As it turns out, I'm using a somewhat older version of Snort (v2.43) because it
was the only version I could get to compile with the SnortSam plugin. I have
Snort logging alerts in the alert_fast format. (Actually, I have Snort logging
in unified format with Barnyard converting that to alert_fast format.) For
testing purposes, I created a Snort rule to trigger an alert on any web
traffic. The problem occurs with all Snort alerts, not just the ones generated
by my test rule. Here is the Snort rule, if it matters:
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"TEST RULE";)
Here is a sample of alerts generated by this rule in /var/log/snort/fast.alert:
------------------------------------------------------------------------
11/13/06-15:20:32.299936 {TCP} 216.129.113.10:80 -> 10.11.10.26:12955
[**] [1:0:0] Snort Alert [1:0:0] [**]
[Classification: Unknown] [Priority: 0]
------------------------------------------------------------------------
11/13/06-15:20:32.404891 {TCP} 216.129.113.10:80 -> 10.11.10.26:12955
[**] [1:0:0] Snort Alert [1:0:0] [**]
[Classification: Unknown] [Priority: 0]
------------------------------------------------------------------------
11/13/06-15:20:49.128265 {TCP} 216.129.113.10:80 -> 10.11.10.26:12955
[**] [1:0:0] Snort Alert [1:0:0] [**]
[Classification: Unknown] [Priority: 0]
------------------------------------------------------------------------
11/13/06-15:20:49.243513 {TCP} 216.129.113.10:80 -> 10.11.10.26:12955
[**] [1:0:0] Snort Alert [1:0:0] [**]
[Classification: Unknown] [Priority: 0]
------------------------------------------------------------------------
11/13/06-15:20:49.337367 {TCP} 216.129.113.10:80 -> 10.11.10.26:12955
[**] [1:0:0] Snort Alert [1:0:0] [**]
[Classification: Unknown] [Priority: 0]
------------------------------------------------------------------------
And, finally, here are the alerts from OSSEC for the same 5 alerts shown above:
-----START OSSEC ALERTS-----
** Alert 1163452850.18292:
2006 Nov 13 15:20:50 infosec2->/var/log/snort/fast.alert
Rule: 20101 (level 6) -> 'IDS event.'
Src IP: (none)
User: (none)
[**] [1:0:0] Snort Alert [1:0:0] [**]
** Alert 1163452850.18481:
2006 Nov 13 15:20:50 infosec2->/var/log/snort/fast.alert
Rule: 20101 (level 6) -> 'IDS event.'
Src IP: (none)
User: (none)
[**] [1:0:0] Snort Alert [1:0:0] [**]
** Alert 1163452854.18670:
2006 Nov 13 15:20:54 infosec2->/var/log/snort/fast.alert
Rule: 20101 (level 6) -> 'IDS event.'
Src IP: (none)
User: (none)
[**] [1:0:0] Snort Alert [1:0:0] [**]
** Alert 1163452854.18859:
2006 Nov 13 15:20:54 infosec2->/var/log/snort/fast.alert
Rule: 20101 (level 6) -> 'IDS event.'
Src IP: (none)
User: (none)
[**] [1:0:0] Snort Alert [1:0:0] [**]
** Alert 1163452854.19048:
2006 Nov 13 15:20:54 infosec2->/var/log/snort/fast.alert
Rule: 20101 (level 6) -> 'IDS event.'
Src IP: (none)
User: (none)
[**] [1:0:0] Snort Alert [1:0:0] [**]
-----END OSSEC ALERTS-----
Also, it looks as though the Snort decoder is supposed to be grabbing the
destination IP too. Is that true? If that is the case, will that information
automatically be included in the alerts.log?
Thanks in advance for any help anyone cares to provide.
Kurt
perl -e "($_='tjgvlvsuAzbipp/dpn')=~s/(.)/chr(ord($1)-1)/ge;print"
-----
Society doesn't understand me and technology fears me.
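An added example, not part of the thread or of OSSEC's decoder: a small Python parser for alert_fast text that handles both the multi-line layout in the sample above (timestamp and IP line first, then the `[**]` line) and Snort's native one-line layout, so the source and destination IPs land in the same record as the signature. The `src_ip_of_line` helper shows what a decoder that only looks at one line at a time can recover from the `[**]` line alone. All sample lines are constructed from the post's own alerts.

```python
from __future__ import annotations
import re
# Constructed sample in the multi-line layout shown in the post above.
SAMPLE_MULTILINE = """\
11/13/06-15:20:32.299936 {TCP} 216.129.113.10:80 -> 10.11.10.26:12955
[**] [1:0:0] Snort Alert [1:0:0] [**]
[Classification: Unknown] [Priority: 0]
------------------------------------------------------------------------
11/13/06-15:20:32.404891 {TCP} 216.129.113.10:80 -> 10.11.10.26:12955
[**] [1:0:0] Snort Alert [1:0:0] [**]
[Classification: Unknown] [Priority: 0]
"""
# Constructed sample in Snort's native one-line alert_fast layout.
SAMPLE_ONELINE = ("11/13/06-15:20:49.128265 [**] [1:0:0] TEST RULE [**] "
                  "[Classification: Unknown] [Priority: 0] {TCP} "
                  "216.129.113.10:80 -> 10.11.10.26:12955")
TS_RE = re.compile(r"^(\d\d/\d\d(?:/\d\d)?-\d\d:\d\d:\d\d\.\d+)")
HDR_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]")
PRIO_RE = re.compile(r"\[Priority: (\d+)\]")
ADDR_RE = re.compile(r"\{(\w+)\} (\S+?)(?::(\d+))? -> (\S+?)(?::(\d+))?$")

def src_ip_of_line(line: str) -> str | None:
    # What a strictly line-at-a-time decoder can recover from one line.
    m = ADDR_RE.search(line)
    return m.group(2) if m else None

def parse_alert_fast(text: str) -> list[dict]:
    """Group alert_fast lines into alerts; works for both layouts above."""
    alerts: list[dict] = []
    cur: dict | None = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("----"):
            continue                      # blank line or record separator
        if ts := TS_RE.match(line):       # a timestamp opens a new alert
            if cur:
                alerts.append(cur)
            cur = {"ts": ts.group(1), "src_ip": None, "dst_ip": None}
        if cur is None:
            continue                      # continuation with no open alert
        if m := HDR_RE.search(line):
            cur.update(gid=int(m[1]), sid=int(m[2]), rev=int(m[3]), msg=m[4])
        if m := PRIO_RE.search(line):
            cur["priority"] = int(m[1])
        if m := ADDR_RE.search(line):     # ports are absent for e.g. ICMP
            cur.update(proto=m[1], src_ip=m[2], dst_ip=m[4],
                       src_port=int(m[3]) if m[3] else None,
                       dst_port=int(m[5]) if m[5] else None)
    if cur:
        alerts.append(cur)
    return alerts
```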
----- Original Message ----
From: Daniel Cid <[EMAIL PROTECTED]>
To: [email protected]
Cc: Kurt <[EMAIL PROTECTED]>
Sent: Sunday, November 12, 2006 11:06:45 PM
Subject: [ossec-list] Re: Snort Decoder
Hi Kurt,
It can be a problem in the decoder or somewhere else (maybe the latest version of
snort has a different alert format? I never tried snort 2.6). Can you show us the
full alert (including the snort log) that is not picking up the source ip?
thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 11/10/06, Kurt <[EMAIL PROTECTED]> wrote:
>
> Does anyone have any ideas why the Snort decoder doesn't seem to be picking
> up the source IP address? In the alerts.log, it shows "Src IP: (None)". Could
> it be a problem with the regular expression in the decoder.xml file?
>
> Thanks for your help.
>
> Kurt