Snort mailing list archives
Re: log_unified: no IP data for some events
From: Tomás Heredia <tomas.heredia () activesec biz>
Date: Fri, 05 Jun 2009 18:16:17 -0300
I've been looking a little in that host, and I found Barnyard is having these errors:

Unknown Network header (0x1FAC)
Unknown Network header (0x1FAC)
Unknown Network header (0xA)
Unknown Network header (0xA)
Unknown Network header (0xA)
Unknown Network header (0xA)
Unknown Network header (0x20A)
Unknown Network header (0x20A)
Unknown Network header (0xA)
Unknown Network header (0xA)
Unknown Network header (0xA)
Unknown Network header (0xA)
Unknown Network header (0xA)
Unknown Network header (0xA)
Unknown Network header (0xA)
Unknown Network header (0xA)
Unknown Network header (0xA)

I haven't found anything about them.

Best regards,
Tomás

Tomás Heredia wrote:

For example:

mysql> select max(event.cid), sig_sid, sig_name, count(event.cid)
    -> from event
    -> left join iphdr on (event.sid = iphdr.sid and event.cid = iphdr.cid)
    -> inner join signature on (signature.sig_id = event.signature)
    -> where ip_src is null
    -> group by sig_id;
+----------------+---------+---------------------------------+------------------+
| max(event.cid) | sig_sid | sig_name                        | count(event.cid) |
+----------------+---------+---------------------------------+------------------+
|        3685058 |       1 | tag: Tagged Packet              |           221711 |
...
|        1970797 |    1079 | WEB-MISC WebDAV propfind access |                2 |
+----------------+---------+---------------------------------+------------------+

sig_sid=1 is no problem. sid 1079 is one of the offending ones (it happens both for standard and for binary rules).

Cheers!

Joel Esler wrote:

Can you provide a link to a screenshot?

Sent from my iPhone

On Jun 5, 2009, at 3:30 PM, Tomás Heredia <tomas.heredia () activesec biz> wrote:

Hi all,

I'm using Barnyard (0.2) to send snort 2.8.0 inline (I know, I do want to upgrade) log_unified data to an acid_db. Sometimes, and for some rules (not much in common among them), iphdr data is not recorded in the database (once it starts missing iphdr data for a rule, it keeps missing it for newer events). Other rules keep reporting OK. Other tools (like snort-unified-perl) don't show iphdr data in the unified log either. It's quite annoying, especially when the involved rules are dropping packets.

Is this a known problem? Does anyone know if it was resolved in a newer release?

Best regards,
Tomás

------------------------------------------------------------------------------
OpenSolaris 2009.06 is a cutting edge operating system for enterprises looking to deploy the next generation of Solaris that includes the latest innovations from Sun and the OpenSource community. Download a copy and enjoy capabilities such as Networking, Storage and Virtualization.
Go to: http://p.sf.net/sfu/opensolaris-get
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
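The thread pairs two observations: Barnyard logging "Unknown Network header (0x...)" and events landing in the database with no iphdr row. The script below is an added illustration of how those two fit together in a unified-log consumer; it is not Barnyard's, Snort's or the poster's code. It assumes a minimal decoder that only knows Ethernet followed by IPv4: when the EtherType it reads is anything else it reports the value in the same shape as the messages in the thread and produces no IP fields, so the event is written without addresses. The frame builder, the signature IDs and the event list are constructed test data, and `missing_ip_by_signature` is a Python counterpart of the SQL query posted above (events grouped by signature where no IP header could be recovered).

```python
"""Added example: why a link-layer decode failure leaves an event with no IP data.

Assumptions (not from the original thread): the consumer decodes the packet bytes
stored with each event as Ethernet + IPv4 only; anything else is reported as an
unknown network header. The frames and events below are constructed sample data.
"""
import struct

ETHERTYPE_IPV4 = 0x0800


def decode_eth_ipv4(pkt: bytes):
    """Decode an Ethernet/IPv4 packet.

    Returns ((src, dst), None) on success, or (None, message) where message is
    the text a Barnyard-style decoder would log. Only IPv4 over Ethernet is
    handled; every other EtherType yields "Unknown Network header (0x...)".
    """
    if len(pkt) < 14:
        return None, "truncated Ethernet header"
    ethertype = struct.unpack("!H", pkt[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        # Same formatting as the messages quoted in the thread: upper-case hex,
        # no zero padding (0xA, 0x20A, 0x1FAC).
        return None, f"Unknown Network header (0x{ethertype:X})"
    ip = pkt[14:]
    if len(ip) < 20:
        return None, "truncated IPv4 header"
    version, ihl = ip[0] >> 4, ip[0] & 0x0F
    if version != 4 or ihl < 5:
        return None, "not an IPv4 header"
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    return (src, dst), None


def build_frame(ethertype: int, src: str, dst: str, payload: bytes = b"") -> bytes:
    """Constructed test frame: dummy MACs, the given EtherType, minimal IPv4 header."""
    eth = bytes.fromhex("001122334455" "0a0b0c0d0e0f") + struct.pack("!H", ethertype)
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0x1234, 0x4000, 64, 6, 0,
        bytes(int(o) for o in src.split(".")),
        bytes(int(o) for o in dst.split(".")),
    )
    return eth + ip + payload


def missing_ip_by_signature(events):
    """Counterpart of the thread's SQL: per signature, count events whose packet
    produced no IP header, keep the highest cid seen, and collect the decoder
    messages that explain the gap."""
    rows = {}
    for cid, sig_id, sig_name, pkt in events:
        addrs, err = decode_eth_ipv4(pkt)
        if addrs is not None:
            continue
        row = rows.setdefault(sig_id, {"sig_name": sig_name, "missing": 0,
                                       "max_cid": 0, "messages": set()})
        row["missing"] += 1
        row["max_cid"] = max(row["max_cid"], cid)
        row["messages"].add(err)
    return rows


# Constructed events: (cid, sig_id, sig_name, packet bytes). sig 1079 is the
# signature the poster named; 2003 is a made-up signature that decodes fine.
SAMPLE_EVENTS = [
    (100, 1079, "WEB-MISC WebDAV propfind access", build_frame(ETHERTYPE_IPV4, "10.0.0.5", "192.168.1.20")),
    (101, 1079, "WEB-MISC WebDAV propfind access", build_frame(0x1FAC, "10.0.0.5", "192.168.1.20")),
    (102, 1079, "WEB-MISC WebDAV propfind access", build_frame(0x000A, "10.0.0.5", "192.168.1.20")),
    (103, 2003, "constructed signature that decodes", build_frame(ETHERTYPE_IPV4, "10.0.0.6", "192.168.1.21")),
]


if __name__ == "__main__":
    for sig_id, row in missing_ip_by_signature(SAMPLE_EVENTS).items():
        print(f"sig {sig_id} ({row['sig_name']}): {row['missing']} events without IP data, "
              f"max cid {row['max_cid']}, decoder said {sorted(row['messages'])}")
```

Run on the constructed events, only signature 1079 appears, with two events lacking IP data and the two unknown-header messages beside it; the point is that a DB row with a NULL ip_src and a decoder complaint about the link-layer type are the same failure seen from two sides, which is worth checking against Barnyard's own output before treating the rule or the database as the problem.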
Current thread:
- log_unified: no IP data for some events Tomás Heredia (Jun 05)
- Re: log_unified: no IP data for some events Joel Esler (Jun 05)
- Re: log_unified: no IP data for some events Tomás Heredia (Jun 05)
- Re: log_unified: no IP data for some events Tomás Heredia (Jun 05)
- Re: log_unified: no IP data for some events Tomás Heredia (Jun 05)
- Re: log_unified: no IP data for some events Tomás Heredia (Jun 07)
- Re: log_unified: no IP data for some events Tomás Heredia (Jun 05)
- Re: log_unified: no IP data for some events Joel Esler (Jun 05)
