Snort mailing list archives

Some packets logging packet data


From: James Lay <jlay () slave-tothe-box net>
Date: Sat, 19 Nov 2011 08:35:38 -0700

Topic says it... it's very odd:

From alert.fast:
11/18-17:30:16.073705  [**] [138:2:1] SENSITIVE-DATA Credit Card Numbers [**] [Classification: Sensitive Data was Transmitted Across the Network] [Priority: 2] {TCP} 10.0.0.6:58570 -> <snip>:25

From the unified2 file:
(Event)
        sensor id: 0    event id: 1083  event second: 1321662616        event microsecond: 73705
        sig id: 2       gen id: 138     revision: 1      classification: 35
        priority: 2     ip source: 10.0.0.6     ip destination: <snip>
        src port: 58570 dest port: 25   protocol: 6     impact_flag: 0  blocked: 0

There is no data in the tcpdump file.

Another example:
From the alert.fast... interestingly this entry appears in between an entry
with timestamps of 17:30:28 and 17:36:08:
11/18-16:09:37.800061  [**] [1:13864:5] POLICY Microsoft Watson error reporting attempt [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.0.164:62377 -> <snip>:80

From the unified2 file:
(Event)
        sensor id: 0    event id: 1085  event second: 1321657777        event microsecond: 800061
        sig id: 13864   gen id: 1       revision: 5      classification: 33
        priority: 1     ip source: 10.0.0.164   ip destination: 65.55.53.190
        src port: 62377 dest port: 80   protocol: 6     impact_flag: 0  blocked: 0

Nothing in the tcpdump file.

At first I thought it was a pre_proc issue, but now I'm not sure... both of
these events just... have no packet data associated with them.  Any thoughts?
Thank you.

James

Relevant snort.conf items:

output alert_syslog: LOG_AUTH LOG_ALERT
output log_tcpdump: tcpdump.log
output alert_fast: snortalert.fast
output unified2: filename unified
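A way to check this systematically rather than by eye: walk the unified2 file and list every IDS event record that is not followed by a packet record carrying the same sensor id and event id. This is an added example, not code from the post or from the Snort project. It assumes the legacy unified2 layouts (record type 7 is a 52-byte IDS event, record type 2 is a 28-byte packet header followed by the packet bytes, all fields in network byte order), and it builds a small constructed sample file in memory in build_sample(); 192.0.2.10 is a placeholder for the destination that is snipped in the post.

```python
"""Report unified2 IDS events that have no associated packet record.

Added example (not from the original post or from Snort). Assumes the
legacy Unified2 IDS event record (type 7, 52 bytes) and packet record
(type 2, 28-byte header + packet bytes), both in network byte order.
"""
import ipaddress
import struct

UNIFIED2_PACKET = 2        # Serial_Unified2Packet
UNIFIED2_IDS_EVENT = 7     # legacy Unified2IDSEvent (IPv4)

RECORD_HDR = struct.Struct("!II")                  # type, length
IDS_EVENT = struct.Struct("!IIIIIIIIIIIHHBBBB")    # 52-byte event body
PACKET_HDR = struct.Struct("!IIIIIII")             # 28-byte packet header

EVENT_FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond",
                "sig_id", "gen_id", "revision", "classification", "priority",
                "ip_source", "ip_destination", "src_port", "dest_port",
                "protocol", "impact_flag", "impact", "blocked")


def iter_records(data):
    """Yield (record_type, body) for each record in a unified2 byte string."""
    off = 0
    while off + RECORD_HDR.size <= len(data):
        rtype, length = RECORD_HDR.unpack_from(data, off)
        off += RECORD_HDR.size
        body = data[off:off + length]
        if len(body) < length:
            raise ValueError("truncated record at offset %d" % off)
        yield rtype, body
        off += length


def parse_event(body):
    """Decode a legacy IDS event body into a dict with dotted-quad addresses."""
    ev = dict(zip(EVENT_FIELDS, IDS_EVENT.unpack_from(body)))
    ev["ip_source"] = str(ipaddress.IPv4Address(ev["ip_source"]))
    ev["ip_destination"] = str(ipaddress.IPv4Address(ev["ip_destination"]))
    return ev


def find_events_without_packets(data):
    """Return events (in file order) that no packet record refers back to.

    A packet record belongs to an event when its leading sensor_id and
    event_id match the event's; that pair is the join key u2spewfoo-style
    readers use, so it is what we check here.
    """
    events = {}
    have_packet = set()
    for rtype, body in iter_records(data):
        if rtype == UNIFIED2_IDS_EVENT:
            ev = parse_event(body)
            events[(ev["sensor_id"], ev["event_id"])] = ev
        elif rtype == UNIFIED2_PACKET:
            sensor_id, event_id = struct.unpack_from("!II", body)
            have_packet.add((sensor_id, event_id))
    return [ev for key, ev in events.items() if key not in have_packet]


# --- constructed sample data, modelled on the events quoted in the post ---

def _event_record(sensor_id, event_id, sec, usec, sig, gen, rev, cls, pri,
                  src, dst, sport, dport, proto=6):
    body = IDS_EVENT.pack(sensor_id, event_id, sec, usec, sig, gen, rev, cls, pri,
                          int(ipaddress.IPv4Address(src)),
                          int(ipaddress.IPv4Address(dst)),
                          sport, dport, proto, 0, 0, 0)
    return RECORD_HDR.pack(UNIFIED2_IDS_EVENT, len(body)) + body


def _packet_record(sensor_id, event_id, sec, usec, payload, linktype=1):
    body = PACKET_HDR.pack(sensor_id, event_id, sec, sec, usec,
                           linktype, len(payload)) + payload
    return RECORD_HDR.pack(UNIFIED2_PACKET, len(body)) + body


def build_sample():
    """Three events: 1082 has a packet; 1083 and 1085 (from the post) do not."""
    return b"".join([
        # constructed event with a packet record (a placeholder rule 1:1)
        _event_record(0, 1082, 1321662600, 1000, 1, 1, 1, 0, 3,
                      "10.0.0.6", "192.0.2.10", 58569, 25),
        _packet_record(0, 1082, 1321662600, 1000, b"\x00" * 14 + b"EHLO example\r\n"),
        # 138:2:1 SENSITIVE-DATA event; 192.0.2.10 stands in for the snipped host
        _event_record(0, 1083, 1321662616, 73705, 2, 138, 1, 35, 2,
                      "10.0.0.6", "192.0.2.10", 58570, 25),
        # 1:13864:5 POLICY Microsoft Watson event
        _event_record(0, 1085, 1321657777, 800061, 13864, 1, 5, 33, 1,
                      "10.0.0.164", "65.55.53.190", 62377, 80),
    ])


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for ev in find_events_without_packets(data):
        print("no packet: event id %(event_id)d  [%(gen_id)d:%(sig_id)d:%(revision)d]"
              "  %(ip_source)s:%(src_port)d -> %(ip_destination)s:%(dest_port)d" % ev)
```

Run it with the path to a unified2 spool file (for example the `unified.<timestamp>` files written by the `output unified2:` line above) to list the orphaned events; with no argument it runs over the constructed sample and reports event ids 1083 and 1085.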