Snort mailing list archives
Re: Fwd: Re: barnyard2-1.10 major problem
From: "Lawrence R. Hughes, Sr." <lhughes () safemedia com>
Date: Thu, 25 Oct 2012 12:33:38 -0400
Beenph,

Snort did not break the following into two (2) different events. Unified2 output from snort.log:

(Event)
    sensor id: 0    event id: 1    event second: 1350903278    event microsecond: 178786
    sig id: 2805523    gen id: 1    revision: 1    classification: 21    priority: 1
    ip source: 172.25.236.179    ip destination: 207.171.163.31
    src port: 4926    dest port: 80    protocol: 6    impact_flag: 0    blocked: 0

Packet
    sensor id: 0    event id: 1    event second: 1350903278
    packet second: 1350903278    packet microsecond: 178786
    linktype: 1    packet_length: 449
[  0]  00 0E 0C C1 D5 7B 00 0D 66 DC D0 00 08 00 45 00  .....{..f.....E.
[ 16]  01 B3 7F 06 40 00 40 06 AE A6 AC 19 EC B3 CF AB  ....@.@.........
[ 32]  A3 1F 13 3E 00 50 41 49 60 BC AA E5 94 90 50 18  ...>.PAI`.....P.
[ 48]  19 20 84 D8 00 00 47 45 54 20 2F 69 6E 73 74 61  . ....GET /insta
[ 64]  6C 6C 65 72 2E 67 69 66 3F 61 63 74 69 6F 6E 3D  ller.gif?action=
[ 80]  66 69 6E 69 73 68 65 64 26 62 72 6F 77 73 65 72  finished&browser
[ 96]  3D 69 65 37 26 76 65 72 3D 31 5F 32 33 5F 31 35  =ie7&ver=1_23_15
[112]  31 5F 31 35 31 26 62 69 63 3D 44 36 44 44 36 46  1_151&bic=D6DD6F
[128]  43 43 43 36 33 38 34 43 42 46 41 43 33 32 32 32  CCC6384CBFAC3222
[144]  34 39 41 33 31 33 36 44 37 31 49 45 26 61 70 70  49A3136D71IE&app
[160]  3D 34 34 39 33 26 61 70 70 76 65 72 3D 34 30 26  =4493&appver=40&
[176]  76 65 72 69 66 69 65 72 3D 31 63 36 32 66 61 39  verifier=1c62fa9
[192]  61 34 61 33 36 33 32 34 63 33 36 35 38 34 64 38  a4a36324c36584d8
[208]  31 34 35 39 65 33 36 62 32 26 73 72 63 69 64 3D  1459e36b2&srcid=
[224]  38 38 39 37 34 26 73 75 62 69 64 3D 64 65 66 61  88974&subid=defa
[240]  75 6C 74 26 7A 64 61 74 61 3D 38 38 39 37 34 26  ult&zdata=88974&
[256]  73 75 62 69 64 3D 26 70 69 64 3D 31 33 32 32 26  subid=&pid=1322&
[272]  66 66 3D 30 5F 38 35 26 63 68 3D 31 5F 32 30 5F  ff=0_85&ch=1_20_
[288]  33 37 26 64 65 66 61 75 6C 74 3D 69 65 26 6F 73  37&default=ie&os
[304]  3D 58 50 26 61 64 6D 69 6E 3D 31 26 74 79 70 65  =XP&admin=1&type
[320]  3D 31 32 34 31 37 26 61 73 77 3D 30 20 48 54 54  =12417&asw=0 HTT
[336]  50 2F 31 2E 30 0D 0A 55 73 65 72 2D 41 67 65 6E  P/1.0..User-Agen
[352]  74 3A 20 4E 53 49 53 5F 49 6E 65 74 63 20 28 4D  t: NSIS_Inetc (M
[368]  6F 7A 69 6C 6C 61 29 0D 0A 48 6F 73 74 3A 20 73  ozilla)..Host: s
[384]  74 61 74 73 2E 63 72 6F 73 73 72 69 64 65 72 2E  tats.crossrider.
[400]  63 6F 6D 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A  com..Connection:
[416]  20 4B 65 65 70 2D 41 6C 69 76 65 0D 0A 50 72 61   Keep-Alive..Pra
[432]  67 6D 61 3A 20 6E 6F 2D 63 61 63 68 65 0D 0A 0D  gma: no-cache...
[448]  0A                                               .

Packet
    sensor id: 0    event id: 1    event second: 1350903278
    packet second: 1350903278    packet microsecond: 300156
    linktype: 1    packet_length: 381
[  0]  00 0E 0C C1 D5 7B 00 0D 66 DC D0 00 08 00 45 00  .....{..f.....E.
[ 16]  01 6F 7F 08 40 00 40 06 AE E8 AC 19 EC B3 CF AB  .o..@.@.........
[ 32]  A3 1F 13 3E 00 50 41 49 62 47 AA E5 96 5E 50 18  ...>.PAIbG...^P.
[ 48]  1D 50 BB 8D 00 00 47 45 54 20 2F 61 70 70 73 2E  .P....GET /apps.
[ 64]  67 69 66 3F 61 63 74 69 6F 6E 3D 69 6E 73 74 61  gif?action=insta
[ 80]  6C 6C 26 62 72 6F 77 73 65 72 3D 69 65 37 26 76  ll&browser=ie7&v
[ 96]  65 72 3D 31 5F 32 33 5F 31 35 31 5F 31 35 31 26  er=1_23_151_151&
[112]  62 69 63 3D 44 36 44 44 36 46 43 43 43 36 33 38  bic=D6DD6FCCC638
[128]  34 43 42 46 41 43 33 32 32 32 34 39 41 33 31 33  4CBFAC322249A313
[144]  36 44 37 31 49 45 26 61 70 70 3D 34 34 39 33 26  6D71IE&app=4493&
[160]  61 70 70 76 65 72 3D 34 30 26 76 65 72 69 66 69  appver=40&verifi
[176]  65 72 3D 31 63 36 32 66 61 39 61 34 61 33 36 33  er=1c62fa9a4a363
[192]  32 34 63 33 36 35 38 34 64 38 31 34 35 39 65 33  24c36584d81459e3
[208]  36 62 32 26 69 6E 73 74 61 6C 6C 74 69 6D 65 3D  6b2&installtime=
[224]  31 33 35 30 39 31 38 31 34 39 26 63 75 72 74 69  1350918149&curti
[240]  6D 65 3D 31 33 35 30 39 31 38 31 34 39 26 6C 69  me=1350918149&li
[256]  66 65 74 69 6D 65 3D 30 20 48 54 54 50 2F 31 2E  fetime=0 HTTP/1.
[272]  30 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4E  0..User-Agent: N
[288]  53 49 53 5F 49 6E 65 74 63 20 28 4D 6F 7A 69 6C  SIS_Inetc (Mozil
[304]  6C 61 29 0D 0A 48 6F 73 74 3A 20 73 74 61 74 73  la)..Host: stats
[320]  2E 63 72 6F 73 73 72 69 64 65 72 2E 63 6F 6D 0D  .crossrider.com.
[336]  0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 4B 65 65  .Connection: Kee
[352]  70 2D 41 6C 69 76 65 0D 0A 50 72 61 67 6D 61 3A  p-Alive..Pragma:
[368]  20 6E 6F 2D 63 61 63 68 65 0D 0A 0D 0A            no-cache....

There is one (1) event header and two (2) packets! If Snort wanted two (2) events it would have put two (2) event headers in the unified2 log file. You have it all wrong, beenph! Just ask the guys at SF: the above should be treated as a single event with 2 packets. When can you fix this in spooler.c???

Thanks,
Larry

----- Original Message -----
From: "beenph" <beenph () gmail com>
To: "Lawrence R. Hughes, Sr." <lhughes () safemedia com>
Cc: <barnyard2-users () googlegroups com>; "snort-users" <snort-users () lists sourceforge net>
Sent: Thursday, October 25, 2012 12:02 PM
Subject: Re: [Snort-users] Fwd: Re: barnyard2-1.10 major problem

On Thu, Oct 25, 2012 at 11:57 AM, Lawrence R. Hughes, Sr. <lhughes () safemedia com> wrote:
> Beenph,
>
> So what I see, and correct me if I am wrong, is that you take a single event from Snort that has 2 packets and create 2 separate events in the database. So if I had a single event from Snort that has 6 packets that are all listed with the same event_id, barnyard would create 6 events in the snort.event database, correct? If this is the case, please explain why you would break the packets from a single event into several events.

That's exact. We do not break anything up; it is logged to the database as it is present in the unified2 file:

UNIFIED2_RECORD_HEADER
EVENT X
UNIFIED2_RECORD_HEADER
PACKET1 EVENT X
UNIFIED2_RECORD_HEADER
PACKET2 EVENT X
UNIFIED2_RECORD_HEADER
PACKETN EVENT X

-elz
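The record sequence beenph describes, parsed in Python, as an added example that is not code from this thread, from barnyard2 or from Snort. Every unified2 record starts with a Unified2_RecordHeader (type, length); the legacy IPv4 event record (type 7) carries the event header once, and each packet record (type 2) repeats only sensor_id, event_id and event_second, which is the whole link back to its event. The sample spool is constructed from the header values in Larry's dump; the packet payloads are placeholders rather than the 449- and 381-byte frames above. The (sensor_id, event_id, event_second) grouping key and the `group_by_event` helper are this example's own choice, not barnyard2's spooler logic.

```python
import socket
import struct

# Record type codes from Snort's Unified2_common.h (legacy IPv4 event and packet records).
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7

RECORD_HEADER = struct.Struct("!II")                    # Unified2_RecordHeader: type, length
IDS_EVENT_LEGACY = struct.Struct("!IIIIIIIIIIIHHBBBB")  # Unified2IDSEvent_legacy, 52 bytes
PACKET_HEADER = struct.Struct("!IIIIIII")               # Unified2Packet up to packet_data, 28 bytes

EVENT_FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond",
                "signature_id", "generator_id", "signature_revision",
                "classification_id", "priority_id", "ip_source", "ip_destination",
                "sport_itype", "dport_icode", "protocol", "impact_flag", "impact", "blocked")
PACKET_FIELDS = ("sensor_id", "event_id", "event_second", "packet_second",
                 "packet_microsecond", "linktype", "packet_length")

def build_record(rec_type, body):
    """Prefix a record body with its Unified2_RecordHeader."""
    return RECORD_HEADER.pack(rec_type, len(body)) + body

def build_event(**f):
    return build_record(UNIFIED2_IDS_EVENT, IDS_EVENT_LEGACY.pack(*(f[k] for k in EVENT_FIELDS)))

def build_packet(sensor_id, event_id, event_second, packet_second, packet_usec, data, linktype=1):
    hdr = PACKET_HEADER.pack(sensor_id, event_id, event_second, packet_second,
                             packet_usec, linktype, len(data))
    return build_record(UNIFIED2_PACKET, hdr + data)

def iter_records(buf):
    """Yield (type, body) per record; a truncated record is an error, not a silent stop."""
    off = 0
    while off < len(buf):
        if len(buf) - off < RECORD_HEADER.size:
            raise ValueError("truncated record header at offset %d" % off)
        rec_type, rec_len = RECORD_HEADER.unpack_from(buf, off)
        off += RECORD_HEADER.size
        if len(buf) - off < rec_len:
            raise ValueError("record at offset %d needs %d bytes, %d left"
                             % (off - RECORD_HEADER.size, rec_len, len(buf) - off))
        yield rec_type, buf[off:off + rec_len]
        off += rec_len

def parse_event(body):
    ev = dict(zip(EVENT_FIELDS, IDS_EVENT_LEGACY.unpack(body[:IDS_EVENT_LEGACY.size])))
    for k in ("ip_source", "ip_destination"):
        ev[k] = socket.inet_ntoa(struct.pack("!I", ev[k]))
    return ev

def parse_packet(body):
    pkt = dict(zip(PACKET_FIELDS, PACKET_HEADER.unpack(body[:PACKET_HEADER.size])))
    pkt["data"] = body[PACKET_HEADER.size:PACKET_HEADER.size + pkt["packet_length"]]
    return pkt

def group_by_event(buf):
    """Attach each packet to the event with the same (sensor_id, event_id, event_second).

    That key is this example's choice: it is the only identity a packet record carries.
    Packets with no preceding matching event are returned separately as orphans.
    """
    groups, orphans = {}, []
    for rec_type, body in iter_records(buf):
        if rec_type == UNIFIED2_IDS_EVENT:
            ev = parse_event(body)
            groups[(ev["sensor_id"], ev["event_id"], ev["event_second"])] = {"event": ev, "packets": []}
        elif rec_type == UNIFIED2_PACKET:
            pkt = parse_packet(body)
            key = (pkt["sensor_id"], pkt["event_id"], pkt["event_second"])
            (groups[key]["packets"] if key in groups else orphans).append(pkt)
        # IPv6/VLAN/MPLS event types and extra-data records are ignored in this example.
    return groups, orphans

def summarize(buf):
    """One row per event: (key, signature_id, number of packet records), plus the orphan count."""
    groups, orphans = group_by_event(buf)
    return [(k, g["event"]["signature_id"], len(g["packets"])) for k, g in groups.items()], len(orphans)

def sample_spool():
    """Constructed spool mirroring the mail: one event record followed by two packet records.

    Header values come from the dump above; payloads are short placeholders, not the real frames.
    """
    def ip(s):
        return struct.unpack("!I", socket.inet_aton(s))[0]
    event = build_event(sensor_id=0, event_id=1, event_second=1350903278, event_microsecond=178786,
                        signature_id=2805523, generator_id=1, signature_revision=1,
                        classification_id=21, priority_id=1,
                        ip_source=ip("172.25.236.179"), ip_destination=ip("207.171.163.31"),
                        sport_itype=4926, dport_icode=80, protocol=6,
                        impact_flag=0, impact=0, blocked=0)
    pkt1 = build_packet(0, 1, 1350903278, 1350903278, 178786, b"GET /installer.gif HTTP/1.0\r\n\r\n")
    pkt2 = build_packet(0, 1, 1350903278, 1350903278, 300156, b"GET /apps.gif HTTP/1.0\r\n\r\n")
    return event + pkt1 + pkt2

if __name__ == "__main__":
    rows, n_orphans = summarize(sample_spool())
    print(rows, "orphan packets:", n_orphans)
```

Run stand-alone it reports a single event (sid 2805523) with two packet records and no orphans, which is the one-header-two-packets layout both sides of the thread agree is in the file; whether a consumer writes one database row per event or one per packet record is a decision the consumer makes at the `group_by_event` step, since the file itself only links them by the repeated ids.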