Snort mailing list archives

Unified2 Format skip packet entry.


From: "Andrew V. Stepanov" <stanv () altlinux org>
Date: Thu, 22 Jan 2015 15:04:20 +0300

Hello.

Snort version: snort-2.9.7.0

The complete chain looks like:

snort -> unified2 log -> barnyard2 -> sguil output plugin -> sguil 
sensor snort_agent.tcl -> sguild -> MySQL -> squert

All works great.

But sometimes the sguil output plugin goes down with the following message:

Bad Event! List length != 46.
0 1 91372 stanvsensor 27370 27370 {2015-01-20 16:11:30} 1 30795 1 
{MALWARE-CNC Win.Trojan.Mudrop variant outbound connection} {2015-01-20 
16:11:30} 1 trojan-activity 522821732 31.41.160.100 1186628468 
70.186.131.116 6 {} {} {} {} {} {} {} {} {} {} {} {} {} {} {} {} {} {} 
{} {} {} {} {} {} {} {}
len = 45

Having dug into it, I found that the Unified2 log file for event 
27370 does not have a Packet entry.


27370 -- Event ID

~/u2spewfoo snort.u2.1421761511

look for 27370

(Event)
         sensor id: 0    event id: 27370 event second: 1421770290 
  event microsecond: 679944
         sig id: 30795   gen id: 1       revision: 1      classification: 21
         priority: 1     ip source: 31.41.160.100        ip destination: 
70.186.131.116
         src port: 49209 dest port: 80   protocol: 6     impact_flag: 0 
  blocked: 0
         mpls label: 0   vland id: 0     policy id: 0

(Event)
         sensor id: 0    event id: 27371 event second: 1421770395 
  event microsecond: 320932
         sig id: 28039   gen id: 1       revision: 4      classification: 21
         priority: 1     ip source: 92.211.58.242        ip destination: 
31.41.165.55
         src port: 62104 dest port: 53   protocol: 17    impact_flag: 0 
  blocked: 0
         mpls label: 0   vland id: 0     policy id: 0

Packet
         sensor id: 0    event id: 27371 event second: 1421770395
         packet second: 1421770395       packet microsecond: 320932
         linktype: 1     packet_length: 94
[    0] 00 15 17 BD 97 29 00 15 17 D3 76 63 08 00 45 00  .....)....vc..E.
[   16] 00 50 F1 3A 40 00 EE 11 3F 3C 5C D3 3A F2 1F 29  .P.:@...?<\.:..)
[   32] A5 37 F2 98 00 35 00 3C B2 58 F1 3A 01 00 00 01  .7...5.<.X.:....
[   48] 00 00 00 00 00 00 09 67 68 72 67 71 77 6F 66 78  .......ghrgqwofx
[   64] 03 77 77 77 07 67 61 6D 65 34 39 39 03 63 6F 6D  .www.game499.com
[   80] 05 70 6F 73 71 64 02 70 77 00 00 01 00 01        .posqd.pw.....

(Event)
....


Lack of packet entry 
http://manual.snort.org/node44.html#SECTION00632000000000000000


u2log: event-packet-event-packet-event--event-packet



So my question: who is at fault? Snort, for skipping the packet entry in 
the log, or the sguil sensor, for failing on the absent packet entry?
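One way to see where the agent's assumption breaks, as an added example that is not part of this post nor code from Snort, barnyard2 or sguil: a small Unified2 reader that matches Packet records to events by event id instead of assuming every Event record is followed by a Packet record. In Unified2 the Packet record carries the sensor id and event id of the Event it belongs to, which is what the example keys on. Record layouts follow Snort 2.9's unified2 structs (network byte order); the sample stream is constructed inline from the values quoted above (event 27370 with no Packet record, event 27371 followed by the 94-byte DNS frame).

```python
"""Pair Unified2 Event records with their (optional) Packet record.

Added example; not code from the post or from Snort, barnyard2 or sguil.
Record layouts follow Snort 2.9's unified2 structs (network byte order).
The sample stream is constructed from the values quoted in the post:
event 27370 with no Packet record, event 27371 followed by one.
"""
import ipaddress
import struct

# Unified2 record types (values from Snort 2.9's Unified2_common.h)
U2_PACKET = 2
U2_IDS_EVENT = 7          # legacy IPv4 event, 52-byte body
U2_IDS_EVENT_VLAN = 104   # IPv4 event with mpls/vlan/policy fields, 60-byte body

REC_HDR = struct.Struct(">II")              # record type, body length
EVENT_LEGACY = struct.Struct(">11I2H4B")    # 52 bytes
EVENT_VLAN = struct.Struct(">11I2H4BIHH")   # 60 bytes
PACKET_HDR = struct.Struct(">7I")           # 28 bytes, then packet_length bytes of data

EVENT_FIELDS = (
    "sensor_id", "event_id", "event_second", "event_microsecond",
    "sig_id", "gen_id", "revision", "classification", "priority",
    "ip_src", "ip_dst", "sport", "dport", "protocol",
    "impact_flag", "impact", "blocked", "mpls_label", "vlan_id", "policy_id",
)


def iter_records(data):
    """Yield (record_type, body) for every record in a unified2 byte stream."""
    off = 0
    while off < len(data):
        if off + REC_HDR.size > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        rtype, rlen = REC_HDR.unpack_from(data, off)
        off += REC_HDR.size
        if off + rlen > len(data):
            raise ValueError("truncated record body at offset %d" % off)
        yield rtype, data[off:off + rlen]
        off += rlen


def parse_event(rtype, body):
    """Decode an IDS event body into a dict; legacy events get zeroed vlan fields."""
    layout = EVENT_VLAN if rtype == U2_IDS_EVENT_VLAN else EVENT_LEGACY
    ev = dict(zip(EVENT_FIELDS, layout.unpack(body)))
    for name in ("mpls_label", "vlan_id", "policy_id"):
        ev.setdefault(name, 0)
    ev["ip_src"] = str(ipaddress.IPv4Address(ev["ip_src"]))
    ev["ip_dst"] = str(ipaddress.IPv4Address(ev["ip_dst"]))
    ev["packet"] = None   # filled in only if a Packet record for this event follows
    return ev


def correlate(data):
    """Return {event_id: event}. Packets are matched to events by id, not by
    position, so an Event with no following Packet simply keeps packet=None."""
    events = {}
    for rtype, body in iter_records(data):
        if rtype in (U2_IDS_EVENT, U2_IDS_EVENT_VLAN):
            ev = parse_event(rtype, body)
            events[ev["event_id"]] = ev
        elif rtype == U2_PACKET:
            (sensor_id, event_id, event_second, pkt_sec, pkt_usec,
             linktype, pkt_len) = PACKET_HDR.unpack_from(body)
            if event_id not in events:
                raise ValueError("Packet record for unknown event %d" % event_id)
            events[event_id]["packet"] = {
                "linktype": linktype, "packet_second": pkt_sec,
                "packet_microsecond": pkt_usec,
                "data": body[PACKET_HDR.size:PACKET_HDR.size + pkt_len],
            }
        # Other record types (extra data, IPv6 events) are ignored in this example.
    return events


def events_missing_packet(events):
    """Event ids for which no Packet record was present in the stream."""
    return sorted(eid for eid, ev in events.items() if ev["packet"] is None)


def build_sample():
    """Constructed unified2 stream reproducing the post's sequence: Event, Event, Packet."""
    def event_record(event_id, sec, usec, sig, rev, src, dst, sport, dport, proto):
        body = EVENT_VLAN.pack(
            0, event_id, sec, usec, sig, 1, rev, 21, 1,
            int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst)),
            sport, dport, proto, 0, 0, 0, 0, 0, 0)
        return REC_HDR.pack(U2_IDS_EVENT_VLAN, len(body)) + body

    # The 94-byte DNS query frame from the post's u2spewfoo dump.
    frame = bytes.fromhex(
        "00 15 17 BD 97 29 00 15 17 D3 76 63 08 00 45 00 "
        "00 50 F1 3A 40 00 EE 11 3F 3C 5C D3 3A F2 1F 29 "
        "A5 37 F2 98 00 35 00 3C B2 58 F1 3A 01 00 00 01 "
        "00 00 00 00 00 00 09 67 68 72 67 71 77 6F 66 78 "
        "03 77 77 77 07 67 61 6D 65 34 39 39 03 63 6F 6D "
        "05 70 6F 73 71 64 02 70 77 00 00 01 00 01")
    pkt_body = PACKET_HDR.pack(0, 27371, 1421770395, 1421770395, 320932, 1, len(frame)) + frame
    return (event_record(27370, 1421770290, 679944, 30795, 1,
                         "31.41.160.100", "70.186.131.116", 49209, 80, 6)
            + event_record(27371, 1421770395, 320932, 28039, 4,
                           "92.211.58.242", "31.41.165.55", 62104, 53, 17)
            + REC_HDR.pack(U2_PACKET, len(pkt_body)) + pkt_body)


if __name__ == "__main__":
    evs = correlate(build_sample())
    for eid, ev in sorted(evs.items()):
        pkt = "%d-byte packet" % len(ev["packet"]["data"]) if ev["packet"] else "NO packet"
        print("event %d sid %d %s:%d -> %s:%d  %s" % (
            eid, ev["sig_id"], ev["ip_src"], ev["sport"], ev["ip_dst"], ev["dport"], pkt))
    print("events without a Packet record:", events_missing_packet(evs))
```

Run against the constructed stream it reports event 27370 with no Packet record and event 27371 with its 94-byte frame, without raising. A consumer that instead walks the file as strict Event/Packet pairs will mis-attribute or choke on exactly the "event--event-packet" sequence shown above. A real snort.u2 file also contains extra-data (type 110) and IPv6 event records, which this example skips; feed it `open(path, "rb").read()` in place of `build_sample()` to check a live log.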


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users