[Oisf-users] Packet capture dump in unified2 logs.

Nikolay Denev ndenev at gmail.com
Wed Feb 15 09:26:29 UTC 2012


On Feb 15, 2012, at 10:07 AM, Victor Julien wrote:

> On 02/15/2012 06:42 AM, Nikolay Denev wrote:
>> Hi,
>> 
>> I'm wondering how suricata decides which packet to capture and dump in the unified2 log file and which not to.
>> 
>> I'm running Snorby to collect the alerts, and I've noticed that sometimes for a single rule, some of the alerts have
>> the packet dump present and some not.
> 
> That is odd. There should always be a packet. Is this happening with
> specific rules and / or traffic?
> 
> -- 
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
> 
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users

I've checked now. Some of the alerts without a packet dump are packets with only headers and no payload,
for example SYN packets from RBN-listed IPs, which should be normal. But I also have an alert from this rule:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ETPRO TROJAN Win32/Chir.B at mm User-Agent (KPeerUpdater)"; flow:to_server,established; content:"User-Agent|3a| KPeerUpdater|0d 0a|"; http_header; reference:url,www.threatexpert.com/report.aspx?md5=5ca614132b183b2812cb69112879237f; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FChir.B%40mm; classtype:trojan-activity; sid:2803871; rev:2;)

And in Snorby I see no packet dump, and the packet len is 40?

I can also look in the unified2.alert file to make sure it's not a Snorby problem (if I can find some tool to check it :) ).

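As an added example (not from the thread, and not a tool shipped with Suricata or Snorby), a small Python reader for the unified2 file mentioned above: it walks the records, pairs each UNIFIED2_PACKET record with its event by (sensor_id, event_id), and lists the events that have no packet record at all, so a missing dump can be blamed on the sensor rather than the console. It assumes the file holds only legacy IPv4 event records (type 7) and packet records (type 2); the sample records are constructed inline.

```python
import struct
from collections import OrderedDict

# Record types from the unified2 format (Snort's Unified2_common.h).
UNIFIED2_PACKET = 2          # 28-byte header followed by the raw packet bytes
UNIFIED2_IDS_EVENT = 7       # legacy IPv4 event record, 52-byte body
# Other types (IPv6 / v2 events, extra data) are skipped by this reader.

def iter_records(data):
    """Yield (type, body) for each record; every record starts with a big-endian type+length header."""
    off = 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack('>II', data[off:off + 8])
        off += 8
        yield rtype, data[off:off + rlen]
        off += rlen

def correlate(data):
    """Map (sensor_id, event_id) -> {'sid', 'gid', 'rev', 'packets': [captured lengths]}."""
    events = OrderedDict()
    for rtype, body in iter_records(data):
        if rtype == UNIFIED2_IDS_EVENT:
            sensor, event, _sec, _usec, sid, gid, rev = struct.unpack('>7I', body[:28])
            events[(sensor, event)] = {'sid': sid, 'gid': gid, 'rev': rev, 'packets': []}
        elif rtype == UNIFIED2_PACKET:
            sensor, event, _esec, _psec, _pusec, _dlt, plen = struct.unpack('>7I', body[:28])
            entry = events.setdefault((sensor, event), {'sid': None, 'gid': None, 'rev': None, 'packets': []})
            entry['packets'].append(plen)   # plen is the number of packet bytes following the header
    return events

def events_without_packet(data):
    """Keys of events that never received a matching UNIFIED2_PACKET record."""
    return [key for key, ev in correlate(data).items() if not ev['packets']]

# --- constructed sample records (assumed values, not taken from a real sensor) ---
def _event_record(sensor, event, sid):
    body = struct.pack('>9I', sensor, event, 1329298369, 0, sid, 1, 2, 27, 1)        # ids, time, sig, class, prio
    body += struct.pack('>IIHHBBBB', 0x0a000001, 0xc0a80001, 49152, 80, 6, 0, 0, 0)  # src, dst, ports, proto, flags
    return struct.pack('>II', UNIFIED2_IDS_EVENT, len(body)) + body

def _packet_record(sensor, event, packet):
    body = struct.pack('>7I', sensor, event, 1329298369, 1329298369, 0, 1, len(packet)) + packet
    return struct.pack('>II', UNIFIED2_PACKET, len(body)) + body

SAMPLE = (_event_record(1, 100, 2803871) + _packet_record(1, 100, bytes(40))   # headers-only packet, len 40
          + _event_record(1, 101, 2803871))                                     # event with no packet record

if __name__ == '__main__':
    for key, ev in correlate(SAMPLE).items():
        print(key, 'sid', ev['sid'], 'packet lengths', ev['packets'] or 'NONE')
```

Point it at a real file with `correlate(open('unified2.alert.<timestamp>', 'rb').read())`; an event listed by `events_without_packet` was written by the sensor without any packet record, so the gap is not a console display problem.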