[Snort-users] Snort DB Logging Problem

Jeff Dell jdell at ...1095...
Mon Aug 16 08:46:01 EDT 2004


Bill,

I had a few students that had the same problem... 

The problem:
 SANS cleans the data, breaking the checksums and Snort doesn't like this.
Therefore it discards the packets.
The fix: 
 Disable checking for the checksum by Add "-k none" to your command line.

Cheers,
Jeff
 

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Bill Gercken
Sent: Sunday, August 15, 2004 1:35 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Snort DB Logging Problem

Hi,
I am trying to use snort to load some of the SANS
libpcap files into an acid database using snort and
the database output plugin. My configuration file
is as follows:

# conf file to log to the database.
#
output database: log, mysql, user=suser password=pass \ dbname=snort 
host=localhost detail=full sensor_name=blah

log tcp any any <> any any (msg:"tcp any";)
log udp any any <> any any (msg:"udp any";)
log icmp any any <> any any (msg:"icmp any";)

from the command line i use:

snort -c db-log.conf -r 2003.12.15.1


When I run the command against a big-endian file it process
the data fine and provides the following output:

<snip>
Snort processed 36562 packets.
=========================================================
Breakdown by protocol:
     TCP: 32906      (90.001%)
     UDP: 141        (0.386%)
    ICMP: 2587       (7.076%)
     ARP: 118        (0.323%)
   EAPOL: 0          (0.000%)
    IPv6: 0          (0.000%)
     IPX: 0          (0.000%)
   OTHER: 730        (1.997%)
DISCARD: 80         (0.219%)
=========================================================
Action Stats:
ALERTS: 80
LOGGED: 33729
PASSED: 0
</snip>

file command output:
2003.12.15.1: tcpdump capture file (big-endian) - version 2.4 
(Ethernet, capture length 96)


but when I run against any of the SANS little-endian files, nothing is 
logged:

snort -c db-log.conf -r 2002.9.9

output:
Snort processed 1051 packets.
=========================================================
Breakdown by protocol:
     TCP: 1051       (100.000%)
     UDP: 0          (0.000%)
    ICMP: 0          (0.000%)
     ARP: 0          (0.000%)
   EAPOL: 0          (0.000%)
    IPv6: 0          (0.000%)
     IPX: 0          (0.000%)
   OTHER: 0          (0.000%)
DISCARD: 0          (0.000%)
=========================================================
Action Stats:
ALERTS: 0
LOGGED: 0
PASSED: 0

file command output:

2002.9.9: tcpdump capture file (little-endian) - version 2.4 (Ethernet, 
capture length 1514)

I can load little-endian files that I have captured locally, so
it appears to be isolated to the SANS files.

I have tried this with snort 2.3 and snort 2.20.
Has any one seen this problem. Am I missing something?

Thanks and Regards,
-bill



-------------------------------------------------------
SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media
100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33
Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift.
http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users






More information about the Snort-users mailing list