List: snort-users
Subject: [Snort-users] converting unified2 to pcap: 'ethertype Unknown'
From: Marcin Dulak <marcin.dulak () gmail ! com>
Date: 2016-12-15 14:51:29
Message-ID: CABJoABZFUGkWG4r2WrktUvPO_1sPowZuGTfZ6hdoKpsCXPObLg () mail ! gmail ! com
Hi,
I'm looking at converting unified2 logs into pcap, but this seems to result
in 'ethertype Unknown'.
What am I missing?
http://manual.snort.org/ says:
Packet logging includes a capture of the entire packet and is specified
with log_unified2. Likewise, alert logging will only log events and is
specified with alert_unified2. To include both logging styles in a single,
unified file, simply specify unified2.
snort # rpm -q snort
snort-2.9.8.3-1.el7.centos.x86_64
snort # snort --version 2>&1 | grep Version
o" )~ Version 2.9.8.3 GRE (Build 383)
snort # grep "^ output " /home/snort/conf/snort.conf
output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
output log_tcpdump: tcpdump.log
snort # grep "^config daq" /home/snort/conf/snort.conf
config daq: nfq
config daq_dir: /usr/lib64/daq
config daq_mode: inline
I run snort inline with nfq on the host to which I send http traffic:
snort # /usr/sbin/snort -d -D -u root -g root -c /home/snort/conf/snort.conf -l /home/snort/logs
I have just one rule:
alert tcp any any -> $HOME_NET any (msg:"alert tcp any any"; sid:10000002; rev:001;)
and send http to the sensor from another machine 10.255.2.100:
machine # curl 10.255.2.160
and then convert the resulting unified2 log into pcap.
There is no VLAN traffic, and 10.255.2.160 is on a subinterface of enp0s9 of the machine running snort.
snort # ethtool -k enp0s9 | grep ': on'
rx-vlan-filter: on [fixed]
snort # u2spewfoo /home/snort/logs/merged.log
(Event)
    sensor id: 0    event id: 1    event second: 1481812613    event microsecond: 105823
    sig id: 10000002    gen id: 1    revision: 1    classification: 0
    priority: 0    ip source: 10.255.2.100    ip destination: 10.255.2.160
    src port: 38600    dest port: 80    protocol: 6    impact_flag: 0    blocked: 0
    mpls label: 0    vland id: 0    policy id: 0

Packet
    sensor id: 0    event id: 1    event second: 1481812613
    packet second: 1481812613    packet microsecond: 105823
    linktype: 228    packet_length: 60
[ 0] 45 00 00 3C D8 DC 40 00 40 06 46 DE 0A FF 02 64 E..<..@.@.F....d
[ 16] 0A FF 02 A0 96 C8 00 50 A4 41 88 47 00 00 00 00 .......P.A.G....
[ 32] A0 02 72 10 96 64 00 00 02 04 05 B4 04 02 08 0A ..r..d..........
[ 48] 10 4D 50 9B 00 00 00 00 01 03 03 07 .MP.........
snort # tcpdump -nnX -r /home/snort/logs/tcpdump.log.1481810549
reading from file /home/snort/logs/tcpdump.log.1481810549, link-type RAW (Raw IP)
15:02:35.912256 IP 10.255.2.100.38594 > 10.255.2.160.80: Flags [S], seq 1388536122, win 29200, options [mss 1460,sackOK,TS val 271445254 ecr 0,nop,wscale 7], length 0
        0x0000:  4500 003c 8c3c 4000 4006 937e 0aff 0264  E..<.<@.@..~...d
        0x0010:  0aff 02a0 96c2 0050 52c3 613a 0000 0000  .......PR.a:....
        0x0020:  a002 7210 72aa 0000 0204 05b4 0402 080a  ..r.r...........
        0x0030:  102d ed06 0000 0000 0103 0307            .-..........
snort # u2boat /home/snort/logs/merged.log /home/snort/logs/merged.log.pcap
snort # tcpdump -nnX -r /home/snort/logs/merged.log.pcap
reading from file /home/snort/logs/merged.log.pcap, link-type EN10MB (Ethernet)
15:02:35.912256 40:00:40:06:93:7e > 45:00:00:3c:8c:3c, ethertype Unknown (0x0aff), length 60:
        0x0000:  0264 0aff 02a0 96c2 0050 52c3 613a 0000  .d.......PR.a:..
        0x0010:  0000 a002 7210 72aa 0000 0204 05b4 0402  ....r.r.........
        0x0020:  080a 102d ed06 0000 0000 0103 0307       ...-..........
Best regards,
Marcin
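Editor's note on the output above, with an added example that is not part of the original post nor Snort's own code. The two dumps already contain the diagnosis: u2spewfoo reports the packet record's linktype as 228 (DLT_IPV4, i.e. the data begins directly with the IPv4 header, which is what the nfq DAQ hands to Snort), while the pcap u2boat produced is labelled EN10MB. tcpdump therefore parses the first 14 bytes of the IP header as an Ethernet frame: 45:00:00:3c:8c:3c (version, header length, total length, IP id) becomes the destination MAC, 40:00:40:06:93:7e (flags/fragment offset, TTL, protocol, checksum) the source MAC, and 0a ff, the first two bytes of the source address 10.255.2.100, the "unknown ethertype". The converter below is an independent Python rewrite of the conversion step that copies each packet record's own linktype into the pcap file header instead of assuming Ethernet. It assumes the Serial Unified2 layout from Snort's unified2.h as I understand it (big-endian type/length record header; type 2 packet record with sensor_id, event_id, event_second, packet_second, packet_microsecond, linktype, packet_length, then the packet bytes; type 104 for the VLAN-flavoured event record that mpls_event_types/vlan_event_types produce). The sample input is constructed here from the 60-byte SYN and the event fields shown by u2spewfoo above; the type-104 field order is likewise an assumption and is only ever skipped by length.

```python
"""Convert a Snort unified2 file to pcap, carrying the packet record's own
linktype into the pcap file header instead of assuming Ethernet.
Added example; record layouts follow Snort 2.9's unified2.h as assumed here."""
import struct
import sys
from typing import Iterator, List, Tuple

UNIFIED2_PACKET = 2            # Serial Unified2 record type for packet records
UNIFIED2_IDS_EVENT_VLAN = 104  # event record type written with vlan_event_types (assumed)
LINKTYPE_ETHERNET = 1          # DLT_EN10MB: data starts with a 14-byte Ethernet header
LINKTYPE_IPV4 = 228            # DLT_IPV4: data starts with the IPv4 header (nfq DAQ)

RECORD_HDR = struct.Struct(">II")          # type, length; unified2 is big-endian
PACKET_HDR = struct.Struct(">7I")          # sensor_id, event_id, event_second,
                                           # packet_second, packet_microsecond,
                                           # linktype, packet_length
PCAP_FILE_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone,
                                           # sigfigs, snaplen, network (linktype)
PCAP_REC_HDR = struct.Struct("<IIII")      # ts_sec, ts_usec, incl_len, orig_len


def iter_records(blob: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (type, body) for each unified2 record; refuse truncated input."""
    off = 0
    while off + RECORD_HDR.size <= len(blob):
        rtype, rlen = RECORD_HDR.unpack_from(blob, off)
        off += RECORD_HDR.size
        body = blob[off:off + rlen]
        if len(body) != rlen:
            raise ValueError(f"truncated record of type {rtype} at offset {off}")
        yield rtype, body
        off += rlen


def packet_records(blob: bytes) -> List[Tuple[int, int, int, bytes]]:
    """Return (packet_second, packet_microsecond, linktype, data) for type-2 records."""
    out = []
    for rtype, body in iter_records(blob):
        if rtype != UNIFIED2_PACKET:
            continue  # event and extra-data records are skipped by their length field
        hdr = PACKET_HDR.unpack_from(body, 0)
        sec, usec, linktype, plen = hdr[3], hdr[4], hdr[5], hdr[6]
        data = body[PACKET_HDR.size:PACKET_HDR.size + plen]
        if len(data) != plen:
            raise ValueError("packet_length exceeds record length")
        out.append((sec, usec, linktype, data))
    return out


def unified2_to_pcap(blob: bytes) -> bytes:
    """Build a pcap whose link-layer type is the one the packet records declare."""
    pkts = packet_records(blob)
    if not pkts:
        raise ValueError("no packet records found; was log_unified2/unified2 configured?")
    linktype = pkts[0][2]
    parts = [PCAP_FILE_HDR.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)]
    for sec, usec, lt, data in pkts:
        if lt != linktype:  # a classic pcap file has exactly one linktype
            raise ValueError(f"mixed linktypes {linktype} and {lt}; split the input first")
        parts.append(PCAP_REC_HDR.pack(sec, usec, len(data), len(data)))
        parts.append(data)
    return b"".join(parts)


def pcap_linktype(pcap: bytes) -> int:
    """Read back the network field of a pcap file header."""
    return PCAP_FILE_HDR.unpack_from(pcap, 0)[6]


def as_misread_ethernet(data: bytes) -> Tuple[str, str, int]:
    """Show what a reader gets if it trusts an EN10MB header on raw-IP data."""
    def mac(b: bytes) -> str:
        return ":".join(f"{x:02x}" for x in b)
    return mac(data[0:6]), mac(data[6:12]), int.from_bytes(data[12:14], "big")


# Constructed sample: the 60-byte SYN shown by u2spewfoo in the post, wrapped in a
# type-104 event record and a type-2 packet record carrying linktype 228.
PACKET_DATA = bytes.fromhex(
    "4500003cd8dc4000400646de0aff0264"
    "0aff02a096c80050a441884700000000"
    "a002721096640000020405b40402080a"
    "104d509b0000000001030307"
)
_EVENT = struct.pack(">11I2H4BIHH", 0, 1, 1481812613, 105823, 10000002, 1, 1, 0, 0,
                     0x0AFF0264, 0x0AFF02A0, 38600, 80, 6, 0, 0, 0, 0, 0, 0)
_PACKET = PACKET_HDR.pack(0, 1, 1481812613, 1481812613, 105823, LINKTYPE_IPV4,
                          len(PACKET_DATA)) + PACKET_DATA
SAMPLE_UNIFIED2 = (RECORD_HDR.pack(UNIFIED2_IDS_EVENT_VLAN, len(_EVENT)) + _EVENT
                   + RECORD_HDR.pack(UNIFIED2_PACKET, len(_PACKET)) + _PACKET)

if __name__ == "__main__":
    src = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_UNIFIED2
    dst = sys.argv[2] if len(sys.argv) > 2 else "merged.log.pcap"
    pcap = unified2_to_pcap(src)
    with open(dst, "wb") as fh:
        fh.write(pcap)
    print(f"wrote {dst}: linktype {pcap_linktype(pcap)}, {len(packet_records(src))} packets")
```

Run as `python3 u2pcap.py /home/snort/logs/merged.log /home/snort/logs/merged.log.pcap`; tcpdump -r then reports the file as raw IPv4 and decodes the SYN as in the log_tcpdump output rather than as an unknown ethertype. as_misread_ethernet() on the sample packet returns the same 0x0aff "ethertype" the post's tcpdump line shows, which is the quickest way to confirm that the bytes themselves are intact and only the declared link type is wrong. A mixed set of linktypes in one file (for example a sensor with both an afpacket and an nfq DAQ) cannot be expressed in classic pcap, so the converter refuses it rather than silently relabelling.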