[Snort-users] Snort+MySql=OK. But why...

Nathan Spande NSpande at ...620...
Tue Nov 21 11:59:18 EST 2000


This is something that has tricked us in the past as well.  Basically, the
problem is that snort doesn't know who OPENED the TCP connection, it just
knows what the IP packet has as a source and a dest.  So if the rule matches
on the response, then the log will show the source as what you would think
of as the dest, and the dest as what you would think of as the source.  One
of the only things that really bugs me about snort.  Of course, probably as
a result of this, you can get some very impressive performance out of it :)

Nathan

-----Original Message-----
From: Johan.Augustsson [mailto:Johan.Augustsson at ...796...]
Sent: Tuesday, November 21, 2000 8:58 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Snort+MySql=OK. But why...


I'm tired and confused, I might also be stupid but I can't figure out one 
thing here.

I'm running Snort 1.6.3 and store the log into a MySQL database, the very 
same that you could do with the database-plugin. And it works. It works 
very well and all the things I want in the database are stored there. But 
it seems to me like Snort sometimes is putting some of the data in the wrong 
fields. If the host 1.2.3.4 tries to telnet my box (6.7.8.9) Snort stores 
1.2.3.4 in ip_dest0-3 and 6.7.8.9 in ip_src0-3 and port 23 is stored in 
th_sport in tcphdr. As I said, I might be a major airhead here but as I see 
it the contacting host is the source and 1.2.3.4 should end up in 
ip_src0-3. I could have bought this and just kept going if it weren't for 
the fact that it sometimes logs source-addresses as ip_src0-3.

If some host sends me an echo-request (ping), Snort will log the host's 
ip-address as ip_src0-1 and my box as ip_dst0-3.
Two scenarios where traffic is sent to me, but in one case Snort logs the 
source as ip_dst0-3 and in the other case as ip_src0-3.

Ok... Can it have to do with the fact that it's two different protocols, 
TCP and ICMP?
Nope. I got a SCAN-SYN FIN (port 111-111) followed by a RPC-query (111-894) 
and how did Snort log this then...?
The host who did the scan was registered as ip_src0-3 and my box as 
ip_dst0-3, just the way I want it.

But both telnet- and ftp-connections are logged the opposite way.
Why...?

/Johan

_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
http://lists.sourceforge.net/mailman/listinfo/snort-users
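To make the asymmetry both posts describe concrete, here is an added example (not from the thread and not Snort's own code) that takes constructed alert rows modelled on the fields Johan mentions (ip_src/ip_dst, th_sport/th_dport) and infers which side opened the connection: a SYN without ACK marks the initiator, a SYN/ACK marks the server, an ICMP echo request marks the initiator, and a mid-stream packet such as the telnet reply falls back to which side holds a service port. The Alert class, the SERVICE_PORTS set, the flags string and the sample rows are all assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Service ports named in the thread (ftp, telnet, sunrpc); constructed list.
SERVICE_PORTS = {21, 23, 111}

@dataclass
class Alert:
    """One logged packet, modelled on the database columns Johan refers to."""
    proto: str                      # "TCP" or "ICMP"
    ip_src: str                     # packet header source (ip_src0-3)
    ip_dst: str                     # packet header destination (ip_dst0-3)
    th_sport: int = 0               # TCP source port (0 for ICMP)
    th_dport: int = 0               # TCP destination port (0 for ICMP)
    flags: str = ""                 # TCP flags as letters, e.g. "S", "SA", "A", "SF"
    icmp_type: Optional[int] = None # 8 = echo request, 0 = echo reply

def initiator(a: Alert) -> Tuple[str, str]:
    """Return (client_ip, server_ip) inferred from a single logged packet.
    Snort records the header's source/destination as-is, so an alert that
    fires on the server's reply has ip_src == server; this undoes that."""
    if a.proto == "ICMP":
        # The echo request is sent by the initiator, the reply by the target.
        return (a.ip_src, a.ip_dst) if a.icmp_type == 8 else (a.ip_dst, a.ip_src)
    if "S" in a.flags and "A" not in a.flags:
        return (a.ip_src, a.ip_dst)     # SYN (or a SYN/FIN scan) opens the connection
    if "S" in a.flags and "A" in a.flags:
        return (a.ip_dst, a.ip_src)     # SYN/ACK is always the server's packet
    # Mid-stream packet: fall back to which end holds a known service port.
    if a.th_sport in SERVICE_PORTS and a.th_dport not in SERVICE_PORTS:
        return (a.ip_dst, a.ip_src)
    if a.th_dport in SERVICE_PORTS and a.th_sport not in SERVICE_PORTS:
        return (a.ip_src, a.ip_dst)
    return (a.ip_src, a.ip_dst)         # undecidable: keep the packet's own order

# Constructed rows reproducing the three cases in the thread.
ALERTS = [
    # telnet: the rule fired on my box's reply, so the server shows up as ip_src
    Alert("TCP", "6.7.8.9", "1.2.3.4", 23, 1025, "A"),
    # SYN/FIN scan 111 -> 111: same port on both ends, SYN without ACK settles it
    Alert("TCP", "1.2.3.4", "6.7.8.9", 111, 111, "SF"),
    # echo request from the remote host
    Alert("ICMP", "1.2.3.4", "6.7.8.9", icmp_type=8),
]

def normalize(alerts) -> list:
    """Every row in ALERTS resolves to the same (client, server) pair."""
    return [initiator(a) for a in alerts]

if __name__ == "__main__":
    for a, pair in zip(ALERTS, normalize(ALERTS)):
        print(f"{a.proto:4} logged {a.ip_src} -> {a.ip_dst}  initiator/server = {pair}")
```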

