Snort mailing list archives
Issue / error with unified2 output when enabling appid_event_types
From: Noah Dietrich <noah_dietrich () 86penny org>
Date: Wed, 17 Feb 2016 17:41:29 +0100
There seems to be an error with the snort output if you add *appid_event_types* to the unified2 output command in snort.conf. This error manifests when you try to process the output with barnyard2. For example, if you specify the following line in your snort.conf for output:

    output unified2: filename snort.u2, limit 128, appid_event_types

If you omit the *appid_event_types*, then barnyard2 can process the unified2 files created by snort with no issues. If you have the *appid_event_types* enabled, then barnyard2 gives the following error for each alert in the unified2 file:

    WARNING database [Database()]: Called with Event[0x0] Event Type [0] (P)acket [0x28c9e80], information has not been outputed.

Running u2spewfoo on the two different outputs (the one that works vs. the one that doesn't), it seems if you add appid_event_types to your output, you get a lot of extra stuff added:

u2spewfoo *with* appid_event_types enabled
snort.conf output configuration is: output unified2: filename snort.u2, limit 128, appid_event_types

    (Event)
        sensor id: 0    event id: 1    event second: 1455743187    event microsecond: 409655
        sig id: 10000001    gen id: 1    revision: 1    classification: 31    priority: 3
        ip source: 192.168.1.110    ip destination: 10.0.0.115
        src port: 8    dest port: 0    protocol: 1    impact_flag: 0    blocked: 0

u2spewfoo *without* appid_event_types enabled
snort.conf output configuration is: output unified2: filename snort.u2, limit 128

    (Event)
        sensor id: 0    event id: 1    event second: 1455743356    event microsecond: 392828
        sig id: 10000001    gen id: 1    revision: 1    classification: 31    priority: 3
        ip source: 192.168.1.110    ip destination: 10.0.0.115
        src port: 8    dest port: 0    protocol: 1    impact_flag: 0    blocked: 0
        mpls label: 0    vland id: 0    policy id: 0    appid:

You will see above that *mpls label, vlan id, policy id, and appid* are included in the alert output, even though not configured to do so in snort.conf. The appid field looks to be empty; could that be the issue?
I also found that snort always outputs the openappid data (appstats-u2.log.nnnnnnnn) if openappid is configured, even if not configured to do so by snort's output stanza.

My Setup:

Running Snort 2.9.8.0 on Ubuntu 14.04 x64.

build options: ./configure --enable-sourcefire --enable-open-appid

running latest OpenAppID detector rules (https://snort.org/downloads/openappid/3192)

Build instructions from the Ubuntu guide on snort.org, with additional openappid steps from http://sublimerobots.com/2015/12/openappid-snort-2-9-8-x-on-ubuntu/

Snort is run as follows:

    sudo /usr/local/bin/snort -q -c /etc/snort/snort.conf -i eth0 -u snort -g snort

Barnyard2 is run as follows:

    sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -g snort -u snort

Local.rules (only 1 rule enabled for snort):

    alert icmp any any -> $HOME_NET any (msg:"ICMP test detected"; GID:1; sid:10000001; rev:001; classtype:icmp-event;)
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
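The extra fields the post sees in u2spewfoo come from a different unified2 record type, and the easiest way to see what a consumer has to cope with is to decode the records directly. The following is an added example, not the poster's code and not part of Snort or barnyard2: a Python reader for the IPv4 IDS event record types 7 (legacy), 104 (VLAN/MPLS/policy extension) and 111 (the OpenAppID variant with a 64-byte app_name), plus a small consumer that models a reader which only knows the pre-OpenAppID types, skips the type-111 record and is then handed the packet record with no event to attach it to. Record-type numbers and field layouts follow Snort's src/sfutil/Unified2_common.h (all integers big-endian); the sample records are constructed inside the block to mirror the ICMP alert in the post, and the claim that barnyard2's "Event[0x0]" warning arises in exactly this way is an inference of this example, not something the post states.

```python
"""Unified2 record reader that understands the OpenAppID event types.

Added example for the thread above; not the poster's code and not part of
Snort or barnyard2. Record type numbers and field layouts follow Snort's
src/sfutil/Unified2_common.h (all integers big-endian). The sample records
built by build_event()/build_packet() are constructed here to mirror the
ICMP alert in the post.
"""
import socket
import struct

# Record types (Unified2_common.h)
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7           # legacy IPv4 event: 52-byte body
UNIFIED2_IDS_EVENT_VLAN = 104    # + mpls_label, vlanId, policy id: 60 bytes
UNIFIED2_IDS_EVENT_APPID = 111   # type 104 layout + 64-byte app_name: 124 bytes

RECORD_HDR = struct.Struct("!II")        # type, length
EVENT_BASE = struct.Struct("!11I2H4B")   # 52 bytes shared by types 7/104/111
EVENT_FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond",
                "signature_id", "generator_id", "signature_revision",
                "classification_id", "priority_id", "ip_source",
                "ip_destination", "sport_itype", "dport_icode", "protocol",
                "impact_flag", "impact", "blocked")
VLAN_EXT = struct.Struct("!IHH")         # mpls_label, vlanId, pad2 (policy id)
APP_NAME_LEN = 64
PACKET_HDR = struct.Struct("!7I")        # sensor_id, event_id, event_second,
                                         # packet_second, packet_microsecond,
                                         # linktype, packet_length


def iter_records(data):
    """Yield (record_type, body) for each record; refuse a truncated tail."""
    off = 0
    while off + RECORD_HDR.size <= len(data):
        rtype, length = RECORD_HDR.unpack_from(data, off)
        off += RECORD_HDR.size
        if off + length > len(data):
            raise ValueError("truncated record of type %d" % rtype)
        yield rtype, data[off:off + length]
        off += length


def parse_event(rtype, body):
    """Decode an IPv4 IDS event body of type 7, 104 or 111 into a dict."""
    if len(body) < EVENT_BASE.size:
        raise ValueError("event body too short: %d bytes" % len(body))
    ev = dict(zip(EVENT_FIELDS, EVENT_BASE.unpack_from(body, 0)))
    for key in ("ip_source", "ip_destination"):
        ev[key] = socket.inet_ntoa(struct.pack("!I", ev[key]))
    off = EVENT_BASE.size
    if rtype in (UNIFIED2_IDS_EVENT_VLAN, UNIFIED2_IDS_EVENT_APPID):
        ev["mpls_label"], ev["vlan_id"], ev["policy_id"] = VLAN_EXT.unpack_from(body, off)
        off += VLAN_EXT.size
    if rtype == UNIFIED2_IDS_EVENT_APPID:
        # app_name is a NUL-padded char[64]; an all-NUL name is what u2spewfoo
        # shows as a blank "appid:" line
        raw = body[off:off + APP_NAME_LEN]
        ev["appid"] = raw.split(b"\0", 1)[0].decode("ascii", "replace")
    return ev


def consume(data, known_event_types):
    """Model a consumer that only knows some event types.

    Returns (decoded events, number of packet records that arrived with no
    preceding event). Modelling assumption: a record type the consumer does
    not know is skipped, so the packet record that follows it has no event
    to be paired with (the situation a legacy reader hits on type 111).
    """
    events, orphan_packets = [], 0
    pending = None
    for rtype, body in iter_records(data):
        if rtype in known_event_types:
            pending = parse_event(rtype, body)
            events.append(pending)
        elif rtype == UNIFIED2_PACKET:
            if pending is None:
                orphan_packets += 1
        else:
            pending = None
    return events, orphan_packets


def build_event(rtype, app_name=b""):
    """Construct an event record like the ICMP alert in the post (sample data)."""
    body = EVENT_BASE.pack(
        0, 1, 1455743187, 409655,          # sensor, event id, second, usec
        10000001, 1, 1, 31, 3,             # sid, gid, rev, classification, priority
        struct.unpack("!I", socket.inet_aton("192.168.1.110"))[0],
        struct.unpack("!I", socket.inet_aton("10.0.0.115"))[0],
        8, 0, 1, 0, 0, 0)                  # itype 8, icode 0, ICMP, impact_flag, impact, blocked
    if rtype in (UNIFIED2_IDS_EVENT_VLAN, UNIFIED2_IDS_EVENT_APPID):
        body += VLAN_EXT.pack(0, 0, 0)
    if rtype == UNIFIED2_IDS_EVENT_APPID:
        body += app_name[:APP_NAME_LEN].ljust(APP_NAME_LEN, b"\0")
    return RECORD_HDR.pack(rtype, len(body)) + body


def build_packet(payload=b"\x08\x00" + b"\x00" * 6):
    """Constructed packet record that follows the event (linktype 1 = Ethernet)."""
    body = PACKET_HDR.pack(0, 1, 1455743187, 1455743187, 409655, 1, len(payload)) + payload
    return RECORD_HDR.pack(UNIFIED2_PACKET, len(body)) + body


if __name__ == "__main__":
    u2_with_appid = build_event(UNIFIED2_IDS_EVENT_APPID) + build_packet()
    u2_plain = build_event(UNIFIED2_IDS_EVENT_VLAN) + build_packet()
    legacy_reader = {UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_VLAN}
    print(consume(u2_plain, legacy_reader))          # 1 event, 0 orphan packets
    print(consume(u2_with_appid, legacy_reader))     # 0 events, 1 orphan packet
    print(consume(u2_with_appid, legacy_reader | {UNIFIED2_IDS_EVENT_APPID}))
```

Run it with python3 and compare the three lines it prints: the same packet record is paired with its event when the reader knows type 104 or 111, and is left without an event when it only knows 7 and 104. To read a real file instead, pass the bytes of snort.u2.nnnnnnnnnn to consume(); the record-type check in iter_records is also a cheap way to tell which event type a given Snort build is actually emitting before blaming the consumer.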
Current thread:
- Issue / error with unified2 output when enabling appid_event_types Noah Dietrich (Feb 17)