Snort mailing list archives
truncated json alerts in snort 3.0.1 b2
From: Noah Dietrich <noah_dietrich () 86penny org>
Date: Thu, 30 Apr 2020 16:47:00 +0200
Hello,

I just found truncated json alerts while reviewing the logs. I ran a large number of pcap files through snort3 with the Registered ruleset (and built-in rules turned off). This generated over 17,000 alerts (which is what I expected, since I'm using 5 GB of pcaps that hold various malware as well as the test pcap files from Security Onion's ISO). However, I found that some of the alerts were written only partially with the json output.

I have the json file size set to 10 MB, and these 17k alerts were written across 6 files:

    alert_json.txt.1588153836
    alert_json.txt.1588153849
    alert_json.txt.1588153871
    alert_json.txt.1588153890 (first event is corrupt)
    alert_json.txt.1588256824
    alert_json.txt (first event is corrupt)

The corrupted alerts (they look to be missing some of the first part of the event) show up in alert_json.txt at the head of the file, and seem to start mid-event right in the middle of the b64 data field. This also happens with alert_json.txt.1588153934, so as you can see, it seems that the 5th and 7th log files are each missing the start of at least one event.

I'm attaching screenshots showing alert_json.txt (without word-wrap so you can see each event on its own line) and alert_json.txt.1588153934 with word-wrap so you can see the whole event.

[image: alert_json.txt.png]
[image: alert_json.txt.1588153934.PNG]
_______________________________________________ Snort-devel mailing list Snort-devel () lists snort org https://lists.snort.org/mailman/listinfo/snort-devel Please visit http://blog.snort.org for the latest news about Snort!