Snort mailing list archives

Re: barnyard2-1.10 major problem


From: "Lawrence R. Hughes, Sr." <lhughes () safemedia com>
Date: Wed, 24 Oct 2012 12:03:17 -0400

Here is our response to Firnsy:

----- Original Message ----- From: "Lawrence R. Hughes, Sr." <lhughes () safemedia com>
To: "firnsy" <firnsy () securixlive com>
Cc: "safwat fahmy" <safwat.fahmy () safemedia com>
Sent: Monday, October 22, 2012 12:08 PM
Subject: Re: barnyard2-1.10 build 310


Hi Firnsy,

Not sure what you wanted me to do with u2_anon (packaged as a Windows zip
with source code).
Can't compile Windows source code.

We made the change you suggested (increase CACHED_EVENTS_MAX).

This did not help!!

I am attaching the original Snort unified2 file and you will see one event with
2 packets; however, by2 only inserted the first packet, and this happened after we
modified by2 as you suggested.

Thanks,
Larry




On Fri, Oct 19, 2012 at 6:45 PM, firnsy <firnsy () securixlive com> wrote:
Mate,

Hmm, how large is your unified2 file? I think what is happening is that you
are hitting the cache maximum.
In src/spooler.c change line 44 #define CACHED_EVENTS_MAX 256

and set it to 1024 or even 2048.

I am under the impression that what is happening is that the packet you are
mentioning is hitting the cache limit and when the cache gets recycled, your
packet is logged since it's hitting an orphan event.

If that doesn't work I would appreciate it if you can use u2_anon ->
https://github.com/binf/u2_anon

and send us your unified2 file.

But for the record, the changes that have been done in the database output
plugin shouldn't affect how stream packets get logged.

Let us know how it goes.

-elz



-------- Forwarded Message --------
From: Lawrence R. Hughes, Sr. <lhughes () safemedia com>
To: firnsy <firnsy () securixlive com>
Cc: safwat fahmy <safwat.fahmy () safemedia com>
Subject: Re: barnyard2-1.10 build 310
Date: Fri, 19 Oct 2012 14:12:39 -0400

We are still having a problem with barnyard2-1.10 inserting the packets into
mysql:

Here is an event from Snort's unified2 log file decoded with u2spewfoo:

(Event)
        sensor id: 0    event id: 13    event second: 1350640282        event microsecond: 285798
        sig id: 2007728 gen id: 1       revision: 7     classification: 21
        priority: 1     ip source: 209.243.55.105       ip destination: 178.77.103.54
        src port: 26343 dest port: 8080 protocol: 6     impact_flag: 0  blocked: 0

Packet
        sensor id: 0    event id: 13    event second: 1350640282
        packet second: 1350640282       packet microsecond: 285798
        linktype: 1     packet_length: 371
[    0] 00 00 0C 07 AC 00 00 0E 84 EB 44 80 08 00 45 00  ..........D...E.
[   16] 01 65 73 44 40 00 40 06 A3 6E D1 F3 37 69 B2 4D  .esD@.@..n..7i.M
[   32] 67 36 66 E7 1F 90 55 CF 83 69 F0 57 AF 89 50 18  g6f...U..i.W..P.
[   48] 01 02 8D 8E 00 00 50 4F 53 54 20 2F 69 6E 64 65  ......POST /inde
[   64] 78 2E 70 68 70 20 48 54 54 50 2F 31 2E 31 0D 0A  x.php HTTP/1.1..
[   80] 48 6F 73 74 3A 20 31 37 38 2E 37 37 2E 31 30 33  Host: 178.77.103
[   96] 2E 35 34 3A 38 30 38 30 3A 38 30 0D 0A 55 73 65  .54:8080:80..Use
[  112] 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61  r-Agent: Mozilla
[  128] 2F 34 2E 30 20 28 63 6F 6D 70 61 74 69 62 6C 65  /4.0 (compatible
[  144] 3B 20 4D 53 49 45 20 36 2E 30 3B 20 57 69 6E 64  ; MSIE 6.0; Wind
[  160] 6F 77 73 20 4E 54 20 36 2E 31 3B 20 53 56 31 3B  ows NT 6.1; SV1;
[  176] 20 2E 4E 45 54 20 43 4C 52 20 31 2E 31 2E 34 37   .NET CLR 1.1.47
[  192] 37 37 29 0D 0A 41 63 63 65 70 74 3A 20 2A 2F 2A  77)..Accept: */*
[  208] 0D 0A 41 63 63 65 70 74 2D 4C 61 6E 67 75 61 67  ..Accept-Languag
[  224] 65 3A 20 65 6E 2D 67 62 0D 0A 41 63 63 65 70 74  e: en-gb..Accept
[  240] 2D 45 6E 63 6F 64 69 6E 67 3A 20 64 65 66 6C 61  -Encoding: defla
[  256] 74 65 0D 0A 43 61 63 68 65 2D 43 6F 6E 74 72 6F  te..Cache-Contro
[  272] 6C 3A 20 6E 6F 2D 63 61 63 68 65 0D 0A 43 6F 6E  l: no-cache..Con
[  288] 74 65 6E 74 2D 54 79 70 65 3A 20 6D 75 6C 74 69  tent-Type: multi
[  304] 70 61 72 74 2F 66 6F 72 6D 2D 64 61 74 61 3B 20  part/form-data;
[  320] 62 6F 75 6E 64 61 72 79 3D 31 42 45 46 30 41 35  boundary=1BEF0A5
[  336] 37 42 45 31 31 30 46 44 34 36 37 41 0D 0A 43 6F  7BE110FD467A..Co
[  352] 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 38 35  ntent-Length: 85
[  368] 31 0D 0A                                         1..

Packet
        sensor id: 0    event id: 13    event second: 1350640282
        packet second: 1350640282       packet microsecond: 402773
        linktype: 1     packet_length: 907
[    0] 00 00 0C 07 AC 00 00 0E 84 EB 44 80 08 00 45 00  ..........D...E.
[   16] 03 7D 73 45 40 00 40 06 A1 55 D1 F3 37 69 B2 4D  .}sE@.@..U..7i.M
[   32] 67 36 66 E7 1F 90 55 CF 84 A6 F0 57 AF 89 50 18  g6f...U....W..P.
[   48] 01 02 DA BE 00 00 0D 0A 2D 2D 31 42 45 46 30 41  ........--1BEF0A
[   64] 35 37 42 45 31 31 30 46 44 34 36 37 41 0D 0A 43  57BE110FD467A..C
[   80] 6F 6E 74 65 6E 74 2D 44 69 73 70 6F 73 69 74 69  ontent-Dispositi
[   96] 6F 6E 3A 20 66 6F 72 6D 2D 64 61 74 61 3B 20 6E  on: form-data; n
[  112] 61 6D 65 3D 22 73 69 64 22 0D 0A 0D 0A 35 35 36  ame="sid"....556
[  128] 31 31 33 35 35 31 31 34 32 31 32 36 35 0D 0A 2D  1135511421265..-
[  144] 2D 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44  -1BEF0A57BE110FD
[  160] 34 36 37 41 0D 0A 43 6F 6E 74 65 6E 74 2D 44 69  467A..Content-Di
[  176] 73 70 6F 73 69 74 69 6F 6E 3A 20 66 6F 72 6D 2D  sposition: form-
[  192] 64 61 74 61 3B 20 6E 61 6D 65 3D 22 75 70 22 0D  data; name="up".
[  208] 0A 0D 0A 38 36 31 31 34 33 36 31 0D 0A 2D 2D 31  ...86114361..--1
[  224] 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36  BEF0A57BE110FD46
[  240] 37 41 0D 0A 43 6F 6E 74 65 6E 74 2D 44 69 73 70  7A..Content-Disp
[  256] 6F 73 69 74 69 6F 6E 3A 20 66 6F 72 6D 2D 64 61  osition: form-da
[  272] 74 61 3B 20 6E 61 6D 65 3D 22 77 62 66 6C 22 0D  ta; name="wbfl".
[  288] 0A 0D 0A 31 0D 0A 2D 2D 31 42 45 46 30 41 35 37  ...1..--1BEF0A57
[  304] 42 45 31 31 30 46 44 34 36 37 41 0D 0A 43 6F 6E  BE110FD467A..Con
[  320] 74 65 6E 74 2D 44 69 73 70 6F 73 69 74 69 6F 6E  tent-Disposition
[  336] 3A 20 66 6F 72 6D 2D 64 61 74 61 3B 20 6E 61 6D  : form-data; nam
[  352] 65 3D 22 76 22 0D 0A 0D 0A 31 37 38 0D 0A 2D 2D  e="v"....178..--
[  368] 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34  1BEF0A57BE110FD4
[  384] 36 37 41 0D 0A 43 6F 6E 74 65 6E 74 2D 44 69 73  67A..Content-Dis
[  400] 70 6F 73 69 74 69 6F 6E 3A 20 66 6F 72 6D 2D 64  position: form-d
[  416] 61 74 61 3B 20 6E 61 6D 65 3D 22 70 69 6E 67 22  ata; name="ping"
[  432] 0D 0A 0D 0A 38 33 32 0D 0A 2D 2D 31 42 45 46 30  ....832..--1BEF0
[  448] 41 35 37 42 45 31 31 30 46 44 34 36 37 41 0D 0A  A57BE110FD467A..
[  464] 43 6F 6E 74 65 6E 74 2D 44 69 73 70 6F 73 69 74  Content-Disposit
[  480] 69 6F 6E 3A 20 66 6F 72 6D 2D 64 61 74 61 3B 20  ion: form-data;
[  496] 6E 61 6D 65 3D 22 67 75 69 64 22 0D 0A 0D 0A 7B  name="guid"....{
[  512] 44 41 35 36 45 35 43 30 2D 32 30 34 37 2D 34 30  DA56E5C0-2047-40
[  528] 46 38 2D 42 32 42 44 2D 46 37 42 44 30 35 43 35  F8-B2BD-F7BD05C5
[  544] 32 38 36 31 7D 0D 0A 2D 2D 31 42 45 46 30 41 35  2861}..--1BEF0A5
[  560] 37 42 45 31 31 30 46 44 34 36 37 41 0D 0A 43 6F  7BE110FD467A..Co
[  576] 6E 74 65 6E 74 2D 44 69 73 70 6F 73 69 74 69 6F  ntent-Dispositio
[  592] 6E 3A 20 66 6F 72 6D 2D 64 61 74 61 3B 20 6E 61  n: form-data; na
[  608] 6D 65 3D 22 77 76 22 0D 0A 0D 0A 36 23 32 23 31  me="wv"....6#2#1
[  624] 23 30 23 37 36 30 31 23 36 34 32 0D 0A 2D 2D 31  #0#7601#642..--1
[  640] 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36  BEF0A57BE110FD46
[  656] 37 41 0D 0A 43 6F 6E 74 65 6E 74 2D 44 69 73 70  7A..Content-Disp
[  672] 6F 73 69 74 69 6F 6E 3A 20 66 6F 72 6D 2D 64 61  osition: form-da
[  688] 74 61 3B 20 6E 61 6D 65 3D 22 6D 73 22 0D 0A 0D  ta; name="ms"...
[  704] 0A 30 3A 30 3A 30 3A 30 3A 30 3A 30 3A 30 3A 30  .0:0:0:0:0:0:0:0
[  720] 3A 30 3A 30 3A 30 3A 30 3A 30 3A 30 3A 30 3A 30  :0:0:0:0:0:0:0:0
[  736] 3A 30 0D 0A 2D 2D 31 42 45 46 30 41 35 37 42 45  :0..--1BEF0A57BE
[  752] 31 31 30 46 44 34 36 37 41 0D 0A 43 6F 6E 74 65  110FD467A..Conte
[  768] 6E 74 2D 44 69 73 70 6F 73 69 74 69 6F 6E 3A 20  nt-Disposition:
[  784] 66 6F 72 6D 2D 64 61 74 61 3B 20 6E 61 6D 65 3D  form-data; name=
[  800] 22 73 72 22 0D 0A 0D 0A 30 0D 0A 2D 2D 31 42 45  "sr"....0..--1BE
[  816] 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41  F0A57BE110FD467A
[  832] 0D 0A 43 6F 6E 74 65 6E 74 2D 44 69 73 70 6F 73  ..Content-Dispos
[  848] 69 74 69 6F 6E 3A 20 66 6F 72 6D 2D 64 61 74 61  ition: form-data
[  864] 3B 20 6E 61 6D 65 3D 22 61 72 22 0D 0A 0D 0A 30  ; name="ar"....0
[  880] 0D 0A 2D 2D 31 42 45 46 30 41 35 37 42 45 31 31  ..--1BEF0A57BE11
[  896] 30 46 44 34 36 37 41 2D 2D 0D 0A                 0FD467A--..

Barnyard2-1.10 only inserted the first packet shown above into the
snort.data table.

What happened to the second packet? We are not using tagged packets.

We are in a heap of trouble here because we can't show in the payload
where the markers were for the rule that fired the event.

I have your source open and ready to patch..


Thanks,
Larry




----- Original Message -----
From: "firnsy" <firnsy () securixlive com>
To: "Lawrence R. Hughes, Sr." <lhughes () safemedia com>
Cc: <beenph () gmaill com>; "safwat fahmy" <safwat.fahmy () safemedia com>
Sent: Thursday, October 04, 2012 7:02 AM
Subject: Re: barnyard2-1.10 build 310


> On Wed, 2012-10-03 at 13:44 -0400, Lawrence R. Hughes, Sr. wrote:
>> Hi Firnsy,
>
> G'day Larry,
>
>> We are having problems with this build, it appears you are not
>> inserting all the packets that were in the snort unified2 log file.
>> We checked the snort 2.9.3.1 unified2 log file with u2spewfoo and
>> the event packets were there, but they never got inserted into the
>> mysql data table, only the first packet?
>
> Are you talking about tagged packets? If so you're also saying that
> tagged packets used to be appended in 2-1.9 and are no longer in 2-1.10.
>
> The database has undergone serious optimisations in this version
> and it's possible this is a regression. I can't immediately see why
> it would be sending tagged packets.
>
> Can you provide your snort.conf and barnyard2.conf (sans passwords)
> and the barnyard2 command invocation you're using.
>
>> We are also seeing alerts show up without the msg for the alert,
>> which is in the sid-msg.map. We verified the sid number was in the
>> sid-msg.map, but barnyard2 didn't send it through?
>
> Ok, it seems there are bigger issues afoot here. I've cc'd Eric,
> who has done the optimisations on this "soon to be legacy" db
> plugin and should be able to explain.
>
> Regards,
> firnsy
>





Attachment: snort.log.1350901409
Description:

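The thread turns on a single factual question: does the unified2 file really carry two UNIFIED2_PACKET records for event id 13, or is u2spewfoo's view of it somehow different from barnyard2's? The script below is an added example, not code from barnyard2, u2spewfoo or anyone in this thread. It walks a unified2 file record by record, ties each packet record back to its event by the (sensor id, event id, event second) triple, and counts packets per event, so you can confirm the "one event, two packets" claim independently of both tools. It also reports packet records whose event never appeared earlier in the file, which is the orphan situation firnsy describes when the spooler's event cache is recycled. The record layouts are those of Snort's Unified2_common.h (legacy IPv4 event type 7, packet type 2; the VLAN event type 104 shares the same first three fields, so grouping still works). The sample bytes are constructed here from the u2spewfoo output quoted above (same ids, timestamps and packet lengths, placeholder payloads); they are not the attached snort.log file. Run it with a path argument to check a real spool file.

```python
"""Count UNIFIED2_PACKET records per event in a unified2 spool file.

Added example, not barnyard2 or u2spewfoo code. Layouts follow Snort's
Unified2_common.h; the sample in build_sample() is CONSTRUCTED from the
thread's u2spewfoo output and is not the attached snort.log file.
"""
import struct
from collections import defaultdict

# Record types from Snort's unified2 format.
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7          # legacy IPv4 event, 52-byte body
UNIFIED2_IDS_EVENT_VLAN = 104   # IPv4 event with MPLS/VLAN fields, 60-byte body
EVENT_TYPES = {UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_VLAN}

RECORD_HDR = struct.Struct("!II")        # type, length (big-endian)
EVENT_PREFIX = struct.Struct("!III")     # sensor_id, event_id, event_second
PACKET_HDR = struct.Struct("!IIIIIII")   # sensor_id, event_id, event_second,
                                         # packet_second, packet_usec, linktype, packet_length


def iter_records(data):
    """Yield (type, body) for each complete record; stop on a truncated tail."""
    off = 0
    while off + RECORD_HDR.size <= len(data):
        rtype, length = RECORD_HDR.unpack_from(data, off)
        off += RECORD_HDR.size
        if off + length > len(data):
            break  # partial record: Snort may still be appending it
        yield rtype, data[off:off + length]
        off += length


def packets_per_event(data):
    """Return ({(sensor, event_id, event_sec): [packet_length, ...]}, [orphan keys]).

    A packet record is an orphan when no event record with the same key
    precedes it in the file; that is what a consumer with a bounded event
    cache would see after the event has been evicted.
    """
    seen = set()
    packets = defaultdict(list)
    orphans = []
    for rtype, body in iter_records(data):
        if rtype in EVENT_TYPES:
            seen.add(EVENT_PREFIX.unpack_from(body, 0))
        elif rtype == UNIFIED2_PACKET:
            sensor, eid, esec, _psec, _pusec, _link, plen = PACKET_HDR.unpack_from(body, 0)
            key = (sensor, eid, esec)
            if key in seen:
                packets[key].append(plen)
            else:
                orphans.append(key)
    return dict(packets), orphans


def build_sample():
    """CONSTRUCTED bytes: one legacy event (id 13) followed by its two packets."""
    def record(rtype, body):
        return RECORD_HDR.pack(rtype, len(body)) + body

    def ipv4(dotted):
        return struct.unpack("!I", bytes(int(x) for x in dotted.split(".")))[0]

    # Serial_Unified2IDSEvent_legacy: 11 x u32, 2 x u16, 4 x u8 = 52 bytes.
    event = struct.pack("!IIIIIIIIIIIHHBBBB",
                        0, 13, 1350640282, 285798,             # sensor, event id, second, usec
                        2007728, 1, 7, 21, 1,                  # sig id, gen id, rev, class, priority
                        ipv4("209.243.55.105"), ipv4("178.77.103.54"),
                        26343, 8080, 6, 0, 0, 0)               # ports, proto, impact_flag, impact, blocked

    def packet(usec, payload):
        hdr = PACKET_HDR.pack(0, 13, 1350640282, 1350640282, usec, 1, len(payload))
        return record(UNIFIED2_PACKET, hdr + payload)

    # Payloads are placeholders sized like the quoted packets (371 and 907 bytes).
    return (record(UNIFIED2_IDS_EVENT, event)
            + packet(285798, b"P" * 371)
            + packet(402773, b"Q" * 907))


if __name__ == "__main__":
    import sys
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    pkts, orphans = packets_per_event(raw)
    for key, lens in sorted(pkts.items()):
        print("sensor %d event %d @%d: %d packet record(s), lengths %s" % (*key, len(lens), lens))
    if orphans:
        print("orphan packet records (no preceding event record): %d" % len(orphans))
```

Against the constructed sample this reports one event with two packet records of 371 and 907 bytes; if a real spool file reports the same but the database row count does not, the loss is on the consumer side rather than in the file. A non-zero orphan count on a real file would, by contrast, support the cache-eviction explanation only if the consumer reads the file in a different order than this straight walk, so treat it as a hint rather than a verdict.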
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users