[Oisf-users] Packet capture dump in unified2 logs.
Nikolay Denev
ndenev at gmail.com
Wed Feb 15 10:59:05 UTC 2012
On Feb 15, 2012, at 12:53 PM, Victor Julien wrote:
> On 02/15/2012 10:26 AM, Nikolay Denev wrote:
>>
>> On Feb 15, 2012, at 10:07 AM, Victor Julien wrote:
>>
>>> On 02/15/2012 06:42 AM, Nikolay Denev wrote:
>>>> Hi,
>>>>
>>>> I'm wondering how suricata decides which packet to capture and dump
>>>> in the unified2 log file and which not to.
>>>>
>>>> I'm running Snorby to collect the alerts, and I've noticed that
>>>> sometimes for a single rule, some of the alerts have
>>>> the packet dump present and some not.
>>>
>>> That is odd. There should always be a packet. Is this happening with
>>> specific rules and / or traffic?
>>>
>> I've checked now. Some of the alerts without a packet dump are packets
>> with only headers and no payload,
>> for example SYN packets from RBN-listed IPs, which should be normal. But
>> I also have an alert from this rule:
>>
>> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ETPRO TROJAN
>> Win32/Chir.B@mm User-Agent (KPeerUpdater)"; flow:to_server,established;
>> content:"User-Agent|3a| KPeerUpdater|0d 0a|"; http_header;
>> reference:url,www.threatexpert.com/report.aspx?md5=5ca614132b183b2812cb69112879237f;
>> reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FChir.B%40mm;
>> classtype:trojan-activity; sid:2803871; rev:2;)
>>
>> And in Snorby I see no packet dump, and the packet len is 40?
>
> Might be the ACK packet triggering the reassembly. Still should have
> logged the packet I think.
>
> Can you enable the alert-debug.log in Suricata for a while? When you see
> this issue again, see what it logs.
>
> Btw, in your screen shot the SEQ and ACK values are the same. That seems
> unusual as well.
>
>
>>
>> I can also look in the unified2.alert file to make sure it's not a Snorby
>> problem. (if I can find some tool to check it :) )
>>
>
> Let's focus on what Suricata does right now. We've had issues with
> unified2 in the past.
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
Ok, I've enabled alert-debug.log now. I'll let you know when I have something.
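A small unified2 reader, added here as an example (it is not part of this thread, of Suricata or of Snorby), that does the check Nikolay mentions: it walks a unified2 buffer, pairs each UNIFIED2_PACKET record with its event by (sensor_id, event_id), and lists the events that have no packet record at all. The record type numbers and field layouts are assumed from the published Snort unified2 format (legacy IPv4/IPv6 event records only; the V2 layouts are not handled), and the sample buffer is constructed inline rather than taken from a real sensor.

```python
import struct

# Record types from the unified2 format (assumed from the public Snort spec).
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7          # legacy IPv4 event, 52-byte body
UNIFIED2_IDS_EVENT_IPV6 = 72    # legacy IPv6 event, 76-byte body

# Leading fields shared by both legacy event layouts (all network byte order):
# sensor_id, event_id, event_second, event_usec, sid, gid, rev, class, priority
_EVENT_HEAD = struct.Struct("!IIIIIIIII")

def parse_unified2(data: bytes):
    """Yield (record_type, body) for every record in a unified2 byte buffer."""
    off = 0
    while off + 8 <= len(data):
        rtype, length = struct.unpack_from("!II", data, off)   # 8-byte record header
        body = data[off + 8: off + 8 + length]
        if len(body) != length:
            raise ValueError(f"truncated record at offset {off}")
        yield rtype, body
        off += 8 + length

def events_without_packets(data: bytes):
    """Return sorted (sensor_id, event_id, sid) tuples for events lacking a packet record."""
    events, packets = {}, set()
    for rtype, body in parse_unified2(data):
        if rtype in (UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_IPV6):
            sensor, event_id, _, _, sid = _EVENT_HEAD.unpack_from(body)[:5]
            events[(sensor, event_id)] = sid
        elif rtype == UNIFIED2_PACKET:
            sensor, event_id = struct.unpack_from("!II", body)    # first two packet fields
            packets.add((sensor, event_id))
    return sorted((s, e, sid) for (s, e), sid in events.items() if (s, e) not in packets)

# --- constructed sample data (placeholder addresses, ports and timestamps) ---
def _event(sensor, event_id, sid):
    # 52-byte legacy IPv4 event: 11 x uint32, 2 x uint16 (ports), 4 x uint8
    return struct.pack("!IIIIIIIIIIIHHBBBB", sensor, event_id, 1329303600, 0, sid, 1, 2,
                       27, 1, 0x0A000001, 0xC0A80001, 40000, 80, 6, 0, 0, 0)

def _packet(sensor, event_id, payload):
    # packet record: sensor, event_id, event_sec, pkt_sec, pkt_usec, linktype, length, data
    return struct.pack("!IIIIIII", sensor, event_id, 1329303600, 1329303600, 0, 1,
                       len(payload)) + payload

def _record(rtype, body):
    return struct.pack("!II", rtype, len(body)) + body

SAMPLE = (_record(UNIFIED2_IDS_EVENT, _event(0, 1, 2803871)) +
          _record(UNIFIED2_PACKET, _packet(0, 1, b"\x00" * 40)) +   # 40-byte headers-only packet
          _record(UNIFIED2_IDS_EVENT, _event(0, 2, 2803871)))       # same sid, no packet record
```

Run it against a real file with `events_without_packets(open("unified2.alert.<timestamp>", "rb").read())`; an empty list means every event in the file has a packet record, so a missing dump would then be on the Snorby side.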