[Snort-users] Barnyard and ACID question
Steve Halligan
agent33 at ...187...
Tue Nov 6 11:54:02 EST 2001
One more piece of wierdness: Barnyard popped up a few "Unknown Network
Header (0x0)" and inserted an alert with only a sig, no ip info, tcp info,
etc.
> -----Original Message-----
> From: Steve Halligan [mailto:agent33 at ...187...]
> Sent: Tuesday, November 06, 2001 12:29 PM
> To: 'Andrew R. Baker'; 'Wozz'
> Cc: 'snort-users at lists.sourceforge.net'
> Subject: RE: [Snort-users] Barnyard and ACID question
>
>
> PS: The timestamps appear to be set to UTC. Both the
> snort/barnyard box
> and the database box are set to the correct time and timezone, but
> timestamps logged in the database are +6 hours (which would
> be utc from
> where I am). Not a bug, but is there anyway to change this behaviour?
>
> > -----Original Message-----
> > From: Steve Halligan
> > Sent: Tuesday, November 06, 2001 12:23 PM
> > To: 'Andrew R. Baker'; Wozz
> > Cc: snort-users at lists.sourceforge.net
> > Subject: RE: [Snort-users] Barnyard and ACID question
> >
> >
> > I am having this problem also. OpenBSD 2.9-release here.
> > Barnyard from CVS today. snort-unified-logfile is attached.
> > I also noticed that sometimes (although not in this logfile,
> > I believe) the ordering of the source ip address backwards
> > also a.b.c.d becomes d.c.b.a. The dest ip is unaffected.
> > -steve
> >
> > > -----Original Message-----
> > > From: Andrew R. Baker [mailto:andrewb at ...950...]
> > > Sent: Monday, November 05, 2001 11:44 PM
> > > To: Wozz
> > > Cc: snort-users at lists.sourceforge.net
> > > Subject: Re: [Snort-users] Barnyard and ACID question
> > >
> > >
> > > Wozz wrote:
> > > >
> > > > I'm noticing some problems with barnyard and the mysql
> > > output plugin.
> > > > After some correlation, here's the real headers for the
> > > event (from the
> > > > barnyard log output plugin)
> > > >
> > > > [**] [1:1002:1] WEB-IIS cmd.exe access [**]
> > > > [Classification: Attempted User Privilege Gain] [Priority: 8]
> > > > Event ID: 692 Event Reference: 0
> > > > 11/03/01-11:34:37.020121 a.b.c.130:55776 -> x.y.z.64:80
> > > > TCP TTL:50 TOS:0x0 ID:37849 IpLen:20 DgmLen:208 DF
> > > > ***AP*** Seq: 0x6CA76E65 Ack: 0x636CB06B Win: 0x2238
> TcpLen: 32
> > > >
> > > > For some reason, when using the mysql output plugin in
> > > barnyard, the source
> > > > port is being munged from the correct 55776 to 57561, and
> > > the destination
> > > > port from 80 to 20480. I've confirmed that this is the
> > > data that is being
> > > > inserted into mysql (as opposed to it being an ACID display
> > > problem).
> > > >
> > > > This is consistant across all alerts being inserted into
> > > mysql (as far as I
> > > > can tell)
> > > >
> > > > Is this a known bug?
> > >
> > >
> > > Which version (and build) of snort are you using? Do you
> > have a small
> > > unified alert file you could send me for testing? AFAIK,
> > this should
> > > not occur. I will look into it tomorrow.
> > >
> > > -A
> > >
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users at lists.sourceforge.net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > >
> >
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
More information about the Snort-users
mailing list