ParserFormattedSnort error

jferrero

edited August 2012 in AlienVault USM Appliance > Sensor
Hello,

I am deploying Ossim v4 and I am having some trouble with the Snort parser. From time to time the agent stops sending Snort events due to this error:

2012-08-03 14:44:46,796 ParserFormattedSnort [ERROR]: Unknown record type: 2015482

I analyzed unified2 with u2spewfoo and that packet is correctly logged by Snort:

(Event)
        sensor id: 0    event id: 52147 event second: 1343997885        event microsecond: 296475
        sig id: 2015482 gen id: 1       revision: 1      classification: 21
        priority: 1     ip source: xxx.xxx.xxx.xxx      ip destination: yyy.yyy.yyy.yyy
        src port: 15633 dest port: 16464        protocol: 17    impact_flag: 0  blocked: 0

Packet
        sensor id: 0    event id: 52147 event second: 1343997885
        packet second: 1343997885       packet microsecond: 296475
        linktype: 1     packet_length: 60
[    0] 00 90 69 71 C6 9D 00 08 E3 FF FC 04 08 00 45 00  ..iq..........E.
[   16] 00 2C 57 CA 00 00 7C 11 36 91 C1 92 7B E2 73 F2  .,W...|.6...{.s.
[   32] FE FE 3D 11 40 50 00 18 AC A5 B0 50 68 E3 28 94  ..=.@P.....Ph.(.
[   48] 8D AB C9 C0 D1 99 4D C3 6C BF 00 00              ......M.l...

When this error occurs, the snort parser stops sending events although ossim-agent continues running.

Thanks,
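
An added example, not part of the original post and not ossim-agent code: a minimal walker over unified2 record headers (8 bytes, big-endian type and length) that reports the offset of the first record whose type is not a known one, which is the check to run on the spool file at the point where the error appears. The sample stream is constructed from the field values in the u2spewfoo output above (addresses zeroed, payload zero-filled) and the function names are hypothetical; the second call only illustrates how a reader that starts 24 bytes late would report a signature id as a record type.

```python
import struct

# Record types defined by Snort's unified2 format (type -> name).
KNOWN_TYPES = {2: "PACKET", 7: "IDS_EVENT", 72: "IDS_EVENT_IPV6",
               104: "IDS_EVENT_VLAN", 105: "IDS_EVENT_IPV6_VLAN", 110: "EXTRA_DATA"}
HEADER = struct.Struct(">II")  # record type, record length (big-endian)

def walk_records(buf, start=0):
    """Return (records, problem). records is a list of (offset, type, length);
    problem is None or a string saying where the framing broke."""
    records, off = [], start
    while off < len(buf):
        if len(buf) - off < HEADER.size:
            return records, "truncated header at offset %d" % off
        rtype, rlen = HEADER.unpack_from(buf, off)
        if rtype not in KNOWN_TYPES:
            return records, "unknown record type %d at offset %d" % (rtype, off)
        if off + HEADER.size + rlen > len(buf):
            return records, "record at offset %d overruns the buffer" % off
        records.append((off, rtype, rlen))
        off += HEADER.size + rlen
    return records, None

def sample_stream():
    """Constructed sample: one type-7 event followed by one type-2 packet record."""
    event = struct.pack(">11I2H4B",
                        0, 52147, 1343997885, 296475,  # sensor, event id, sec, usec
                        2015482, 1, 1, 21, 1, 0, 0,    # sig, gen, rev, class, prio, src, dst
                        15633, 16464, 17, 0, 0, 0)     # ports, proto, impact_flag, impact, blocked
    payload = bytes(60)                                # placeholder for the 60-byte frame
    packet = struct.pack(">7I", 0, 52147, 1343997885,  # sensor, event id, event sec
                         1343997885, 296475, 1, 60) + payload  # pkt sec, usec, linktype, len
    return HEADER.pack(7, len(event)) + event + HEADER.pack(2, len(packet)) + packet

if __name__ == "__main__":
    data = sample_stream()
    print(walk_records(data))            # aligned start: both records are framed correctly
    print(walk_records(data, start=24))  # misaligned start: the sig id lands in the type field
```

To run it against a real spool file, pass the file's bytes to `walk_records` and compare the reported offset with the last event the agent forwarded.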

This discussion has been closed.