_MAX). This did not help!! I am attaching the orig. snort unified2 file and you will see one event with 2 packets; however, by2 only inserted the first packet, and this happened after we modified by2 as you suggested.

Thanks,
Larry

On Fri, Oct 19, 2012 at 6:45 PM, firnsy <firnsy () securixlive com> wrote:
> Mate,
>
> Hum, how large is your unified2 file? I think what is happening is that you are hitting the cache maximum. In src/spooler.c change line 44
>
> #define CACHED_EVENTS_MAX 256
>
> and set it to 1024 or even 2048. I am under the impression that what is happening is that the packet you are mentioning is hitting the cache limit and when the cache gets recycled, your packet is logged since it's hitting an orphan event.
>
> If that doesn't work I would appreciate it if you can use u2_anon -> https://github.com/binf/u2_anon and send us your unified2 file.
>
> But for the record, the changes that have been done in the database output plugin shouldn't affect how stream packets get logged.
>
> Let us know how it goes.
>
> -elz

-------- Forwarded Message --------
From: Lawrence R. Hughes, Sr. <lhughes () safemedia com>
To: firnsy <firnsy () securixlive com>
Cc: safwat fahmy <safwat.fahmy () safemedia com>
Subject: Re: barnyard2-1.10 build 310
Date: Fri, 19 Oct 2012 14:12:39 -0400

We are still having a problem with barnyard2-1.10 inserting the packets into mysql. Here is an event from snort's unified2 logfile decoded with u2spewfoo:

(Event)
    sensor id: 0    event id: 13    event second: 1350640282    event microsecond: 285798
    sig id: 2007728    gen id: 1    revision: 7    classification: 21
    priority: 1    ip source: 209.243.55.105    ip destination: 178.77.103.54
    src port: 26343    dest port: 8080    protocol: 6    impact_flag: 0    blocked: 0

Packet
    sensor id: 0    event id: 13    event second: 1350640282
    packet second: 1350640282    packet microsecond: 285798
    linktype: 1    packet_length: 371
    [371-byte packet hex dump]

Packet
    sensor id: 0    event id: 13    event second: 1350640282
    packet second: 1350640282    packet microsecond: 402773
    linktype: 1    packet_length: 907
    [907-byte packet hex dump]

Barnyard2-1.10 only inserted the first packet shown above into the snort.data table?? What happened to the second packet??

We are not using tagged packets. We are in a heap of trouble here because we can't show in the payload where the markers were for the rule that fired the event?? I have your source open and ready to patch..

Thanks,
Larry

----- Original Message -----
From: "firnsy" <firnsy () securixlive com>
To: "Lawrence R. Hughes, Sr." <lhughes () safemedia com>
Cc: <beenph () gmaill com>; "safwat fahmy" <safwat.fahmy () safemedia com>
Sent: Thursday, October 04, 2012 7:02 AM
Subject: Re: barnyard2-1.10 build 310

> On Wed, 2012-10-03 at 13:44 -0400, Lawrence R. Hughes, Sr. wrote:
>> Hi Firnsy,
>
> G'day Larry,
>
>> We are having problems with this build, it appears you are not
>> inserting all the packets that were in the snort unified2 log file..
>> We checked the snort2.9.3.1 unified2 log file with u2spewfoo and
>> the event packets were there, but never got inserted into the
>> mysql data table only the first packet???
>
> Are you talking about tagged packets? If so you're also saying that
> tagged packets used to be appended in 2-1.9 and are no longer in 2-1.10.
>
> The database has undergone serious optimisations in this version
> and it's possible this is a regression. I can't immediately see why
> it would be sending tagged packets.
>
> Can you provide your snort.conf and barnyard2.conf (sans passwords)
> and the barnyard2 command invocation you're using.
>
>> We are also seeing alerts show up without the msg for the alert
>> which is in the sid-msg.map? We verified the sid number was in the
>> sid-msg.map, but barnyard2 didn't send it through??
>
> Ok, it seems there are bigger issues afoot here. I've cc'd Eric
> who has done the optimisations on this "soon to be legacy" db
> plugin and should be able to explain.
>
> Regards,
> firnsy
Attachment: snort.log.1350901409
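An added example, not code from the thread or from barnyard2, of the check Larry was doing by hand with u2spewfoo: walk a unified2 spool file, count how many UNIFIED2_PACKET records belong to each UNIFIED2_IDS_EVENT, and flag packets whose event record never appeared (the "orphan" case firnsy mentions). Record layouts follow Snort's Unified2_common.h (type 7 legacy IDS event, type 2 packet); the sample spool is constructed inline with the event/packet ids from the message above, and the per-event counts are what one would expect to find as rows in snort.data.

```python
import struct
# unified2 record types (values from Snort's Unified2_common.h)
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
IDS_EVENT_FMT = ">11I2H4B"  # Serial_Unified2IDSEvent_legacy: 11 x u32, 2 x u16, 4 x u8 = 52 bytes
PACKET_HDR_FMT = ">7I"      # Serial_Unified2Packet header: 7 x u32, then packet_length bytes of frame

def iter_records(data):
    """Yield (type, payload) per record; stop at a truncated tail (file still being written)."""
    off = 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack_from(">II", data, off)
        off += 8
        if off + rlen > len(data):
            break
        yield rtype, data[off:off + rlen]
        off += rlen

def packets_per_event(data):
    """Return ({(sensor_id, event_id, event_second): packet_count}, orphan_packets)."""
    events, orphans = {}, 0
    for rtype, payload in iter_records(data):
        if rtype == UNIFIED2_IDS_EVENT:
            key = tuple(struct.unpack(IDS_EVENT_FMT, payload[:52])[:3])
            events[key] = 0
        elif rtype == UNIFIED2_PACKET:
            key = tuple(struct.unpack_from(PACKET_HDR_FMT, payload)[:3])
            if key in events:
                events[key] += 1
            else:
                orphans += 1  # packet whose event record was never seen
    return events, orphans

def make_event(sensor, event_id, sec, usec, sid, gid):  # constructed IDS_EVENT record
    body = struct.pack(IDS_EVENT_FMT, sensor, event_id, sec, usec, sid, gid,
                       7, 21, 1, 0, 0, 0, 0, 6, 0, 0, 0)  # rev, class, prio, ips, ports, proto, flags
    return struct.pack(">II", UNIFIED2_IDS_EVENT, len(body)) + body

def make_packet(sensor, event_id, sec, usec, frame):  # constructed PACKET record, linktype 1
    body = struct.pack(PACKET_HDR_FMT, sensor, event_id, sec, sec, usec, 1, len(frame)) + frame
    return struct.pack(">II", UNIFIED2_PACKET, len(body)) + body

# Constructed sample: event 13 with two packets (as in the thread), event 14 with one, and a stray packet for event 99 (no event record)
SAMPLE = (make_event(0, 13, 1350640282, 285798, 2007728, 1)
          + make_packet(0, 13, 1350640282, 285798, b"POST /index.php HTTP/1.1\r\n")
          + make_packet(0, 13, 1350640282, 402773, b"\r\n--1BEF0A57BE110FD467A\r\n")
          + make_event(0, 14, 1350640300, 0, 2007728, 1)
          + make_packet(0, 14, 1350640300, 0, b"GET / HTTP/1.1\r\n")
          + make_packet(0, 99, 1350640300, 0, b"orphan"))
```

Feeding the real spool file's bytes to `packets_per_event` gives the packet count each event should have in snort.data; a lower count in the table for an event whose packets are all present in the file points at the spooler or output plugin rather than at snort.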
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- barnyard2-1.10 major problem Lawrence R. Hughes, Sr. (Oct 24)
- Re: barnyard2-1.10 major problem beenph (Oct 24)
- Re: barnyard2-1.10 major problem Lawrence R. Hughes, Sr. (Oct 24)
- Re: barnyard2-1.10 major problem beenph (Oct 24)
- Re: barnyard2-1.10 major problem Lawrence R. Hughes, Sr. (Oct 24)
- Re: barnyard2-1.10 major problem beenph (Oct 24)
- Re: barnyard2-1.10 major problem Lawrence R. Hughes, Sr. (Oct 24)
- Re: barnyard2-1.10 major problem beenph (Oct 24)
- <Possible follow-ups>
- Re: barnyard2-1.10 major problem Lawrence R. Hughes, Sr. (Oct 24)
- Re: barnyard2-1.10 major problem beenph (Oct 24)
- Message not available
- Fwd: Re: barnyard2-1.10 major problem Jack (Oct 25)
- Re: Fwd: Re: barnyard2-1.10 major problem beenph (Oct 25)
- Re: Fwd: Re: barnyard2-1.10 major problem Lawrence R. Hughes, Sr. (Oct 25)
- Re: Fwd: Re: barnyard2-1.10 major problem beenph (Oct 25)
- Re: Fwd: Re: barnyard2-1.10 major problem Lawrence R. Hughes, Sr. (Oct 25)
- Re: Fwd: Re: barnyard2-1.10 major problem beenph (Oct 25)
- Re: Fwd: Re: barnyard2-1.10 major problem Lawrence R. Hughes, Sr. (Oct 25)
- Re: Fwd: Re: barnyard2-1.10 major problem beenph (Oct 25)
- Re: Fwd: Re: barnyard2-1.10 major problem Lawrence R. Hughes, Sr. (Oct 25)
- Re: barnyard2-1.10 major problem beenph (Oct 24)