[Snort-devel] Logging to DB it's done differently than to a file.

Bruno G. San Alejo bgonzalez at ...3012...
Wed Mar 4 11:14:24 EST 2009


    Hi Steven, I see your point. It is definetly better to do it at the
BASE/post-processing software. It's just that I thought about pointing
this issue out. And since I'm not much into PHP I thought this would be
solved in Snort rather than BASE.

    I think the BASE guys think that the ID and the seq# are there to be
extracted and shown. Definetly the gateway's extraction is not right so
I'll see if I can come up with something to get the right field and then
see if they wanna add it to BASE.

    Thanks.



Steven Sturges wrote:
> Hi Bruno--
>
> The other 4 types that have nothing in those 4 bytes where
> the Redirect has the gateway IP address, so they skip past
> it to get to the embedded IP header.
>
> The gateway address for the redirect is avilable via the
> union that is defined in the ICMPHdr structure.  It is in
> the same place as the id/seq bytes for other types, so
> the data is there, just logged in a strange way.
>
> It sounds like, based on the icmp_type, you want it to log
> a 32 bit value, rather than 2 16 bit values?  Can you convert
> them on the back-end in BASE or some other post-processing
> software?
>
> A change to the database logging for Snort would also require
> a schema change.
>
> Cheers
> -steve
>
> Bruno G. San Alejo wrote:
>   
>> Hi, I have found how Snort logs to a file and to the DB and maybe it's
>> the cause of why I seem to have ICMP redirect packages with the wrong
>> gateway's IP.
>>
>>     To make a really long story short, when logging to a file Snort uses
>> the pcap_dump() function than (if I'm not mistaken) logs the packet as
>> it gets it from Snort. When logging to the DB, the ICMP packet gets
>> parsed and the insert is as follows in the Database() func:
>>
>> ret = SnortSnprintf(query->val, MAX_QUERY_LENGTH,
>>                                             "INSERT INTO "
>>                                             "icmphdr (sid, cid,
>> icmp_type, icmp_code, icmp_csum, icmp_id, icmp_seq) "
>>                                             "VALUES (%u,%u,%u,%u,%u,%u,%u)",
>>                                             data->shared->sid,
>> data->shared->cid, p->icmph->type,
>>                                             p->icmph->code,
>> ntohs(p->icmph->csum),
>>                                             ntohs(p->icmph->s_icmp_id),
>> ntohs(p->icmph->s_icmp_seq));
>>
>> Note the references to p->icmph->s_icmp_seq and p->icmph->s_icmp_id.
>> Now, ICMP redirect packets don't have those fields, they have the
>> gateway's IP instead.
>>
>>     Since the packets are not "decoded" but the actual packet is laid
>> over the Packet struct which contains unions, those fields have data,
>> though not valid one. Maybe the IP for the gateway is there.
>>
>>     The result is that when I see the Snort logged packets in pcap
>> format, they are correct, but the ones seen through BASE or saved to
>> pcap through BASE, are not. The ones shown through BASE have wrong
>> gateway's IPs. Also, BASE gets the gateway's IP from someplace else
>> which I think is not the IP. So, that is an issue also.
>>
>>     I'm sorry to be a pain in the neck with this issue but I would like
>> someone to correct me or maybe there is something to be solved in here.
>>
>>     Thanks.
>>
>>
>> ------------------------------------------------------------------------------
>> Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA
>> -OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise
>> -Strategies to boost innovation and cut costs with open source participation
>> -Receive a $600 discount off the registration fee with the source code: SFAD
>> http://p.sf.net/sfu/XcvMzF8H
>> _______________________________________________
>> Snort-devel mailing list
>> Snort-devel at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>>
>>     
>
>   





More information about the Snort-devel mailing list