[Snort-users] Snort+MySql=OK. But why...

Martin Roesch roesch at ...421...
Mon Nov 27 00:12:42 EST 2000


No state == very fast. :)  TCP stream reassembly is available in the latest
betas, but I don't think we log in terms of client->server or vice versa yet. 
This is something that probably wouldn't take too long to implement...

    -Marty

Nathan Spande wrote:
> 
> This is something that has tricked us in the past as well.  Basically, the
> problem is that snort doesn't know who OPENED the TCP connection, it just
> knows what the IP packet has as a source and a dest.  So if the rule matches
> on the response, then the log will show the source as what you would think
> of as the dest, and the dest as what you would think of as the source.  One
> of the only things that really bugs me about snort.  Of course, probably as
> a result of this, you can get some very impressive performance out of it :)
> 
> Nathan
> 
> -----Original Message-----
> From: Johan.Augustsson [mailto:Johan.Augustsson at ...796...]
> Sent: Tuesday, November 21, 2000 8:58 AM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Snort+MySql=OK. But why...
> 
> I'm tired and confused, I might also be stupid but I can't figure out one
> thing here.
> 
> I'm running Snort 1.6.3 and store the log in a MySQL database, the very
> same that you could do with the database plugin. And it works. It works
> very well and all the things I want in the database are stored there. But
> it seems to me like Snort sometimes is putting some of the data in the wrong
> fields. If the host 1.2.3.4 tries to telnet my box (6.7.8.9), Snort stores
> 1.2.3.4 in ip_dest0-3 and 6.7.8.9 in ip_src0-3, and port 23 is stored in
> th_sport in tcphdr. As I said, I might be a major airhead here, but as I see
> it the contacting host is the source and 1.2.3.4 should end up in
> ip_src0-3. I could have bought this and just kept going if it weren't for
> the fact that it sometimes logs source addresses as ip_src0-3.
> 
> If some host sends me an echo request (ping), Snort will log the host's
> IP address as ip_src0-1 and my box as ip_dst0-3.
> Two scenarios where traffic is sent to me, but in one case Snort logs the
> source as ip_dst0-3 and in the other case as ip_src0-3.
> 
> Ok... Can it have to do with the fact that they're two different protocols,
> TCP and ICMP?
> Nope. I got a SCAN-SYN FIN (port 111-111) followed by an RPC query (111-894),
> and how did Snort log this then...?
> The host who did the scan was registered as ip_src0-3 and my box as
> ip_dst0-3, just the way I want it.
> 
> But both telnet and ftp connections are logged the opposite way.
> Why...?
> 
> /Johan
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users

-- 
Martin Roesch
roesch at ...421...
http://www.snort.org
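The behaviour the thread describes is that an alert is logged with the src/dst of the packet that matched the rule, so a rule that fires on the server's reply shows the server as the source. The small script below is an added example (not code from this thread or from Snort) of the state Marty refers to: a tracker that remembers which side sent the bare SYN for each TCP 4-tuple and then reports client/server orientation alongside the raw packet addresses. `Packet`, `ConnectionTracker` and `demo` are hypothetical names, and the packets replay Johan's telnet, SYN/FIN scan and ping cases with constructed addresses and ports.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]


@dataclass(frozen=True)
class Packet:
    """Minimal view of a decoded packet (constructed for this example)."""
    proto: str            # "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: str = ""       # TCP flag letters, e.g. "S", "SA", "A", "SF"


class ConnectionTracker:
    """Remembers which endpoint sent the bare SYN for each TCP 4-tuple so that
    alerts on later packets can be reported as client/server instead of only
    raw packet src/dst.  Hypothetical helper, not part of Snort."""

    def __init__(self) -> None:
        self.initiators: Dict[Tuple[Endpoint, Endpoint], Endpoint] = {}

    @staticmethod
    def _key(pkt: Packet) -> Tuple[Endpoint, Endpoint]:
        # Direction-independent key: both endpoints in a fixed order.
        a: Endpoint = (pkt.src, pkt.sport)
        b: Endpoint = (pkt.dst, pkt.dport)
        return (a, b) if a <= b else (b, a)

    def observe(self, pkt: Packet) -> None:
        # Only a bare SYN (no ACK) identifies the side that opened the connection.
        # SYN/FIN probes and SYN/ACK replies are deliberately not treated as openers.
        if pkt.proto == "tcp" and pkt.flags == "S":
            self.initiators[self._key(pkt)] = (pkt.src, pkt.sport)

    def orient(self, pkt: Packet) -> Dict[str, Optional[str]]:
        """Return raw src/dst plus client/server orientation for an alerting packet."""
        result: Dict[str, Optional[str]] = {
            "raw_src": pkt.src, "raw_dst": pkt.dst,
            "client": None, "server": None, "direction": "unknown",
        }
        if pkt.proto != "tcp":
            return result                      # no handshake, so no orientation
        initiator = self.initiators.get(self._key(pkt))
        if initiator is None:
            return result                      # no SYN seen (e.g. a bare SYN/FIN probe)
        if (pkt.src, pkt.sport) == initiator:
            result.update(client=pkt.src, server=pkt.dst, direction="client->server")
        else:
            result.update(client=pkt.dst, server=pkt.src, direction="server->client")
        return result


def demo() -> Dict[str, Dict[str, Optional[str]]]:
    """Replay the three situations from the thread with constructed packets."""
    tracker = ConnectionTracker()

    # 1. telnet: 1.2.3.4 opens a connection to 6.7.8.9:23; a rule fires on the reply.
    syn = Packet("tcp", "1.2.3.4", "6.7.8.9", 40000, 23, "S")
    synack = Packet("tcp", "6.7.8.9", "1.2.3.4", 23, 40000, "SA")
    tracker.observe(syn)
    tracker.observe(synack)
    telnet = tracker.orient(synack)

    # 2. SYN/FIN scan probe 111->111: no handshake, so only the raw direction is known,
    #    which already reads the way Johan expected.
    probe = Packet("tcp", "1.2.3.4", "6.7.8.9", 111, 111, "SF")
    tracker.observe(probe)
    scan = tracker.orient(probe)

    # 3. ICMP echo request: stateless; raw src/dst is all there is.
    ping = Packet("icmp", "1.2.3.4", "6.7.8.9")
    echo = tracker.orient(ping)

    return {"telnet": telnet, "scan": scan, "ping": echo}


if __name__ == "__main__":
    for name, info in demo().items():
        print(f"{name:7s} raw {info['raw_src']} -> {info['raw_dst']}  "
              f"client={info['client']} server={info['server']} ({info['direction']})")
```

For the telnet case the raw fields come out as 6.7.8.9 -> 1.2.3.4, exactly what Johan saw in ip_src0-3/ip_dst0-3, while the tracker reports client 1.2.3.4 and server 6.7.8.9. Keeping both views in the log is the useful design choice: the raw fields stay faithful to the packet that matched, and the oriented fields answer "who connected to whom". Note that a bare SYN must have been seen by the sensor, so connections that started before the sensor did, or probes that never complete a handshake, still fall back to raw direction.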


