[Snort-users] Barnyard and ACID question
agent33 at ...187...
Tue Nov 6 10:24:03 EST 2001
I am having this problem also. OpenBSD 2.9-release here. Barnyard from CVS
today. snort-unified-logfile is attached.
I also noticed that sometimes (although not in this logfile, I believe) the
ordering of the source ip address backwards also a.b.c.d becomes d.c.b.a.
The dest ip is unaffected.
> -----Original Message-----
> From: Andrew R. Baker [mailto:andrewb at ...950...]
> Sent: Monday, November 05, 2001 11:44 PM
> To: Wozz
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Barnyard and ACID question
> Wozz wrote:
> > I'm noticing some problems with barnyard and the mysql
> output plugin.
> > After some correlation, here's the real headers for the
> event (from the
> > barnyard log output plugin)
> > [**] [1:1002:1] WEB-IIS cmd.exe access [**]
> > [Classification: Attempted User Privilege Gain] [Priority: 8]
> > Event ID: 692 Event Reference: 0
> > 11/03/01-11:34:37.020121 a.b.c.130:55776 -> x.y.z.64:80
> > TCP TTL:50 TOS:0x0 ID:37849 IpLen:20 DgmLen:208 DF
> > ***AP*** Seq: 0x6CA76E65 Ack: 0x636CB06B Win: 0x2238 TcpLen: 32
> > For some reason, when using the mysql output plugin in
> barnyard, the source
> > port is being munged from the correct 55776 to 57561, and
> the destination
> > port from 80 to 20480. I've confirmed that this is the
> data that is being
> > inserted into mysql (as opposed to it being an ACID display
> > This is consistant across all alerts being inserted into
> mysql (as far as I
> > can tell)
> > Is this a known bug?
> Which version (and build) of snort are you using? Do you have a small
> unified alert file you could send me for testing? AFAIK, this should
> not occur. I will look into it tomorrow.
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> Snort-users list archive:
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 100946 bytes
Desc: not available
More information about the Snort-users