Snort mailing list archives
Re: Unified2 logging bug in snort 2.9.4 (Build 40)
From: Bhagya Bantwal <bbantwal () sourcefire com>
Date: Wed, 13 Mar 2013 18:27:33 -0400
Thank you for reporting this issue. We did recently fix an issue similar to this. If you send us your pcap and conf, we can confirm that it is the same issue. On Wed, Mar 13, 2013 at 9:25 AM, <elof () sentor se> wrote:
Hi! I found a bug in my snort (Version 2.9.4 GRE (Build 40)) and wonder if you need more data about it, or if it is already reported or being fixed. I don't want to waste lots of hours creating a bug report for something that is already known... :-) Issue: snort don't always log the event packet data to unified2, only the event itself. Example: snort.conf:output unified2: filename snort.unified2 snort.conf:output alert_fast: snort.alert Snort logs all events to both snort.alert (ascii) and to unified2. * I start snort (no logfiles exists prior to this) * 9 events are triggered * I terminate snort snort.alert show these 9 lines: 1 03/12/13-18:29:02.090781 [**] [1:2008066:6] <mon0> ET USER_AGENTS Suspicious Blank User-Agent (descriptor but no string) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.100.3.139:57261 -> 10.23.16.22:80 2 03/12/13-18:30:05.160641 [**] [1:2008066:6] <mon0> ET USER_AGENTS Suspicious Blank User-Agent (descriptor but no string) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 212.188.183.73:56842 -> 193.189.143.34:80 3 03/12/13-18:30:05.160515 [**] [1:2008066:6] <mon0> ET USER_AGENTS Suspicious Blank User-Agent (descriptor but no string) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.100.3.139:57168 -> 193.189.143.34:80 4 03/12/13-18:31:05.167982 [**] [1:2008066:6] <mon0> ET USER_AGENTS Suspicious Blank User-Agent (descriptor but no string) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 212.188.183.73:56842 -> 193.189.143.34:80 5 03/12/13-18:31:05.167859 [**] [1:2008066:6] <mon0> ET USER_AGENTS Suspicious Blank User-Agent (descriptor but no string) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.100.3.139:57168 -> 193.189.143.34:80 6 03/12/13-18:32:05.176776 [**] [1:2008066:6] <mon0> ET USER_AGENTS Suspicious Blank User-Agent (descriptor but no string) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 212.188.183.73:56842 -> 193.189.143.34:80 7 03/12/13-18:32:05.176652 [**] [1:2008066:6] <mon0> ET USER_AGENTS Suspicious Blank User-Agent (descriptor but no string) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.100.3.139:57168 -> 193.189.143.34:80 8 03/12/13-18:35:05.226355 [**] [1:2008066:6] <mon0> ET USER_AGENTS Suspicious Blank User-Agent (descriptor but no string) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 212.188.183.73:60351 -> 193.189.143.34:80 9 03/12/13-18:35:05.226230 [**] [1:2008066:6] <mon0> ET USER_AGENTS Suspicious Blank User-Agent (descriptor but no string) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.100.3.139:57388 -> 193.189.143.34:80 'u2spewfoo snort.unified2.1363109305' show this in the unified2 file: (Event) sensor id: 0 event id: 1 event second: 1363109342 event microsecond: 90781 sig id: 2008066 gen id: 1 revision: 6 classification: 21 priority: 1 ip source: 10.100.3.139 ip destination: 10.23.16.22 src port: 57261 dest port: 80 protocol: 6 impact_flag: 0 blocked: 0 Packet sensor id: 0 event id: 1 event second: 1363109342 packet second: 1363109342 packet microsecond: 90781 linktype: 1 packet_length: 415 [ 0] 00 00 5E 00 01 10 3C D9 2B 6A 5D 60 08 00 45 00 ..^...<.+j]`..E. [ 16] 01 91 18 7C 40 00 80 06 B8 CF 0A 64 03 8B 0A 17 ...|@......d.... [ 32] 10 16 DF AD 00 50 91 5B 61 9C D4 A9 E5 7A 50 18 .....P.[a....zP. [ 48] 01 04 08 2D 00 00 47 45 54 20 2F 67 6F 2F 68 6F ...