Snort mailing list archives

Re: missing pcaps for alerts


From: Joel Esler <jesler () sourcefire com>
Date: Thu, 21 Jun 2012 20:24:06 -0400

Okay.  Now I understand.  Yes, some logging changes were made that have
been fixed over the past couple of versions.

The next version (coming soon) is 2.9.3.0, where the problem should be
completely fixed.

On Thu, Jun 21, 2012 at 8:19 PM, John Ives <jives () security berkeley edu> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


My mistake, you would probably have to go back to the original
messages in the thread to understand.

The problem is that when I run anything past 2.9.1.0 the packets that
caused some alerts (and it is consistent for some signatures) are not
recorded in the tcpdump file. When I have used the unified2 format
sometimes the packets appear in the merge file, but not always. This
has happened using snort on FreeBSD with the snort coming from both
ports and hand installed and on RHEL 6.

Since I use a gigamon to replicate the traffic I can run two copies of
snort on two different boxes and with the same traffic and rules and
compare the results. I have tried several upgrades past 2.9.1.0 now
and this seems to happen consistently. The signatures that have
problems have been both VRT and ET sigs.

John

On 6/21/2012 5:08 PM, Joel Esler wrote:
John,

I've read your email three times and i am still not sure what you
are asking.  I'd love to help.

On Thu, Jun 21, 2012 at 5:29 PM, John Ives
<jives () security berkeley edu> wrote:

I know it's been 8 months, but I have been able to limp along using
2.9.1.0 (though my VRT subscription has been getting wasted for a
while), so I haven't pressed this issue, but it's now reaching the
point where it's becoming a real pain.

Additionally, in an effort to see if this was a FreeBSD-specific
problem, I brought up a RHEL 6 box with a very basic snort
installation (configure; make; make install) and tried testing
again with the latest version but still get the same problem.  I
have just added the unified2 output to the snort.conf, and have
seen some events (so far I have found it with sid 1201) in just
the last few minutes where the packet appeared in the unified2
file and not in the pcap.

Any idea what is happening?

John

On 10/25/2011 2:05 PM, John Ives wrote:
Any word on when devel will be able to look into this?  Unlike
my reading of Eoin's problem, the traffic doesn't appear in
the unified2 file either (I originally thought it did, but
upon further investigation I am not seeing it in either the
pcap or the unified2 files).

I have tried upgrading to 2.9.1.2 hoping that would fix the
problem. At this point I am probably going to need to revert
to 2.9.1.0 (which worked) to get everything working
properly.

Yours,

John

On 10/20/2011 10:50 AM, Joel Esler wrote:
Devel is going to look into this, however, they are busy
with two big things right now, and when they complete that,
I'm sure they'll chime in with some needs to test this
out.

Thanks

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire


On Oct 20, 2011, at 1:40 PM, Eoin Miller wrote:

Hey Joel,


I've been noticing this for a while but kept forgetting
to get around to looking into it more in depth. I figured
it was barnyard2 having an issue, but it does appear to
be Snort's logging output. If multiple alerts are firing
on the same frame, Snort doesn't seem to re-log the frame
correctly for multiple alerts:

If we have a test set of 3 rules like below:

alert tcp any any -> any any (msg:"MZ 1"; file_data; content:"MZ"; within:2; sid:1; rev:1;)
alert tcp any any -> any any (msg:"MZ 2"; file_data; content:"MZ"; within:2; sid:2; rev:1;)
alert tcp any any -> any any (msg:"MZ 3"; file_data; content:"MZ"; within:2; sid:3; rev:1;)

Now we run them against a PCAP of a user downloading an
executable file, it alerts 3 times as expected in our
fast alert output log. However, in the unified2 log, we
have the following at the beginning of the file when we
run the u2spewfoo binary against it:

---BEGIN---
(Event)
    sensor id: 0    event id: 1    event second: 1319130108    event microsecond: 745191
    sig id: 3    gen id: 1    revision: 1    classification: 0    priority: 0
    ip source: 71.191.147.210    ip destination: 10.181.188.73
    src port: 80    dest port: 64916    protocol: 6    impact_flag: 0    blocked: 0

Packet
    sensor id: 0    event id: 1    event second: 1319130108
    packet second: 1319130108    packet microsecond: 745191
    linktype: 1    packet_length: 1514
00 00 5E 00 01 02 00 10 DB FF 26 00 08 00 45 00  ..^.......&...E.
05 DC 28 A0 40 00 38 06 71 EC 47 BF 93 D2 0A B5  ..(.@.8.q.G.....
BC 49 00 50 FD 94 2E 8F 54 A2 FC 56 2E AC 50 10  .I.P....T..V..P.
00 6C C1 9A 00 00 48 54 54 50 2F 31 2E 31 20 32  .l....HTTP/1.1 2
30 30 20 4F 4B 0D 0A 44 61 74 65 3A 20 54 68 75  00 OK..Date: Thu
2C 20 32 30 20 4F 63 74 20 32 30 31 31 20 31 37  , 20 Oct 2011 17
3A 31 34 3A 30 39 20 47 4D 54 0D 0A 53 65 72 76  :14:09 GMT..Serv
65 72 3A 20 41 70 61 63 68 65 2F 32 2E 32 2E 31  er: Apache/2.2.1
34 20 28 55 62 75 6E 74 75 29 0D 0A 4C 61 73 74  4 (Ubuntu)..Last
2D 4D 6F 64 69 66 69 65 64 3A 20 54 68 75 2C 20  -Modified: Thu,
31 38 20 41 75 67 20 32 30 31 31 20 30 30 3A 34  18 Aug 2011 00:4
32 3A 31 33 20 47 4D 54 0D 0A 45 54 61 67 3A 20  2:13 GMT..ETag:
22 31 38 36 36 30 33 2D 34 30 65 30 30 2D 34 61  "186603-40e00-4a
61 62 63 65 32 34 37 30 32 37 66 22 0D 0A 41 63  abce247027f"..Ac
63 65 70 74 2D 52 61 6E 67 65 73 3A 20 62 79 74  cept-Ranges: byt
65 73 0D 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67  es..Content-Leng
74 68 3A 20 32 36 35 37 32 38 0D 0A 4B 65 65 70  th: 265728..Keep
2D 41 6C 69 76 65 3A 20 74 69 6D 65 6F 75 74 3D  -Alive: timeout=
31 35 2C 20 6D 61 78 3D 31 30 30 0D 0A 43 6F 6E  15, max=100..Con
6E 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C  nection: Keep-Al
69 76 65 0D 0A 43 6F 6E 74 65 6E 74 2D 54 79 70  ive..Content-Typ
65 3A 20 61 70 70 6C 69 63 61 74 69 6F 6E 2F 78  e: application/x
2D 6D 73 64 6F 73 2D 70 72 6F 67 72 61 6D 0D 0A  -msdos-program..
0D 0A 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF  ..MZ............
00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00  ..........@.....
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 D8 00  ................
00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21  ..........!..L.!
54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E  This program can
6E 6F 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F  not be run in DO
53 20 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00  S mode....$.....
---SNIP---



After this alert and packet, there are 11 more
subsequent packets logged. However, the other two events
have NO packets with them as we can see below from the
end of the output:


---SNIP---
E0 8B 00 85 C0 74 02 FF D0 83 45 E0 04 EB E6 C7  .....t....E.....
45 FC FE FF FF FF E8 20 00 00                    E...... ..

(Event)
    sensor id: 0    event id: 2    event second: 1319130108    event microsecond: 745191
    sig id: 2    gen id: 1    revision: 1    classification: 0    priority: 0
    ip source: 71.191.147.210    ip destination: 10.181.188.73
    src port: 80    dest port: 64916    protocol: 6    impact_flag: 0    blocked: 0

(Event)
    sensor id: 0    event id: 3    event second: 1319130108    event microsecond: 745191
    sig id: 1    gen id: 1    revision: 1    classification: 0    priority: 0
    ip source: 71.191.147.210    ip destination: 10.181.188.73
    src port: 80    dest port: 64916    protocol: 6    impact_flag: 0    blocked: 0
---END---


-- Eoin







------------------------------------------------------------------------------





The demand for IT networking professionals continues to grow, and
the
demand for specialized networking skills is growing even
more rapidly. Take a complimentary Learning@Cisco
Self-Assessment and learn about Cisco certifications,
training, and career opportunities.
http://p.sf.net/sfu/cisco-dev2dev



_______________________________________________
Snort-users mailing list Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all
the latest Snort news!















- --
- -------------------------------------------------------------------------
John Ives
System & Network Security                           Phone (510) 229-8676
University of California, Berkeley
- -------------------------------------------------------------------------


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJP47oRAAoJEJkidK6qbywsYs8H/AnmKDG0bKUTYpeAFGGHkTAC
MDuXdcbWxWZ506XSqCKNtivKCOTrsEHGeUyx+wcsu9xUZ7REUYFGskBA4HnDwRSl
/TbQWtCcd/kbcLlljkG718494lU3d8fNVDAEg+CfxkuOXPWc9IEP3SDGM7q8wJxl
j1poa+BdCUADdg5Eo8WlhmFBroVcjVuA6/JevAzOjNZ6chc3iGDyvrHk16+7M3uE
44Plgt2FpzDaHo6fyT9AU8FSzUwhePi/kw4NS4Cb8CyeX+Uq902uZFi6VzjECKJj
Qtq6OA2IH/fgsC1VrtCPoROf0aA1w/Z1le1b4dp8iy2Se2BPzNPzEveplWOv9A4=
=cdge
-----END PGP SIGNATURE-----




-- 
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
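The symptom Eoin and John describe above (an Event record in the unified2 spool with no Packet record behind it) is easy to check for mechanically, because a Unified2Packet carries the same sensor id / event id / event second triple as the event it belongs to. The script below is an added example, not Snort's, barnyard2's or u2spewfoo's code: it walks a unified2 byte stream, joins Packet records to Event records on that triple, and lists the events that ended up with zero packets. The record layouts (type 7 Unified2IDSEvent, type 104 Unified2IDSEvent_v2, type 2 Unified2Packet, all big-endian) are the ones from Snort's unified2 header. The spool bytes are constructed inline to reproduce the quoted u2spewfoo output: three events for one frame, a Packet record attached only to event id 1. The `file_data_mz_match` helper is a deliberate simplification of `file_data; content:"MZ"; within:2;` against the raw response in the frame; real Snort evaluates `file_data` on the normalized, reassembled HTTP body, so treat that part as an illustration of what the three rules look for, not as the detection engine.

```python
"""Walk a unified2 spool and report Event records that have no Packet record.

Constructed example, not Snort's own code. The sample spool is built inline
to mirror the u2spewfoo output quoted in the thread: three events for the
same frame, only the first of which carries a Packet record.
"""
import struct
from collections import defaultdict

# Record types from Snort's unified2 header file.
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7          # legacy IPv4 event, 52-byte body
UNIFIED2_IDS_EVENT_V2 = 104     # IPv4 event with mpls/vlan fields appended

EVENT_FMT = ">IIIIIIIIIIIHHBBBB"  # Unified2IDSEvent prefix, big-endian
PACKET_HDR_FMT = ">IIIIIII"       # Unified2Packet header before packet_data


def parse_unified2(data):
    """Yield (record_type, fields) for every record in a unified2 byte string.

    A record whose declared length runs past the end of the buffer raises
    ValueError instead of being silently dropped, so a truncated spool is
    distinguishable from a spool that genuinely lacks packets.
    """
    off = 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack_from(">II", data, off)
        body = data[off + 8:off + 8 + rlen]
        if len(body) < rlen:
            raise ValueError("truncated record at offset %d" % off)
        off += 8 + rlen
        if rtype in (UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_V2):
            f = struct.unpack_from(EVENT_FMT, body, 0)
            yield rtype, {
                "sensor_id": f[0], "event_id": f[1], "event_second": f[2],
                "event_microsecond": f[3], "sig_id": f[4], "gen_id": f[5],
                "revision": f[6], "src_port": f[11], "dst_port": f[12],
                "protocol": f[13],
            }
        elif rtype == UNIFIED2_PACKET:
            h = struct.unpack_from(PACKET_HDR_FMT, body, 0)
            yield rtype, {
                "sensor_id": h[0], "event_id": h[1], "event_second": h[2],
                "linktype": h[5], "packet_length": h[6],
                "packet_data": body[28:28 + h[6]],
            }
        else:
            yield rtype, {"raw": body}  # extra data, IPv6 events, etc.


def events_without_packets(data):
    """Return [(gen_id, sig_id, event_id), ...] for events with no Packet record."""
    events, packets = {}, defaultdict(int)
    for rtype, rec in parse_unified2(data):
        key = (rec.get("sensor_id"), rec.get("event_id"), rec.get("event_second"))
        if rtype in (UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_V2):
            events[key] = rec
        elif rtype == UNIFIED2_PACKET:
            packets[key] += 1
    return [(e["gen_id"], e["sig_id"], e["event_id"])
            for key, e in sorted(events.items(), key=lambda kv: kv[0][1])
            if packets[key] == 0]


def file_data_mz_match(packet_data):
    """Simplified `file_data; content:"MZ"; within:2;` on a raw HTTP response:
    the body starts after the header terminator and "MZ" must be its first
    two bytes. Real Snort works on the normalized, reassembled body."""
    idx = packet_data.find(b"\r\n\r\n")
    return idx >= 0 and packet_data[idx + 4:idx + 6] == b"MZ"


# ---- constructed sample spool -------------------------------------------
def _event(event_id, sig_id):
    return struct.pack(EVENT_FMT, 0, event_id, 1319130108, 745191, sig_id, 1, 1,
                       0, 0, 0x47BF93D2, 0x0AB5BC49,   # 71.191.147.210 -> 10.181.188.73
                       80, 64916, 6, 0, 0, 0)


def _record(rtype, body):
    return struct.pack(">II", rtype, len(body)) + body


# Shortened frame (constructed): Ethernet/IP header bytes, then the response prefix.
SAMPLE_FRAME = (bytes.fromhex("0000 5e00 0102 0010 dbff 2600 0800 4500")
                + b"HTTP/1.1 200 OK\r\nContent-Type: application/x-msdos-program"
                + b"\r\n\r\nMZ\x90\x00")
SAMPLE_U2 = (
    _record(UNIFIED2_IDS_EVENT, _event(1, 3))
    + _record(UNIFIED2_PACKET,
              struct.pack(PACKET_HDR_FMT, 0, 1, 1319130108, 1319130108, 745191,
                          1, len(SAMPLE_FRAME)) + SAMPLE_FRAME)
    + _record(UNIFIED2_IDS_EVENT, _event(2, 2))
    + _record(UNIFIED2_IDS_EVENT, _event(3, 1))
)

if __name__ == "__main__":
    for gen, sid, eid in events_without_packets(SAMPLE_U2):
        print("event %d (gid %d, sid %d) has no Packet record" % (eid, gen, sid))
```

Run against a real spool (`open("snort.log.1319130108", "rb").read()`) the same loop tells you, per event, whether the pcap/unified2 gap John is chasing is present without having to eyeball u2spewfoo output; for a large spool, feed the file through `parse_unified2` incrementally rather than reading it whole.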
