[Snort-users] Snort+MySql=OK. But why...
NSpande at ...620...
Tue Nov 21 11:59:18 EST 2000
This is something that has tricked us in the past as well. Basically, the
problem is that snort doesn't know who OPENED the TCP connection, it just
knows what the IP packet has as a source and a dest. So if the rule matches
on the response, then the log will show the source as what you would think
of as the dest, and the dest as what you would think of as the source. One
of the only things that really bugs me about snort. Of course, probably as
a result of this, you can get some very impressive performance out of it :)
From: Johan.Augustsson [mailto:Johan.Augustsson at ...796...]
Sent: Tuesday, November 21, 2000 8:58 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Snort+MySql=OK. But why...
I'm tired and confused, I might also be stupid but I can't figure out one
I'm running Snort 1.6.3 and store the log in a MySQL database, the very
same thing you could do with the database plugin. And it works. It works
very well and everything I want in the database is stored there. But
it seems to me like Snort sometimes is putting some of the data in the wrong
fields. If the host 126.96.36.199 tries to telnet my box (188.8.131.52) Snort stores
184.108.40.206 in ip_dest0-3 and 220.127.116.11 in ip_src0-3 and port 23 is stored in
th_sport in tcphdr. As I said, I might be a major airhead here but as I see
it the contacting host is the source and 18.104.22.168 should end up in
ip_src0-3. I could have bought this and just kept going if it wasn't for
that it sometimes logs source addresses as ip_src0-3.
If some host sends me an echo request (ping), Snort will log the host's
IP address as ip_src0-3 and my box as ip_dst0-3.
Two scenarios where traffic is sent to me but in one case Snort logs the
source as ip_dst0-3 and in the other case as ip_src0-3.
Ok... Can it have to do with the fact that it's two different protocols,
TCP and ICMP?
Nope. I got a SCAN-SYN FIN (port 111-111) followed by a RPC-query (111-894)
and how did Snort log this then...?
The host who did the scan was registered as ip_src0-3 and my box as
ip_dst0-3, just the way I want it.
But both telnet and ftp connections are logged the opposite way.
Snort-users mailing list
Snort-users at lists.sourceforge.net
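The behaviour described in the reply above (a packet-based IDS logs the source and destination of the matching packet, not of the connection) can be made concrete with a small stateful tracker. The following is an added example and is not code from the thread or from Snort itself: it walks a constructed packet sequence (RFC 5737 documentation addresses, made up for this example), remembers the bare SYN that opens each TCP flow, and reports the connection initiator alongside the raw packet direction that a rule matching on the server's response would log. The three scenarios from the original post are reproduced: a telnet session where the rule fires on the server's banner, an ICMP echo request, and a SYN/FIN scan against port 111. The class and function names are this example's own, not Snort's.

```python
"""Added example (not from the original thread or from Snort): recover the
connection initiator from packet-level alerts.

Snort 1.6 logs the IP src/dst of the packet that matched. If the rule fires
on the server's response, the logged src is the server. Tracking the initial
SYN per flow lets a post-processor report who actually opened the connection.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: str = ""       # TCP flags as letters: "S", "SA", "SF", "PA", ...
    icmp_type: int = -1   # 8 = echo request, 0 = echo reply


FlowKey = Tuple[str, int, str, int]


def flow_key(p: Packet) -> FlowKey:
    """Direction-independent key so both halves of a conversation share one flow."""
    a = (p.src, p.sport)
    b = (p.dst, p.dport)
    return (a + b) if a <= b else (b + a)


class FlowTracker:
    """Remembers the initiator of every TCP flow whose bare SYN was seen."""

    def __init__(self) -> None:
        self.initiators: Dict[FlowKey, Tuple[str, str]] = {}

    def observe(self, p: Packet) -> None:
        # A pure SYN (no ACK bit) is the client's connection request.
        if p.proto == "tcp" and p.flags == "S":
            self.initiators.setdefault(flow_key(p), (p.src, p.dst))

    def initiator(self, p: Packet) -> Optional[Tuple[str, str]]:
        return self.initiators.get(flow_key(p))


def describe(p: Packet, tracker: FlowTracker) -> dict:
    """Record both the packet direction (what Snort logs as ip_src/ip_dst)
    and the connection direction (what the list post expected)."""
    rec = {"proto": p.proto, "pkt_src": p.src, "pkt_dst": p.dst}
    if p.proto == "tcp":
        rec["sport"], rec["dport"] = p.sport, p.dport
        init = tracker.initiator(p)
        if init:
            rec["client"], rec["server"] = init
            rec["direction"] = "to_server" if p.src == init[0] else "to_client"
        else:
            # No SYN seen for this flow: mid-stream pickup or a single scan packet.
            rec["direction"] = "unknown"
    elif p.proto == "icmp":
        rec["direction"] = "request" if p.icmp_type == 8 else "reply"
    return rec


def analyze(packets: List[Packet]) -> List[dict]:
    """Run the tracker over a packet list and describe every packet."""
    tracker = FlowTracker()
    out = []
    for p in packets:
        tracker.observe(p)
        out.append(describe(p, tracker))
    return out


# Constructed sample traffic for this example (documentation addresses, not real hosts).
CLIENT, SERVER, SCANNER = "192.0.2.10", "198.51.100.20", "203.0.113.30"
SAMPLE = [
    Packet("tcp", CLIENT, SERVER, 1025, 23, "S"),    # telnet connect
    Packet("tcp", SERVER, CLIENT, 23, 1025, "SA"),   # server answers
    Packet("tcp", SERVER, CLIENT, 23, 1025, "PA"),   # login banner: a telnet rule fires here
    Packet("icmp", CLIENT, SERVER, icmp_type=8),     # echo request
    Packet("tcp", SCANNER, SERVER, 111, 111, "SF"),  # SYN/FIN scan of portmapper
]

if __name__ == "__main__":
    for rec in analyze(SAMPLE):
        print(rec)
```

For the banner packet the record shows pkt_src as the server with sport 23, exactly what the original post saw in the database, while client/direction identify the telnet initiator; the echo request and the SYN/FIN scan are single packets sent by the remote host, so there the packet source and the "contacting host" coincide. Later Snort releases added the `flow` rule option (`to_server`, `to_client`, `established`) so a rule can be tied to a connection direction rather than a packet direction.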