[Snort-devel] snort-1.9.0b6 and barnyard discrepancies

Andreas Hasenack andreas at ...836...
Fri Aug 23 07:26:05 EDT 2002


Em Fri, Aug 23, 2002 at 08:47:34AM -0500, Steve Halligan escreveu:
> Dragos released a tool that converts a unified log/alert file directly into
> a tcpdump/pcap capture.
> Try running it on the unified file and see if it is the culprit, or if
> Barnyard is somehow mangling it.

I'll be damned...

tcpdump doesn't show the garbage in the file, I don't know why. But
ethereal and tethereal do show it, the same way as the ascii output
(or sql output) from barnyard does.

tcpdump's output (using tcpdump -r file):
(...)
0x0570   6720 7469 746c 653d 2220 436f 6d70 7265        g.title=".Compre
0x0580   2031 2027 506c 6163 6120 5669 6465 6f20        .1.'Placa.Video.
0x0590   5647 4120 2d20 5269 7661 2054 4e54 3220        VGA.-.Riva.TNT2.
0x05a0   4d36 3420 2d33 324d 420d 0a54 5627 2061        M64.-32MB..TV'.a
0x05b0   676f 7261 2022 2061 6c74 3d22 436f 6d70        gora.".alt="Comp
0x05c0   7265 2031 2027 506c 6163 6120 5669 6465        re.1.'Placa.Vide
0x05d0   6f20 5647 4120 2d20 5269 7661                  o.VGA.-.Riva

tethereal's output (with -V):
(...)
    Message: TV' agora " alt="Compre 1 'Placa Video VGA - Riva TNT2 M64 -32MB TV'\r\n
    Message: agora"\r\n
    Message: src="\fë\fë\fë\fë\fë\fë\fë\fë\fë\fë\fë\fë\fë\fë\f]"; filename="a"\r\n
    Message: \r\n
    Message: --h\025\r\n
    Message: Content-Disposition: form-data; name="a"\r\n
    Message: .\n
    Message: \r
    Message:  ë\fë\fë\fë\fë\fë\fë\fë\fë\fë\fë\fë\fë\fë\fë\fë\fë\fë\fë\fë\fë\fë\fë\fë\fë\fë\fë\fë\fë\fë\fë\fë\f
ë\fë\fë\fë\fë\fë\fë\fë\fë\fë\fë\fë\fë\fë\fë\fë\fë\fë\fë\fë\fë\fë\fë\fë\fë\fë\fë\fë\fë\fë\fë\fë\fë\fë\fë\fë\fë\
fë\fë\fë\fë\fë\fë\fë\fë
    Message: alt="C


So it seems the tcpdump capture file DOES indeed contain this garbage and
it was indeed generated by snort. I'll send the files to Cris.





More information about the Snort-devel mailing list