Snort mailing list archives

ruletype declaration breaks u2 output for log_uri/log_hostname (with testcase)


From: Martijn van Oosterhout <kleptog () gmail com>
Date: Wed, 11 Jun 2014 18:01:24 +0200

Hi,

I sent the following message to bugs () snort org but got no response. I'm
posting it here in the hope it saves someone a few days trying to work out
why a documented feature doesn't work. I've done some tracing with gdb and
reading of the code but I can't for the life of me figure out how the mere
existence of an additional output plugin that is never used can change the
behaviour of the logging of extra data.

Perhaps someone here has some ideas?

Have a nice day,

---------- Forwarded message ----------

When analysing alerts on HTTP streams it is useful to have access to the
URI and hostname, so the log_uri and log_hostname options sounded really
nice. However, when I tried to get them working I couldn't. Eventually I
narrowed it down to the presence of the unified output inside a custom
ruletype declaration.

With the declaration there is no output in the u2 file. Commenting out the
declaration makes the extra data appear in the u2 file.

Snort version: 2.9.6.0, but appears to affect older versions as well
Rules: 1 test rule
Built from source, ./configure --enable-debug
Configuration is attached.
Platform: Ubuntu 14.04.

Basically, the snort.conf looks as follows:

---
ruletype alert_testing {
  type alert
#  output unified2: filename snort.testing.u2, limit 128
  output alert_fast: testing.fast_alert
}
include classification.config
include reference.config
include variables.config

alert tcp any any -> any any (msg:"WEB-MISC /~root access"; flow:to_server,established; uricontent:"/~root"; nocase; metadata:service http; classtype:attempted-recon; sid:22000049; rev:8;)
---
Variables.conf and pcap are attached. The classification.conf and
reference.conf are standard. Note that the ruletype is not actually used
anywhere, just it being there is enough.

Testing is as follows:

# /usr/local/bin/snort -c /tmp/conf2/snort.conf -l /tmp -k none -r /tmp/b.pcap

As is, the rule matches and the /tmp/snort.u2.* file contains the following
(dumped with u2spewfoo):
---
(ExtraDataHdr)
        event type: 4   event length: 39

(ExtraData)
        sensor id: 0    event id: 1     event second: 1401805955
        type: 9 datatype: 1     bloblength: 15  HTTP URI: /~root/

(ExtraDataHdr)
        event type: 4   event length: 44

(ExtraData)
        sensor id: 0    event id: 1     event second: 1401805955
        type: 10        datatype: 1     bloblength: 20  HTTP Hostname: slashdot.org
---

Uncomment the line in the ruletype declaration and the alert still fires
but without extra data.

Thanks in advance.

-- 
Martijn van Oosterhout <kleptog () gmail com> http://svana.org/kleptog/

Attachments: snort.conf, variables.config, b.pcap
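To check for the missing extra data without eyeballing u2spewfoo output, the following added example (not Snort's code and not from the poster) walks a unified2 stream, skips non-extra-data records by length, and reports whether an event has HTTP URI (type 9) and HTTP Hostname (type 10) records attached. The record layouts follow Snort's Unified2_common.h (Serial_Unified2_Header, Unified2ExtraDataHdr, SerialUnified2ExtraData, legacy Unified2IDSEvent); the stream it parses is constructed in memory to reproduce the two ExtraData records shown above, and the addresses and ports in the constructed event record are made up.

```python
import struct

# Constants from Snort's src/output-plugins/Unified2_common.h.
UNIFIED2_IDS_EVENT = 7          # legacy IPv4 event record (52-byte body)
UNIFIED2_EXTRA_DATA = 110
EVENT_TYPE_EXTRA_DATA = 4
EVENT_DATA_TYPE_BLOB = 1
EVENT_INFO_HTTP_URI = 9
EVENT_INFO_HTTP_HOSTNAME = 10
EXTRA_INFO_NAMES = {EVENT_INFO_HTTP_URI: "HTTP URI",
                    EVENT_INFO_HTTP_HOSTNAME: "HTTP Hostname"}

RECORD_HDR = struct.Struct("!II")      # Serial_Unified2_Header: type, length
EXTRA_HDR = struct.Struct("!II")       # Unified2ExtraDataHdr: event_type, event_length
EXTRA_DATA = struct.Struct("!6I")      # sensor_id, event_id, event_second, type, data_type, blob_length
IDS_EVENT = struct.Struct("!11I2H4B")  # Unified2IDSEvent_legacy, 52 bytes


def build_ids_event(sensor_id, event_id, event_second, sid):
    """Constructed type-7 event record; addresses/ports are placeholders."""
    body = IDS_EVENT.pack(sensor_id, event_id, event_second, 0,   # usec
                          sid, 1, 8, 0, 3,                        # sid, gid, rev, class, prio
                          0x0A000001, 0x0A000002,                 # 10.0.0.1 -> 10.0.0.2
                          40000, 80, 6, 0, 0, 0)                  # ports, proto tcp, flags
    return RECORD_HDR.pack(UNIFIED2_IDS_EVENT, len(body)) + body


def build_extra_data(sensor_id, event_id, event_second, info_type, payload):
    """Serialise one UNIFIED2_EXTRA_DATA record the way spo_unified2.c lays it out."""
    body_len = EXTRA_HDR.size + EXTRA_DATA.size + len(payload)
    blob_length = 4 + 4 + len(payload)   # data_type + blob_length + data
    return (RECORD_HDR.pack(UNIFIED2_EXTRA_DATA, body_len)
            + EXTRA_HDR.pack(EVENT_TYPE_EXTRA_DATA, body_len)
            + EXTRA_DATA.pack(sensor_id, event_id, event_second,
                              info_type, EVENT_DATA_TYPE_BLOB, blob_length)
            + payload)


def iter_records(blob):
    """Yield (record_type, body) for every record; refuse truncated input."""
    off = 0
    while off + RECORD_HDR.size <= len(blob):
        rtype, rlen = RECORD_HDR.unpack_from(blob, off)
        off += RECORD_HDR.size
        if off + rlen > len(blob):
            raise ValueError("truncated unified2 record at offset %d" % off)
        yield rtype, blob[off:off + rlen]
        off += rlen
    if off != len(blob):
        raise ValueError("trailing bytes after last record")


def parse_extra_data(body):
    """Decode an extra-data body and verify its two embedded length fields."""
    event_type, event_length = EXTRA_HDR.unpack_from(body, 0)
    if event_type != EVENT_TYPE_EXTRA_DATA or event_length != len(body):
        raise ValueError("bad Unified2ExtraDataHdr")
    (sensor_id, event_id, event_second, info_type,
     data_type, blob_length) = EXTRA_DATA.unpack_from(body, EXTRA_HDR.size)
    data = body[EXTRA_HDR.size + EXTRA_DATA.size:]
    if data_type != EVENT_DATA_TYPE_BLOB or blob_length != 8 + len(data):
        raise ValueError("blob_length does not match payload")
    return {"sensor_id": sensor_id, "event_id": event_id,
            "event_second": event_second, "type": info_type,
            "name": EXTRA_INFO_NAMES.get(info_type, "unknown"),
            "event_length": event_length, "blob_length": blob_length,
            "data": data}


def extra_data_by_event(blob):
    """Map event_id -> {extra data type -> parsed record}; other record types are skipped."""
    out = {}
    for rtype, body in iter_records(blob):
        if rtype != UNIFIED2_EXTRA_DATA:
            continue
        rec = parse_extra_data(body)
        out.setdefault(rec["event_id"], {})[rec["type"]] = rec
    return out


def check_http_extra_data(blob, event_id):
    """The check from the bug report: did the URI and hostname records make it into the file?"""
    recs = extra_data_by_event(blob).get(event_id, {})
    uri = recs.get(EVENT_INFO_HTTP_URI)
    host = recs.get(EVENT_INFO_HTTP_HOSTNAME)
    return {"uri": uri["data"].decode("ascii", "replace") if uri else None,
            "hostname": host["data"].decode("ascii", "replace") if host else None}


def sample_u2():
    """Constructed stream: the sid 22000049 alert plus the two ExtraData records from the report."""
    return (build_ids_event(0, 1, 1401805955, 22000049)
            + build_extra_data(0, 1, 1401805955, EVENT_INFO_HTTP_URI, b"/~root/")
            + build_extra_data(0, 1, 1401805955, EVENT_INFO_HTTP_HOSTNAME, b"slashdot.org"))


if __name__ == "__main__":
    print(check_http_extra_data(sample_u2(), 1))
```

Run against a real file with `check_http_extra_data(open(path, "rb").read(), event_id)`; a result of `{"uri": None, "hostname": None}` for an event that fired on HTTP traffic is the symptom described above. The event_length values the parser recovers (39 and 44 for these payloads) match the u2spewfoo dump, which is a quick way to confirm the constructed layout against a real capture.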

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