-..GET /go/ho [ 64] 6D 65 20 48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 me HTTP/1.1..Hos ...snip... (Event) sensor id: 0 event id: 2 event second: 1363109405 event microsecond: 160641 sig id: 2008066 gen id: 1 revision: 6 classification: 21 priority: 1 ip source: 212.188.183.73 ip destination: 193.189.143.34 src port: 56842 dest port: 80 protocol: 6 impact_flag: 0 blocked: 0 (Event) sensor id: 0 event id: 3 event second: 1363109405 event microsecond: 160515 sig id: 2008066 gen id: 1 revision: 6 classification: 21 priority: 1 ip source: 10.100.3.139 ip destination: 193.189.143.34 src port: 57168 dest port: 80 protocol: 6 impact_flag: 0 blocked: 0 (Event) sensor id: 0 event id: 4 event second: 1363109465 event microsecond: 167982 sig id: 2008066 gen id: 1 revision: 6 classification: 21 priority: 1 ip source: 212.188.183.73 ip destination: 193.189.143.34 src port: 56842 dest port: 80 protocol: 6 impact_flag: 0 blocked: 0 (Event) sensor id: 0 event id: 5 event second: 1363109465 event microsecond: 167859 sig id: 2008066 gen id: 1 revision: 6 classification: 21 priority: 1 ip source: 10.100.3.139 ip destination: 193.189.143.34 src port: 57168 dest port: 80 protocol: 6 impact_flag: 0 blocked: 0 (Event) sensor id: 0 event id: 6 event second: 1363109525 event microsecond: 176776 sig id: 2008066 gen id: 1 revision: 6 classification: 21 priority: 1 ip source: 212.188.183.73 ip destination: 193.189.143.34 src port: 56842 dest port: 80 protocol: 6 impact_flag: 0 blocked: 0 (Event) sensor id: 0 event id: 7 event second: 1363109525 event microsecond: 176652 sig id: 2008066 gen id: 1 revision: 6 classification: 21 priority: 1 ip source: 10.100.3.139 ip destination: 193.189.143.34 src port: 57168 dest port: 80 protocol: 6 impact_flag: 0 blocked: 0 (Event) sensor id: 0 event id: 8 event second: 1363109705 event microsecond: 226355 sig id: 2008066 gen id: 1 revision: 6 classification: 21 priority: 1 ip source: 212.188.183.73 ip destination: 193.189.143.34 src port: 60351 dest port: 80 protocol: 6 impact_flag: 0 blocked: 0 Packet sensor id: 0 event id: 8 event second: 1363109705 packet second: 1363109705 packet microsecond: 226355 linktype: 1 packet_length: 1066 [ 0] 00 00 0C 07 AC 01 90 E2 BA 1A 4B 98 08 00 45 00 ..........K...E. [ 16] 04 1C 26 5B 40 00 7F 06 F4 9A D4 BC B7 49 C1 BD ..&[@........I.. [ 32] 8F 22 EB BF 00 50 36 9D 09 53 4E FC 08 31 50 18 ."...P6..SN..1P. [ 48] 01 00 57 3E 00 00 50 4F 53 54 20 2F 61 70 69 2F ..W>..POST /api/ ...snip... (Event) sensor id: 0 event id: 9 event second: 1363109705 event microsecond: 226230 sig id: 2008066 gen id: 1 revision: 6 classification: 21 priority: 1 ip source: 10.100.3.139 ip destination: 193.189.143.34 src port: 57388 dest port: 80 protocol: 6 impact_flag: 0 blocked: 0 Packet sensor id: 0 event id: 9 event second: 1363109705 packet second: 1363109705 packet microsecond: 226230 linktype: 1 packet_length: 1066 [ 0] 00 00 5E 00 01 10 3C D9 2B 6A 5D 60 08 00 45 00 ..^...<.+j]`..E. [ 16] 04 1C 26 5B 40 00 80 06 71 B2 0A 64 03 8B C1 BD ..&[@...q..d.... [ 32] 8F 22 E0 2C 00 50 36 9D 09 53 4E FC 08 31 50 18 .".,.P6..SN..1P. [ 48] 01 00 E0 E8 00 00 50 4F 53 54 20 2F 61 70 69 2F ......POST /api/ ...snip... Where did the packet data for events 2-7 go??? In event 1, 8 and 9 the packet data is logged correctly but events 2-7 have no packet data logged even though it is the same signature that trigger. Strange! Having a snort that don't log security events properly is quite bad... A 'MAJOR' bug imho. Anyhow, this happen a few times every day, but not in such a manner that I can easily tcpdump the traffic and create a test-pcap. /Elof
------------------------------------------------------------------------------ Everyone hates slow websites. So do we. Make your web apps faster with AppDynamics Download AppDynamics Lite for free today: http://p.sf.net/sfu/appdyn_d2d_mar _______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Unified2 logging bug in snort 2.9.4 (Build 40) elof (Mar 13)
- Re: Unified2 logging bug in snort 2.9.4 (Build 40) Bhagya Bantwal (Mar 13)
- Re: Unified2 logging bug in snort 2.9.4 (Build 40) elof (Mar 15)
- Re: Unified2 logging bug in snort elof (Mar 19)
- Re: Unified2 logging bug in snort elof (Mar 23)
- Re: Unified2 logging bug in snort 2.9.4 (Build 40) elof (Mar 15)
- Re: Unified2 logging bug in snort 2.9.4 (Build 40) Bhagya Bantwal (Mar 13)