Snort mailing list archives

Unified2 output without Details like TTL, Win Size


From: <fabio.hufschmid () post ch>
Date: Wed, 3 Apr 2013 10:11:06 +0000

Hi,

I have a big problem. I am renewing our old Snort infrastructure.
This is the setup:
Snort Sensor [unified2]->barnyard2 [output log_syslog_full]->Splunk
[Output format]

I looked at the content of the unified2 file with u2spewfoo before feeding it into barnyard2. I see that not all the information
that is in the alert.full output is there.
In the unified2 output I am missing this information:
TCP TTL:62 TOS:0x0 ID:65250 IpLen:20 DgmLen:62 DF
***AP*** Seq: 0xD5A75D01  Ack: 0xEF97F853  Win: 0x73  TcpLen: 32
TCP Options (3) => NOP NOP TS: 4230522403 429387143

I thought that the unified2 format contains all the information and that I can output it with barnyard2 to syslog.
We need the information from alert.full with the payload that triggers the signature. How can I do that?


More details and the differences between the Snort outputs:

output unified2: filename /appl/sec/log/unified2.log, limit 128

(Event)
        sensor id: 0    event id: 4     event second: 1364982585        event microsecond: 817676
        sig id: 4       gen id: 128     revision: 1      classification: 25
        priority: 2     ip source: xxx.xxx.xxx.xxx ip destination: yyy.yyy.yyy.yyy
        src port: 40411 dest port: 22   protocol: 6     impact_flag: 0  blocked: 0

Packet
        sensor id: 0    event id: 4     event second: 1364982585
        packet second: 1364982585       packet microsecond: 817676
        linktype: 1     packet_length: 75
[    0] 00 22 64 FA 3A A6 00 1A E3 15 D0 00 08 00 45 00  ."d.:.........E.
[   16] 00 3D CE 06 40 00 3E 06 E5 57 AC 1B 21 21 AC 15  .=..@.>..W..!!..
[   32] 10 0B 9D DB 00 16 B6 C4 56 F0 36 93 78 28 80 18  ........V.6.x(..
[   48] 00 73 6A 59 00 00 01 01 08 0A FC 34 9A 59 19 A3  .sjY.......4.Y..
[   64] E2 94 61 73 64 66 61 73 64 0D 0A                 ..asdfasd..


output alert_full: /appl/sec/log/alert.full

[**] [128:4:1] (spp_ssh) Protocol mismatch [**]
[Classification: Detection of a non-standard protocol or event] [Priority: 2]
04/03-11:49:45.817676 xxx.xxx.xxx.xxx:40411 -> yyy.yyy.yyy.yyy:22
TCP TTL:62 TOS:0x0 ID:52742 IpLen:20 DgmLen:61 DF
***AP*** Seq: 0xB6C456F0  Ack: 0x36937828  Win: 0x73  TcpLen: 32
TCP Options (3) => NOP NOP TS: 4231305817 430170772

Thx Neo
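The header fields missing from the u2spewfoo listing are not lost: the unified2 Packet record carries the raw frame, and u2spewfoo only hex-dumps it, whereas alert_full decodes the IP and TCP headers. The following is an added example, not code from the post, Snort or barnyard2, that decodes the hex dump printed above into the alert_full header lines; the dump string is copied from the post, and the option/flag rendering is this example's own approximation of the alert_full layout.

```python
import struct

# Constructed input: the packet hex dump as u2spewfoo printed it in the post above
# (linktype 1 = Ethernet, packet_length 75). Layout: '[%5d] ' then sixteen 'XX ' fields, then ASCII.
U2SPEWFOO_DUMP = """\
[    0] 00 22 64 FA 3A A6 00 1A E3 15 D0 00 08 00 45 00  ."d.:.........E.
[   16] 00 3D CE 06 40 00 3E 06 E5 57 AC 1B 21 21 AC 15  .=..@.>..W..!!..
[   32] 10 0B 9D DB 00 16 B6 C4 56 F0 36 93 78 28 80 18  ........V.6.x(..
[   48] 00 73 6A 59 00 00 01 01 08 0A FC 34 9A 59 19 A3  .sjY.......4.Y..
[   64] E2 94 61 73 64 66 61 73 64 0D 0A                 ..asdfasd..
"""

def dump_to_bytes(dump):
    """Rebuild the raw packet: the hex fields occupy columns 8..55 of every dump line."""
    return bytes(int(h, 16) for line in dump.splitlines() for h in line[8:56].split())

def decode_tcp_options(opts):
    """Render TCP options the way alert_full prints them (NOP, TS; other kinds by number)."""
    names, i = [], 0
    while i < len(opts) and opts[i] != 0:        # kind 0 = end of option list
        kind = opts[i]
        if kind == 1:                              # NOP carries no length byte
            names.append("NOP"); i += 1; continue
        length = opts[i + 1]
        if length < 2:                             # malformed option: stop rather than loop
            break
        if kind == 8 and length == 10:             # timestamp: TSval TSecr
            names.append("TS: %d %d" % struct.unpack("!II", opts[i + 2:i + 10]))
        else:
            names.append("Opt %d" % kind)
        i += length
    return "TCP Options (%d) => %s" % (len(names), " ".join(names))

def decode_packet(pkt):
    """Extract the IP/TCP header fields alert_full prints but u2spewfoo leaves undecoded."""
    assert pkt[12:14] == b"\x08\x00", "only IPv4 over Ethernet handled here"
    ip = pkt[14:]
    ihl = (ip[0] & 0x0F) * 4
    tos, dgmlen, ipid, frag, ttl, proto = struct.unpack("!xBHHHBB", ip[:10])
    assert proto == 6, "only TCP handled here"
    tcp = ip[ihl:dgmlen]                            # bounded by IP total length (drops any trailer)
    seq, ack, off_flags, win = struct.unpack("!IIHH", tcp[4:16])
    tcplen = (off_flags >> 12) * 4
    flags = "".join(c if off_flags & (1 << (7 - n)) else "*" for n, c in enumerate("12UAPRSF"))
    return {
        "ip": "TCP TTL:%d TOS:0x%X ID:%d IpLen:%d DgmLen:%d%s" % (
            ttl, tos, ipid, ihl, dgmlen, " DF" if frag & 0x4000 else ""),
        "tcp": "%s Seq: 0x%X  Ack: 0x%X  Win: 0x%X  TcpLen: %d" % (flags, seq, ack, win, tcplen),
        "options": decode_tcp_options(tcp[20:tcplen]),
        "payload": tcp[tcplen:],
    }
```

`decode_packet(dump_to_bytes(U2SPEWFOO_DUMP))` yields the same TTL, ID, DgmLen, DF, Seq, Ack, Win, TcpLen and timestamp values as the alert.full record quoted in the post, plus the 9-byte payload that triggered the rule.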

