[Snort-devel] Logging to DB it's done differently than to a file.
Bruno G. San Alejo
bgonzalez at ...3012...
Wed Mar 4 11:14:24 EST 2009
Hi Steven, I see your point. It is definetly better to do it at the
BASE/post-processing software. It's just that I thought about pointing
this issue out. And since I'm not much into PHP I thought this would be
solved in Snort rather than BASE.
I think the BASE guys think that the ID and the seq# are there to be
extracted and shown. Definetly the gateway's extraction is not right so
I'll see if I can come up with something to get the right field and then
see if they wanna add it to BASE.
Steven Sturges wrote:
> Hi Bruno--
> The other 4 types that have nothing in those 4 bytes where
> the Redirect has the gateway IP address, so they skip past
> it to get to the embedded IP header.
> The gateway address for the redirect is avilable via the
> union that is defined in the ICMPHdr structure. It is in
> the same place as the id/seq bytes for other types, so
> the data is there, just logged in a strange way.
> It sounds like, based on the icmp_type, you want it to log
> a 32 bit value, rather than 2 16 bit values? Can you convert
> them on the back-end in BASE or some other post-processing
> A change to the database logging for Snort would also require
> a schema change.
> Bruno G. San Alejo wrote:
>> Hi, I have found how Snort logs to a file and to the DB and maybe it's
>> the cause of why I seem to have ICMP redirect packages with the wrong
>> gateway's IP.
>> To make a really long story short, when logging to a file Snort uses
>> the pcap_dump() function than (if I'm not mistaken) logs the packet as
>> it gets it from Snort. When logging to the DB, the ICMP packet gets
>> parsed and the insert is as follows in the Database() func:
>> ret = SnortSnprintf(query->val, MAX_QUERY_LENGTH,
>> "INSERT INTO "
>> "icmphdr (sid, cid,
>> icmp_type, icmp_code, icmp_csum, icmp_id, icmp_seq) "
>> "VALUES (%u,%u,%u,%u,%u,%u,%u)",
>> data->shared->cid, p->icmph->type,
>> Note the references to p->icmph->s_icmp_seq and p->icmph->s_icmp_id.
>> Now, ICMP redirect packets don't have those fields, they have the
>> gateway's IP instead.
>> Since the packets are not "decoded" but the actual packet is laid
>> over the Packet struct which contains unions, those fields have data,
>> though not valid one. Maybe the IP for the gateway is there.
>> The result is that when I see the Snort logged packets in pcap
>> format, they are correct, but the ones seen through BASE or saved to
>> pcap through BASE, are not. The ones shown through BASE have wrong
>> gateway's IPs. Also, BASE gets the gateway's IP from someplace else
>> which I think is not the IP. So, that is an issue also.
>> I'm sorry to be a pain in the neck with this issue but I would like
>> someone to correct me or maybe there is something to be solved in here.
>> Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA
>> -OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise
>> -Strategies to boost innovation and cut costs with open source participation
>> -Receive a $600 discount off the registration fee with the source code: SFAD
>> Snort-devel mailing list
>> Snort-devel at lists.sourceforge.net
More information about the Snort-devel