Snort mailing list archives
Re: snort is logging alerts but not capturing corresponding packets for some rules
From: "Lay, James" <james.lay () wincofoods com>
Date: Tue, 26 Apr 2011 12:54:17 -0600
LoL...the one time I think I find a real bug and it's by design ;) Looks like I have some reading to do then. What alerts are and are not passed to the pcap file then? What kind of alerts are pseudo packet? Thanks again Joel for all your help...hope it wasn't a big waste of time. James From: Joel Esler [mailto:jesler () sourcefire com] Sent: Tuesday, April 26, 2011 11:31 AM To: Lay, James Cc: Jason Brvenik; snort-users () lists sourceforge net Subject: Re: [Snort-users] snort is logging alerts but not capturing corresponding packets for some rules Actually, Jason is right. The alert is generated on the pseudo packet, this is correct functionality, so I've closed the bug. So, James, using the pcap you gave me, I'll get rid of the IPs in the cut and paste here, but I'll make BOLD the line that indicates that the alert is actually on the pseudo packet, and not the individual packet. snort -c snort.conf -r missed.pcap -A cmg -q 04/26-10:37:43.307954 [**] [1:12280:3] WEB-CLIENT Microsoft Internet Explorer VML source file memory corruption attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} x.x.x.x:80 -> x.x.x.x:31390 Stream reassembled packet Above, where is says "Stream reassembled packet" is your indication that the alert was not in fact on one packet, but on the reassembly of the packets. We call this the pseudo packet. If you output from Snort in Unified format, you have access to these packets. J On Tue, Apr 26, 2011 at 1:09 PM, Lay, James <james.lay () wincofoods com> wrote: Thanks for the response Jason...I ended up working with Joel on this and he has put in a bug fix. Thanks again. James From: Jason Brvenik [mailto:jbrvenik () sourcefire com] Sent: Monday, April 25, 2011 5:14 PM To: Lay, James; Kumar, Mahendra Subject: Re: [Snort-users] snort is logging alerts but not capturing corresponding packets for some rules I would suspect that the event fires on pseudo packets, reassembled or normalized traffic. Can you enable unified2 and see if it is also missing there. On Apr 25, 2011 6:58 PM, "Lay, James" <james.lay () wincofoods com> wrote:
From: Kumar, Mahendra [mailto:mkumar () intacct com] Sent: Monday, April 25, 2011 3:50 PM To: snort-users () lists sourceforge net Subject: [Snort-users] snort is logging alerts but not capturing corresponding packets for some rules Hi, I am using snort-2.9.0.5 with daq-0.5-9 and libpcap1-1.1.1-9 on Centos 5.5 (x86_64). I am not using any other thing like unified2, base, barnyard, mysql etc. My snort is working properly and I am getting alerts and packet
captures
in snort.log in tcpdump format. But for some rules (e.g. SHELLCODE sid:1394) I get the alert logged
but
there is no packet capture in snort.log and it is very consistent behavior, i.e. I will never get packet captures for some of the rules but will always get alert so it is not a packet drop problem. It seems to be a config issue where the alert is logged but no packet captures. Please help me resolve this issue. Thanks, MK Welcome to my world...I've submitted this exact same item a few times....seems to be a mystery. I have snort boxes in a few different sites on a few different OS's....same thing though...I get the alert
in
the .fast file, but certain things just do not log to the pcap. I've had to work around this with full web traffic packet captures. The machines aren't even close to maxing CPU or memory, but the problem still persists. If anyone has some advice I'd love to hear it. James
------------------------------------------------------------------------------ WhatsUp Gold - Download Free Network Management Software The most intuitive, comprehensive, and cost-effective network management toolset available today. Delivers lowest initial acquisition cost and overall TCO of any competing solution. http://p.sf.net/sfu/whatsupgold-sd
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Re: snort is logging alerts but not capturing corresponding packets for some rules Lay, James (Apr 25)
- Re: snort is logging alerts but not capturing corresponding packets for some rules Joel Esler (Apr 25)
- Re: snort is logging alerts but not capturing corresponding packets for some rules James Lay (Apr 25)
- Re: snort is logging alerts but not capturing corresponding packets for some rules Joel Esler (Apr 25)
- Re: snort is logging alerts but not capturing corresponding packets for some rules Joel Esler (Apr 26)
- Re: snort is logging alerts but not capturing corresponding packets for some rules James Lay (Apr 25)
- Re: snort is logging alerts but not capturing corresponding packets for some rules Joel Esler (Apr 25)
- Message not available
- Message not available
- Re: snort is logging alerts but not capturing corresponding packets for some rules Joel Esler (Apr 26)
- Re: snort is logging alerts but not capturing corresponding packets for some rules Lay, James (Apr 26)
- Re: snort is logging alerts but not capturing corresponding packets for some rules Joel Esler (Apr 26)
- Re: snort is logging alerts but not capturing corresponding packets for some rules Lay, James (Apr 26)
- Re: snort is logging alerts but not capturing corresponding packets for some rules waldo kitty (Apr 27)
- Re: snort is logging alerts but not capturing corresponding packets for some rules Joel Esler (Apr 27)
- Message not available
- Re: snort is logging alerts but not capturing corresponding packets for some rules Agustin Roca (May 01)
- Re: snort is logging alerts but not capturing corresponding packets for some rules Joel Esler (Apr 26)
- Re: snort is logging alerts but not capturing corresponding packets for some rules Kumar, Mahendra (Apr 26)
- Re: snort is logging alerts but not capturing corresponding packets for some rules Joel Esler (Apr 26)
- Re: snort is logging alerts but not capturing corresponding packets for some rules Jason Brvenik (May 01)