snort-users April 2011 archive

Re: [Snort-users] snort is logging alerts but not capturing corresponding packets for some rules

From: Agustin Roca <agustin.roca_at_nospam>
Date: Tue Apr 26 2011 - 17:48:19 GMT
To: Joel Esler <jesler@sourcefire.com>

Nice explanation, Joel. Which snort flag/option can I use to see the *Stream
reassembled packet* info?

2011/4/26 Joel Esler <jesler@sourcefire.com>

> Actually, Jason is right. The alert is generated on the pseudo packet,
> this is correct functionality, so I've closed the bug.
>
> So, James, using the pcap you gave me, I'll get rid of the IPs in the cut
> and paste here, but I'll make BOLD the line that indicates that the alert is
> actually on the pseudo packet, and not the individual packet.
>
> snort -c snort.conf -r missed.pcap -A cmg -q
>
> 04/26-10:37:43.307954 [**] [1:12280:3] WEB-CLIENT Microsoft Internet
> Explorer VML source file memory corruption attempt [**] [Classification:
> Attempted User Privilege Gain] [Priority: 1] {TCP} x.x.x.x:80 ->
> x.x.x.x:31390
> *Stream reassembled packet*
>
> Above, where it says "Stream reassembled packet" is your indication that
> the alert was not in fact on one packet, but on the reassembly of the
> packets. We call this the pseudo packet.
>
> If you output from Snort in Unified format, you have access to these
> packets.
>
> J
>
>
>
> On Tue, Apr 26, 2011 at 1:09 PM, Lay, James <james.lay@wincofoods.com>wrote:
>
>> Thanks for the response, Jason. I ended up working with Joel on this and he
>> has put in a bug fix. Thanks again.
>>
>> James
>>
>> *From:* Jason Brvenik [mailto:jbrvenik@sourcefire.com]
>> *Sent:* Monday, April 25, 2011 5:14 PM
>> *To:* Lay, James; Kumar, Mahendra
>> *Subject:* Re: [Snort-users] snort is logging alerts but not capturing
>> corresponding packets for some rules
>>
>> I would suspect that the event fires on pseudo packets, reassembled or
>> normalized traffic. Can you enable unified2 and see if it is also missing
>> there?
>>
>> On Apr 25, 2011 6:58 PM, "Lay, James" <james.lay@wincofoods.com> wrote:
>> >
>> >
>> > From: Kumar, Mahendra [mailto:mkumar@intacct.com]
>> > Sent: Monday, April 25, 2011 3:50 PM
>> > To: snort-users@lists.sourceforge.net
>> > Subject: [Snort-users] snort is logging alerts but not capturing
>> > corresponding packets for some rules
>> >
>> > Hi,
>> >
>> > I am using snort-2.9.0.5 with daq-0.5-9 and libpcap1-1.1.1-9 on Centos
>> > 5.5 (x86_64). I am not using anything else like unified2, base,
>> > barnyard, mysql, etc.
>> >
>> > My snort is working properly and I am getting alerts and packet captures
>> > in snort.log in tcpdump format.
>> >
>> > But for some rules (e.g. SHELLCODE sid:1394) I get the alert logged, but
>> > there is no packet capture in snort.log, and it is very consistent
>> > behavior, i.e. I will never get packet captures for some of the rules
>> > but will always get the alert, so it is not a packet drop problem. It
>> > seems to be a config issue where the alert is logged but no packet is
>> > captured.
>> >
>> > Please help me resolve this issue.
>> >
>> > Thanks,
>> >
>> > MK
>> >
>> > Welcome to my world...I've submitted this exact same item a few
>> > times....seems to be a mystery. I have snort boxes in a few different
>> > sites on a few different OS's....same thing though...I get the alert in
>> > the .fast file, but certain things just do not log to the pcap. I've
>> > had to work around this with full web traffic packet captures. The
>> > machines aren't even close to maxing CPU or memory, but the problem
>> > still persists. If anyone has some advice I'd love to hear it.
>> >
>> > James
>> >
>>

-- Agustin Roca Information Security Team agustin.roca@globant.com work: 54+(011) 4109.1700 ext. 8098 cel: 54+(011)15-5022-3042
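The practical upshot of the thread is Joel's last point: the alert fires on the stream-rebuilt pseudo packet, and that packet is reachable through unified2 output rather than the tcpdump-format snort.log, so the check to run is whether every event record in the unified2 file has a packet record beside it. The Python below is an added example, not code from this thread or from the Snort project. It walks a unified2 file and pairs each IDS event record with its packet record by (sensor_id, event_id); the field layout follows the Snort 2.9 unified2 record definitions (Unified2IDSEvent, record type 7, and Serial_Unified2Packet, record type 2), and other record types (IPv6 events, v2 events, extra data) are skipped. The sample stream is constructed inline: the sensor and event ids, timestamps, addresses and payload are made up for illustration, while the signature id 12280 and port 31390 are taken from Joel's alert above. The second event is deliberately given no packet record so that events_without_packets() has something to report.

```python
import struct
from collections import defaultdict

# Record type values from the Snort 2.9 unified2 definitions. Other types
# (IPv6 events, v2 events with VLAN/MPLS fields, extra data) are skipped below.
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7

# Serial_Unified2_Header: record type and record length, both big-endian uint32
HDR = struct.Struct("!II")
# Unified2IDSEvent (IPv4, v1): 11 x uint32, 2 x uint16, 4 x uint8 = 52 bytes
EVENT_V1 = struct.Struct("!11I2H4B")
# Serial_Unified2Packet header: 7 x uint32 = 28 bytes, then packet_length bytes
PACKET_HDR = struct.Struct("!7I")

EVENT_FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond",
                "signature_id", "generator_id", "signature_revision",
                "classification_id", "priority_id", "ip_source", "ip_destination",
                "sport_itype", "dport_icode", "protocol", "impact_flag", "impact",
                "blocked")


def parse_unified2(data):
    """Yield (record_type, body) for every record in a unified2 byte string."""
    off = 0
    while off + HDR.size <= len(data):
        rec_type, rec_len = HDR.unpack_from(data, off)
        off += HDR.size
        if off + rec_len > len(data):
            raise ValueError("truncated unified2 record at offset %d" % off)
        yield rec_type, data[off:off + rec_len]
        off += rec_len


def correlate(data):
    """Return {(sensor_id, event_id): {"event": dict, "packets": [bytes, ...]}}.

    Snort writes the packet record(s) for an event with the same sensor_id and
    event_id as the event record, which is the join key used here."""
    events = {}
    packets = defaultdict(list)
    for rec_type, body in parse_unified2(data):
        if rec_type == UNIFIED2_IDS_EVENT:
            ev = dict(zip(EVENT_FIELDS, EVENT_V1.unpack_from(body)))
            events[(ev["sensor_id"], ev["event_id"])] = ev
        elif rec_type == UNIFIED2_PACKET:
            (sensor_id, event_id, _event_sec, _pkt_sec, _pkt_usec,
             _linktype, packet_length) = PACKET_HDR.unpack_from(body)
            start = PACKET_HDR.size
            packets[(sensor_id, event_id)].append(body[start:start + packet_length])
    return {key: {"event": ev, "packets": packets.get(key, [])}
            for key, ev in events.items()}


def events_without_packets(data):
    """Keys of event records that have no packet record in the same file."""
    return [key for key, rec in sorted(correlate(data).items())
            if not rec["packets"]]


def build_sample():
    """Constructed unified2 stream, not captured from Snort: one event with its
    packet record, and one event with no packet record at all."""
    def record(rec_type, body):
        return HDR.pack(rec_type, len(body)) + body

    def event(event_id, sid, gid, rev):
        # sensor 1, made-up timestamp, 10.0.0.1:80 -> 10.0.0.2:31390, TCP (6)
        return EVENT_V1.pack(1, event_id, 1303814263, 307954, sid, gid, rev,
                             0, 1, 0x0A000001, 0x0A000002, 80, 31390, 6, 0, 0, 0)

    # Constructed payload standing in for the reassembled stream content.
    payload = b"<v:fill src=" + b"A" * 40 + b">"
    pkt = PACKET_HDR.pack(1, 1, 1303814263, 1303814263, 307954, 1, len(payload)) + payload
    return (record(UNIFIED2_IDS_EVENT, event(1, 12280, 1, 3))
            + record(UNIFIED2_PACKET, pkt)
            + record(UNIFIED2_IDS_EVENT, event(2, 1394, 1, 0)))


if __name__ == "__main__":
    sample = build_sample()
    for key, rec in sorted(correlate(sample).items()):
        ev = rec["event"]
        print("event %r sid %d: %d packet record(s)"
              % (key, ev["signature_id"], len(rec["packets"])))
    print("events with no packet record:", events_without_packets(sample))
```

To run it against real output, replace build_sample() with the bytes of the file written by a snort.conf line such as `output unified2: filename snort.u2, limit 128` (the real file name carries a timestamp suffix). Record layouts differ between Snort releases and between the IPv4/IPv6 and v1/v2 event types, so check the struct sizes against the unified2 header of the version you are running before trusting the join.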


_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users