Two New Tools in Snort

No sooner do I get Snort 2.9.0.1 running than something breaks. However, thanks to Niels Horn I know a little more about two new tools included with Snort.

First is u2spewfoo, which reads Unified2 output files and outputs them as text.

[sguil@r200a /nsm/r200a]$ u2spewfoo snort.unified2.1289360307 | head -20

(Event)
sensor id: 0 event id: 1 event second: 1289360859 event microsecond: 881345
sig id: 2011032 gen id: 1 revision: 4 classification: 3
priority: 2 ip source: 192.168.2.107 ip destination: 172.16.2.1
src port: 44597 dest port: 3128 protocol: 6 impact_flag: 0 blocked: 0

Packet
sensor id: 0 event id: 1 event second: 1289360859
packet second: 1289360859 packet microsecond: 881345
linktype: 1 packet_length: 1168
00 15 17 0B | 7D 4C 00 13 | 10 65 2F AC | 08 00 45 00
04 82 C2 E3 | 40 00 3F 06 | 03 6E C0 A8 | 02 6B AC 10
02 01 AE 35 | 0C 38 73 6F | 02 7F 12 37 | D9 A8 80 18
03 EA 6D 85 | 00 00 01 01 | 08 0A 01 2A | 34 44 75 11
33 8C 41 46 | 69 72 73 74 | 25 32 43 25 | 32 30 49 25
32 30 74 65 | 73 74 65 64 | 25 32 30 6D | 79 25 32 30
6F 6C 64 25 | 32 30 73 63 | 72 69 70 74 | 73 25 32 30
6F 6E 25 32 | 30 46 72 65 | 65 42 53 44 | 25 32 30 37
2E 78 25 32 | 43 25 32 30 | 61 6E 64 25 | 32 30 6E 6F

I guess that's good for troubleshooting. It feels a little like 1999!

The second tool is u2boat, which transforms the pcap data in a Unified2 output file into a normal pcap file.

[sguil@r200a /nsm/r200a]$ u2boat snort.unified2.1289360307
Usage: u2boat [-t type]
[sguil@r200a /nsm/r200a]$ u2boat snort.unified2.1289360307 snort.unified2.1289360307.pcap
Defaulting to pcap output.
[sguil@r200a /nsm/r200a]$ file snort.unified2.1289360307.pcap
snort.unified2.1289360307.pcap: tcpdump capture file (little-endian)
- version 2.4 (Ethernet, capture length 65535)
[sguil@r200a /nsm/r200a]$ tcpdump -n -r snort.unified2.1289360307.pcap
reading from file snort.unified2.1289360307.pcap, link-type EN10MB (Ethernet)
22:47:39.881345 IP 192.168.2.107.44597 > 172.16.2.1.3128: Flags [P.],
ack 305650088, win 1002, options [nop,nop,TS val 19543108 ecr 1964061580], length 1102

So those are great, but fortunately unless I fix Barnyard2 or a fix is committed, Barnyard2 is going to die when it encounters record types from Snort that Barnyard2 doesn't recognize, e.g.:

r200a# barnyard2 -U -d /nsm/r200a -f snort.unified2 -c /usr/local/etc/nsm/barnyard2.conf
Running in Continuous mode

--== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/usr/local/etc/nsm/barnyard2.conf"
Log directory = /var/log/barnyard2
sguil: sensor name = r200a
sguil: agent port = 7735
sguil: Connected to localhost on 7735.

--== Initialization Complete ==--

______ -*> Barnyard2 <*-
/ ,,_ \ Version 2.1.8 (Build 251)
|o" )~| By the SecurixLive.com Team: http://www.securixlive.com/about.php
+ '''' + (C) Copyright 2008-2010 SecurixLive.

Snort by Martin Roesch & The Snort Team: http://www.snort.org/team.html
(C) Copyright 1998-2007 Sourcefire Inc., et al.

Using waldo file '/nsm/r200a/waldo':
spool directory = /nsm/r200a
spool filebase = snort.unified2
time_stamp = 1289360307
record_idx = 4
Opened spool file '/nsm/r200a/snort.unified2.1289360307'
ERROR: Unknown record type read: 110
Fatal Error, Quitting..

The good news is the alerts will continue to be logged to disk, and can be processed once Barnyard2 can read them.

Comments

Martin said…
For the adventurous, there is also Sourcefire's very own Jason Brevenik's Perl module for reading Unified2: http://www.snort.org/users/jbrvenik/Site/Blog/Entries/2007/10/21_Merry_Christmas_%28or_whatever_you_like%29.html . I've used it to craft my own drop-in replacement for barnyard with the flexibility and power of Perl.

Popular posts from this blog

Zeek in Action Videos

New Book! The Best of TaoSecurity Blog, Volume 4

MITRE ATT&CK Tactics Are Not Tactics