[Snort-users] Double logging in alert_fast

09-16-2005
Zultan

I know ASCII logging is bad, and that binary logging would be much better for this, but still, I need to do it. Also, according to the archives, this was an issue before 1.8.1.

While trying to grab entire TCP sessions with a hostile IP, it logs each packet twice after the 3-way handshake. Running 2.4 and testing from the command line with:

snort -d -i eth0 -l ./log -m 027 -y -c ./host-svr.rules

----------------
host-svr.rules is:
----------------

var HOME_NET [x.x.x.x/32]
var EXTERNAL_NET any
include ./class.config
output alert_fast: alert

var HOSTILE_SVRS [IPaddress/32]

alert tcp $HOME_NET any -> $HOSTILE_SVRS any (msg:"SYN to HOSTILE server"; flags:S;)
alert tcp $HOSTILE_SVRS any -> $HOME_NET any (msg:"SYN/ACK from HOSTILE server"; flags:SA;)
log tcp $HOSTILE_SVRS any <> $HOME_NET any (flow:established; tag:session,5000,packets;)

------------
ASCII log sample, note the timestamps
------------

[**] SYN to HOSTILE server [**]
09/16/05-12:46:04.475880 x.x.x.x:x -> x.x.x.x:x
TCP TTL:64 TOS:0x0 ID:43668 IpLen:20 DgmLen:60 DF
******S* Seq: 0x1C795A8 Ack: 0x0 Win: 0x16D0 TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 350830396 0 NOP WS: 2

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] SYN/ACK from HOSTILE server [**]
09/16/05-12:46:04.478810 x.x.x.x:x -> x.x.x.x:x
TCP TTL:61 TOS:0x0 ID:0 IpLen:20 DgmLen:60 DF
***A**S* Seq: 0x3A06EAD6 Ack: 0x1C795A9 Win: 0x16A0 TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 289010954 350830396 NOP
TCP Options => WS: 0

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/16/05-12:46:04.478868 x.x.x.x:x -> x.x.x.x:x
TCP TTL:64 TOS:0x0 ID:43670 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x1C795A9 Ack: 0x3A06EAD7 Win: 0x5B4 TcpLen: 32
TCP Options (3) => NOP NOP TS: 350830399 289010954

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] Tagged Packet [**]
09/16/05-12:46:04.482715 x.x.x.x:x -> x.x.x.x:x
TCP TTL:64 TOS:0x0 ID:43672 IpLen:20 DgmLen:172 DF
***AP*** Seq: 0x1C795A9 Ack: 0x3A06EAD7 Win: 0x5B4 TcpLen: 32
TCP Options (3) => NOP NOP TS: 350830403 289010954
16 03 01 00 73 01 00 00 6F 03 01 00 17 D1 64 08 ....s...o.....d.
F0 DC 67 77 A6 60 BD 1B 2B C6 70 73 01 7A A8 81 ..gw.`..+.ps.z..
CB 80 29 16 F4 06 E0 18 99 57 7B 20 6C 25 C2 3F ..)......W{ l%.?
C1 CA FE 1D 5B 6F CE D5 63 E2 12 63 0C F8 2F 92 ....[o..c..c../.
72 A3 F9 88 74 5A E3 AA D2 92 CB FE 00 28 00 39 r...tZ.......(.9
00 38 00 35 00 33 00 32 00 04 00 05 00 2F 00 16 .8.5.3.2...../..
00 13 FE FF 00 0A 00 15 00 12 FE FE 00 09 00 64 ...............d
00 62 00 03 00 06 01 00 .b......

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/16/05-12:46:04.482715 x.x.x.x:x -> x.x.x.x:x
TCP TTL:64 TOS:0x0 ID:43672 IpLen:20 DgmLen:172 DF
***AP*** Seq: 0x1C795A9 Ack: 0x3A06EAD7 Win: 0x5B4 TcpLen: 32
TCP Options (3) => NOP NOP TS: 350830403 289010954
16 03 01 00 73 01 00 00 6F 03 01 00 17 D1 64 08 ....s...o.....d.
F0 DC 67 77 A6 60 BD 1B 2B C6 70 73 01 7A A8 81 ..gw.`..+.ps.z..
CB 80 29 16 F4 06 E0 18 99 57 7B 20 6C 25 C2 3F ..)......W{ l%.?
C1 CA FE 1D 5B 6F CE D5 63 E2 12 63 0C F8 2F 92 ....[o..c..c../.
72 A3 F9 88 74 5A E3 AA D2 92 CB FE 00 28 00 39 r...tZ.......(.9
00 38 00 35 00 33 00 32 00 04 00 05 00 2F 00 16 .8.5.3.2...../..
00 13 FE FF 00 0A 00 15 00 12 FE FE 00 09 00 64 ...............d
00 62 00 03 00 06 01 00 .b......

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] Tagged Packet [**]
09/16/05-12:46:04.485052 x.x.x.x:x -> x.x.x.x:x
TCP TTL:61 TOS:0x0 ID:8156 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x3A06EAD7 Ack: 0x1C79621 Win: 0x16A0 TcpLen: 32
TCP Options (3) => NOP NOP TS: 289010955 350830403

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/16/05-12:46:04.485052 x.x.x.x:x -> x.x.x.x:x
TCP TTL:61 TOS:0x0 ID:8156 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x3A06EAD7 Ack: 0x1C79621 Win: 0x16A0 TcpLen: 32
TCP Options (3) => NOP NOP TS: 289010955 350830403

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] Tagged Packet [**]
09/16/05-12:46:04.485627 x.x.x.x:x -> x.x.x.x:x
TCP TTL:61 TOS:0x0 ID:8157 IpLen:20 DgmLen:190 DF
***AP*** Seq: 0x3A06EAD7 Ack: 0x1C79621 Win: 0x16A0 TcpLen: 32
TCP Options (3) => NOP NOP TS: 289010955 350830403
16 03 01 00 4A 02 00 00 46 03 01 43 2A 3F FC 5A ....J...F..C*?.Z
50 74 31 9F 8D F3 8F 57 9E 4D DD 62 A4 4C 5F 71 Pt1....W.M.b.L_q
9E B9 0A 4B FC 9B E2 A2 39 DE 7D 20 6C 25 C2 3F ...K....9.} l%.?
C1 CA FE 1D 5B 6F CE D5 63 E2 12 63 0C F8 2F 92 ....[o..c..c../.
72 A3 F9 88 74 5A E3 AA D2 92 CB FE 00 39 00 14 r...tZ.......9..
03 01 00 01 01 16 03 01 00 30 74 05 1B A4 A5 CC .........0t.....
E9 17 8A 4A B8 94 EE CC 82 28 90 07 16 44 B7 FE ...J.....(...D..
3C F0 72 48 48 89 AE EB D4 1A E0 C5 E5 2F F1 CE <.rHH......../..
BD F2 72 56 41 8E D1 94 CA E4 ..rVA.....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/16/05-12:46:04.485627 x.x.x.x:x -> x.x.x.x:x
TCP TTL:61 TOS:0x0 ID:8157 IpLen:20 DgmLen:190 DF
***AP*** Seq: 0x3A06EAD7 Ack: 0x1C79621 Win: 0x16A0 TcpLen: 32
TCP Options (3) => NOP NOP TS: 289010955 350830403
16 03 01 00 4A 02 00 00 46 03 01 43 2A 3F FC 5A ....J...F..C*?.Z
50 74 31 9F 8D F3 8F 57 9E 4D DD 62 A4 4C 5F 71 Pt1....W.M.b.L_q
9E B9 0A 4B FC 9B E2 A2 39 DE 7D 20 6C 25 C2 3F ...K....9.} l%.?
C1 CA FE 1D 5B 6F CE D5 63 E2 12 63 0C F8 2F 92 ....[o..c..c../.
72 A3 F9 88 74 5A E3 AA D2 92 CB FE 00 39 00 14 r...tZ.......9..
03 01 00 01 01 16 03 01 00 30 74 05 1B A4 A5 CC .........0t.....
E9 17 8A 4A B8 94 EE CC 82 28 90 07 16 44 B7 FE ...J.....(...D..
3C F0 72 48 48 89 AE EB D4 1A E0 C5 E5 2F F1 CE <.rHH......../..
BD F2 72 56 41 8E D1 94 CA E4 ..rVA.....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users
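The ASCII log format shown in the post, parsed mechanically, as an added example that is not part of the original post and not code from the Snort project: a small Python parser for Snort 2.x ASCII packet-log records that groups records by timestamp, endpoints, IP ID, sequence and acknowledgement numbers and reports those written more than once, so a capture like the one above can be checked for double logging without reading timestamps by eye. Since the second copy of each tagged packet in the post appears without its "[**] Tagged Packet [**]" header, the grouping key deliberately leaves the header text out. The embedded sample log is constructed to mirror the posted capture, with RFC 5737 placeholder addresses, the payload cut to the first 32 bytes of the posted ClientHello, and DgmLen and the server's Ack adjusted to stay consistent; each record is also checked for the dump's byte count matching DgmLen - IpLen - TcpLen.

```python
"""Parse Snort 2.x ASCII packet-log records (the format in the post above) and
report packets written twice.  Added example, not from the post or Snort."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

SEPARATOR = "=+" * 38  # the 76-character delimiter between records
TS_RE = re.compile(r"^(\S+) (\S+) -> (\S+)$")
IP_RE = re.compile(r"^TCP TTL:\d+ TOS:0x[0-9A-F]+ ID:(\d+) IpLen:(\d+) DgmLen:(\d+)")
TCP_RE = re.compile(r"^[*12UAPRSF]{8} Seq: 0x([0-9A-F]+) Ack: 0x([0-9A-F]+) Win: 0x[0-9A-F]+ TcpLen: (\d+)")


@dataclass
class Record:
    msg: Optional[str]   # text of the "[**] ... [**]" header, None if absent
    ts: str
    src: str             # "ip:port"
    dst: str
    ip_id: int
    seq: int
    ack: int
    expected_len: int    # DgmLen - IpLen - TcpLen
    payload: bytes

    def key(self) -> tuple:
        # Same timestamp, endpoints, IP ID, seq and ack: one packet, written twice.
        return (self.ts, self.src, self.dst, self.ip_id, self.seq, self.ack)

    def payload_consistent(self) -> bool:
        return len(self.payload) == self.expected_len


def parse_hex_line(line: str) -> bytes:
    # "XX" tokens are data until the first non-hex token (the ASCII column); a
    # line holds at most 16 bytes, so a full line never eats that column.
    out = bytearray()
    for tok in line.split()[:16]:
        if len(tok) == 2 and all(c in "0123456789ABCDEF" for c in tok):
            out.append(int(tok, 16))
        else:
            break
    return bytes(out)


def parse_records(text: str) -> list:
    records = []
    for chunk in text.split(SEPARATOR):
        msg = ts = ip = tcp = None
        payload = bytearray()
        for line in chunk.splitlines():
            line = line.strip()
            if not line or line.startswith("TCP Options"):
                continue
            if line.startswith("[**]"):
                msg = line[4:-4].strip()
            elif ts is None and TS_RE.match(line):
                ts = TS_RE.match(line)
            elif ip is None and IP_RE.match(line):
                ip = IP_RE.match(line)
            elif tcp is None and TCP_RE.match(line):
                tcp = TCP_RE.match(line)
            elif tcp is not None:  # everything after the flags line is hex dump
                payload += parse_hex_line(line)
        if ts and ip and tcp:
            records.append(Record(
                msg, ts[1], ts[2], ts[3], int(ip[1]), int(tcp[1], 16), int(tcp[2], 16),
                int(ip[3]) - int(ip[2]) - int(tcp[3]), bytes(payload)))
    return records


def find_duplicates(records: list) -> dict:
    groups = defaultdict(list)
    for r in records:
        groups[r.key()].append(r)
    return {k: v for k, v in groups.items() if len(v) > 1}


# Constructed records mirroring the posted capture (RFC 5737 addresses).  The
# payload is cut to the first 32 bytes of the posted ClientHello, so DgmLen and
# the server's Ack are adjusted.  As in the post, each tagged packet appears once
# under a "[**] Tagged Packet [**]" header and then again, verbatim, without it.
_ACK = """09/16/05-12:46:04.478868 192.0.2.10:45120 -> 198.51.100.7:443
TCP TTL:64 TOS:0x0 ID:43670 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x1C795A9 Ack: 0x3A06EAD7 Win: 0x5B4 TcpLen: 32
TCP Options (3) => NOP NOP TS: 350830399 289010954"""
_DATA = """09/16/05-12:46:04.482715 192.0.2.10:45120 -> 198.51.100.7:443
TCP TTL:64 TOS:0x0 ID:43672 IpLen:20 DgmLen:84 DF
***AP*** Seq: 0x1C795A9 Ack: 0x3A06EAD7 Win: 0x5B4 TcpLen: 32
TCP Options (3) => NOP NOP TS: 350830403 289010954
16 03 01 00 73 01 00 00 6F 03 01 00 17 D1 64 08 ....s...o.....d.
F0 DC 67 77 A6 60 BD 1B 2B C6 70 73 01 7A A8 81 ..gw.`..+.ps.z.."""
_SRVACK = """09/16/05-12:46:04.485052 198.51.100.7:443 -> 192.0.2.10:45120
TCP TTL:61 TOS:0x0 ID:8156 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x3A06EAD7 Ack: 0x1C795C9 Win: 0x16A0 TcpLen: 32
TCP Options (3) => NOP NOP TS: 289010955 350830403"""
SAMPLE_LOG = ("\n\n" + SEPARATOR + "\n\n").join([
    _ACK, "[**] Tagged Packet [**]\n" + _DATA, _DATA,
    "[**] Tagged Packet [**]\n" + _SRVACK, _SRVACK]) + "\n\n" + SEPARATOR + "\n"

if __name__ == "__main__":
    for key, group in find_duplicates(parse_records(SAMPLE_LOG)).items():
        print(f"{key[0]} {key[1]} -> {key[2]} id={key[3]} written {len(group)}x")
```

Run against a real ./log directory by reading the ASCII file into parse_records; the plain ACK in the sample is there to show that an ordinary, singly-logged record is not flagged, and payload_consistent() will also expose a dump that was truncated on disk.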