Snort mailing list archives

truncated json alerts in snort 3.0.1 b2


From: Noah Dietrich <noah_dietrich () 86penny org>
Date: Thu, 30 Apr 2020 16:47:00 +0200

Hello,
I just found truncated json alerts while reviewing the logs.  I ran a large
number of pcap files through snort3 with the Registered ruleset (and built-in
rules turned off). This generated over 17,000 alerts (which is what I
expected, since I'm using 5 GB of pcaps that hold various malware as well
as the test pcap files from Security Onion's ISO).

However, I found that some of the alerts were written only partially with
the json output.  I have the json file size set to 10 MB, and these 17k
alerts were written across 6 files:

alert_json.txt.1588153836
alert_json.txt.1588153849
alert_json.txt.1588153871
alert_json.txt.1588153890  (first event is corrupt)
alert_json.txt.1588256824
alert_json.txt                       (first event is corrupt)


The corrupted alerts (they look to be missing some of the first part of the
event) show up at the head of alert_json.txt and seem to start mid-event,
right in the middle of the b64 data field.
This also happens with alert_json.txt.1588153934.

So as you can see, it seems that the 5th and 7th log files are each
missing the start of at least one event.
I'm attaching screenshots showing alert_json.txt (without word-wrap so you
can see each event on its own line) and alert_json.txt.1588153934 with
word-wrap so you can see the whole event.



[image: alert_json.txt.png]
[image: alert_json.txt.1588153934.PNG]

_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
