Snort mailing list archives

Re: unified2 - multiple events and single packet question


From: Jeff Sundquist <jeffsundquist () gmail com>
Date: Wed, 26 Mar 2014 19:52:51 -0400

Answering my own question (got private email from others):

Yes, there should be a packet after each event.

I was using 2.9.2.3 for my test.  I updated to 2.9.6.0 and now see the
packets after each event.

I broke rule #1: always update to the latest before posting.

Found the following in the changelog for 2.9.3 which probably fixed it:

      - Correctly log TCP segments to unified2 when there are multiple alerts on
        the same reassembled packet.

Thanks,
Jeff



On Wed, Mar 26, 2014 at 4:36 PM, Jeff Sundquist <jeffsundquist () gmail com> wrote:

I have a single packet that triggers multiple rules and I end up with the
following unified2 from it:

(Event)
sensor id: 0 event id: 1 event second: 1395855838 event microsecond:
898374
 sig id: 2011967 gen id: 1 revision: 3  classification: 29
 priority: 1 ip source: 192.168.34.253 ip destination: 192.168.234.100
src port: 60968 dest port: 80 protocol: 6 impact_flag: 0 blocked: 0

Packet
sensor id: 0 event id: 1 event second: 1395855838
 packet second: 1395855838 packet microsecond: 898374
linktype: 1 packet_length: 207
[    0] 00 0C 29 88 8C 67 00 22 19 D4 DC 85 08 00 45 00  ..)..g."......E.
[   16] 00 C1 1E 70 40 00 40 06 8D 14 C0 A8 22 FD C0 A8  ...p@.@....."...
[   32] EA 64 EE 28 00 50 29 B8 0F 2E 7E 4D 21 1E 50 18  .d.(.P)...~M!.P.
[   48] 00 5C 74 F9 00 00 47 45 54 20 2F 63 6D 64 2E 65  .\t...GET /cmd.e
[   64] 78 65 3F 31 32 26 66 6F 6F 3D 2F 62 6F 74 2E 65  xe?12&foo=/bot.e
[   80] 78 65 26 62 61 72 3D 31 31 32 20 48 54 54 50 2F  xe&bar=112 HTTP/
[   96] 31 2E 30 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A  1.0..User-Agent:
[  112] 20 57 67 65 74 2F 31 2E 31 30 2E 32 20 28 52 65   Wget/1.10.2 (Re
[  128] 64 20 48 61 74 20 6D 6F 64 69 66 69 65 64 29 0D  d Hat modified).
[  144] 0A 41 63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 48 6F  .Accept: */*..Ho
[  160] 73 74 3A 20 31 39 32 2E 31 36 38 2E 32 33 34 2E  st: 192.168.234.
[  176] 31 30 30 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A  100..Connection:
[  192] 20 4B 65 65 70 2D 41 6C 69 76 65 0D 0A 0D 0A      Keep-Alive....

(Event)
sensor id: 0 event id: 2 event second: 1395855838 event microsecond:
898374
 sig id: 2009361 gen id: 1 revision: 4  classification: 21
 priority: 2 ip source: 192.168.34.253 ip destination: 192.168.234.100
src port: 60968 dest port: 80 protocol: 6 impact_flag: 0 blocked: 0

(Event)
sensor id: 0 event id: 3 event second: 1395855838 event microsecond:
898374
 sig id: 1002 gen id: 1 revision: 10  classification: 30
 priority: 1 ip source: 192.168.34.253 ip destination: 192.168.234.100
src port: 60968 dest port: 80 protocol: 6 impact_flag: 0 blocked: 0


Question: Is this the correct behavior?  The unified2 doc states the
following: "A Unified2 Packet is provided with each Unified2 Event record".


I ask because barnyard2 isn't recording all three signatures since there
is no packet included.  I want to know whether I need to update barnyard2
or if there is an issue with snort or if I'm missing something.

One more...  If a single packet for 3 rules is correct, is there a way to
associate event 2 and 3 with the packet?

Thanks,
Jeff
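The record layout the thread is discussing, as an added example that is not code from the thread or from Snort: a small parser that walks a unified2 stream and flags any IDS event record that is not immediately followed by a packet record (the symptom seen with 2.9.2.3 above). The layouts follow README.unified2 (type 7 IPv4 event, 52-byte body; type 2 packet, 28-byte header plus data); the byte streams are constructed here to mimic the dump in the question, and only the IPv4 event type is handled (real files also carry IPv6/VLAN event and extra-data records).

```python
import struct

UNIFIED2_PACKET = 2          # record type of a Unified2 Packet
UNIFIED2_IDS_EVENT = 7       # record type of a Unified2 IDS Event (IPv4)

# Record header: type and length, both big-endian uint32, then the body.
HDR = struct.Struct("!II")
# IDS event body (52 bytes): sensor, event id, event second, event usec,
# sig id, gen id, revision, classification, priority, src ip, dst ip,
# sport, dport, protocol, impact_flag, impact, blocked.
EVENT = struct.Struct("!11IHHBBBB")
# Packet body header (28 bytes): sensor, event id, event second,
# packet second, packet usec, linktype, packet_length; then raw bytes.
PACKET = struct.Struct("!7I")

def make_event(event_id, sig_id):
    """Constructed IDS event record (values mimic the dump in the thread)."""
    body = EVENT.pack(0, event_id, 1395855838, 898374, sig_id, 1, 1, 29, 1,
                      0xC0A822FD, 0xC0A8EA64, 60968, 80, 6, 0, 0, 0)
    return HDR.pack(UNIFIED2_IDS_EVENT, len(body)) + body

def make_packet(event_id, data=b"GET /cmd.exe HTTP/1.0\r\n"):
    """Constructed packet record bound to event_id (linktype 1 = Ethernet)."""
    body = PACKET.pack(0, event_id, 1395855838, 1395855838, 898374, 1, len(data))
    return HDR.pack(UNIFIED2_PACKET, len(body) + len(data)) + body + data

def records(buf):
    """Yield (type, body) for every record in a unified2 byte string."""
    off = 0
    while off + HDR.size <= len(buf):
        rtype, rlen = HDR.unpack_from(buf, off)
        off += HDR.size
        yield rtype, buf[off:off + rlen]
        off += rlen

def events_without_packet(buf):
    """Return event ids of IDS events not immediately followed by a packet."""
    missing, pending = [], None
    for rtype, body in records(buf):
        if pending is not None and rtype != UNIFIED2_PACKET:
            missing.append(pending)
        pending = EVENT.unpack(body)[1] if rtype == UNIFIED2_IDS_EVENT else None
    if pending is not None:
        missing.append(pending)
    return missing

# The 2.9.2.3 shape from the thread: one packet record for three events.
OLD = make_event(1, 2011967) + make_packet(1) + make_event(2, 2009361) + make_event(3, 1002)
# The 2.9.3+ shape: each event is followed by its own copy of the packet.
NEW = b"".join(make_event(i, s) + make_packet(i)
               for i, s in [(1, 2011967), (2, 2009361), (3, 1002)])
```

Run `events_without_packet(OLD)` to get `[2, 3]`, the two events barnyard2 would see without a packet, and `[]` for `NEW`.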

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net