[Snort-users] Barnyard and ACID question

Andrew R. Baker andrewb at ...950...
Tue Nov 6 00:27:09 EST 2001


Wozz wrote:
> 
> I'm noticing some problems with barnyard and the mysql output plugin.
> After some correlation, here's the real headers for the event (from the
> barnyard log output plugin)
> 
> [**] [1:1002:1] WEB-IIS cmd.exe access [**]
> [Classification: Attempted User Privilege Gain] [Priority: 8]
> Event ID: 692     Event Reference: 0
> 11/03/01-11:34:37.020121 a.b.c.130:55776 -> x.y.z.64:80
> TCP TTL:50 TOS:0x0 ID:37849 IpLen:20 DgmLen:208 DF
> ***AP*** Seq: 0x6CA76E65  Ack: 0x636CB06B  Win: 0x2238  TcpLen: 32
> 
> For some reason, when using the mysql output plugin in barnyard, the source
> port is being munged from the correct 55776 to 57561, and the destination
> port from 80 to 20480.  I've confirmed that this is the data that is being
> inserted into mysql (as opposed to it being an ACID display problem).
> 
> This is consistent across all alerts being inserted into mysql (as far as I
> can tell)
> 
> Is this a known bug?


Which version (and build) of snort are you using?  Do you have a small
unified alert file you could send me for testing?  AFAIK, this should
not occur.  I will look into it tomorrow.

-A
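The two pairs Wozz reports are each exactly the 16-bit byte-swapped form of the correct port (0x0050 becomes 0x5000, which is 20480; 0xD9E0 becomes 0xE0D9, which is 57561), so a host/network byte-order mix-up between the output plugin and the database is the first thing to check. The script below is an added example, not code from this thread or from Barnyard or Snort: it pulls the ports out of the alert header quoted above, compares them against the values Wozz says were stored in MySQL, and reports whether each mismatch is explained by a byte swap. The `diagnose` and `swap16` helper names and the `STORED` mapping are mine.

```python
# Added example (not from the mailing-list thread or the Barnyard project):
# decide whether port values stored by an output plugin are byte-swapped
# relative to the ports in the human-readable alert header.
import re
import struct

# Alert header as quoted in the thread (the addresses are already anonymised there).
ALERT_HEADER = "11/03/01-11:34:37.020121 a.b.c.130:55776 -> x.y.z.64:80"

# Ports that the thread says ended up in MySQL for the same event
# (assumption: keyed by the correct port taken from the header).
STORED = {55776: 57561, 80: 20480}

_ADDR_RE = re.compile(r"(\S+):(\d+) -> (\S+):(\d+)")


def swap16(port: int) -> int:
    """Return a 16-bit value with its two bytes exchanged.

    Packing big-endian and unpacking little-endian reproduces what happens
    when a network-order port is read as host order (or vice versa) on x86.
    """
    return struct.unpack("<H", struct.pack(">H", port))[0]


def parse_ports(header: str) -> tuple:
    """Extract (source_port, destination_port) from an 'a:p -> b:q' header line."""
    match = _ADDR_RE.search(header)
    if not match:
        raise ValueError("no 'addr:port -> addr:port' pair in header")
    return int(match.group(2)), int(match.group(4))


def classify(expected: int, observed: int) -> str:
    """'ok' if equal, 'byte-swapped' if observed is expected with bytes exchanged, else 'other'."""
    if expected == observed:
        return "ok"
    if observed == swap16(expected):
        return "byte-swapped"
    return "other"


def diagnose(header: str, stored: dict) -> dict:
    """Map each port from the header to a verdict about its stored counterpart.

    A port missing from `stored` is reported as 'missing' so the caller can
    tell a lookup problem apart from a real mismatch.
    """
    verdicts = {}
    for port in parse_ports(header):
        if port not in stored:
            verdicts[port] = "missing"
        else:
            verdicts[port] = classify(port, stored[port])
    return verdicts


if __name__ == "__main__":
    for port, verdict in diagnose(ALERT_HEADER, STORED).items():
        print(f"port {port:5d} (0x{port:04X}) stored as {STORED[port]:5d} "
              f"(0x{STORED[port]:04X}): {verdict}")
```

If both ports come back `byte-swapped` for every alert, the values in the database are internally consistent and recoverable (swapping twice restores the original), which is also why ACID displays them as plausible-looking but wrong port numbers rather than garbage.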



