[Snort-users] Corrupted Payloads in MySQL DB?

Nick Lange nlange at ...7067...
Thu Oct 3 08:38:02 EDT 2002


Hi,
   I was just digging through the FAQ looking for this and could not find it, so 
here we go...
  We have two sensors on our network, one listening on a one-way only interface 
and the other between our LAN router and firewall. I've just now started looking 
at the data (wasn't my job before) that has been collected for some time and 
noticed that some of the payloads are quite corrupted. Since the data captured 
is fairly useless, I'm going to be upgrading Snort and moving the corrupted data 
to its own little directory for "special" databases, replacing it with a fresh 
db; however, I'm asking this question now in the hope that I don't run into the 
same situation again.

If anyone has any ideas, I'd love to hear them.
Cheers,
nick

Sensor 1&2:

-*> Snort! <*-
Version 1.8.3 (Build 88)
By Martin Roesch (roesch at ...1935..., www.snort.org)

echo "select * from data where sid=3 and cid=1393;" | ./mysql -u root -p snort | \
perl -e '<STDIN>; $_ = <STDIN>; my @f = split(/\s+/); $_ = pop(@f); my @d = $_ =~ /(..)/g; foreach (@d) { print chr(hex($_)); } print "\n"'

(The first <STDIN> skips the mysql column-header line; the last whitespace-separated field of the row is the hex-encoded payload, which is decoded two characters at a time.)

returns....

GET /stocks/detailquote.php?ticker=BSYS HTTP/1.1
User-Agent: InetURL/1.0
Host: www.pcquote.com
Cache-Control: no-cache
///???? Packets get mixed up here, below here is from a different site.
ection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8

547
<HTML><TITLE>The Current Queue Status as of Thu Oct  3 01:33:27 
2002</TITLE><META HTTP-EQUIV=Refresh CONTENT="10;"><LINK REL=StyleSheet 
HREF="/~nlange/uranium.css" MEDIA=all>The Queue status as of Thu Oct  3 01:33:27 
2002 is<BR>

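As an added example (not from the post, not Snort's own code), here is a Python equivalent of the mysql-plus-Perl decode step above that also flags payloads showing the symptom described: a GET request that, part way through, turns into a server response. It assumes the data table columns are sid, cid and data_payload, and works on a constructed row modelled on the output shown in the post.

```python
import re

# Constructed sample of what the mysql client prints for the data table: a column
# header line, then one tab-separated row. The payload is the spliced
# GET-request/HTTP-response mix from the post, hex-encoded as the database
# plugin stores it. Column names sid, cid, data_payload are an assumption.
_SPLICED = (b"GET /stocks/detailquote.php?ticker=BSYS HTTP/1.1\r\n"
            b"Host: www.pcquote.com\r\nCache-Control: no-cache\r\n"
            b"ection: Keep-Alive\r\nTransfer-Encoding: chunked\r\n\r\n"
            b"547\r\n<HTML><TITLE>The Current Queue Status</TITLE>")
MYSQL_OUTPUT = "sid\tcid\tdata_payload\n3\t1393\t" + _SPLICED.hex() + "\n"

def payloads_from_mysql_output(text):
    """Yield (sid, cid, payload bytes) from tab-separated mysql client output.
    Unlike the Perl one-liner, a malformed hex field is an error, not silently
    skipped, so a truncated or mangled row cannot masquerade as a clean packet."""
    for row in text.splitlines()[1:]:          # first line is the column header
        sid, cid, hexpayload = row.split("\t")
        if len(hexpayload) % 2 or not re.fullmatch(r"[0-9a-fA-F]*", hexpayload):
            raise ValueError(f"sid={sid} cid={cid}: malformed hex payload")
        yield int(sid), int(cid), bytes.fromhex(hexpayload)

_REQUEST_LINE = re.compile(rb"^(GET|HEAD) \S+ HTTP/1\.[01]\r?\n")

def looks_spliced(payload):
    """Heuristic for the corruption seen in the post: a GET/HEAD request should
    end at its blank line and never carry a body, chunked encoding or HTML."""
    if not _REQUEST_LINE.match(payload):
        return False                           # only bodiless methods are judged
    parts = re.split(rb"\r?\n\r?\n", payload, maxsplit=1)
    head = parts[0]
    body = parts[1] if len(parts) > 1 else b""
    if body.strip():
        return True                            # data after the header block
    return b"\nTransfer-Encoding:" in head or b"<HTML" in head.upper()

def find_spliced(text):
    """Return [(sid, cid), ...] for every stored payload that looks spliced."""
    return [(sid, cid) for sid, cid, data in payloads_from_mysql_output(text)
            if looks_spliced(data)]

if __name__ == "__main__":
    for sid, cid, data in payloads_from_mysql_output(MYSQL_OUTPUT):
        print(f"sid={sid} cid={cid} spliced={looks_spliced(data)}")
        print(data.decode("latin-1"))
```

Run against a real dump, the same pipeline (mysql output on stdin, find_spliced over it) gives a list of event ids whose stored payloads should not be trusted as evidence.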