[Snort-devel] [ snort-Bugs-549962 ] snortdb-extra FLAGS table errors

noreply at ...12...
Thu May 2 09:53:07 EDT 2002


Bugs item #549962, was opened at 2002-04-28 19:17
You can respond by visiting: 
http://sourceforge.net/tracker/?func=detail&atid=103357&aid=549962&group_id=3357

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Ian Duffy (duffian)
Assigned to: Nobody/Anonymous (nobody)
Summary: snortdb-extra FLAGS table errors

Initial Comment:
It appears that the FLAGS table that is created by 
snortdb-extra has inaccurate values for the actual 
flag values when queried by the flags #. The issue is 
this: When logging alerts to XML, the FLAGS attribute 
has a specific number. When this number is queried 
against the FLAGS table in the SQL database, it 
returns flags that do not correspond to the flags that 
were related to the alert signature. It appears that 
the binary flags were read in backwards -- i.e. bit 0 
in the database is the RES1 bit, when it should be the 
FIN bit. The example that I noticed this with was 
the "SCAN Proxy Attempt", which returns a flags number 
of 2. When you query the Flags table in the SQL 
database that was generated by using the snortdb-extra 
script, it returns a value showing the RES2 bit set, 
when it should have been the SYN bit (because the 
signature is written to alert on traffic with the SYN 
bit set). If you look carefully, it appears that the 
flags in the database are backwards.

----------------------------------------------------------------------

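As an added illustration (this is not part of the report above, nor code from snortdb-extra or Snort): a decoder for Snort's 8-bit TCP flags value in the RFC 793 bit order (FIN is bit 0, SYN bit 1, ... RES1 bit 7), alongside a decoder with the bit order reversed, which is what the report describes the generated table as doing. With the reversed order, value 2 comes back as RES2 instead of SYN, matching the "SCAN Proxy Attempt" example. The last two functions generate a correctly ordered lookup table; the table name "flags" and its two columns are assumptions for illustration, not the real snortdb-extra schema.

```python
# Illustrative example written for this page; not snortdb-extra or Snort code.
# Snort's TCP "flags" number is the 8-bit flags byte of the TCP header, so the
# bit positions follow RFC 793: FIN=0x01, SYN=0x02, RST=0x04, PSH=0x08,
# ACK=0x10, URG=0x20. The two high bits were called RES2 (0x40) and RES1 (0x80)
# in Snort rules of that era; RFC 3168 later assigned them to ECE and CWR.
TCP_FLAGS = ("FIN", "SYN", "RST", "PSH", "ACK", "URG", "RES2", "RES1")


def decode_flags(value, names=TCP_FLAGS):
    """Return the names of the flags set in an 8-bit TCP flags value, lowest bit first."""
    if not 0 <= value <= 0xFF:
        raise ValueError("TCP flags value out of range: %r" % (value,))
    return [name for bit, name in enumerate(names) if value & (1 << bit)]


def decode_flags_reversed(value):
    """Decode with the bit order reversed (bit 0 -> RES1 ... bit 7 -> FIN).

    This reproduces the misattribution described in the report: a table built
    this way maps value 2 (SYN) to RES2.
    """
    return decode_flags(value, tuple(reversed(TCP_FLAGS)))


def flags_table_rows(reversed_order=False):
    """Build (flags_value, description) rows for all 256 possible values.

    reversed_order=True yields the wrong table for comparison. Two-column
    layout is an assumption for this example, not the snortdb-extra schema.
    """
    dec = decode_flags_reversed if reversed_order else decode_flags
    return [(v, " ".join(dec(v)) or "NONE") for v in range(256)]


def flags_table_sql(table="flags"):
    """Emit INSERT statements for a correctly ordered lookup table (hypothetical schema)."""
    return "\n".join(
        "INSERT INTO %s (flags, description) VALUES (%d, '%s');" % (table, v, d)
        for v, d in flags_table_rows()
    )


if __name__ == "__main__":
    # Value 2 is the SYN-only case from the "SCAN Proxy Attempt" example;
    # 0x12 is SYN+ACK, 0x29 is FIN+PSH+URG.
    for v in (2, 0x12, 0x29):
        print(v, decode_flags(v), "reversed table would say:", decode_flags_reversed(v))
    print(flags_table_sql().splitlines()[2])
```

To check an existing table against this, query it for the value Snort logged and compare the names with decode_flags(value); any row where the two disagree is one where the bit order was inverted when the table was populated.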
