snort-users April 2011 archive

Re: [Snort-users] snort is logging alerts but not capturing corresponding packets for some rules

From: Jason Brvenik <jbrvenik_at_nospam>
Date: Wed Apr 27 2011 - 00:28:10 GMT
To: Joel Esler <jesler@sourcefire.com>

But you can output to both while you transition.
On Apr 26, 2011 7:07 PM, "Joel Esler" <jesler@sourcefire.com> wrote:
> What you should do is output to unified, then use barnyard or something to
> output to tcpdump format.
>
> Joel
>
> On Tue, Apr 26, 2011 at 6:25 PM, Kumar, Mahendra <mkumar@intacct.com> wrote:
>
>> Hi Joel,
>>
>> Can I capture packets in tcpdump mode in snort.log and simultaneously in
>> unified format in some other file? If yes, how can I do that so that I can
>> compare and see if the packets missing from snort.log (tcpdump) are in fact
>> logged in unified format.
>>
>> Thanks
>>
>>
>>
>> *From:* Joel Esler [mailto:jesler@sourcefire.com]
>> *Sent:* Tuesday, April 26, 2011 10:49 AM
>> *To:* Agustin Roca
>> *Cc:* snort-users@lists.sourceforge.net; Jason Brvenik
>>
>> *Subject:* Re: [Snort-users] snort is logging alerts but not capturing
>> corresponding packets for some rules
>>
>>
>>
>> -A cmg on the command line as the alert method.
>>
>> On Tue, Apr 26, 2011 at 1:48 PM, Agustin Roca <agustin.roca@globant.com>
>> wrote:
>>
>> Nice explanation Joel. Which snort flag/option can I use to see the *Stream
>> reassembled packet* info?
>>
>> 2011/4/26 Joel Esler <jesler@sourcefire.com>
>>
>> Actually, Jason is right. The alert is generated on the pseudo packet,
>> this is correct functionality, so I've closed the bug.
>>
>>
>>
>> So, James, using the pcap you gave me, I'll get rid of the IPs in the cut
>> and paste here, but I'll make BOLD the line that indicates that the alert is
>> actually on the pseudo packet, and not the individual packet.
>>
>>
>>
>> snort -c snort.conf -r missed.pcap -A cmg -q
>>
>>
>>
>> 04/26-10:37:43.307954 [**] [1:12280:3] WEB-CLIENT Microsoft Internet
>> Explorer VML source file memory corruption attempt [**] [Classification:
>> Attempted User Privilege Gain] [Priority: 1] {TCP} x.x.x.x:80 ->
>> x.x.x.x:31390
>>
>> *Stream reassembled packet*
>>
>>
>>
>> Above, where it says "Stream reassembled packet" is your indication that
>> the alert was not in fact on one packet, but on the reassembly of the
>> packets. We call this the pseudo packet.
>>
>>
>>
>> If you output from Snort in Unified format, you have access to these
>> packets.
>>
>>
>>
>> J
>>
>>
>>
>>
>>
>> On Tue, Apr 26, 2011 at 1:09 PM, Lay, James <james.lay@wincofoods.com>
>> wrote:
>>
>> Thanks for the response Jason…I ended up working with Joel on this and he
>> has put in a bug fix. Thanks again.
>>
>>
>>
>> James
>>
>>
>>
>> *From:* Jason Brvenik [mailto:jbrvenik@sourcefire.com]
>> *Sent:* Monday, April 25, 2011 5:14 PM
>> *To:* Lay, James; Kumar, Mahendra
>> *Subject:* Re: [Snort-users] snort is logging alerts but not capturing
>> corresponding packets for some rules
>>
>>
>>
>> I would suspect that the event fires on pseudo packets, reassembled or
>> normalized traffic. Can you enable unified2 and see if it is also missing
>> there?
>>
>> On Apr 25, 2011 6:58 PM, "Lay, James" <james.lay@wincofoods.com> wrote:
>> >
>> >
>> > From: Kumar, Mahendra [mailto:mkumar@intacct.com]
>> > Sent: Monday, April 25, 2011 3:50 PM
>> > To: snort-users@lists.sourceforge.net
>> > Subject: [Snort-users] snort is logging alerts but not capturing
>> > corresponding packets for some rules
>> >
>> >
>> >
>> > Hi,
>> >
>> >
>> >
>> > I am using snort-2.9.0.5 with daq-0.5-9 and libpcap1-1.1.1-9 on Centos
>> > 5.5 (x86_64). I am not using any other thing like unified2, base,
>> > barnyard, mysql etc.
>> >
>> > My snort is working properly and I am getting alerts and packet captures
>> > in snort.log in tcpdump format.
>> >
>> > But for some rules (e.g. SHELLCODE sid:1394) I get the alert logged but
>> > there is no packet capture in snort.log and it is very consistent
>> > behavior, i.e. I will never get packet captures for some of the rules
>> > but will always get alert so it is not a packet drop problem. It seems
>> > to be a config issue where the alert is logged but no packet captures.
>> >
>> > Please help me resolve this issue.
>> >
>> >
>> >
>> > Thanks,
>> >
>> > MK
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> > Welcome to my world...I've submitted this exact same item a few
>> > times....seems to be a mystery. I have snort boxes in a few different
>> > sites on a few different OS's....same thing though...I get the alert in
>> > the .fast file, but certain things just do not log to the pcap. I've
>> > had to work around this with full web traffic packet captures. The
>> > machines aren't even close to maxing CPU or memory, but the problem
>> > still persists. If anyone has some advice I'd love to hear it.
>> >
>> >
>> >
>> > James
>> >
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> --
>> Agustin Roca
>> Information Security Team
>> agustin.roca@globant.com
>> work: 54+(011) 4109.1700 ext. 8098
>> cel: 54+(011)15-5022-3042
>>
>>
>>

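As an added example (not code from the thread or from Snort itself), a small Python script that parses `-A cmg` console output of the kind quoted above and reports, per rule, how many alerts fired on a "Stream reassembled packet" pseudo packet and therefore will not show up in the tcpdump-format snort.log; the sample output, its IPs and the sid 1394 message text are constructed placeholders.

```python
import re
from collections import defaultdict

# Alert header line as printed by `snort -A cmg` (format taken from the thread).
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+) \[\*\*\] "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
)
PSEUDO_MARKER = "Stream reassembled packet"  # printed in place of a real packet header
SEPARATOR = "=+=+"                           # cmg prints a =+=+... line between events

def parse_cmg(text):
    """One dict per alert; 'pseudo' is True when it fired on a reassembled pseudo packet."""
    events, current = [], None
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            current = dict(m.groupdict(), pseudo=False)
            events.append(current)
        elif line.startswith(SEPARATOR):
            current = None  # next marker must belong to a new alert
        elif current is not None and line.strip() == PSEUDO_MARKER:
            current["pseudo"] = True
    return events

def summarize(events):
    """Per gid:sid counts of alerts on real packets vs on pseudo packets."""
    stats = defaultdict(lambda: {"msg": "", "packet": 0, "pseudo": 0})
    for ev in events:
        entry = stats[f"{ev['gid']}:{ev['sid']}"]
        entry["msg"] = ev["msg"]
        entry["pseudo" if ev["pseudo"] else "packet"] += 1
    return dict(stats)

# Constructed sample console output (IPs and the sid 1394 message are placeholders).
SAMPLE = """\
04/26-10:37:43.307954 [**] [1:12280:3] WEB-CLIENT Microsoft Internet Explorer VML source file memory corruption attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} x.x.x.x:80 -> x.x.x.x:31390
Stream reassembled packet
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
04/26-10:37:44.000001 [**] [1:1394:1] SHELLCODE example rule (constructed msg) [**] [Classification: Executable code was detected] [Priority: 1] {TCP} x.x.x.x:80 -> x.x.x.x:31391
Stream reassembled packet
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
04/26-10:37:45.123456 [**] [1:1394:1] SHELLCODE example rule (constructed msg) [**] [Classification: Executable code was detected] [Priority: 1] {TCP} x.x.x.x:80 -> x.x.x.x:31392
04/26-10:37:45.123456 x.x.x.x:80 -> x.x.x.x:31392 TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:60
"""

if __name__ == "__main__":
    for key, s in summarize(parse_cmg(SAMPLE)).items():
        print(f"{key}: {s['packet']} on packets, {s['pseudo']} on pseudo packets ({s['msg']})")
```

Rules whose "pseudo" count is non-zero are the ones whose alerts you should expect to find only in unified2 output (or in barnyard's tcpdump output fed from it), not in snort.log.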

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users