[Snort-users] snortdb-extra

Hutchinson, Andrew Andrew.Hutchinson at ...3639...
Thu Apr 10 06:23:08 EDT 2003


The snortdb-extra tables are lookup tables.
 
Snort stores information pertaining to things like tcp flags, in a
numeric format.  For instance, here's some info from the iphdr table
pertaining to the ip protocol:
 
snort191=# select ip_proto from iphdr limit 10;
 ip_proto 
----------
        6
        6
        6
        6
        1
        1
        1
        1
        1
        1
(10 rows)

Doesn't tell you much, unless you know the assigned ip protocol numbers.
However, you can look up the protocols in the 'protocols' table:
 
snort191=# select * from protocols where protocol in ('1','6');
 protocol | name | description  
----------+------+--------------
        1 | ICMP | Internet
        6 | TCP  | Transmission
(2 rows)

Now you can map '1' to icmp, and '6' to tcp.  Handy.
 
 
Here's another example from the tcphdr table, looking at tcp_flags:
 
snort191=# select tcp_flags from tcphdr limit 10;
 tcp_flags 
-----------
        24
        24
        24
        24
        16
        16
        16
        16
        16
        16
(10 rows)

 
Doesn't tell you much, unless you can keep the tcp flag order straight
in your head.  But if you query the flags table...
 
snort191=# select * from flags where number in ('24','16');
 number | res1 | res2 | urg | ack | psh | rst | syn | fin | valid | description
--------+------+------+-----+-----+-----+-----+-----+-----+-------+-----------------------------------------------
     16 |    0 |    0 |   0 |   0 |   1 |   0 |   0 |   0 |     0 | PSH: Standard/Invalid
     24 |    0 |    0 |   0 |   1 |   1 |   0 |   0 |   0 |     1 | ACK|PSH: Acknowlegement with a push on packet
(2 rows)

 
You can see that a flag value of 16 means that the PSH bit is set, and a
24 means an ACK/PSH.
 
This also applies to the services table.  You can look up the service based on
the protocol and the port.  If you have an alert that uses tcp/80, you
can look up that that's http.  And so on.
 
As far as ACID is concerned, I unfortunately can't answer your question
- I don't use ACID.  However, I would imagine that if ACID gives you
protocol, tcp flag, or ip protocol breakdowns, then it's looking this
information up in these tables.
 
Hope that this helps,
 
Andrew
 

Andrew Hutchinson - Network Security
Vanderbilt University Medical Center
(615) 936-2856 
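As an added example that is not part of the original post: one query that joins the alert tables to all three snortdb-extra lookup tables, so the numeric ip_proto and tcp_flags columns come out decoded the way the separate selects above do by hand. It assumes the standard snort schema correlation on (sid, cid) and a services table keyed by (port, protocol); the services column names are an assumption, since the post does not show them.

```sql
-- Added example, not from the original post.
-- Decode ip_proto via protocols, tcp_flags via flags, and the
-- destination port via services, in a single result set.
-- Assumptions: event/iphdr/tcphdr correlate on (sid, cid) as in the
-- standard snort schema; services has (port, protocol, name) columns.
SELECT e.sid,
       e.cid,
       e.timestamp,
       ip.ip_proto,
       COALESCE(p.name, 'unknown')             AS proto_name,
       t.tcp_dport,
       COALESCE(s.name, 'unknown')             AS service_name,
       t.tcp_flags,
       COALESCE(f.description, 'not in table') AS flags_desc,
       f.valid                                 AS flags_valid
FROM event e
JOIN iphdr ip          ON ip.sid = e.sid AND ip.cid = e.cid
-- LEFT JOINs keep non-TCP alerts and values missing from the lookup
-- tables instead of silently dropping those rows.
LEFT JOIN tcphdr t     ON t.sid = e.sid AND t.cid = e.cid
LEFT JOIN protocols p  ON p.protocol = ip.ip_proto
LEFT JOIN flags f      ON f.number = t.tcp_flags
LEFT JOIN services s   ON s.port = t.tcp_dport
                      AND s.protocol = ip.ip_proto
ORDER BY e.timestamp DESC
LIMIT 10;
```

The flags.valid column (0 for the PSH-only row above) is worth keeping in the output, since a flag combination the table marks invalid is exactly the kind of alert worth a second look.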

	-----Original Message-----
	From: Paulo Gomes [mailto:vgomespt at ...131...] 
	Sent: Thursday, April 10, 2003 7:20 AM
	To: snort-users at lists.sourceforge.net
	Subject: [Snort-users] snortdb-extra
	
	

	Hi,

	I'm running snort 1.9.0 with ACID v0.9.6b23.

	Everything seems OK when logging to the database.

	I've added to the Mysql snort DB the snortdb-extra tables by executing the procedure found in the doc.

	My question is, how can I use the tables protocols and services with ACID?

	Is there any relation between these tables and the standard snort and ACID tables?

	My snort DB schema is 106.

	The tables created by snortdb-extra are used when and how ?

	Regards and thanks in advance.

	Viana Gomes

	 

	
	


