[Oisf-users] Packet capture dump in unified2 logs.
Nikolay Denev
ndenev at gmail.com
Wed Feb 15 11:28:47 UTC 2012
On Feb 15, 2012, at 12:53 PM, Victor Julien wrote:
> On 02/15/2012 10:26 AM, Nikolay Denev wrote:
>>
>> On Feb 15, 2012, at 10:07 AM, Victor Julien wrote:
>>
>>> On 02/15/2012 06:42 AM, Nikolay Denev wrote:
>>>> Hi,
>>>>
>>>> I'm wondering how suricata decides which packet to capture and dump
>>>> in the unified2 log file and which not to.
>>>>
>>>> I'm running Snorby to collect the alerts, and I've noticed that
>>>> sometimes for a single rule, some of the alerts have
>>>> the packet dump present and some not.
>>>
>>> That is odd. There should always be a packet. Is this happening with
>>> specific rules and / or traffic?
>>>
>> I've checked now. Some of the alerts without a packet dump are packets
>> with only headers and no payload,
>> for example SYN packets from RBN-listed IPs, which should be normal. But
>> I also have an alert from this rule:
>>
>> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ETPRO TROJAN
>> Win32/Chir.B@mm User-Agent (KPeerUpdater)"; flow:to_server,established;
>> content:"User-Agent|3a| KPeerUpdater|0d 0a|"; http_header;
>> reference:url,www.threatexpert.com/report.aspx?md5=5ca614132b183b2812cb69112879237f;
>> reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FChir.B%40mm;
>> classtype:trojan-activity; sid:2803871; rev:2;)
>>
>> And in Snorby I see no packet dump, and the packet len is 40?
>
> Might be the ACK packet triggering the reassembly. Still should have
> logged the packet I think.
>
> Can you enable the alert-debug.log in Suricata for a while? When you see
> this issue again, see what it logs.
>
> Btw, in your screen shot the SEQ and ACK values are the same. That seems
> unusual as well.
>
>
>>
>> I can also look in the unified2.alert file to make sure it's not snorby
>> problem. (if I can find some tool to check it :) )
>>
>
> Let's focus on what Suricata does right now. We've had issues with
> unified2 in the past.
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
Here's one such alert, but there is packet data in the alert-debug file (also the packet len differs, maybe a Snorby issue?):
+================
TIME: 02/15/2012-13:18:15.459170
SRC IP: X.X.X.X
DST IP: Y.Y.Y.Y
PROTO: 6
SRC PORT: 55192
DST PORT: 80
TCP SEQ: 1360766462
TCP ACK: 1891794325
FLOW: to_server: TRUE, to_client: FALSE
FLOW Start TS: 02/15/2012-13:18:15.017736
FLOW IPONLY SET: TOSERVER: TRUE, TOCLIENT: TRUE
FLOW ACTION: DROP: FALSE, PASS FALSE
FLOW NOINSPECTION: PACKET: FALSE, PAYLOAD: FALSE, APP_LAYER: FALSE
FLOW APP_LAYER: DETECTED: TRUE, PROTO 1
PACKET LEN: 68
PACKET:
0000 02 04 96 37 53 8D F0 DE F1 95 DF F7 81 00 00 00 ...7S... ........
0010 81 00 00 70 08 00 45 00 00 28 1E 3B 40 00 80 06 ...p..E. .(.;@...
0020 AF 37 0A 81 15 24 6B 14 A2 A4 D7 98 00 50 51 1B .7...$k. .....PQ.
0030 A5 FE 70 C2 7D 95 50 10 01 00 C4 1C 00 00 00 00 ..p.}.P. ........
0040 00 00 00 00 ....
ALERT CNT: 1
ALERT MSG [00]: ETPRO POLICY dl.dropbox Download
ALERT GID [00]: 1
ALERT SID [00]: 2804233
ALERT REV [00]: 3
ALERT CLASS [00]: Potential Corporate Privacy Violation
ALERT PRIO [00]: 1
ALERT FOUND IN [00]: OTHER
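As an added example (editor's code, not part of the original message and not Suricata or Snorby code), the following script decodes the PACKET: hex dump quoted above. The dump text is copied from the record; the parser, the decoder and the field names it returns are mine. Decoding the bytes shows where the two lengths come from: the frame carries a 14-byte Ethernet header, two stacked 802.1Q tags (VLAN 0 and VLAN 112), a 20-byte IPv4 header whose total length field is 40, a 20-byte TCP header with only the ACK flag set and no payload, and 6 bytes of trailing zero padding. Suricata's PACKET LEN of 68 is the whole captured frame (22 + 40 + 6), while 40 is the IPv4 total length, i.e. a header-only ACK. The decoder also verifies the IPv4 header checksum, which is a cheap way to confirm a hand-pasted dump is intact before reasoning about it.

```python
import struct

# Constructed copy of the PACKET: hex dump from the alert-debug.log record
# quoted in the message above (offset, up to 16 hex bytes, ASCII column).
ALERT_DEBUG_DUMP = """\
0000 02 04 96 37 53 8D F0 DE F1 95 DF F7 81 00 00 00 ...7S... ........
0010 81 00 00 70 08 00 45 00 00 28 1E 3B 40 00 80 06 ...p..E. .(.;@...
0020 AF 37 0A 81 15 24 6B 14 A2 A4 D7 98 00 50 51 1B .7...$k. .....PQ.
0030 A5 FE 70 C2 7D 95 50 10 01 00 C4 1C 00 00 00 00 ..p.}.P. ........
0040 00 00 00 00 ....
"""

HEX_DIGITS = set("0123456789abcdefABCDEF")
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS"]


def hexdump_to_bytes(dump):
    """Rebuild raw bytes from alert-debug.log hex-dump lines.

    Assumption: each line is '<offset> <up to 16 hex pairs> <ascii column>';
    we stop at the 16th pair or at the first token that is not a hex pair,
    so an ASCII column that contains spaces and hex-looking pairs is not
    handled (it does not occur in this dump).
    """
    out = bytearray()
    for line in dump.splitlines():
        fields = line.split()
        if not fields:
            continue
        if int(fields[0], 16) != len(out):
            raise ValueError("non-contiguous dump at offset %s" % fields[0])
        taken = 0
        for tok in fields[1:]:
            if taken == 16 or len(tok) != 2 or not set(tok) <= HEX_DIGITS:
                break
            out.append(int(tok, 16))
            taken += 1
    return bytes(out)


def inet_checksum_ok(header):
    """RFC 1071 check: summing all 16-bit words, checksum field included,
    must give 0xFFFF after end-around carry."""
    words = struct.unpack("!%dH" % (len(header) // 2), header)
    s = sum(words)
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s == 0xFFFF


def decode_frame(frame):
    """Walk Ethernet -> stacked 802.1Q tags -> IPv4 -> TCP and report the
    fields needed to compare a Suricata alert with a Snorby/unified2 row."""
    info = {"capture_len": len(frame), "vlans": []}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    off = 14
    # 0x8100 is the 802.1Q TPID; 0x88A8 and 0x9100 are common outer (QinQ) TPIDs.
    while ethertype in (0x8100, 0x88A8, 0x9100):
        tci, ethertype = struct.unpack("!HH", frame[off:off + 4])
        info["vlans"].append(tci & 0x0FFF)
        off += 4
    if ethertype != 0x0800:
        raise ValueError("not IPv4: ethertype 0x%04x" % ethertype)
    info["link_hdr_len"] = off

    ip = frame[off:]
    ihl = (ip[0] & 0x0F) * 4
    info["ip_total_len"] = struct.unpack("!H", ip[2:4])[0]
    info["ip_proto"] = ip[9]
    info["ip_hdr_checksum_ok"] = inet_checksum_ok(ip[:ihl])
    info["src_ip"] = ".".join(str(b) for b in ip[12:16])
    info["dst_ip"] = ".".join(str(b) for b in ip[16:20])
    # Bytes past the IP total length are link-layer padding: they count
    # toward the capture length but are not part of the packet.
    info["trailer_len"] = len(ip) - info["ip_total_len"]
    if info["ip_proto"] != 6:
        return info

    tcp = ip[ihl:info["ip_total_len"]]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4
    flag_bits = off_flags & 0x01FF
    info.update(
        src_port=sport, dst_port=dport, seq=seq, ack=ack,
        tcp_flags=[n for i, n in enumerate(TCP_FLAG_NAMES) if flag_bits & (1 << i)],
        payload_len=len(tcp) - data_off,
    )
    return info


def analyze_alert_debug_dump(dump):
    """Decode one alert-debug.log PACKET: dump into a field dictionary."""
    return decode_frame(hexdump_to_bytes(dump))


if __name__ == "__main__":
    for key, value in sorted(analyze_alert_debug_dump(ALERT_DEBUG_DUMP).items()):
        print("%-20s %s" % (key, value))
```

Running it prints capture_len 68, link_hdr_len 22, ip_total_len 40, trailer_len 6, tcp_flags ['ACK'] and payload_len 0, and the SEQ/ACK it decodes match the TCP SEQ and TCP ACK lines of the record, so the dump and the record agree. To compare against a unified2 file directly, feed the packet bytes of a Unified2Packet record (the raw frame after its fixed header) to decode_frame instead of the hex dump.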