Issue / error with unified2 output when enabling appid_event_types

[Noah Dietrich <noah_dietrich () 86penny org>]

There seems to be an error with the snort output if you add
*appid_event_types* to the unified2 output command in snort.conf.  This
error manifests when you try to process the output with barnyard2.  For
example, if you specify the following line in your snort.conf for output:
        output unified2: filename snort.u2, limit 128, appid_event_types.

If you omit  the *appid_event_types*, then barnyard2 can process the
unified2 files created by snort with no issues.
If you have the  *appid_event_types *enabled, then barnyard2 gives the
following error for each alert in the unified2 file:

WARNING database [Database()]: Called with Event[0x0] Event Type [0]
(P)acket [0x28c9e80], information has not been outputed.


Running u2spewfoo on the two different outputs (the one that works vs. the
one that doesn't), it seems if you add appid_event_types to your output,
you get a lot of extra stuff added:

u2spewfoo *with* appid_event_types enabled
snort.conf output configuration is: output unified2: filename snort.u2,
limit 128, appid_event_types
(Event)
sensor id: 0 event id: 1 event second: 1455743187 event microsecond: 409655
sig id: 10000001 gen id: 1 revision: 1 classification: 31
priority: 3 ip source: 192.168.1.110 ip destination: 10.0.0.115
src port: 8 dest port: 0 protocol: 1 impact_flag: 0 blocked: 0


u2spewfoo *without* appid_event_types enabled
snort.conf output configuration is: output unified2: filename snort.u2,
limit 128
(Event)
sensor id: 0 event id: 1 event second: 1455743356 event microsecond: 392828
sig id: 10000001 gen id: 1 revision: 1 classification: 31
priority: 3 ip source: 192.168.1.110 ip destination: 10.0.0.115
src port: 8 dest port: 0 protocol: 1 impact_flag: 0 blocked: 0
mpls label: 0 vland id: 0 policy id: 0 appid:


you will see above that *mpls label, vlan id, policy id, and appid* are
included in the alert output, even though not configured to do so in
snort.conf.  the appid field looks to be empty, could that be  the issue?

I also found that snort always outputs the openappid data
(appstats-u2.log.nnnnnnnn) if openappied is configured, even if not
configured to do so by snort's output stanza.


My Setup:
Running Snort 2.9.8.0 on Ubuntu 14.04 x64.
build options: ./configure --enable-sourcefire --enable-open-appid

running latest OpenAppID detector rules (
https://snort.org/downloads/openappid/3192)
Build instructions from the Ubuntu guide on snort.org, with additional
openappid steps from
http://sublimerobots.com/2015/12/openappid-snort-2-9-8-x-on-ubuntu/

Snort is run as follows:
sudo /usr/local/bin/snort -q -c /etc/snort/snort.conf -i eth0 -u snort -g
snort

Barnyard2 is run as follows:
sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2
-w /var/log/snort/barnyard2.waldo -g snort -u snort

Local.rules (only 1 rule enabled for snort):
alert icmp any any -> $HOME_NET any (msg:"ICMP test detected"; GID:1;
sid:10000001; rev:001; classtype:icmp-event;)

------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!