[Snort-users] Snort+MySql=OK. But why...

Johan.Augustsson Johan.Augustsson at ...796...
Tue Nov 21 08:58:17 EST 2000


I'm tired and confused, I might also be stupid, but I can't figure out one 
thing here.

I'm running Snort 1.6.3 and store the log in a MySQL database, the very 
same thing you can do with the database plugin. And it works. It works 
very well, and all the things I want in the database are stored there. But 
it seems to me that Snort is sometimes putting some of the data in the wrong 
fields. If the host 1.2.3.4 tries to telnet to my box (6.7.8.9), Snort stores 
1.2.3.4 in ip_dst0-3 and 6.7.8.9 in ip_src0-3, and port 23 is stored in 
th_sport in tcphdr. As I said, I might be a major airhead here, but as I see 
it the contacting host is the source, and 1.2.3.4 should end up in 
ip_src0-3. I could have bought this and just kept going if it weren't for 
the fact that it sometimes logs source addresses as ip_src0-3.

If some host sends me an echo request (ping), Snort will log the host's 
IP address as ip_src0-3 and my box as ip_dst0-3.
Two scenarios where traffic is sent to me, but in one case Snort logs the 
source as ip_dst0-3 and in the other case as ip_src0-3.

OK... Could it have to do with the fact that they are two different protocols, 
TCP and ICMP?
Nope. I got a SCAN-SYN FIN (port 111-111) followed by an RPC query (111-894), 
and how did Snort log this then...?
The host that did the scan was registered as ip_src0-3 and my box as 
ip_dst0-3, just the way I want it.

But both telnet and ftp connections are logged the opposite way.
Why...?

/Johan
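As an added example, not code from the original post or from Snort itself: a small Python model of the one behaviour that produces exactly the pattern Johan describes. The database plugin writes the IP and TCP header fields of the packet that matched a rule, not the endpoints of whoever opened the session. A rule keyed on the server's side of a conversation (here a constructed "telnet server reply" rule matching source port 23, which is how rules for banners and server replies are written) therefore records the server in ip_src and 23 in th_sport, while a SYN/FIN scan rule and an ICMP echo rule fire on the client's own packet and record the client as the source. The rule set, hosts and packets are constructed for illustration and are a guess at what fired, not Snort's real ruleset; `session_initiator` is a heuristic of my own for recovering the connecting host from a stored row.

```python
# Added example, not code from the original post or from Snort.  It models a
# per-packet IDS that logs the header fields of the packet that matched a rule
# (ip_src, ip_dst, th_sport, th_dport), not the session initiator.  Rules,
# hosts and packets below are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0        # 0 = no port (ICMP)
    dport: int = 0
    flags: str = ""       # TCP flag letters, e.g. "S", "SF", "PA"


@dataclass(frozen=True)
class Rule:
    msg: str
    proto: str
    sport: Optional[int] = None   # None = any
    dport: Optional[int] = None
    flags: Optional[str] = None   # exact flag match when set

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto != self.proto:
            return False
        if self.sport is not None and pkt.sport != self.sport:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.flags is not None and pkt.flags != self.flags:
            return False
        return True


@dataclass(frozen=True)
class AlertRow:
    """The columns the post names, filled the way a database plugin would."""
    msg: str
    ip_src: str
    ip_dst: str
    th_sport: int
    th_dport: int


# Constructed rules (assumption: the telnet rule keys on the server side,
# source port 23, as banner/reply rules do; scan and ping rules key on the
# client's packet).
RULES: List[Rule] = [
    Rule("SCAN-SYN FIN", "tcp", flags="SF"),
    Rule("TELNET server reply", "tcp", sport=23),
    Rule("ICMP echo request", "icmp"),
]


def first_alert(rules: List[Rule], packets: List[Packet]) -> Optional[AlertRow]:
    """Run packets through the rules in order; the first match is logged with
    *that packet's* headers, exactly as the sensor saw them on the wire."""
    for pkt in packets:
        for rule in rules:
            if rule.matches(pkt):
                return AlertRow(rule.msg, pkt.src, pkt.dst, pkt.sport, pkt.dport)
    return None


def session_initiator(row: AlertRow, service_ports=(21, 23)) -> str:
    """Heuristic (my own, not Snort's): if the alert's source port is a
    well-known service port and the destination port is not, the logged packet
    was the server's reply, so the connecting host is ip_dst; else trust ip_src."""
    if row.th_sport in service_ports and row.th_dport not in service_ports:
        return row.ip_dst
    return row.ip_src


def run_scenarios() -> Dict[str, AlertRow]:
    """The three cases from the post, with constructed packets."""
    client, server = "1.2.3.4", "6.7.8.9"
    scenarios = {
        # telnet: client SYN, server SYN/ACK, server pushes its login banner
        "telnet": [
            Packet("tcp", client, server, 40123, 23, "S"),
            Packet("tcp", server, client, 23, 40123, "SA"),
            Packet("tcp", server, client, 23, 40123, "PA"),
        ],
        # SYN/FIN scan probe from port 111 to port 111
        "synfin_scan": [Packet("tcp", client, server, 111, 111, "SF")],
        # ICMP echo request
        "ping": [Packet("icmp", client, server)],
    }
    rows: Dict[str, AlertRow] = {}
    for name, pkts in scenarios.items():
        row = first_alert(RULES, pkts)
        assert row is not None, name
        rows[name] = row
    return rows


if __name__ == "__main__":
    for name, row in run_scenarios().items():
        print(f"{name:12} ip_src={row.ip_src}:{row.th_sport} "
              f"ip_dst={row.ip_dst}:{row.th_dport} "
              f"initiator={session_initiator(row)}")
```

Running it, the telnet row comes out with ip_src=6.7.8.9 and th_sport=23 while the scan and ping rows have ip_src=1.2.3.4, which is the split the post reports. The practical check when reading alert tables is therefore to look at which packet the rule matched (th_sport vs th_dport) before treating ip_src as the attacker.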
