Snort mailing list archives
Some packets logging packet data
From: James Lay <jlay () slave-tothe-box net>
Date: Sat, 19 Nov 2011 08:35:38 -0700
Topic says it...it's very odd:

From alert.fast:

11/18-17:30:16.073705 [**] [138:2:1] SENSITIVE-DATA Credit Card Numbers [**] [Classification: Sensitive Data was Transmitted Across the Network] [Priority: 2] {TCP} 10.0.0.6:58570 -> <snip>:25

From the unified2 file:

(Event) sensor id: 0 event id: 1083 event second: 1321662616 event microsecond: 73705 sig id: 2 gen id: 138 revision: 1 classification: 35 priority: 2 ip source: 10.0.0.6 ip destination: <snip> src port: 58570 dest port: 25 protocol: 6 impact_flag: 0 blocked: 0

There is no data in the tcpdump file. Another example:

From the alert.fast...interestingly this entry appears in between an entry with timestamps of 17:30:28 and 17:36:08:

11/18-16:09:37.800061 [**] [1:13864:5] POLICY Microsoft Watson error reporting attempt [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.0.164:62377 -> <snip>:80

From the unified2 file:

(Event) sensor id: 0 event id: 1085 event second: 1321657777 event microsecond: 800061 sig id: 13864 gen id: 1 revision: 5 classification: 33 priority: 1 ip source: 10.0.0.164 ip destination: 65.55.53.190 src port: 62377 dest port: 80 protocol: 6 impact_flag: 0 blocked: 0

Nothing in the tcpdump file. At first I thought it was a pre_proc issue, but now I'm not sure...both of these events just...have no packet data associated with them. Any thoughts? Thank you.

James

Relevant snort.conf items:

output alert_syslog: LOG_AUTH LOG_ALERT
output log_tcpdump: tcpdump.log
output alert_fast: snortalert.fast
output unified2: filename unified
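One way to check a unified2 spool for exactly this symptom, as an added example that is not part of the thread: walk the record stream and list IDS event records (type 7) that have no packet record (type 2) sharing their sensor id, event id and event second. The sample bytes are constructed here from the two events quoted above; the snipped destination address is replaced by the placeholder 10.0.0.1, and the 52-byte IPv4 event layout is the one Snort's Unified2_common.h defines for type 7.

```python
import struct
# unified2 record types (UNIFIED2_PACKET / UNIFIED2_IDS_EVENT in Snort's Unified2_common.h)
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
# IDS event (IPv4) body: 11 x u32, 2 x u16, 4 x u8 = 52 bytes, network byte order
EVENT_FMT = "!IIIIIIIIIIIHHBBBB"
# packet record fixed part: 7 x u32 = 28 bytes, followed by packet_length bytes of data
PACKET_FMT = "!IIIIIII"

def iter_records(buf):
    """Yield (record_type, body) for each record in a unified2 byte buffer."""
    off = 0
    while off + 8 <= len(buf):
        rtype, rlen = struct.unpack_from("!II", buf, off)
        body = buf[off + 8:off + 8 + rlen]
        if len(body) < rlen:
            break  # truncated tail (spool still being written): stop, don't misparse
        yield rtype, body
        off += 8 + rlen

def events_without_packets(buf):
    """List (gen_id, sig_id, event_id, event_second) for IDS events that have no
    packet record keyed by the same sensor id, event id and event second."""
    events, with_packet = {}, set()
    for rtype, body in iter_records(buf):
        if rtype == UNIFIED2_IDS_EVENT:
            f = struct.unpack(EVENT_FMT, body[:52])
            events[(f[0], f[1], f[2])] = (f[5], f[4], f[1], f[2])
        elif rtype == UNIFIED2_PACKET:
            with_packet.add(struct.unpack_from("!III", body, 0))
    return [v for k, v in events.items() if k not in with_packet]

# Constructed sample stream (not the poster's file): the two events from the mail,
# only the second followed by a packet record. Destination 10.0.0.1 is a placeholder.
def _event(event_id, second, usec, sig, gen, rev, cls, pri, sport, dport):
    body = struct.pack(EVENT_FMT, 0, event_id, second, usec, sig, gen, rev, cls, pri,
                       0x0A000006, 0x0A000001, sport, dport, 6, 0, 0, 0)
    return struct.pack("!II", UNIFIED2_IDS_EVENT, len(body)) + body

def _packet(event_id, second, data):
    body = struct.pack(PACKET_FMT, 0, event_id, second, second, 0, 1, len(data)) + data
    return struct.pack("!II", UNIFIED2_PACKET, len(body)) + body

SAMPLE = (_event(1083, 1321662616, 73705, 2, 138, 1, 35, 2, 58570, 25)
          + _event(1085, 1321657777, 800061, 13864, 1, 5, 33, 1, 62377, 80)
          + _packet(1085, 1321657777, b"\x45\x00" + b"\x00" * 38))

for gen_id, sig_id, event_id, second in events_without_packets(SAMPLE):
    print(f"[{gen_id}:{sig_id}] event id {event_id} second {second}: no packet record")
```

Run it against a real spool by replacing SAMPLE with the file's bytes; an event listed here with a gen id other than 1 usually points at a preprocessor-generated event, which is the first thing to compare against the log_tcpdump output.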