Snort mailing list archives

odd data in -b log -- can't -r without losing alerts


From: Mcclure Gammon <gammon.mcclure () volvo com>
Date: Thu, 21 Feb 2002 16:08:55 +0100

Hi all,

Forgive the long post, but I'm a Snort/Redhat 7.2 newbie and could use some help.  Trying to run Snort-stable (1.8.3 b88) on Redhat 7.2 with Redhat libpcap 0.6.2.  modules.conf has an entry for "alias net-pf-17 af_packet".  I'm logging with the following command line:
snort -b -d -A full -L snort.log -c /usr/local/etc/snort.conf
After collecting some alerts, I kill -15 the process.  Now comes the problem:  I want to pull the binary dump back to my console for analysis (mysql/ACID), but replaying the log file creates weird results, like 2/3 of the alerts disappear.

These are the original alerts recorded at the sensor in the alert log:
[**] [1:1243:2] kali02 WEB-IIS ISAPI .ida attempt [**]
[Classification: Web Application Attack] [Priority: 1]
02/15-11:35:06.983693 206.247.193.14:2341 -> 204.156.78.54:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:1492
***AP*** Seq: 0x1FFCAE67  Ack: 0x1571D86F  Win: 0x2798  TcpLen: 20

[**] [1:255:2] kali02 DNS zone transfer [**]
[Classification: Attempted Information Leak] [Priority: 2]
02/15-11:41:05.503693 213.64.252.16:12757 -> 204.235.196.33:53
TCP TTL:46 TOS:0x0 ID:48938 IpLen:20 DgmLen:79 DF
***AP*** Seq: 0x2A72161A  Ack: 0xA929BCC8  Win: 0x43E0  TcpLen: 32

[**] [1:1243:2] kali02 WEB-IIS ISAPI .ida attempt [**]
[Classification: Web Application Attack] [Priority: 1]
02/15-11:55:14.963693 65.35.223.4:1905 -> 204.156.78.54:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:1504
***AP*** Seq: 0xCBA3C9B0  Ack: 0x9FF0DE26  Win: 0x2238  TcpLen: 20

[**] [1:257:1] kali02 DNS named version attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
02/15-11:59:21.133693 216.103.54.218:4486 -> 204.156.78.154:53
UDP TTL:51 TOS:0x0 ID:27808 IpLen:20 DgmLen:58
Len: 38

[**] [1:1156:1] kali02 WEB-MISC apache DOS attempt [**]
[Classification: Attempted Denial of Service] [Priority: 2]
02/15-11:59:56.443693 216.201.7.10:1234 -> 204.156.78.54:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:1500
***AP*** Seq: 0x4049B612  Ack: 0xFE1562  Win: 0x2238  TcpLen: 20

[**] [1:1156:1] kali02 WEB-MISC apache DOS attempt [**]
[Classification: Attempted Denial of Service] [Priority: 2]
02/15-12:00:49.868523 216.201.7.10:1235 -> 204.156.78.54:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:1500
***AP*** Seq: 0x413056E9  Ack: 0xFEE647  Win: 0x2238  TcpLen: 20

[**] [1:1156:1] kali02 WEB-MISC apache DOS attempt [**]
[Classification: Attempted Denial of Service] [Priority: 2]
02/15-12:00:50.818998 66.152.253.218:8766 -> 204.156.78.54:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:1488
***AP*** Seq: 0xCFB92E7B  Ack: 0xBFAA136C  Win: 0x2238  TcpLen: 20

[**] [1:257:1] kali02 DNS named version attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
02/15-12:04:13.301887 216.103.54.218:5362 -> 204.156.78.9:53
UDP TTL:51 TOS:0x0 ID:32696 IpLen:20 DgmLen:58
Len: 38

And this is what I get when I replay the binary log at the sensor (same result when I do it at the management console):


(the standard happy snort initializing statements)
[**] [1:255:2] kali02 DNS zone transfer [**]
[Classification: Attempted Information Leak] [Priority: 2]
02/15-11:41:05.503693 213.64.252.16:12757 -> 204.235.196.33:53
TCP TTL:46 TOS:0x0 ID:48938 IpLen:20 DgmLen:79 DF
***AP*** Seq: 0x2A72161A  Ack: 0xA929BCC8  Win: 0x43E0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 162876894 3188175439 

[**] [1:257:1] kali02 DNS named version attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
02/15-11:59:21.133693 216.103.54.218:4486 -> 204.156.78.154:53
UDP TTL:51 TOS:0x0 ID:27808 IpLen:20 DgmLen:58
Len: 38

[**] [1:257:1] kali02 DNS named version attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
02/15-12:04:13.301887 216.103.54.218:5362 -> 204.156.78.9:53
UDP TTL:51 TOS:0x0 ID:32696 IpLen:20 DgmLen:58
Len: 38

I noticed that all of the missing entries had the TOS field set to 0x10.  QoS???

When I process the snort binary log with tcpdump, this is a sample of what I see:
11:35:06.983693 0:0:0:0:0:0 > 0:0:0:0:0:0 sap 00 I (s=0,r=0,C) len=1488
                         0000 0000 0000 0000 0000 0000 0000 0000
                         0000 0000 0000 0000 0000 0000 0000 0000
                         0000 0000 0000 0000 0000 0000 0000 0000
<snip>
                         0000 0000 0000 0000 0000 0000 0000 0000
                         0000 0000 0000 0000 0000 0000 0000 4745
                         5420 2f64 6566 6175 6c74 2e69 6461 3f4e
                         4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e
                         4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e
                         4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e
<snip>
                         81f9 5045 0000 0f85 7901 0000 8b95 58fe
                         ffff 8b42 3c8b 8d58 feff ff8b 5401 7803
                         9558 feff ff89 9554 feff ff8b 8554 feff
11:41:05.503693 213.64.252.16.12757 > 204.235.196.33.53: P 712119834:712119861(27) ack 2838084808 win 17376 
<nop,nop,timestamp 162876894 3188175439> (DF) (ttl 46, id 48938)
11:55:14.963693 0:0:0:0:0:0 > 0:0:0:0:0:0 sap 00 I (s=0,r=0,C) len=1500
                         0000 0000 0000 0000 0000 0000 0000 0000
                         0000 0000 0000 0000 0000 0000 0000 0000
etc.

It appears to be a problem with libpcap, but I can't figure out what I've done wrong.  After beating my head against this for a week, it's getting flat.  Please take 2 drinks, flame me if necessary (the cost of learning), but anything you could suggest to get this working would be appreciated.

TIA,
Gammon


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
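The tcpdump output above gives a concrete way to check what the replay is skipping: the records that lose their alerts start with an all-zero link-layer header, so the Ethernet type/length field reads 0, which tcpdump prints as an 802.3/LLC frame ("sap 00 ... len=1488") rather than as IP. An Ethernet decoder dispatching on that field has nothing to hand to the IP layer, so no rule can fire. The following is an added example, not code from the original post or from the Snort project: a small libpcap reader that classifies each DLT_EN10MB record by its type/length field and counts how many would reach an IP decoder. The two sample records are constructed here to mirror the shapes in the post (one well-formed DNS packet, one zero-headed record with its payload pushed behind zero padding); the timestamps and MAC addresses are made up.

```python
"""Classify records of a libpcap (DLT_EN10MB) file by their Ethernet
type/length field, to see which ones a replay can actually decode as IP."""
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4   # file magic as written on a little-endian host
PCAP_MAGIC_BE = 0xD4C3B2A1   # the same magic read byte-swapped
DLT_EN10MB = 1               # Ethernet link-layer type
ETH_HDR_LEN = 14
ETHERTYPES = {0x0800: "ipv4", 0x0806: "arp", 0x86DD: "ipv6"}


def build_pcap(records):
    """Assemble an in-memory pcap file from (ts_sec, ts_usec, frame) tuples."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, DLT_EN10MB)
    for ts_sec, ts_usec, frame in records:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame))
        out += frame
    return out


def iter_records(data):
    """Yield (ts_sec, ts_usec, frame_bytes) for every record in a pcap buffer."""
    magic, = struct.unpack("<I", data[:4])
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a libpcap file")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != DLT_EN10MB:
        raise ValueError("this example only handles DLT_EN10MB, got %d" % linktype)
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(
            endian + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec, ts_usec, data[off:off + incl_len]
        off += incl_len


def classify_frame(frame):
    """Say how an Ethernet decoder would see this frame."""
    if len(frame) < ETH_HDR_LEN:
        return "truncated"
    type_len = struct.unpack("!H", frame[12:14])[0]
    if type_len >= 0x0600:                  # DIX Ethernet II: a real ethertype
        return ETHERTYPES.get(type_len, "ethertype-0x%04x" % type_len)
    # <= 1500 is an IEEE 802.3 length field; the next byte is the LLC DSAP that
    # tcpdump prints as "sap NN". An all-zero header lands here with sap 00.
    zero_header = frame[:ETH_HDR_LEN] == b"\x00" * ETH_HDR_LEN
    return "802.3-llc-zero-header" if zero_header else "802.3-llc"


def ipv4_fields(frame):
    """Return (src, dst, proto, tos) for a frame classify_frame() calls ipv4."""
    ip = frame[ETH_HDR_LEN:]
    tos, proto = ip[1], ip[9]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    return src, dst, proto, tos


def summarize(data):
    """Count records per classification; only 'ipv4' ones can trigger IP rules."""
    counts = {}
    for _, _, frame in iter_records(data):
        kind = classify_frame(frame)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


def _ipv4_udp_frame(src, dst, sport, dport, payload, tos=0, ttl=64):
    """Constructed Ethernet/IPv4/UDP frame; checksums left zero (sample only)."""
    udp_len = 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + udp_len, 0x1234, 0, ttl, 17, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth + ip + udp


# Constructed sample: one well-formed DNS query (addresses as in the post's zone
# transfer alert) and one record shaped like the odd ones tcpdump showed.
SAMPLE_PCAP = build_pcap([
    (1000, 503693, _ipv4_udp_frame("213.64.252.16", "204.235.196.33", 12757, 53,
                                   b"\x12\x34\x01\x00", tos=0, ttl=46)),
    (1001, 983693, b"\x00" * ETH_HDR_LEN + b"\x00" * 60 + b"GET /default.ida?NNNN"),
])

if __name__ == "__main__":
    print(summarize(SAMPLE_PCAP))   # prints {'ipv4': 1, '802.3-llc-zero-header': 1}
```

Run against a real `snort.log.*` file by reading it into `data` and calling `summarize(data)`: a large "802.3-llc-zero-header" count confirms that the missing alerts were written with an empty link-layer header at capture time rather than dropped by the ruleset on replay, which narrows the problem to the capture side (libpcap and the af_packet socket) instead of the Snort configuration.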

