[Snort-devel] Logging to DB it's done differently than to a file.

Bruno G. San Alejo bgonzalez at ...3012...
Mon Mar 16 08:07:07 EDT 2009


    Hi everyone. I prepared a fix for BASE for this issue. Now it shows
the gateway's IP right. It's a little of a mess and the problem is that
it doesn't differentiate between a host with third byte as x00 and a
network address. I guess that this issue should be solved in Snort by
not logging the ID and seq# for ICMP redirect packets and logging the
actual gateway's IP in the right field. Though that would mean I'd have
to go back and change my little contribution to BASE. :)

    Thanks.


Bruno G. San Alejo wrote:
>     Hi Steven, I see your point. It is definitely better to do it at the
> BASE/post-processing software. It's just that I thought about pointing
> this issue out. And since I'm not much into PHP I thought this would be
> solved in Snort rather than BASE.
>
>     I think the BASE guys think that the ID and the seq# are there to be
> extracted and shown. Definitely the gateway's extraction is not right so
> I'll see if I can come up with something to get the right field and then
> see if they wanna add it to BASE.
>
>     Thanks.
>
>
>
> Steven Sturges wrote:
>> Hi Bruno--
>>
>> The other 4 types that have nothing in those 4 bytes where
>> the Redirect has the gateway IP address, so they skip past
>> it to get to the embedded IP header.
>>
>> The gateway address for the redirect is available via the
>> union that is defined in the ICMPHdr structure.  It is in
>> the same place as the id/seq bytes for other types, so
>> the data is there, just logged in a strange way.
>>
>> It sounds like, based on the icmp_type, you want it to log
>> a 32 bit value, rather than 2 16 bit values?  Can you convert
>> them on the back-end in BASE or some other post-processing
>> software?
>>
>> A change to the database logging for Snort would also require
>> a schema change.
>>
>> Cheers
>> -steve
>>
>> Bruno G. San Alejo wrote:
>>> Hi, I have found how Snort logs to a file and to the DB and maybe it's
>>> the cause of why I seem to have ICMP redirect packages with the wrong
>>> gateway's IP.
>>>
>>>     To make a really long story short, when logging to a file Snort uses
>>> the pcap_dump() function that (if I'm not mistaken) logs the packet as
>>> it gets it from Snort. When logging to the DB, the ICMP packet gets
>>> parsed and the insert is as follows in the Database() func:
>>>
>>> ret = SnortSnprintf(query->val, MAX_QUERY_LENGTH,
>>>                     "INSERT INTO "
>>>                     "icmphdr (sid, cid, icmp_type, icmp_code, icmp_csum, icmp_id, icmp_seq) "
>>>                     "VALUES (%u,%u,%u,%u,%u,%u,%u)",
>>>                     data->shared->sid, data->shared->cid, p->icmph->type,
>>>                     p->icmph->code, ntohs(p->icmph->csum),
>>>                     ntohs(p->icmph->s_icmp_id), ntohs(p->icmph->s_icmp_seq));
>>>
>>> Note the references to p->icmph->s_icmp_seq and p->icmph->s_icmp_id.
>>> Now, ICMP redirect packets don't have those fields, they have the
>>> gateway's IP instead.
>>>
>>>     Since the packets are not "decoded" but the actual packet is laid
>>> over the Packet struct which contains unions, those fields have data,
>>> though not valid one. Maybe the IP for the gateway is there.
>>>
>>>     The result is that when I see the Snort logged packets in pcap
>>> format, they are correct, but the ones seen through BASE or saved to
>>> pcap through BASE, are not. The ones shown through BASE have wrong
>>> gateway's IPs. Also, BASE gets the gateway's IP from someplace else
>>> which I think is not the IP. So, that is an issue also.
>>>
>>>     I'm sorry to be a pain in the neck with this issue but I would like
>>> someone to correct me or maybe there is something to be solved in here.
>>>
>>>     Thanks.
>>>
>>>
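The aliasing Steven describes and the back-end conversion he suggests, as an added example in C (not Snort's or BASE's code): a minimal ICMPHdr-style union is laid over a constructed ICMP Redirect, id/seq are logged the way the quoted Database() call does, and the gateway is rebuilt from those two columns only when icmp_type is 5. The struct, row layout and function names are assumptions for illustration.

```c
/* Added example, not Snort/BASE code: why the icmphdr table holds a split
 * gateway address for ICMP Redirects and how post-processing can rebuild it. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

#define ICMP_REDIRECT 5

/* Stand-in for Snort's ICMPHdr: the same 4 bytes are id/seq for echo-style
 * types and the gateway address for a Redirect (assumed layout, 8 bytes). */
typedef struct {
    uint8_t  type;
    uint8_t  code;
    uint16_t csum;
    union {
        struct { uint16_t id; uint16_t seq; } idseq;
        uint32_t gateway;   /* network byte order */
    } u;
} icmp_hdr_t;

/* What the quoted Database() code stores: two host-order 16-bit values. */
typedef struct { uint8_t type; uint16_t icmp_id; uint16_t icmp_seq; } icmphdr_row_t;

icmphdr_row_t log_like_snort(const uint8_t *pkt) {
    icmp_hdr_t h;
    memcpy(&h, pkt, sizeof h);  /* lay the raw packet over the struct, as Snort does */
    icmphdr_row_t row = { h.type, ntohs(h.u.idseq.id), ntohs(h.u.idseq.seq) };
    return row;
}

/* Post-processing side: for type 5 the two columns are the high and low
 * halves of the gateway address. Returns 0 on success, -1 for other types
 * (where id/seq are genuine and must not be read as an address). */
int gateway_from_row(const icmphdr_row_t *row, char *out, size_t outlen) {
    if (row->type != ICMP_REDIRECT) return -1;
    uint32_t gw = ((uint32_t)row->icmp_id << 16) | row->icmp_seq;
    snprintf(out, outlen, "%u.%u.%u.%u", (unsigned)(gw >> 24), (unsigned)((gw >> 16) & 0xff),
             (unsigned)((gw >> 8) & 0xff), (unsigned)(gw & 0xff));
    return 0;
}

int main(void) {
    /* Constructed ICMP Redirect (type 5, code 1), gateway 192.168.0.1 */
    const uint8_t redirect[8] = { 5, 1, 0x00, 0x00, 0xc0, 0xa8, 0x00, 0x01 };
    icmphdr_row_t row = log_like_snort(redirect);
    char gw[16];
    printf("icmp_id=%u icmp_seq=%u\n", row.icmp_id, row.icmp_seq);   /* 49320 1 */
    if (gateway_from_row(&row, gw, sizeof gw) == 0) printf("gateway=%s\n", gw);
    return 0;
}
```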