Snort mailing list archives
converting unified2 to pcap: 'ethertype Unknown'
From: Marcin Dulak <marcin.dulak () gmail com>
Date: Thu, 15 Dec 2016 15:51:29 +0100
Hi,

I'm looking at converting unified2 logs into pcap, but this seems to result in 'ethertype Unknown'. What am I missing?

http://manual.snort.org/ says:

    Packet logging includes a capture of the entire packet and is specified with log_unified2. Likewise, alert logging will only log events and is specified with alert_unified2. To include both logging styles in a single, unified file, simply specify unified2.

snort # rpm -q snort
snort-2.9.8.3-1.el7.centos.x86_64

snort # snort --version 2>&1 | grep Version
o"  )~   Version 2.9.8.3 GRE (Build 383)

snort # grep "^ output " /home/snort/conf/snort.conf
output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
output log_tcpdump: tcpdump.log

snort # grep "^config daq" /home/snort/conf/snort.conf
config daq: nfq
config daq_dir: /usr/lib64/daq
config daq_mode: inline

I run snort inline with nfq on the host to which I send http traffic:

snort # /usr/sbin/snort -d -D -u root -g root -c /home/snort/conf/snort.conf -l /home/snort/logs

I have just one rule

alert tcp any any -> $HOME_NET any (msg:"alert tcp any any"; sid:10000002; rev:001;)

and send http to the sensor from another machine 10.255.2.100:

machine # curl 10.255.2.160

and then convert the resulting unified2 log into pcap. There is no VLAN traffic and 10.255.2.160 is on a subinterface of enp0s9 of the machine running snort.

snort # ethtool -k enp0s9 | grep ': on'
rx-vlan-filter: on [fixed]

snort # u2spewfoo /home/snort/logs/merged.log

(Event)
    sensor id: 0    event id: 1    event second: 1481812613    event microsecond: 105823
    sig id: 10000002    gen id: 1    revision: 1    classification: 0
    priority: 0    ip source: 10.255.2.100    ip destination: 10.255.2.160
    src port: 38600    dest port: 80    protocol: 6    impact_flag: 0    blocked: 0
    mpls label: 0    vland id: 0    policy id: 0

Packet
    sensor id: 0    event id: 1    event second: 1481812613
    packet second: 1481812613    packet microsecond: 105823
    linktype: 228    packet_length: 60
[    0] 45 00 00 3C D8 DC 40 00 40 06 46 DE 0A FF 02 64  E..<..@.@.F....d
[   16] 0A FF 02 A0 96 C8 00 50 A4 41 88 47 00 00 00 00  .......P.A.G....
[   32] A0 02 72 10 96 64 00 00 02 04 05 B4 04 02 08 0A  ..r..d..........
[   48] 10 4D 50 9B 00 00 00 00 01 03 03 07              .MP.........

snort # tcpdump -nnX -r /home/snort/logs/tcpdump.log.1481810549
reading from file /home/snort/logs/tcpdump.log.1481810549, link-type RAW (Raw IP)
15:02:35.912256 IP 10.255.2.100.38594 > 10.255.2.160.80: Flags [S], seq 1388536122, win 29200, options [mss 1460,sackOK,TS val 271445254 ecr 0,nop,wscale 7], length 0
    0x0000:  4500 003c 8c3c 4000 4006 937e 0aff 0264  E..<.<@.@..~...d
    0x0010:  0aff 02a0 96c2 0050 52c3 613a 0000 0000  .......PR.a:....
    0x0020:  a002 7210 72aa 0000 0204 05b4 0402 080a  ..r.r...........
    0x0030:  102d ed06 0000 0000 0103 0307            .-..........

snort # u2boat /home/snort/logs/merged.log /home/snort/logs/merged.log.pcap

snort # tcpdump -nnX -r /home/snort/logs/merged.log.pcap
reading from file /home/snort/logs/merged.log.pcap, link-type EN10MB (Ethernet)
15:02:35.912256 40:00:40:06:93:7e > 45:00:00:3c:8c:3c, ethertype Unknown (0x0aff), length 60:
    0x0000:  0264 0aff 02a0 96c2 0050 52c3 613a 0000  .d.......PR.a:..
    0x0010:  0000 a002 7210 72aa 0000 0204 05b4 0402  ....r.r.........
    0x0020:  080a 102d ed06 0000 0000 0103 0307       ...-..........

Best regards,

Marcin
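Editor's added example (not part of the original message, and not Snort's u2boat code). The output above already contains the diagnosis: the unified2 packet record declares linktype 228, which is libpcap's DLT_IPV4 (raw IPv4 with no link-layer header, consistent with packets taken from the nfq DAQ), while the pcap that u2boat wrote is tagged EN10MB (Ethernet). tcpdump therefore reads the first 14 bytes of the IP header as an Ethernet header: bytes 0-5 and 6-11 become the "MAC addresses" 45:00:00:3c:... and 40:00:40:06:..., and bytes 12-13 are the first two octets of the source address 10.255.x.x, i.e. 0x0aff, which is exactly the reported "ethertype Unknown (0x0aff)". The script below converts a unified2 file to pcap while carrying the record's own linktype into the pcap global header, refuses files that mix link types (classic pcap can hold only one), and shows both misreadings side by side. The sample unified2 bytes are constructed here from the 60-byte SYN in the u2spewfoo dump; record layouts follow Snort's Unified2_common.h (serial record header: type, length; packet record: sensor_id, event_id, event_second, packet_second, packet_microsecond, linktype, packet_length, all big-endian).

```python
"""Convert unified2 to pcap without assuming Ethernet: keep the linktype the record declares."""
import io
import struct

# Unified2 serial record types (Snort Unified2_common.h)
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7

# libpcap link-layer header types
LINKTYPE_ETHERNET = 1
LINKTYPE_IPV4 = 228      # raw IPv4, no link-layer header; what the post's packet record carries

_REC_HDR = struct.Struct("!II")   # record type, record length
_PKT_HDR = struct.Struct("!7I")   # sensor_id, event_id, event_second, packet_second,
                                  # packet_microsecond, linktype, packet_length


def iter_unified2_records(data):
    """Yield (type, payload) for each serial unified2 record in data."""
    off = 0
    while off + _REC_HDR.size <= len(data):
        rtype, rlen = _REC_HDR.unpack_from(data, off)
        off += _REC_HDR.size
        if off + rlen > len(data):
            raise ValueError("truncated unified2 record")
        yield rtype, data[off:off + rlen]
        off += rlen


def iter_packets(data):
    """Yield (ts_sec, ts_usec, linktype, packet_bytes) for every packet record; events are skipped."""
    for rtype, payload in iter_unified2_records(data):
        if rtype != UNIFIED2_PACKET:
            continue
        _sensor, _event, _evsec, sec, usec, linktype, plen = _PKT_HDR.unpack_from(payload)
        pkt = payload[_PKT_HDR.size:_PKT_HDR.size + plen]
        if len(pkt) != plen:
            raise ValueError("packet record shorter than packet_length")
        yield sec, usec, linktype, pkt


def unified2_to_pcap(data):
    """Return classic pcap bytes whose global link type comes from the packet records."""
    packets = list(iter_packets(data))
    if not packets:
        raise ValueError("no packet records in unified2 input")
    linktypes = {p[2] for p in packets}
    if len(linktypes) != 1:
        raise ValueError("mixed link types %r: split the file or use pcapng" % sorted(linktypes))
    linktype = linktypes.pop()
    out = io.BytesIO()
    # global header: magic, version 2.4, thiszone, sigfigs, snaplen, network (= linktype)
    out.write(struct.pack("!IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype))
    for sec, usec, _lt, pkt in packets:
        out.write(struct.pack("!IIII", sec, usec, len(pkt), len(pkt)))  # incl_len, orig_len
        out.write(pkt)
    return out.getvalue()


def pcap_linktype(pcap):
    """Read the link type back from a pcap global header (big- or little-endian magic)."""
    endian = "!" if pcap[:4] == b"\xa1\xb2\xc3\xd4" else "<"
    return struct.unpack(endian + "IHHiIII", pcap[:24])[6]


def as_ethernet(pkt):
    """What a reader sees when the pcap claims Ethernet but the bytes are an IPv4 header."""
    mac = lambda b: ":".join("%02x" % x for x in b)
    return mac(pkt[:6]), mac(pkt[6:12]), struct.unpack("!H", pkt[12:14])[0]


def as_ipv4(pkt):
    """The same bytes read as IPv4: (version, protocol, src, dst)."""
    dotted = lambda b: ".".join(str(x) for x in b)
    return pkt[0] >> 4, pkt[9], dotted(pkt[12:16]), dotted(pkt[16:20])


# Constructed sample input: the 60-byte SYN from the u2spewfoo dump, wrapped in an
# IDS event record (type 7, 52-byte legacy layout, values from the dump) and a packet record.
SYN = bytes.fromhex(
    "4500003cd8dc4000400646de0aff0264"
    "0aff02a096c80050a441884700000000"
    "a002721096640000020405b40402080a"
    "104d509b0000000001030307"
)
_EVENT = struct.pack("!9I4s4sHHBBBB", 0, 1, 1481812613, 105823, 10000002, 1, 1, 0, 0,
                     bytes([10, 255, 2, 100]), bytes([10, 255, 2, 160]), 38600, 80, 6, 0, 0, 0)
_PACKET = _PKT_HDR.pack(0, 1, 1481812613, 1481812613, 105823, LINKTYPE_IPV4, len(SYN)) + SYN
SAMPLE_UNIFIED2 = (_REC_HDR.pack(UNIFIED2_IDS_EVENT, len(_EVENT)) + _EVENT
                   + _REC_HDR.pack(UNIFIED2_PACKET, len(_PACKET)) + _PACKET)

if __name__ == "__main__":
    pcap = unified2_to_pcap(SAMPLE_UNIFIED2)
    with open("merged.sample.pcap", "wb") as fh:   # hypothetical output name
        fh.write(pcap)
    print("pcap link type:", pcap_linktype(pcap))
    print("read as Ethernet:", as_ethernet(SYN))
    print("read as IPv4:", as_ipv4(SYN))
```

Running it writes a pcap whose global header says 228, so tcpdump decodes the packet as IP. If an older tcpdump or Wireshark on your side does not understand LINKTYPE_IPV4, the same header could be emitted with LINKTYPE_RAW (101) instead, since the packet bytes are identical; that substitution is an assumption about your reader's support, not something the post establishes.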