Snort mailing list archives

Re: Events with no packet data


From: James Lay <jlay () slave-tothe-box net>
Date: Wed, 09 Jul 2014 16:24:41 -0600

On 2014-07-09 16:22, Y M wrote:
To: snort-users () lists sourceforge net
Date: Tue, 8 Jul 2014 11:07:01 -0600
From: jlay () slave-tothe-box net
Subject: [Snort-users] Events with no packet data

Interesting...from the u2 file:

(Event)
sensor id: 0 event id: 1888 event second: 1404838420
event microsecond: 303235
sig id: 2015622 gen id: 1 revision: 1
classification: 21
priority: 1 ip source: x.x.x.x ip destination: x.x.x.x
src port: 80 dest port: 49211 protocol: 6
impact_flag: 0 blocked: 0

(ExtraDataHdr)
event type: 4 event length: 38

(ExtraData)
sensor id: 0 event id: 1888 event second: 1404838420
type: 9 datatype: 1 bloblength: 14 HTTP URI: /index

(ExtraDataHdr)
event type: 4 event length: 56

(ExtraData)
sensor id: 0 event id: 1888 event second: 1404838420
type: 10 datatype: 1 bloblength: 32 HTTP Hostname:
www.favfamilyrecipes.com

And that's it...this shows up as src/dst 0.0.0.0 in my sguil console.
Is there a way to figure out exactly when the packet information wasn't
included? Thanks.

Was this the end of the event in the u2 file? Usually some events span
multiple u2 records (my translation) and you may have to look further
if there are additional records. Also, try to convert the u2 file into
a pcap using the u2boat tool. This may not resolve the issue but at
least will allow you to peek inside the packet itself within Wireshark
or so. Perhaps following the stream as well may provide additional
information (packets). This worked for me in certain situations.

Looking at the rule itself, it has multiple content matches; it had to
trigger on that particular content to generate that event!

YM

Thanks YM....it wasn't at the end...but I'll do some digging with
u2boat and whatnot to see what I can see...thanks for the look-see.

James
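James's question, whether the u2 file itself reveals which events never got packet data, can be answered by walking the unified2 records and correlating them on (sensor id, event id, event second), the key Snort uses to tie Event, Packet and ExtraData records together. The following is an added example, not code from the thread or from Snort's own tools; it assumes the event in the post was written as a legacy IPv4 event (record type 7, since the dump shows no VLAN or MPLS fields) and rebuilds it with placeholder IPs in place of the masked x.x.x.x addresses.

```python
import struct
UNIFIED2_PACKET, UNIFIED2_IDS_EVENT, UNIFIED2_EXTRA_DATA = 2, 7, 110  # record types, Unified2_common.h
EVENT_FMT, PACKET_FMT, EXTRA_FMT = ">11I2H4B", ">7I", ">8I"          # big-endian struct layouts

def u2_record(rtype, body):  # 8-byte Serial_Unified2_Header (type, length) followed by the body
    return struct.pack(">II", rtype, len(body)) + body

def build_event(sensor, eid, sec, usec, sig, gen, rev, cls, pri, src, dst, sport, dport, proto):
    # Legacy IPv4 event (type 7): 52-byte body; impact_flag, impact and blocked left at 0
    return u2_record(UNIFIED2_IDS_EVENT, struct.pack(EVENT_FMT, sensor, eid, sec, usec, sig,
                     gen, rev, cls, pri, src, dst, sport, dport, proto, 0, 0, 0))

def build_extra_data(sensor, eid, sec, xd_type, blob):
    # blob_length counts the type and data_type words plus the blob bytes; data_type 1 = blob
    ser = struct.pack(">6I", sensor, eid, sec, xd_type, 1, 8 + len(blob)) + blob
    return u2_record(UNIFIED2_EXTRA_DATA, struct.pack(">II", 4, 8 + len(ser)) + ser)

def build_packet(sensor, eid, sec, pkt):
    # fields after the event key: packet_second, packet_microsecond, linktype (1 = Ethernet), length
    return u2_record(UNIFIED2_PACKET, struct.pack(PACKET_FMT, sensor, eid, sec, sec, 0, 1, len(pkt)) + pkt)

def iter_records(data, off=0):
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack_from(">II", data, off)
        yield rtype, data[off + 8:off + 8 + rlen]
        off += 8 + rlen

def events_without_packets(data):
    events, with_packet = {}, set()  # keyed by (sensor_id, event_id, event_second)
    for rtype, body in iter_records(data):
        if rtype == UNIFIED2_IDS_EVENT:
            f = struct.unpack_from(EVENT_FMT, body)
            events[f[0:3]] = {"sig_id": f[4], "extra": []}
        elif rtype == UNIFIED2_PACKET:
            with_packet.add(struct.unpack_from(PACKET_FMT, body)[0:3])
        elif rtype == UNIFIED2_EXTRA_DATA:
            f = struct.unpack_from(EXTRA_FMT, body)  # 2 ExtraDataHdr words + 6 SerialUnified2ExtraData words
            blob = body[32:32 + f[7] - 8].decode("ascii", "replace")
            if f[2:5] in events:
                events[f[2:5]]["extra"].append((f[5], blob))
    return {k: v for k, v in events.items() if k not in with_packet}

# Constructed sample: the post's event 1888 (placeholder IPs) plus a made-up event 1889 that does carry a packet
SAMPLE = b"".join([
    build_event(0, 1888, 1404838420, 303235, 2015622, 1, 1, 21, 1, 0x0A000001, 0x0A000002, 80, 49211, 6),
    build_extra_data(0, 1888, 1404838420, 9, b"/index"),
    build_extra_data(0, 1888, 1404838420, 10, b"www.favfamilyrecipes.com"),
    build_event(0, 1889, 1404838421, 0, 2015622, 1, 1, 21, 1, 0x0A000001, 0x0A000002, 80, 49212, 6),
    build_packet(0, 1889, 1404838421, b"\x00" * 60),
])
```

Running events_without_packets over the bytes of a real u2 file in place of SAMPLE lists exactly the events a console will show with 0.0.0.0 endpoints; the constructed ExtraData records reproduce the 38- and 56-byte event lengths seen in the dump above.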
