Snort mailing list archives
Unified2 Format skip packet entry.
From: "Andrew V. Stepanov" <stanv () altlinux org>
Date: Thu, 22 Jan 2015 15:04:20 +0300
Hello.

Snort version: snort-2.9.7.0

Complete chain looks like:

    snort -> unified2 log -> barnyard2 -> sguil output plugin -> sguil sensor snort_agent.tcl -> sguild -> MySQL -> squert

All works great. But sometimes sguil output plugin goes down with next message:

    Bad Event! List length != 46.
    0 1 91372 stanvsensor 27370 27370 {2015-01-20 16:11:30} 1 30795 1 {MALWARE-CNC Win.Trojan.Mudrop variant outbound connection} {2015-01-20 16:11:30} 1 trojan-activity 522821732 31.41.160.100 1186628468 70.186.131.116 6 {} {} {} {} {} {} {} {} {} {} {} {} {} {} {} {} {} {} {} {} {} {} {} {} {} {}
    len = 45

Having dug into the depth, I found that Unified2 file log for event 27370 does not have Packet entry. 27370 -- Event ID.

    ~/u2spewfoo snort.u2.1421761511

look for 27370:

    (Event)
        sensor id: 0    event id: 27370    event second: 1421770290    event microsecond: 679944
        sig id: 30795    gen id: 1    revision: 1    classification: 21    priority: 1
        ip source: 31.41.160.100    ip destination: 70.186.131.116
        src port: 49209    dest port: 80    protocol: 6    impact_flag: 0    blocked: 0
        mpls label: 0    vland id: 0    policy id: 0

    (Event)
        sensor id: 0    event id: 27371    event second: 1421770395    event microsecond: 320932
        sig id: 28039    gen id: 1    revision: 4    classification: 21    priority: 1
        ip source: 92.211.58.242    ip destination: 31.41.165.55
        src port: 62104    dest port: 53    protocol: 17    impact_flag: 0    blocked: 0
        mpls label: 0    vland id: 0    policy id: 0

    Packet
        sensor id: 0    event id: 27371    event second: 1421770395
        packet second: 1421770395    packet microsecond: 320932
        linktype: 1    packet_length: 94
    [    0]  00 15 17 BD 97 29 00 15 17 D3 76 63 08 00 45 00  .....)....vc..E.
    [   16]  00 50 F1 3A 40 00 EE 11 3F 3C 5C D3 3A F2 1F 29  .P.:@...?<\.:..)
    [   32]  A5 37 F2 98 00 35 00 3C B2 58 F1 3A 01 00 00 01  .7...5.<.X.:....
    [   48]  00 00 00 00 00 00 09 67 68 72 67 71 77 6F 66 78  .......ghrgqwofx
    [   64]  03 77 77 77 07 67 61 6D 65 34 39 39 03 63 6F 6D  .www.game499.com
    [   80]  05 70 6F 73 71 64 02 70 77 00 00 01 00 01        .posqd.pw.....

    (Event)
    ....

Lack of packet entry: http://manual.snort.org/node44.html#SECTION00632000000000000000

    u2log : event-packet-event-packet-event--event-packet

So my question.... who is guilty? SNORT skipping packet entry at log, or SGUIL SENSOR faulting for absent packet entry?
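The event/packet pairing the post asks about, as an added example that is not code from the post, from Snort or from barnyard2: a minimal unified2 reader in Python that walks the records in file order, attaches each Packet record to its Event by (sensor id, event id, event second), and lists the events that reached end of stream with no Packet record at all. The record layouts are the IDS_EVENT (type 7), IDS_EVENT_VLAN (type 104) and PACKET (type 2) structures from Snort's Unified2_common.h; the sample stream is constructed here from the field values in the u2spewfoo dump above, with the 94-byte packet attached only to event 27371, so event 27370 reproduces the "event without packet" case.

```python
import ipaddress
import struct
from dataclasses import dataclass, field

# Record type codes from Snort's Unified2_common.h
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
UNIFIED2_IDS_EVENT_VLAN = 104

# Every record starts with a big-endian header: record type, then body length.
HDR = struct.Struct(">II")
# IDS event body: sensor_id, event_id, event_second, event_microsecond,
# signature_id, generator_id, signature_revision, classification_id,
# priority_id, ip_source, ip_destination, sport_itype, dport_icode,
# protocol, impact_flag, impact, blocked
EVENT = struct.Struct(">" + "I" * 11 + "HHBBBB")               # 52 bytes
# VLAN variant (what u2spewfoo shows as "mpls label"/"vland id") appends
# mpls_label, vlan_id, pad2
EVENT_VLAN = struct.Struct(">" + "I" * 11 + "HHBBBB" + "IHH")  # 60 bytes
# Packet body: sensor_id, event_id, event_second, packet_second,
# packet_microsecond, linktype, packet_length, then packet_length data bytes
PACKET = struct.Struct(">" + "I" * 7)                          # 28 bytes


@dataclass
class Event:
    event_id: int
    sig_id: int
    gen_id: int
    packets: list = field(default_factory=list)


def parse_unified2(data: bytes) -> list:
    """Walk a unified2 byte stream; return Event objects in file order,
    each carrying the payload of every Packet record that referenced it."""
    events, by_key, off = [], {}, 0
    while off + HDR.size <= len(data):
        rtype, rlen = HDR.unpack_from(data, off)
        body = data[off + HDR.size:off + HDR.size + rlen]
        if len(body) < rlen:
            break  # trailing partial record: Snort may still be writing it
        if rtype in (UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_VLAN):
            st = EVENT if rtype == UNIFIED2_IDS_EVENT else EVENT_VLAN
            f = st.unpack_from(body)
            ev = Event(event_id=f[1], sig_id=f[4], gen_id=f[5])
            events.append(ev)
            by_key[(f[0], f[1], f[2])] = ev  # sensor id, event id, event second
        elif rtype == UNIFIED2_PACKET:
            f = PACKET.unpack_from(body)
            ev = by_key.get((f[0], f[1], f[2]))
            if ev is not None:
                ev.packets.append(body[PACKET.size:PACKET.size + f[6]])
        # Other types (IPv6 events, extra data) are skipped using their length.
        off += HDR.size + rlen
    return events


def events_without_packets(data: bytes) -> list:
    """Event ids that have no Packet record anywhere in the stream."""
    return [ev.event_id for ev in parse_unified2(data) if not ev.packets]


# --- constructed sample stream; field values copied from the post's dump ---
def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _vlan_event(sensor, eid, sec, usec, sig, gen, rev, cls, pri,
                src, dst, sport, dport, proto):
    body = EVENT_VLAN.pack(sensor, eid, sec, usec, sig, gen, rev, cls, pri,
                           src, dst, sport, dport, proto, 0, 0, 0, 0, 0, 0)
    return HDR.pack(UNIFIED2_IDS_EVENT_VLAN, len(body)) + body

def _packet(sensor, eid, sec, usec, payload):
    body = PACKET.pack(sensor, eid, sec, sec, usec, 1, len(payload)) + payload
    return HDR.pack(UNIFIED2_PACKET, len(body)) + body

# The 94-byte DNS query frame shown for event 27371 in the post.
DNS_QUERY = bytes.fromhex(
    "00 15 17 bd 97 29 00 15 17 d3 76 63 08 00 45 00 "
    "00 50 f1 3a 40 00 ee 11 3f 3c 5c d3 3a f2 1f 29 "
    "a5 37 f2 98 00 35 00 3c b2 58 f1 3a 01 00 00 01 "
    "00 00 00 00 00 00 09 67 68 72 67 71 77 6f 66 78 "
    "03 77 77 77 07 67 61 6d 65 34 39 39 03 63 6f 6d "
    "05 70 6f 73 71 64 02 70 77 00 00 01 00 01"
)

SAMPLE = (
    _vlan_event(0, 27370, 1421770290, 679944, 30795, 1, 1, 21, 1,
                _ip("31.41.160.100"), _ip("70.186.131.116"), 49209, 80, 6)
    + _vlan_event(0, 27371, 1421770395, 320932, 28039, 1, 4, 21, 1,
                  _ip("92.211.58.242"), _ip("31.41.165.55"), 62104, 53, 17)
    + _packet(0, 27371, 1421770395, 320932, DNS_QUERY)  # nothing for 27370
)

if __name__ == "__main__":
    print("events without packet record:", events_without_packets(SAMPLE))
```

Two points the reader can check with this: the Packet record is joined to its Event only through the (sensor id, event id, event second) triple, not by adjacency, so a consumer that assumes "event, then packet" strictly alternate will break on exactly the sequence the post shows; and an event with no packet at the tail of the file can simply mean the packet record has not been flushed yet, which is why the reader stops on a short trailing record instead of failing. A downstream consumer such as the sguil output plugin therefore has to treat the packet columns as optional rather than as a fixed part of a 46-field row.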