[Snort-users] Barnyard and ACID question

Steve Halligan agent33 at ...187...
Tue Nov 6 10:24:03 EST 2001


I am having this problem also.  OpenBSD 2.9-release here.  Barnyard from CVS
today.  The snort unified logfile is attached.
I also noticed that sometimes (although not in this logfile, I believe) the
ordering of the source IP address is backwards as well: a.b.c.d becomes d.c.b.a.
The dest IP is unaffected.
-steve

> -----Original Message-----
> From: Andrew R. Baker [mailto:andrewb at ...950...]
> Sent: Monday, November 05, 2001 11:44 PM
> To: Wozz
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Barnyard and ACID question
> 
> 
> Wozz wrote:
> > 
> > I'm noticing some problems with barnyard and the mysql output plugin.
> > After some correlation, here's the real headers for the event (from the
> > barnyard log output plugin)
> > 
> > [**] [1:1002:1] WEB-IIS cmd.exe access [**]
> > [Classification: Attempted User Privilege Gain] [Priority: 8]
> > Event ID: 692     Event Reference: 0
> > 11/03/01-11:34:37.020121 a.b.c.130:55776 -> x.y.z.64:80
> > TCP TTL:50 TOS:0x0 ID:37849 IpLen:20 DgmLen:208 DF
> > ***AP*** Seq: 0x6CA76E65  Ack: 0x636CB06B  Win: 0x2238  TcpLen: 32
> > 
> > For some reason, when using the mysql output plugin in barnyard, the source
> > port is being munged from the correct 55776 to 57561, and the destination
> > port from 80 to 20480.  I've confirmed that this is the data that is being
> > inserted into mysql (as opposed to it being an ACID display problem).
> > 
> > This is consistent across all alerts being inserted into mysql (as far as I
> > can tell)
> > 
> > Is this a known bug?
> 
> 
> Which version (and build) of snort are you using?  Do you have a small
> unified alert file you could send me for testing?  AFAIK, this should
> not occur.  I will look into it tomorrow.
> 
> -A
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: snort.log.1005036190
Type: application/octet-stream
Size: 100946 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20011106/534eb28e/attachment.obj>
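The port pairs quoted in this thread (55776 -> 57561, 80 -> 20480) are exactly what exchanging the two bytes of a 16-bit value produces, and a source address arriving as d.c.b.a instead of a.b.c.d is the 32-bit analogue, i.e. a host/network byte-order mix-up somewhere between the unified log and the database. The following script is an added illustration written for this archive page, not code from barnyard, snort or anyone in the thread; the sample values are the ones quoted above, and the IP pair is constructed.

```python
import socket
import struct

# Sample (correct, as-stored-in-mysql) port pairs taken from the quoted report.
SAMPLE_PORTS = [(55776, 57561), (80, 20480)]
# Constructed IP pair illustrating the reversed source address symptom.
SAMPLE_IPS = [("10.1.2.3", "3.2.1.10")]


def swap16(value: int) -> int:
    """Return the 16-bit value with its two bytes exchanged."""
    return struct.unpack("<H", struct.pack(">H", value))[0]


def swap32(value: int) -> int:
    """Return the 32-bit value with its four bytes reversed."""
    return struct.unpack("<I", struct.pack(">I", value))[0]


def ip_to_int(dotted: str) -> int:
    return struct.unpack(">I", socket.inet_aton(dotted))[0]


def int_to_ip(value: int) -> str:
    return socket.inet_ntoa(struct.pack(">I", value))


def diagnose_port(expected: int, stored: int) -> str:
    """Classify a port discrepancy: 'ok', 'byte-swapped' or 'other'."""
    if expected == stored:
        return "ok"
    if swap16(expected) == stored:
        return "byte-swapped"
    return "other"


def diagnose_ip(expected: str, stored: str) -> str:
    """Same classification for a dotted-quad IPv4 address."""
    if expected == stored:
        return "ok"
    if int_to_ip(swap32(ip_to_int(expected))) == stored:
        return "byte-swapped"
    return "other"


if __name__ == "__main__":
    # On a little-endian host socket.ntohs(80) == 20480: one ntohs() too many
    # (or too few) on a value already in host order gives exactly this symptom.
    for exp, got in SAMPLE_PORTS:
        print(f"port {exp} -> {got}: {diagnose_port(exp, got)}")
    for exp, got in SAMPLE_IPS:
        print(f"ip {exp} -> {got}: {diagnose_ip(exp, got)}")
```

Running the same classifier over the port and address columns of a suspect ACID/mysql table against the barnyard log-plugin output tells you quickly whether every discrepancy is a clean byte swap (one conversion bug) or something else.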

