[Oisf-users] Packet capture dump in unified2 logs.

Victor Julien victor at inliniac.net
Wed Feb 15 10:53:39 UTC 2012

On 02/15/2012 10:26 AM, Nikolay Denev wrote:
> On Feb 15, 2012, at 10:07 AM, Victor Julien wrote:
>> On 02/15/2012 06:42 AM, Nikolay Denev wrote:
>>> Hi,
>>> I'm wondering how suricata decides which packet to capture and dump
>>> in the unified2 log file and which not to.
>>> I'm running Snorby to collect the alerts, and I've noticed that
>>> sometimes for a single rule, some of the alerts have
>>> the packet dump present and some not.
>> That is odd. There should always be a packet. Is this happening with
>> specific rules and / or traffic?
> I've checked now. Some of the alerts without packet dump are packets
> with only headers and no payload, 
> for example syn packets from RBN listed IPs. Which should be normal. But
> I have also alert from this rule:
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ETPRO TROJAN
> Win32/Chir.B at mm User-Agent (KPeerUpdater)"; flow:to_server,established;
> content:"User-Agent|3a| KPeerUpdater|0d 0a|"; http_header;
> reference:url,www.threatexpert.com/report.aspx?md5=5ca614132b183b2812cb69112879237f
> <http://www.threatexpert.com/report.aspx?md5=5ca614132b183b2812cb69112879237f>;
> reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FChir.B%40mm
> <http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FChir.B%40mm>;
> classtype:trojan-activity; sid:2803871; rev:2;)
> And in snorby I see no packet dump, and packet len is 40?

Might be the ACK packet triggering the reassembly. Still should have
logged the packet I think.

Can you enable the alert-debug.log in Suricata for a while? When you see
this issue again, see what it logs.

Btw, in your screen shot the SEQ and ACK values are the same. That seems
unusual as well.

> I can also look in the unified2.alert file to make sure it's not snorby
> problem. (if I can find some tool to check it :) )

Let's focus on what Suricata does right now. We've had issues with
unified2 in the past.

Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc

More information about the Oisf-users mailing list