[Oisf-users] Packet capture dump in unified2 logs.
Nikolay Denev
ndenev at gmail.com
Wed Feb 15 14:31:56 UTC 2012
On Feb 15, 2012, at 3:29 PM, Nikolay Denev wrote:
>
> On Feb 15, 2012, at 1:52 PM, Peter Manev wrote:
>
>>
>> Just from observation -
>> "PACKET LEN: 68" in debug alert
>> but in Snorby it says "40" - so it does seem there is a bit of discrepancy ....
>> If you use pcap.log(ing) in yaml , does this packet indeed have 68 or 40 length ?
>>
>> --
>> Peter Manev
>
> I've just turned on pcap-log in suricata.yaml.
>
Ok here's another one. The rule is :
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Alexa Spyware Reporting"; flow:established,to_server; uricontent:"/data?"; nocase; uricontent:"cli="; nocase; uricontent:"&dat="; nocase; uricontent:"&ver="; nocase; uricontent:"&uid="; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003219; classtype:trojan-activity; sid:2003219; rev:4;)
+================
TIME: 02/15/2012-16:02:56.567244
SRC IP: X.X.X.X
DST IP: Y.Y.Y.Y
PROTO: 6
SRC PORT: 58761
DST PORT: 80
TCP SEQ: 3317584075
TCP ACK: 2654953614
FLOW: to_server: TRUE, to_client: FALSE
FLOW Start TS: 02/15/2012-16:02:56.295055
FLOW IPONLY SET: TOSERVER: TRUE, TOCLIENT: TRUE
FLOW ACTION: DROP: FALSE, PASS FALSE
FLOW NOINSPECTION: PACKET: FALSE, PAYLOAD: FALSE, APP_LAYER: TRUE
FLOW APP_LAYER: DETECTED: TRUE, PROTO 1
PACKET LEN: 68
PACKET:
0000 02 04 96 37 53 8D F0 DE F1 75 DD AE 81 00 00 00 ...7S... .u......
0010 81 00 00 6C 08 00 45 00 00 28 24 DD 40 00 80 06 ...l..E. .($. at ...
0020 CF F9 0A 81 0D 47 4B 65 A2 CC E5 89 00 50 C5 BE .....GKe .....P..
0030 50 CB 9E 3F 60 8E 50 10 3F 05 6F A4 00 00 00 00 P..?`.P. ?.o.....
0040 00 00 00 00 ....
ALERT CNT: 1
ALERT MSG [00]: ET MALWARE Alexa Spyware Reporting
ALERT GID [00]: 1
ALERT SID [00]: 2003219
ALERT REV [00]: 4
ALERT CLASS [00]: A Network Trojan was Detected
ALERT PRIO [00]: 1
ALERT FOUND IN [00]: OTHER
+================
And this is from the pcap log :
16:02:56.295055 IP X.X.X.X.58761 > Y.Y.Y.Y.80: Flags [S], seq 3317583354, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
16:02:56.425664 IP X.X.X.X.58761 > Y.Y.Y.Y.80: Flags [.], ack 2654949527, win 16425, length 0
16:02:56.425473 IP Y.Y.Y.Y.80 > X.X.X.X.58761: Flags [S.], seq 2654949526, ack 3317583355, win 5840, options [mss 1460,nop,nop,sackOK,nop,wscale 2], length 0
16:02:56.426276 IP X.X.X.X.58761 > Y.Y.Y.Y.80: Flags [P.], seq 1:721, ack 1, win 16425, length 720
16:02:56.563356 IP truncated-ip - 4 bytes missing! Y.Y.Y.Y.80 > X.X.X.X.58761: Flags [.], seq 1:1461, ack 721, win 1820, length 1460
16:02:56.563365 IP truncated-ip - 4 bytes missing! Y.Y.Y.Y.80 > X.X.X.X.58761: Flags [.], seq 1461:2921, ack 721, win 1820, length 1460
16:02:56.563927 IP X.X.X.X.58761 > Y.Y.Y.Y.80: Flags [.], ack 2921, win 16425, length 0
16:02:56.564533 IP Y.Y.Y.Y.80 > X.X.X.X.58761: Flags [FP.], seq 2921:4087, ack 721, win 1820, length 1166
16:02:56.567872 IP X.X.X.X.58761 > Y.Y.Y.Y.80: Flags [R.], seq 721, ack 4088, win 0, length 0
16:02:56.567244 IP X.X.X.X.58761 > Y.Y.Y.Y.80: Flags [.], ack 4088, win 16133, length 0
Notice the truncated-ip packets.
My interface is Intel 10G card with MTU 9000 and suricata is set : default-packet-size: 1522
The switch has the port set like this "Jumbo: Enabled, MTU= 9216"
Also, just for info, this is extreme networks switch, that is mirroring the packets in one direction with VLAN tag, and and untagged in the other. Just like the recent thred in oisf-users@
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20120215/793e676d/attachment-0002.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snorby-alexa.png
Type: image/png
Size: 83164 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20120215/793e676d/attachment.png>
More information about the Oisf-users
mailing list