[Snort-devel] Re: [Snort-users] Barnyard and ACID question

roel at ...60...
Mon Nov 5 16:13:27 EST 2001


Looks like a byteswap somewhere; guessing an ntohs()/htons() is missing somewhere.

80 -> 0x50
20480 -> 0x5000

57561 -> 0xe0d9
55776 -> 0xd9e0

Out of curiosity, what platform are you running this on? (I'm guessing this only occurs
on either big-endian or little-endian machines, but not both.)


PS. Apologies for the cross post to snort-devel, but I think that's where
the people are that need to know.

> I'm noticing some problems with barnyard and the mysql output plugin.  
> After some correlation, here's the real headers for the event (from the
> barnyard log output plugin)
> [**] [1:1002:1] WEB-IIS cmd.exe access [**]
> [Classification: Attempted User Privilege Gain] [Priority: 8]
> Event ID: 692     Event Reference: 0
> 11/03/01-11:34:37.020121 a.b.c.130:55776 -> x.y.z.64:80
> TCP TTL:50 TOS:0x0 ID:37849 IpLen:20 DgmLen:208 DF
> ***AP*** Seq: 0x6CA76E65  Ack: 0x636CB06B  Win: 0x2238  TcpLen: 32
> For some reason, when using the mysql output plugin in barnyard, the source
> port is being munged from the correct 55776 to 57561, and the destination
> port from 80 to 20480.  I've confirmed that this is the data that is being
> inserted into mysql (as opposed to it being an ACID display problem).
> This is consistent across all alerts being inserted into mysql (as far as I
> can tell).
> Is this a known bug?
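The byte-swap diagnosis above can be checked mechanically. The following C program is an added example written for this page; it is not Barnyard's or Snort's code and does not reproduce the unified-log or MySQL plugin internals. The functions `decode_port_correct`, `decode_port_missing_ntohs` and `count_byteswapped`, and the small table of log-vs-database port pairs, are constructed here to show how a missing ntohs() turns 80 into 20480 and 55776 into 57561 on a little-endian host, and how an operator can confirm that stored values are exactly the byte-swapped form of the logged ones.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <arpa/inet.h>

/* Swap the two bytes of a 16-bit value, independent of host endianness. */
static uint16_t swap16(uint16_t v)
{
    return (uint16_t)(((v & 0x00ffu) << 8) | ((v & 0xff00u) >> 8));
}

/* 1 if the observed value is exactly the byte-swapped form of the expected one. */
static int looks_byteswapped(uint16_t expected, uint16_t observed)
{
    return observed == swap16(expected);
}

/* 1 on a little-endian host (x86 and friends), 0 on big-endian. */
static int host_is_little_endian(void)
{
    uint16_t probe = 0x0001;
    return *(const uint8_t *)&probe == 0x01;
}

/* A port as it sits in a captured packet header: network byte order. */
static uint16_t port_on_wire(uint16_t host_port)
{
    return htons(host_port);
}

/* Correct decode: convert network order to host order before storing it. */
static uint16_t decode_port_correct(uint16_t wire)
{
    return ntohs(wire);
}

/* Hypothetical buggy decode: the two bytes are copied straight into a host
 * integer with no ntohs(). On a little-endian host this yields the swapped
 * value (80 -> 20480); on a big-endian host it happens to be correct, which
 * is why such a bug shows up on one platform family but not the other. */
static uint16_t decode_port_missing_ntohs(uint16_t wire)
{
    return wire;
}

/* One row of the comparison an operator would build: the port printed by the
 * log output plugin versus the port found in the database for the same event. */
struct port_pair {
    uint16_t from_log;
    uint16_t from_db;
};

/* Count how many rows disagree by exactly a byte swap. A count equal to the
 * number of mismatching rows points at a missing ntohs()/htons() rather than
 * at corrupted or unrelated data. */
static size_t count_byteswapped(const struct port_pair *rows, size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) {
        if (rows[i].from_log != rows[i].from_db &&
            looks_byteswapped(rows[i].from_log, rows[i].from_db))
            hits++;
    }
    return hits;
}

/* Constructed sample: the two pairs from the report plus one port that was
 * stored correctly (a symmetric value like 443 is not affected in this table). */
static const struct port_pair sample_rows[] = {
    { 55776, 57561 },   /* 0xd9e0 -> 0xe0d9 */
    {    80, 20480 },   /* 0x0050 -> 0x5000 */
    {   443,   443 },   /* stored correctly */
};
static const size_t sample_rows_len = sizeof sample_rows / sizeof sample_rows[0];

int main(void)
{
    printf("host is %s-endian\n", host_is_little_endian() ? "little" : "big");
    for (size_t i = 0; i < sample_rows_len; i++) {
        const struct port_pair *p = &sample_rows[i];
        printf("log %5u (0x%04x)  db %5u (0x%04x)  %s\n",
               p->from_log, p->from_log, p->from_db, p->from_db,
               looks_byteswapped(p->from_log, p->from_db) ? "BYTESWAPPED" : "ok");
    }
    printf("rows that are exactly byte-swapped: %zu of %zu\n",
           count_byteswapped(sample_rows, sample_rows_len), sample_rows_len);
    printf("correct decode of 80: %u, decode without ntohs(): %u\n",
           decode_port_correct(port_on_wire(80)),
           decode_port_missing_ntohs(port_on_wire(80)));
    return 0;
}
```

The useful check is the last one: if every disagreeing row satisfies `looks_byteswapped`, the database content is not random corruption but a deterministic byte-order error in whichever code path writes ports, and the fix is a single ntohs() at that point rather than anything on the ACID side.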
