[Snort-users] Barnyard and ACID question

Steve Halligan agent33 at ...187...
Tue Nov 6 11:54:02 EST 2001


One more piece of weirdness:  Barnyard popped up a few "Unknown Network
Header (0x0)" and inserted an alert with only a sig, no ip info, tcp info,
etc.



> -----Original Message-----
> From: Steve Halligan [mailto:agent33 at ...187...]
> Sent: Tuesday, November 06, 2001 12:29 PM
> To: 'Andrew R. Baker'; 'Wozz'
> Cc: 'snort-users at lists.sourceforge.net'
> Subject: RE: [Snort-users] Barnyard and ACID question
> 
> 
> PS:  The timestamps appear to be set to UTC.  Both the 
> snort/barnyard box
> and the database box are set to the correct time and timezone, but
> timestamps logged in the database are +6 hours (which would 
> be utc from
> where I am).  Not a bug, but is there any way to change this behaviour?
> 
> > -----Original Message-----
> > From: Steve Halligan 
> > Sent: Tuesday, November 06, 2001 12:23 PM
> > To: 'Andrew R. Baker'; Wozz
> > Cc: snort-users at lists.sourceforge.net
> > Subject: RE: [Snort-users] Barnyard and ACID question
> > 
> > 
> > I am having this problem also.  OpenBSD 2.9-release here.  
> > Barnyard from CVS today.  snort-unified-logfile is attached.
> > I also noticed that sometimes (although not in this logfile, 
> > I believe) the ordering of the source ip address is also 
> > backwards: a.b.c.d becomes d.c.b.a.  The dest ip is unaffected.
> > -steve
> > 
> > > -----Original Message-----
> > > From: Andrew R. Baker [mailto:andrewb at ...950...]
> > > Sent: Monday, November 05, 2001 11:44 PM
> > > To: Wozz
> > > Cc: snort-users at lists.sourceforge.net
> > > Subject: Re: [Snort-users] Barnyard and ACID question
> > > 
> > > 
> > > Wozz wrote:
> > > > 
> > > > I'm noticing some problems with barnyard and the mysql 
> > > output plugin.
> > > > After some correlation, here's the real headers for the 
> > > event (from the
> > > > barnyard log output plugin)
> > > > 
> > > > [**] [1:1002:1] WEB-IIS cmd.exe access [**]
> > > > [Classification: Attempted User Privilege Gain] [Priority: 8]
> > > > Event ID: 692     Event Reference: 0
> > > > 11/03/01-11:34:37.020121 a.b.c.130:55776 -> x.y.z.64:80
> > > > TCP TTL:50 TOS:0x0 ID:37849 IpLen:20 DgmLen:208 DF
> > > > ***AP*** Seq: 0x6CA76E65  Ack: 0x636CB06B  Win: 0x2238  
> TcpLen: 32
> > > > 
> > > > For some reason, when using the mysql output plugin in 
> > > barnyard, the source
> > > > port is being munged from the correct 55776 to 57561, and 
> > > the destination
> > > > port from 80 to 20480.  I've confirmed that this is the 
> > > data that is being
> > > > inserted into mysql (as opposed to it being an ACID display 
> > > problem).
> > > > 
> > > > This is consistent across all alerts being inserted into 
> > > mysql (as far as I
> > > > can tell)
> > > > 
> > > > Is this a known bug?
> > > 
> > > 
> > > Which version (and build) of snort are you using?  Do you 
> > have a small
> > > unified alert file you could send me for testing?  AFAIK, 
> > this should
> > > not occur.  I will look into it tomorrow.
> > > 
> > > -A
> > > 
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users at lists.sourceforge.net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > > 
> > 
> 
> 

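The two port pairs quoted in the thread (55776 -> 57561 and 80 -> 20480) are exactly the 16-bit values with their two bytes exchanged, and a.b.c.d -> d.c.b.a is the same symptom on a 32-bit address, so the stored values point at a host/network byte-order (ntohs/ntohl) mix-up somewhere on the path into the database rather than at ACID. The check below is an added example written for this archive page, not code from Barnyard or Snort; the sample values are the ones reported above.

```python
import ipaddress
import struct

# Port pairs reported in the thread: (value in the unified log, value found in MySQL).
REPORTED_PORTS = [(55776, 57561), (80, 20480)]


def swap16(value):
    """Exchange the two bytes of a 16-bit value (a missed ntohs/htons looks like this)."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("not a 16-bit value")
    return ((value & 0xFF) << 8) | (value >> 8)


def swap32(value):
    """Exchange the four bytes of a 32-bit value (a missed ntohl/htonl)."""
    return struct.unpack("<I", struct.pack(">I", value))[0]


def reverse_ipv4(addr):
    """a.b.c.d -> d.c.b.a: what a dotted quad looks like after a 32-bit byte swap."""
    return str(ipaddress.IPv4Address(swap32(int(ipaddress.IPv4Address(addr)))))


def is_byte_swapped(expected, observed):
    """True when the stored port equals the expected port with its bytes exchanged."""
    return swap16(expected) == observed


def diagnose(pairs):
    """Map each expected port to a verdict about how the stored value relates to it."""
    return {
        expected: ("byte-swapped" if is_byte_swapped(expected, observed) else "unexplained")
        for expected, observed in pairs
    }


if __name__ == "__main__":
    for expected, observed in REPORTED_PORTS:
        verdict = diagnose([(expected, observed)])[expected]
        print(f"{expected:5d} -> {observed:5d}  (0x{expected:04X} -> 0x{observed:04X}): {verdict}")
    # Constructed address; only the octet order matters here.
    print("10.1.2.3 ->", reverse_ipv4("10.1.2.3"))
```

Because swapping is its own inverse, a row already in the database can be repaired by applying swap16 (or swap32 for the address) a second time, which is a useful sanity check when deciding whether the stored data is salvageable.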