Re: inconsistent unified2 logging behavior observed with attached pcap

[Joel Esler <jesler () sourcefire com>]

Let me forward this on.

Thanks.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire


On Apr 11, 2012, at 9:23 PM, anantha narasimhan srinivasan <anantha.narasimhan () gmail com> wrote:

> Hi,
>
> I have already emailed bugs () snort org with this query. While I am
> waiting to hear back from the developers,  thought I might get some
> useful suggestions/workarounds (if any) from this list.
>
> When the attached pcap [1] is run through SNORT using this [2] command
> line,  we observe that the generated alert, for SID 20596 is only
> logged to the first unified2 output configured in snort.conf.  Even if
> there are multiple log_unified2 configured, the generated alert is
> logged only to the first one.  This behavior is reproducible with the
> attached pcap on all SNORT releases after 2.9.0.5.  Have used VRT
> 2.9.1 / 2.9.2 rulesets.  I tried removing the http_* keywords from the
> rule (# 20596 botnet-cnc.rules) and that seems to get the alerts
> logged to all the configured unified2 output files.
>
> Anyone observed this behavior before, If so, is there any workaround or fix ?
>
> I Have attached the following,
> etc/*.conf
> rules/*.rules
> Snort log
> We are compiling SNORT 2.9.2.2 from sources with the following
> configure options, and is run on an EL5 machine (2.6.18-194.32.1
> kernel, intel64, GCC-443).
>
>       ./configure
>       --prefix=%{_prefix} \
>       --bindir=%{_sbindir} \
>       --sysconfdir=%{_sysconfdir}/snort \
>       --without-mysql \
>       --without-postgresql \
>       --without-oracle \
>       --without-odbc \
>       --enable-sourcefire
>
> Please let me know if you need any further information.
>
> Thanks
>
> [1] obfuscated_20596.pcap [
> http://www.pcapr.net/view/anantha.narasimhan/2012/3/1/23/obfuscated_20596.pcap.html
> ]
> [2] /usr/sbin/snort-plain -r obfuscated.pcap -c
> esmagent/data/agent.1/var/snort/policy/etc/snort.conf -l
> /tmp/snort/log/  --dynamic-preprocessor-lib-dir
> /usr/lib64/snort_dynamicpreprocessor-lib-dir
> /usr/lib64/snort_dynamicpreprocessor --dynamic-engine-lib-dir
> /usr/lib64/snort_dynamicengine -A none
>
>
>
> --
> A
> <obfuscated_20596.pcap><snort.log><snort_config.tgz>------------------------------------------------------------------------------
> For Developers, A Lot Can Happen In A Second.
> Boundary is the first to Know...and Tell You.
> Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
> http://p.sf.net/sfu/Boundary-d2dvs2_______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!


------------------------------------------------------------------------------
For Developers, A Lot Can Happen In A Second.
Boundary is the first to Know...and Tell You.
Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
http://p.sf.net/sfu/Boundary-d2dvs2
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!