[Snort-users] Barnyard and ACID question

Wozz wozz+snort at ...471...
Mon Nov 5 13:30:07 EST 2001


I'm noticing some problems with barnyard and the mysql output plugin.  
After some correlation, here's the real headers for the event (from the
barnyard log output plugin)


[**] [1:1002:1] WEB-IIS cmd.exe access [**]
[Classification: Attempted User Privilege Gain] [Priority: 8]
Event ID: 692     Event Reference: 0
11/03/01-11:34:37.020121 a.b.c.130:55776 -> x.y.z.64:80
TCP TTL:50 TOS:0x0 ID:37849 IpLen:20 DgmLen:208 DF
***AP*** Seq: 0x6CA76E65  Ack: 0x636CB06B  Win: 0x2238  TcpLen: 32

For some reason, when using the mysql output plugin in barnyard, the source
port is being munged from the correct 55776 to 57561, and the destination
port from 80 to 20480.  I've confirmed that this is the data that is being
inserted into mysql (as opposed to it being an ACID display problem).

This is consistant across all alerts being inserted into mysql (as far as I
can tell)

Is this a known bug?




More information about the Snort-users mailing list