[Snort-users] Barnyard and ACID question
wozz+snort at ...471...
Mon Nov 5 13:30:07 EST 2001
I'm noticing some problems with barnyard and the mysql output plugin.
After some correlation, here are the real headers for the event (from the
barnyard log output plugin):
[**] [1:1002:1] WEB-IIS cmd.exe access [**]
[Classification: Attempted User Privilege Gain] [Priority: 8]
Event ID: 692 Event Reference: 0
11/03/01-11:34:37.020121 a.b.c.130:55776 -> x.y.z.64:80
TCP TTL:50 TOS:0x0 ID:37849 IpLen:20 DgmLen:208 DF
***AP*** Seq: 0x6CA76E65 Ack: 0x636CB06B Win: 0x2238 TcpLen: 32
For some reason, when using the mysql output plugin in barnyard, the source
port is being munged from the correct 55776 to 57561, and the destination
port from 80 to 20480. I've confirmed that this is the data that is being
inserted into mysql (as opposed to it being an ACID display problem).
This is consistent across all alerts being inserted into mysql (as far as I
Is this a known bug?
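
Added example, not part of the original post: both stored values equal the logged ports with their two bytes exchanged (55776 = 0xD9E0 and 57561 = 0xE0D9; 80 = 0x0050 and 20480 = 0x5000). The C sketch below classifies logged/stored port pairs on that basis; that a byte-order conversion is the cause is an inference from the numbers, and the names swap16 and compare_port are hypothetical, not barnyard code.

```c
#include <stdint.h>
#include <stdio.h>

/* Exchange the two bytes of a 16-bit value; this is what htons()/ntohs()
 * do on a little-endian host. */
static uint16_t swap16(uint16_t v) {
    return (uint16_t)((v << 8) | (v >> 8));
}

enum port_cmp { PORT_MATCH, PORT_BYTE_SWAPPED, PORT_UNRELATED };

/* Compare a port taken from the log output with the value stored in the
 * database. Ports whose two bytes are equal (e.g. 0x0101) cannot show a
 * swap and are reported as PORT_MATCH. */
static enum port_cmp compare_port(uint16_t logged, uint16_t stored) {
    if (logged == stored)
        return PORT_MATCH;
    if (swap16(logged) == stored)
        return PORT_BYTE_SWAPPED;
    return PORT_UNRELATED;
}

static const char *describe(enum port_cmp r) {
    switch (r) {
    case PORT_MATCH:        return "match";
    case PORT_BYTE_SWAPPED: return "byte-swapped";
    default:                return "unrelated";
    }
}

int main(void) {
    /* Port pairs quoted in the post: {log output, value in mysql}. */
    static const uint16_t pairs[][2] = { {55776, 57561}, {80, 20480} };
    size_t n = sizeof pairs / sizeof pairs[0];

    for (size_t i = 0; i < n; i++) {
        uint16_t logged = pairs[i][0], stored = pairs[i][1];
        printf("logged %5u (0x%04X)  stored %5u (0x%04X)  -> %s\n",
               (unsigned)logged, (unsigned)logged,
               (unsigned)stored, (unsigned)stored,
               describe(compare_port(logged, stored)));
    }
    return 0;
}
```

Rows already stored this way can be recovered by applying the same swap again, since swap16 is its own inverse.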