Two New Tools in Snort ~ SecurityCertified

No sooner do I get Snort 2.9.0.1 running than something breaks. However, thanks to Niels Horn I know a little more about two new tools included with Snort.

First is u2spewfoo, which reads Unified2 output files and outputs them as text.


[sguil@r200a /nsm/r200a]$ u2spewfoo snort.unified2.1289360307  | head -20

(Event)
 sensor id: 0 event id: 1 event second: 1289360859 event microsecond: 881345
 sig id: 2011032 gen id: 1 revision: 4  classification: 3
 priority: 2 ip source: 192.168.2.107 ip destination: 172.16.2.1
 src port: 44597 dest port: 3128 protocol: 6 impact_flag: 0 blocked: 0

Packet
 sensor id: 0 event id: 1 event second: 1289360859
 packet second: 1289360859 packet microsecond: 881345
 linktype: 1 packet_length: 1168
00 15 17 0B | 7D 4C 00 13 | 10 65 2F AC | 08 00 45 00 
04 82 C2 E3 | 40 00 3F 06 | 03 6E C0 A8 | 02 6B AC 10 
02 01 AE 35 | 0C 38 73 6F | 02 7F 12 37 | D9 A8 80 18 
03 EA 6D 85 | 00 00 01 01 | 08 0A 01 2A | 34 44 75 11 
33 8C 41 46 | 69 72 73 74 | 25 32 43 25 | 32 30 49 25 
32 30 74 65 | 73 74 65 64 | 25 32 30 6D | 79 25 32 30 
6F 6C 64 25 | 32 30 73 63 | 72 69 70 74 | 73 25 32 30 
6F 6E 25 32 | 30 46 72 65 | 65 42 53 44 | 25 32 30 37 
2E 78 25 32 | 43 25 32 30 | 61 6E 64 25 | 32 30 6E 6F

I guess that's good for troubleshooting. It feels a little like 1999!

The second tool is u2boat, which transforms the pcap data in a Unified2 output file into a normal pcap file.


[sguil@r200a /nsm/r200a]$ u2boat snort.unified2.1289360307        
Usage: u2boat [-t type]  
[sguil@r200a /nsm/r200a]$ u2boat snort.unified2.1289360307 snort.unified2.1289360307.pcap
Defaulting to pcap output.
[sguil@r200a /nsm/r200a]$ file snort.unified2.1289360307.pcap
snort.unified2.1289360307.pcap: tcpdump capture file (little-endian)
 - version 2.4 (Ethernet, capture length 65535)
[sguil@r200a /nsm/r200a]$ tcpdump -n -r snort.unified2.1289360307.pcap
reading from file snort.unified2.1289360307.pcap, link-type EN10MB (Ethernet)
22:47:39.881345 IP 192.168.2.107.44597 > 172.16.2.1.3128: Flags [P.],
 ack 305650088, win 1002, options [nop,nop,TS val 19543108 ecr 1964061580], length 1102

So those are great, but fortunately unless I fix Barnyard2 or a fix is committed, Barnyard2 is going to die when it encounters record types from Snort that Barnyard2 doesn't recognize, e.g.:


r200a# barnyard2 -U -d /nsm/r200a -f snort.unified2 -c /usr/local/etc/nsm/barnyard2.conf
Running in Continuous mode

        --== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/usr/local/etc/nsm/barnyard2.conf"
Log directory = /var/log/barnyard2
sguil:  sensor name = r200a
sguil:  agent port =  7735
sguil:  Connected to localhost on 7735.

        --== Initialization Complete ==--

  ______   -*> Barnyard2 <*-
 / ,,_  \  Version 2.1.8 (Build 251)
 |o"  )~|  By the SecurixLive.com Team: http://www.securixlive.com/about.php
 + '''' +  (C) Copyright 2008-2010 SecurixLive.

           Snort by Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2007 Sourcefire Inc., et al.

Using waldo file '/nsm/r200a/waldo':
    spool directory = /nsm/r200a
    spool filebase  = snort.unified2
    time_stamp      = 1289360307
    record_idx      = 4
Opened spool file '/nsm/r200a/snort.unified2.1289360307'
ERROR: Unknown record type read: 110
Fatal Error, Quitting..

The good news is the alerts will continue to be logged to disk, and can be processed once Barnyard2 can read them.

SecurityCertified

Tuesday, November 9, 2010

Two New Tools in Snort

0 comments:

Post a Comment

Popular Posts

Categories

Blog Archive

About Me