[Snort-devel] snort-1.9.0b6 and barnyard discrepancies

Andreas Hasenack andreas at ...836...
Thu Aug 22 12:58:03 EDT 2002


I have a tcpdump file generated by snort 1.9.0b6 with a network
trace that is different from what got inserted in the mysql
database. Quite different.

from the sql database:
590 : 6C 74 3D 22 43 6F 6D 70 72 65 20 31 20 27 50 6C   lt="Compre 1 'Pl
5a0 : 61 63 61 20 56 69 64 65 6F 20 56 47 41 20 2D 20   aca Video VGA - 
5b0 : 52 69 76 61 20 54 4E 54 32 20 4D 36 34 20 2D 33   Riva TNT2 M64 -3
5c0 : 32 4D 42 20 54 56 27 0D 0A 61 67 6F 72 61 22 0D   2MB TV'..agora".
5d0 : 0A 73 72 63 3D 22 0C EB 0C EB 0C EB 0C EB 0C EB   .src="..........
5e0 : 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB   ................
5f0 : 0C EB 0C 5D 22 3B 20 66 69 6C 65 6E 61 6D 65 3D   ...]"; filename=
600 : 22 61 22 0D 0A 0D 0A 2D 2D 68 15 0D 0A 43 6F 6E   "a"....--h...Con
610 : 74 65 6E 74 2D 44 69 73 70 6F 73 69 74 69 6F 6E   tent-Disposition
620 : 3A 20 66 6F 72 6D 2D 64 61 74 61 3B 20 6E 61 6D   : form-data; nam
630 : 65 3D 22 61 22 0D 0A 2E 0A 0D 20 EB 0C EB 0C EB   e="a"..... .....
640 : 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB   ................
650 : 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB   ................
660 : 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB   ................
670 : 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB   ................
(...) (much more)

from the tcpdump file:
0x0560   0a20 2020 2020 2020 2020 2020 203c 696d        .............<im
0x0570   6720 7469 746c 653d 2220 436f 6d70 7265        g.title=".Compre
0x0580   2031 2027 506c 6163 6120 5669 6465 6f20        .1.'Placa.Video.
0x0590   5647 4120 2d20 5269 7661 2054 4e54 3220        VGA.-.Riva.TNT2.
0x05a0   4d36 3420 2d33 324d 420d 0a54 5627 2061        M64.-32MB..TV'.a
0x05b0   676f 7261 2022 2061 6c74 3d22 436f 6d70        gora.".alt="Comp
0x05c0   7265 2031 2027 506c 6163 6120 5669 6465        re.1.'Placa.Vide
0x05d0   6f20 5647 4120 2d20 5269 7661                  o.VGA.-.Riva

(sure, the indexes "590" won't match, acid shows the payload only while
tcpdump is counting the headers as well)

It stops here. There seems to be some overlapping going on.
Furthermore, what triggered the alert were the EB0C sequences
("SHELLCODE x86 EB OC NOOP" signature), so, at some point, snort
really saw this and triggered the alert, even though the data in the
tcpdump file does not have it.

To insert this data into mysql I used barnyard rc2. I'll try to generate
another pcap file from the unified plugin output, with barnyard, and see
what I get.

It's weird.
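The two dumps above can be checked against each other mechanically. The following Python script is an added example, not part of the original post and not code from Snort, ACID or barnyard: it parses both dump formats (the ACID "590 : 6C 74 ..." layout and the tcpdump -X "0x0560   0a20 ..." layout), locates the longest run of bytes the two have in common, reports where that run starts in each dump, and counts the EB 0C pairs that the "SHELLCODE x86 EB OC NOOP" signature matches on. The embedded data is copied from the post (the ACID dump trimmed to its first eight lines); the function and variable names are the example's own.

```python
import re
from typing import Dict, Tuple

# Both dumps are copied from the post: the ACID view of the payload barnyard
# stored in MySQL (first eight lines) and the tcpdump -X view of the captured
# frame. Their offsets differ because tcpdump also counts the packet headers.
ACID_DUMP = """\
590 : 6C 74 3D 22 43 6F 6D 70 72 65 20 31 20 27 50 6C   lt="Compre 1 'Pl
5a0 : 61 63 61 20 56 69 64 65 6F 20 56 47 41 20 2D 20   aca Video VGA -
5b0 : 52 69 76 61 20 54 4E 54 32 20 4D 36 34 20 2D 33   Riva TNT2 M64 -3
5c0 : 32 4D 42 20 54 56 27 0D 0A 61 67 6F 72 61 22 0D   2MB TV'..agora".
5d0 : 0A 73 72 63 3D 22 0C EB 0C EB 0C EB 0C EB 0C EB   .src="..........
5e0 : 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB   ................
5f0 : 0C EB 0C 5D 22 3B 20 66 69 6C 65 6E 61 6D 65 3D   ...]"; filename=
600 : 22 61 22 0D 0A 0D 0A 2D 2D 68 15 0D 0A 43 6F 6E   "a"....--h...Con
"""
TCPDUMP_DUMP = """\
0x0560   0a20 2020 2020 2020 2020 2020 203c 696d        .............<im
0x0570   6720 7469 746c 653d 2220 436f 6d70 7265        g.title=".Compre
0x0580   2031 2027 506c 6163 6120 5669 6465 6f20        .1.'Placa.Video.
0x0590   5647 4120 2d20 5269 7661 2054 4e54 3220        VGA.-.Riva.TNT2.
0x05a0   4d36 3420 2d33 324d 420d 0a54 5627 2061        M64.-32MB..TV'.a
0x05b0   676f 7261 2022 2061 6c74 3d22 436f 6d70        gora.".alt="Comp
0x05c0   7265 2031 2027 506c 6163 6120 5669 6465        re.1.'Placa.Vide
0x05d0   6f20 5647 4120 2d20 5269 7661                  o.VGA.-.Riva
"""

# Byte pair the "SHELLCODE x86 EB OC NOOP" signature looks for.
NOOP_PAIR = b"\xeb\x0c"

# Matches both "590 : 6C 74 ..." (ACID) and "0x0560   0a20 ..." (tcpdump -X).
LINE_RE = re.compile(r"^\s*(?:0x)?([0-9A-Fa-f]+)\s*:?\s+(.*)$")


def parse_hexdump(text: str) -> Tuple[int, bytes]:
    """Return (offset of the first byte, contiguous bytes) for either dump format.

    In both formats the hex column is separated from the ASCII column by two or
    more spaces, so everything before the first such gap is read as hex. A gap
    between consecutive lines raises ValueError instead of silently joining
    non-adjacent data.
    """
    start = None
    expected = None
    out = bytearray()
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised dump line: {line!r}")
        offset = int(m.group(1), 16)
        hex_column = re.split(r"\s{2,}", m.group(2).strip(), maxsplit=1)[0]
        chunk = bytes.fromhex(hex_column.replace(" ", ""))
        if start is None:
            start = offset
        elif offset != expected:
            raise ValueError(f"gap in dump: expected 0x{expected:x}, got 0x{offset:x}")
        out += chunk
        expected = offset + len(chunk)
    if start is None:
        raise ValueError("empty dump")
    return start, bytes(out)


def longest_common_run(a: bytes, b: bytes) -> Tuple[int, int, int]:
    """Return (start in a, start in b, length) of the longest byte run shared by a and b."""
    best = (0, 0, 0)
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best[2]:
                    best = (i - cur[j], j - cur[j], cur[j])
        prev = cur
    return best


def compare_dumps(db_text: str, pcap_text: str) -> Dict[str, object]:
    """Align the database payload dump with the captured frame dump."""
    db_off, db = parse_hexdump(db_text)
    pc_off, pc = parse_hexdump(pcap_text)
    i, j, n = longest_common_run(db, pc)
    return {
        "db_bytes": len(db),
        "pcap_bytes": len(pc),
        "match_len": n,
        "shared": db[i:i + n],
        "db_match_offset": db_off + i,    # where the shared run starts in the DB dump
        "pcap_match_offset": pc_off + j,  # where it starts in the tcpdump dump
        "db_noop_pairs": db.count(NOOP_PAIR),
        "pcap_noop_pairs": pc.count(NOOP_PAIR),
    }


if __name__ == "__main__":
    for key, value in compare_dumps(ACID_DUMP, TCPDUMP_DUMP).items():
        shown = f"0x{value:x}" if key.endswith("offset") else repr(value)
        print(f"{key:>18}: {shown}")
```

On the post's data the longest shared run is the 47 bytes `Compre 1 'Placa Video VGA - Riva TNT2 M64 -32MB`, at 0x594 in the ACID dump and 0x57a in the frame; right after it the two differ (`\r\nTV'` in the frame against ` TV'\r\n` in the database), the stored payload contains 14 EB 0C pairs while the quoted frame contains none, and the quoted frame dump ends at 0x5dc where the database payload carries on. The parser refuses dumps with missing lines, which matters when an ACID page has been copied with an elided middle such as the "(...)" above.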
