[Snort-users] Barnyard and ACID question
Andrew R. Baker
andrewb at ...950...
Tue Nov 6 00:27:09 EST 2001
> I'm noticing some problems with barnyard and the mysql output plugin.
> After some correlation, here's the real headers for the event (from the
> barnyard log output plugin)
> [**] [1:1002:1] WEB-IIS cmd.exe access [**]
> [Classification: Attempted User Privilege Gain] [Priority: 8]
> Event ID: 692 Event Reference: 0
> 11/03/01-11:34:37.020121 a.b.c.130:55776 -> x.y.z.64:80
> TCP TTL:50 TOS:0x0 ID:37849 IpLen:20 DgmLen:208 DF
> ***AP*** Seq: 0x6CA76E65 Ack: 0x636CB06B Win: 0x2238 TcpLen: 32
> For some reason, when using the mysql output plugin in barnyard, the source
> port is being munged from the correct 55776 to 57561, and the destination
> port from 80 to 20480. I've confirmed that this is the data that is being
> inserted into mysql (as opposed to it being an ACID display problem).
> This is consistant across all alerts being inserted into mysql (as far as I
> can tell)
> Is this a known bug?
Which version (and build) of snort are you using? Do you have a small
unified alert file you could send me for testing? AFAIK, this should
not occur. I will look into it tomorrow.
More information about the Snort-users