Snort mailing list archives

Re: u2 format differences from 2.9.8.0 to 2.9.8.2


From: Avery Rozar <avery.rozar () insecure-it com>
Date: Sat, 25 Jun 2016 12:22:48 -0400

I did not know that, and no it does not... Thanks for the reply, I guess
it's back to the drawing board...

On Sat, Jun 25, 2016 at 12:18 PM, Y M <snort () outlook com> wrote:

Looking at the 2.9.8.2 changelog, I don't see any changes to u2 output
format. There is one addition to Snort though that handles double VLAN
tagging. I am not sure how this would be translated in u2.

You probably know this, but in hexdump the "*" means the same line as
above. If you run hexdump with -v, does the "*" still show?

YM

Sent from Mobile

_____________________________
From: Avery Rozar <avery.rozar () insecure-it com>
Sent: Saturday, June 25, 2016 6:32 PM
Subject: [Snort-users] u2 format differences from 2.9.8.0 to 2.9.8.2
To: <snort-users () lists sourceforge net>



I've run into some issues with Barnyard2 adding data into my database,
even with appid disabled. Using hexdump to look at the snort.log file, it
seems a bit different in 2.9.8.2 vs 2.9.8.0. I'm curious if there was a
change that is causing Barnyard2 to not fully read the u2 file like it used
to.

I noticed an asterisk (*) between events now. Maybe it's just how hexdump
is reading the two different u2 files, I'm not sure...

I wrote a python script to parse u2 files back around Snort 2.9.7.6 and it
is now missing all of the "events (Serial Unified2 Header # 104)" when
parsing anything from 2.9.8.2. I can only assume that's also what Barnyard2
is missing. I'm only getting the "Serial Unified2 Header # 2" packets now.

Example:

*Snort 2.9.8.0 hexdump (it's a continuous hexdump)*

00000000  00 00 00 68 00 00 00 3c  00 00 00 00 00 00 00 01  |...h...<........|
00000010  56 df 51 72 00 08 8d 7e  00 00 3f ad 00 00 00 01  |V.Qr...~..?.....|
00000020  00 00 00 0e 00 00 00 09  00 00 00 01 42 3d aa 62  |............B=.b|
00000030  c0 a8 ac 20 00 50 11 91  06 20 00 01 00 00 00 00  |... .P... ......|
00000040  00 00 00 00 00 00 00 02  00 00 05 b6 00 00 00 00  |................|
00000050  00 00 00 01 56 df 51 72  56 df 51 72 00 08 8d 7e  |....V.QrV.Qr...~|
00000060  00 00 00 01 00 00 05 9a  f8 b1 56 3e d7 05 70 e4  |..........V>..p.|
00000070  22 85 6c f7 08 00 45 00  05 8c ac ac 40 00 39 06  |".l...E.....@.9.|
00000080  36 57 42 3d aa 62 c0 a8  ac 20 00 50 11 91 d4 0c  |6WB=.b... .P....|
00000090  1f 99 c7 f8 1c 4a 50 10  74 70 40 94 00 00 48 54  |.....JP.tp@...HT|
000000a0  54 50 2f 31 2e 31 20 32  30 30 20 4f 4b 0d 0a 53  |TP/1.1 200 OK..S|
000000b0  65 72 76 65 72 3a 20 6e  67 69 6e 78 2f 31 2e 36  |erver: nginx/1.6|
000000c0  2e 32 0d 0a 43 6f 6e 74  65 6e 74 2d 54 79 70 65  |.2..Content-Type|
000000d0  3a 20 61 70 70 6c 69 63  61 74 69 6f 6e 2f 78 2d  |: application/x-|
000000e0  6a 61 76 61 73 63 72 69  70 74 0d 0a 45 78 70 69  |javascript..Expi|
000000f0  72 65 73 3a 20 57 65 64  2c 20 30 39 20 4d 61 72  |res: Wed, 09 Mar|
00000100  20 32 30 31 36 20 32 33  3a 35 34 3a 34 39 20 47  | 2016 23:54:49 G|
00000110  4d 54 0d 0a 43 61 63 68  65 2d 43 6f 6e 74 72 6f  |MT..Cache-Contro|
00000120  6c 3a 20 6d 61 78 2d 61  67 65 3d 38 36 34 30 30  |l: max-age=86400|
00000130  0d 0a 43 6f 6e 74 65 6e  74 2d 45 6e 63 6f 64 69  |..Content-Encodi|
00000140  6e 67 3a 20 67 7a 69 70  0d 0a 43 6f 6e 74 65 6e  |ng: gzip..Conten|
00000150  74 2d 4c 65 6e 67 74 68  3a 20 33 34 31 30 33 0d  |t-Length: 34103.|
00000160  0a 44 61 74 65 3a 20 57  65 64 2c 20 30 39 20 4d  |.Date: Wed, 09 M|
00000170  61 72 20 32 30 31 36 20  30 30 3a 32 37 3a 33 34  |ar 2016 00:27:34|
00000180  20 47 4d 54 0d 0a 43 6f  6e 6e 65 63 74 69 6f 6e  | GMT..Connection|
00000190  3a 20 6b 65 65 70 2d 61  6c 69 76 65 0d 0a 56 61  |: keep-alive..Va|
000001a0  72 79 3a 20 41 63 63 65  70 74 2d 45 6e 63 6f 64  |ry: Accept-Encod|
000001b0  69 6e 67 0d 0a 0d 0a 1f  8b 08 00 00 00 00 00 00  |ing.............|


*Snort 2.9.8.2 (It has the "*" in the file)*

00000000  00 00 00 6f 00 00 00 7c  00 00 00 00 00 00 00 01  |...o...|........|
00000010  57 6e 99 a4 00 0d 69 33  00 0f 42 42 00 00 00 01  |Wn....i3..BB....|
00000020  00 00 00 01 00 00 00 1c  00 00 00 01 ac 1f fe 98  |................|
00000030  ac 1f fb 0a ee 0a 00 50  06 20 00 01 00 00 00 00  |.......P. ......|
00000040  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000080  00 00 00 00 00 00 00 02  00 00 02 f5 00 00 00 00  |................|
00000090  00 00 00 01 57 6e 99 a4  57 6e 99 a4 00 0d 69 33  |....Wn..Wn....i3|
000000a0  00 00 00 01 00 00 02 d9  00 50 56 bc 8f 72 d0 d0  |.........PV..r..|
000000b0  fd 27 4e 47 08 00 45 00  02 cb 72 15 40 00 3f 06  |.'NG..E...r.@.?.|
000000c0  75 35 ac 1f fe 98 ac 1f  fb 0a ee 0a 00 50 18 1c  |u5...........P..|
000000d0  c0 ec 3e 91 d2 23 80 18  10 15 28 3c 00 00 01 01  |..>..#....(<....|
000000e0  08 0a 39 f5 dd 29 71 48  16 ad 47 45 54 20 2f 77  |..9..)qH..GET /w|
000000f0  70 2d 61 64 6d 69 6e 2f  20 48 54 54 50 2f 31 2e  |p-admin/ HTTP/1.|
00000100  31 0d 0a 48 6f 73 74 3a  20 77 77 77 2e 69 6e 73  |1..Host: www.ins|
00000110  65 63 75 72 65 2d 69 74  2e 63 6f 6d 0d 0a 43 6f  |ecure-it.com..Co|
00000120  6e 6e 65 63 74 69 6f 6e  3a 20 6b 65 65 70 2d 61  |nnection: keep-a|
00000130  6c 69 76 65 0d 0a 55 70  67 72 61 64 65 2d 49 6e  |live..Upgrade-In|
00000140  73 65 63 75 72 65 2d 52  65 71 75 65 73 74 73 3a  |secure-Requests:|
00000150  20 31 0d 0a 55 73 65 72  2d 41 67 65 6e 74 3a 20  | 1..User-Agent: |
00000160  4d 6f 7a 69 6c 6c 61 2f  35 2e 30 20 28 4d 61 63  |Mozilla/5.0 (Mac|
00000170  69 6e 74 6f 73 68 3b 20  49 6e 74 65 6c 20 4d 61  |intosh; Intel Ma|
00000180  63 20 4f 53 20 58 20 31  30 5f 31 31 5f 35 29 20  |c OS X 10_11_5) |
00000190  41 70 70 6c 65 57 65 62  4b 69 74 2f 35 33 37 2e  |AppleWebKit/537.|
000001a0  33 36 20 28 4b 48 54 4d  4c 2c 20 6c 69 6b 65 20  |36 (KHTML, like |
000001b0  47 65 63 6b 6f 29 20 43  68 72 6f 6d 65 2f 35 31  |Gecko) Chrome/51|
000001c0  2e 30 2e 32 37 30 34 2e  31 30 33 20 53 61 66 61  |.0.2704.103 Safa|
000001d0  72 69 2f 35 33 37 2e 33  36 0d 0a 41 63 63 65 70  |ri/537.36..Accep|
000001e0  74 3a 20 74 65 78 74 2f  68 74 6d 6c 2c 61 70 70  |t: text/html,app|
000001f0  6c 69 63 61 74 69 6f 6e  2f 78 68 74 6d 6c 2b 78  |lication/xhtml+x|
00000200  6d 6c 2c 61 70 70 6c 69  63 61 74 69 6f 6e 2f 78  |ml,application/x|
00000210  6d 6c 3b 71 3d 30 2e 39  2c 69 6d 61 67 65 2f 77  |ml;q=0.9,image/w|
00000220  65 62 70 2c 2a 2f 2a 3b  71 3d 30 2e 38 0d 0a 41  |ebp,*/*;q=0.8..A|
00000230  63 63 65 70 74 2d 45 6e  63 6f 64 69 6e 67 3a 20  |ccept-Encoding: |
00000240  67 7a 69 70 2c 20 64 65  66 6c 61 74 65 2c 20 73  |gzip, deflate, s|
00000250  64 63 68 0d 0a 41 63 63  65 70 74 2d 4c 61 6e 67  |dch..Accept-Lang|
00000260  75 61 67 65 3a 20 65 6e  2d 55 53 2c 65 6e 3b 71  |uage: en-US,en;q|
00000270  3d 30 2e 38 0d 0a 43 6f  6f 6b 69 65 3a 20 50 48  |=0.8..Cookie: PH|
00000280  50 53 45 53 53 49 44 3d  39 71 6e 67 62 76 74 6d  |PSESSID=9qngbvtm|
00000290  32 71 6f 33 61 30 64 66  63 64 72 72 70 63 32 76  |2qo3a0dfcdrrpc2v|
000002a0  72 34 3b 20 77 6f 72 64  70 72 65 73 73 5f 74 65  |r4; wordpress_te|
000002b0  73 74 5f 63 6f 6f 6b 69  65 3d 57 50 2b 43 6f 6f  |st_cookie=WP+Coo|
000002c0  6b 69 65 2b 63 68 65 63  6b 3b 20 4e 43 53 5f 49  |kie+check; NCS_I|
000002d0  4e 45 4e 54 49 4d 3d 31  34 36 36 38 36 32 39 31  |NENTIM=146686291|
000002e0  31 3b 20 4a 43 53 5f 49  4e 45 4e 54 49 4d 3d 31  |1; JCS_INENTIM=1|
000002f0  34 36 36 38 36 32 37 30  34 37 30 36 3b 20 33 38  |466862704706; 38|
00000300  39 61 65 32 31 30 30 34  30 61 62 37 35 30 63 31  |9ae210040ab750c1|
00000310  35 62 33 65 62 32 33 61  62 36 65 34 37 38 3d 39  |5b3eb23ab6e478=9|
00000320  30 30 37 61 65 61 35 36  66 61 61 34 34 61 66 32  |007aea56faa44af2|
00000330  62 38 61 61 33 37 33 64  66 65 33 31 62 37 66 3b  |b8aa373dfe31b7f;|
00000340  20 53 4a 45 43 54 31 35  3d 43 4b 4f 4e 31 35 3b  | SJECT15=CKON15;|
00000350  20 5f 67 61 3d 47 41 31  2e 32 2e 36 31 34 34 31  | _ga=GA1.2.61441|
00000360  34 36 32 32 2e 31 34 36  30 30 37 33 33 33 34 3b  |4622.1460073334;|
00000370  20 4a 43 53 5f 49 4e 45  4e 52 45 46 3d 0d 0a 0d  | JCS_INENREF=...|
00000380  0a 00 00 00 6f 00 00 00  7c 00 00 00 00 00 00 00  |....o...|.......|
00000390  02 57 6e 99 a4 00 0d 6f  42 00 0f 42 42 00 00 00  |.Wn....oB..BB...|
000003a0  01 00 00 00 01 00 00 00  1c 00 00 00 01 ac 1f fe  |................|
000003b0  98 ac 1f fb 0a ee 0b 00  50 06 20 00 01 00 00 00  |........P. .....|
000003c0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*

Thanks,

Avery



------------------------------------------------------------------------------
Attend Shape: An AT&T Tech Expo July 15-16. Meet us at AT&T Park in San
Francisco, CA to explore cutting-edge tech and listen to tech luminaries
present their vision of the future. This family event has something for
everyone, including kids. Get more information and register today.
http://sdm.link/attshape
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
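Editor's note, with an added example that is my own code and not code from the thread, from Snort or from Barnyard2. The two hexdumps above differ in their very first bytes: the 2.9.8.0 file opens with a Serial Unified2 Header of type 0x68 (104) and length 0x3c (60), the 2.9.8.2 file with type 0x6f (111) and length 0x7c (124). In Snort's Unified2_common.h as I read it (an assumption to check against your own tree), 111 is UNIFIED2_IDS_EVENT_APPID, which is the IDS_EVENT_VLAN record followed by a 64-byte app_name; 124 - 60 = 64, and when that field is all zeros hexdump folds the repeated zero lines into the "*" discussed above. A u2 reader that only accepts type 104 therefore reports no events from the 2.9.8.2 file, which is what the walker below demonstrates. The event records are the bytes copied from the two dumps (first 0x44 and first 0x84 bytes respectively); each is followed by a constructed type-2 packet record so that every sample is a complete file. Record type numbers, field layout and the `packet_record` helper are assumptions of this example.

```python
"""Walk a Snort unified2 (u2) file and decode its event records.

Added example; not code from the thread, from Snort or from Barnyard2.
Record type numbers and the event layout follow Snort's Unified2_common.h
as I read it (assumption): serial header = two big-endian u32 (type,
length); PACKET = 2; IDS_EVENT_VLAN = 104 (60-byte body);
IDS_EVENT_APPID = 111 (the 104 body plus a 64-byte app_name).
"""
import ipaddress
import struct

SERIAL_HDR = struct.Struct("!II")            # record type, record length
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT_VLAN = 104
UNIFIED2_IDS_EVENT_APPID = 111
APP_NAME_LEN = 64

# Unified2IDSEvent body (type 104): 60 bytes, all fields network byte order.
EVENT_VLAN = struct.Struct("!IIIIIIIII4s4sHHBBBBIHH")
EVENT_FIELDS = (
    "sensor_id", "event_id", "event_second", "event_microsecond",
    "signature_id", "generator_id", "signature_revision",
    "classification_id", "priority_id", "ip_source", "ip_destination",
    "sport_itype", "dport_icode", "protocol", "impact_flag", "impact",
    "blocked", "mpls_label", "vlan_id", "pad2",
)
# Serial_Unified2Packet header (type 2): 28 bytes before the packet bytes.
PACKET_HDR = struct.Struct("!IIIIIII")


def decode_event(rtype, body):
    """Decode a type-104 body, or a type-111 body as 104 + app_name."""
    ev = dict(zip(EVENT_FIELDS, EVENT_VLAN.unpack_from(body, 0)))
    ev["ip_source"] = str(ipaddress.IPv4Address(ev["ip_source"]))
    ev["ip_destination"] = str(ipaddress.IPv4Address(ev["ip_destination"]))
    if rtype == UNIFIED2_IDS_EVENT_APPID:
        raw = body[EVENT_VLAN.size:EVENT_VLAN.size + APP_NAME_LEN]
        # NUL-padded; all zeros in the thread's dump, which hexdump folds into "*".
        ev["app_name"] = raw.split(b"\0", 1)[0].decode("ascii", "replace")
    return ev


def parse_unified2(data):
    """Return one dict per record; stop cleanly at a truncated record."""
    records, off = [], 0
    while off + SERIAL_HDR.size <= len(data):
        rtype, rlen = SERIAL_HDR.unpack_from(data, off)
        start = off + SERIAL_HDR.size
        body = data[start:start + rlen]
        if len(body) < rlen:                  # file ends mid-record
            records.append({"type": rtype, "length": rlen, "truncated": True})
            break
        rec = {"type": rtype, "length": rlen}
        if rtype in (UNIFIED2_IDS_EVENT_VLAN, UNIFIED2_IDS_EVENT_APPID):
            rec.update(decode_event(rtype, body))
        elif rtype == UNIFIED2_PACKET:
            hdr = PACKET_HDR.unpack_from(body, 0)
            rec["packet_length"] = hdr[6]
            rec["packet"] = body[PACKET_HDR.size:PACKET_HDR.size + hdr[6]]
        records.append(rec)                   # unknown types are kept, not decoded
        off = start + rlen
    return records


def count_events(records, accepted=(UNIFIED2_IDS_EVENT_VLAN,)):
    """Events a reader would report if it only knows the given record types."""
    return sum(1 for r in records if r["type"] in accepted)


def packet_record(event_second, payload):
    """Constructed type-2 record (not from the thread) so a sample is complete."""
    hdr = PACKET_HDR.pack(0, 1, event_second, event_second, 0, 1, len(payload))
    return SERIAL_HDR.pack(UNIFIED2_PACKET, PACKET_HDR.size + len(payload)) + hdr + payload


# Event records copied from the two hexdumps in the thread (first 0x44 and
# first 0x84 bytes respectively), each followed by a constructed packet record.
SNORT_2980 = bytes.fromhex(
    "00000068 0000003c 00000000 00000001 56df5172 00088d7e 00003fad 00000001"
    "0000000e 00000009 00000001 423daa62 c0a8ac20 00501191 06200001 00000000"
    "00000000"
) + packet_record(0x56DF5172, b"HTTP/1.1 200 OK\r\n")

SNORT_2982 = bytes.fromhex(
    "0000006f 0000007c 00000000 00000001 576e99a4 000d6933 000f4242 00000001"
    "00000001 0000001c 00000001 ac1ffe98 ac1ffb0a ee0a0050 06200001 00000000"
) + bytes(68) + packet_record(0x576E99A4, b"GET /wp-admin/ HTTP/1.1\r\n")


if __name__ == "__main__":
    both = (UNIFIED2_IDS_EVENT_VLAN, UNIFIED2_IDS_EVENT_APPID)
    for name, blob in (("2.9.8.0", SNORT_2980), ("2.9.8.2", SNORT_2982)):
        recs = parse_unified2(blob)
        print(name, [(r["type"], r["length"]) for r in recs],
              "events seen by a 104-only reader:", count_events(recs),
              "with 111 accepted:", count_events(recs, both))
```

Run against the two samples, the walker reports (104, 60) then (2, 45) for the 2.9.8.0 bytes and (111, 124) then (2, 53) for the 2.9.8.2 bytes; `count_events` with the default 104-only filter returns 1 for the first file and 0 for the second, which is the symptom described above. The practical check for any u2 consumer is to log every record type it does not recognise rather than silently skipping it, so a new type shows up in the consumer's own log before it shows up as missing rows in the database.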
