Snort mailing list archives
odd data in -b log -- can't -r without losing alerts
From: Mcclure Gammon <gammon.mcclure () volvo com>
Date: Thu, 21 Feb 2002 16:08:55 +0100
Hi all,

Forgive the long post, but I'm a Snort/Redhat 7.2 newbie and could use some help.

Trying to run Snort-stable (1.8.3 b88) on Redhat 7.2 with Redhat libpcap 0.6.2. modules.conf has an entry for "alias net-pf-17 af_packet". I'm logging with the following command line:

    snort -b -d -A full -L snort.log -c /usr/local/etc/snort.conf

After collecting some alerts, I kill -15 the process.

Now comes the problem: I want to pull the binary dump back to my console for analysis (mysql/ACID), but replaying the log file creates weird results, like 2/3 of the alerts disappear.

These are the original alerts recorded at the sensor in the alert log:

[**] [1:1243:2] kali02 WEB-IIS ISAPI .ida attempt [**]
[Classification: Web Application Attack] [Priority: 1]
02/15-11:35:06.983693 206.247.193.14:2341 -> 204.156.78.54:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:1492
***AP*** Seq: 0x1FFCAE67  Ack: 0x1571D86F  Win: 0x2798  TcpLen: 20

[**] [1:255:2] kali02 DNS zone transfer [**]
[Classification: Attempted Information Leak] [Priority: 2]
02/15-11:41:05.503693 213.64.252.16:12757 -> 204.235.196.33:53
TCP TTL:46 TOS:0x0 ID:48938 IpLen:20 DgmLen:79 DF
***AP*** Seq: 0x2A72161A  Ack: 0xA929BCC8  Win: 0x43E0  TcpLen: 32

[**] [1:1243:2] kali02 WEB-IIS ISAPI .ida attempt [**]
[Classification: Web Application Attack] [Priority: 1]
02/15-11:55:14.963693 65.35.223.4:1905 -> 204.156.78.54:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:1504
***AP*** Seq: 0xCBA3C9B0  Ack: 0x9FF0DE26  Win: 0x2238  TcpLen: 20

[**] [1:257:1] kali02 DNS named version attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
02/15-11:59:21.133693 216.103.54.218:4486 -> 204.156.78.154:53
UDP TTL:51 TOS:0x0 ID:27808 IpLen:20 DgmLen:58
Len: 38

[**] [1:1156:1] kali02 WEB-MISC apache DOS attempt [**]
[Classification: Attempted Denial of Service] [Priority: 2]
02/15-11:59:56.443693 216.201.7.10:1234 -> 204.156.78.54:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:1500
***AP*** Seq: 0x4049B612  Ack: 0xFE1562  Win: 0x2238  TcpLen: 20

[**] [1:1156:1] kali02 WEB-MISC apache DOS attempt [**]
[Classification: Attempted Denial of Service] [Priority: 2]
02/15-12:00:49.868523 216.201.7.10:1235 -> 204.156.78.54:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:1500
***AP*** Seq: 0x413056E9  Ack: 0xFEE647  Win: 0x2238  TcpLen: 20

[**] [1:1156:1] kali02 WEB-MISC apache DOS attempt [**]
[Classification: Attempted Denial of Service] [Priority: 2]
02/15-12:00:50.818998 66.152.253.218:8766 -> 204.156.78.54:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:1488
***AP*** Seq: 0xCFB92E7B  Ack: 0xBFAA136C  Win: 0x2238  TcpLen: 20

[**] [1:257:1] kali02 DNS named version attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
02/15-12:04:13.301887 216.103.54.218:5362 -> 204.156.78.9:53
UDP TTL:51 TOS:0x0 ID:32696 IpLen:20 DgmLen:58
Len: 38

And this is what I get when I replay the binary log at the sensor (same result when I do it at the management console):

(the standard happy snort initializing statements)

[**] [1:255:2] kali02 DNS zone transfer [**]
[Classification: Attempted Information Leak] [Priority: 2]
02/15-11:41:05.503693 213.64.252.16:12757 -> 204.235.196.33:53
TCP TTL:46 TOS:0x0 ID:48938 IpLen:20 DgmLen:79 DF
***AP*** Seq: 0x2A72161A  Ack: 0xA929BCC8  Win: 0x43E0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 162876894 3188175439

[**] [1:257:1] kali02 DNS named version attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
02/15-11:59:21.133693 216.103.54.218:4486 -> 204.156.78.154:53
UDP TTL:51 TOS:0x0 ID:27808 IpLen:20 DgmLen:58
Len: 38

[**] [1:257:1] kali02 DNS named version attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
02/15-12:04:13.301887 216.103.54.218:5362 -> 204.156.78.9:53
UDP TTL:51 TOS:0x0 ID:32696 IpLen:20 DgmLen:58
Len: 38

I noticed that all of the missing entries had the TOS field set to 0x10. QoS???

When I process the snort binary log with tcpdump, this is a sample of what I see:

11:35:06.983693 0:0:0:0:0:0 > 0:0:0:0:0:0 sap 00 I (s=0,r=0,C) len=1488
        0000 0000 0000 0000 0000 0000 0000 0000
        0000 0000 0000 0000 0000 0000 0000 0000
        0000 0000 0000 0000 0000 0000 0000 0000
        <snip>
        0000 0000 0000 0000 0000 0000 0000 0000
        0000 0000 0000 0000 0000 0000 0000 4745
        5420 2f64 6566 6175 6c74 2e69 6461 3f4e
        4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e
        4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e
        4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e
        4e4e 4e4e 4e4e 4e4e
        <snip>
        81f9 5045 0000 0f85 7901 0000 8b95 58fe
        ffff 8b42 3c8b 8d58 feff ff8b 5401 7803
        9558 feff ff89 9554 feff ff8b 8554 feff
11:41:05.503693 213.64.252.16.12757 > 204.235.196.33.53: P 712119834:712119861(27) ack 2838084808 win 17376 <nop,nop,timestamp 162876894 3188175439> (DF) (ttl 46, id 48938)
11:55:14.963693 0:0:0:0:0:0 > 0:0:0:0:0:0 sap 00 I (s=0,r=0,C) len=1500
        0000 0000 0000 0000 0000 0000 0000 0000
        0000 0000 0000 0000 0000 0000 0000 0000
etc.

It appears to be a problem with libpcap, but I can't figure out what I've done wrong. After beating my head against this for a week it's getting flat. Please take 2 drinks, flame me if necessary (the cost of learning), but anything you could suggest to get this working would be appreciated.

TIA,
Gammon

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
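A small triage script, added here as an example and not taken from the thread, that reads a classic pcap file such as the `snort -b` output and reports which records carry a decodable Ethernet/IPv4 header and which come back as a run of zero bytes (the frames tcpdump renders as `0:0:0:0:0:0 > 0:0:0:0:0:0 sap 00 ...`). It assumes DLT_EN10MB captures and ships with a constructed two-record sample; pass real capture bytes to `triage()` to check a log before replaying it with `-r`.

```python
import struct

def pcap_records(data):
    """Yield (ts_sec, ts_usec, linktype, packet) for each record in a classic pcap file."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)   # magic tells us the writer's byte order
    if endian is None:
        raise ValueError("not a classic pcap file (bad magic)")
    linktype, = struct.unpack_from(endian + "I", data, 20)    # DLT of the capture
    off = 24                                                  # global header is 24 bytes
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig = struct.unpack_from(endian + "IIII", data, off)
        yield ts_sec, ts_usec, linktype, data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def describe_frame(pkt):
    """Summarise one Ethernet record: ethertype, run of leading zero bytes, IPv4 TOS/TTL if decodable."""
    info = {"caplen": len(pkt), "leading_zeros": len(pkt) - len(pkt.lstrip(b"\x00")),
            "ethertype": None, "ipv4": False, "tos": None, "ttl": None}
    if len(pkt) < 34:                       # Ethernet (14) + minimal IPv4 header (20)
        return info
    info["ethertype"], = struct.unpack_from("!H", pkt, 12)
    ver_ihl = pkt[14]
    if info["ethertype"] == 0x0800 and ver_ihl >> 4 == 4 and (ver_ihl & 0x0F) >= 5:
        info["ipv4"], info["tos"], info["ttl"] = True, pkt[15], pkt[22]
    return info

def triage(data):
    """One summary dict per record; 'suspect' marks Ethernet records with no decodable IPv4 header."""
    out = []
    for ts_sec, ts_usec, linktype, pkt in pcap_records(data):
        info = describe_frame(pkt)
        info["ts"] = "%d.%06d" % (ts_sec, ts_usec)
        info["suspect"] = linktype == 1 and not info["ipv4"]   # DLT_EN10MB == 1
        out.append(info)
    return out

def build_sample_pcap():
    """Constructed sample (not real capture data): one zero-headed record, one sane UDP/53 frame."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 1514, 1)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 27808, 0, 51, 17, 0,   # checksum left 0
                     bytes([216, 103, 54, 218]), bytes([204, 156, 78, 154]))
    udp = struct.pack("!HHHH", 4486, 53, 8, 0)
    good = b"\x02\x0c\x29\x00\x00\x01\x02\x50\x56\x00\x00\x02\x08\x00" + ip + udp
    bad = b"\x00" * 60 + b"GET /default.ida?NNNNNNNN"   # mirrors the all-zero frames tcpdump shows
    recs = b""
    for ts, pkt in ((1013771706, bad), (1013772921, good)):
        recs += struct.pack("<IIII", ts, 0, len(pkt), len(pkt)) + pkt
    return hdr + recs
```

A record whose `leading_zeros` covers the whole 14-byte Ethernet header (or more) cannot be decoded as IP on replay, which is exactly the kind of entry `-r` would silently skip.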