[Snort-users] Snort DB Logging Problem

Jeff Dell jdell at ...1095...
Mon Aug 16 08:46:01 EDT 2004


I had a few students that had the same problem... 

The problem:
 SANS cleans the data, breaking the checksums and Snort doesn't like this.
Therefore it discards the packets.
The fix: 
 Disable checking for the checksum by Add "-k none" to your command line.


-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Bill Gercken
Sent: Sunday, August 15, 2004 1:35 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Snort DB Logging Problem

I am trying to use snort to load some of the SANS
libpcap files into an acid database using snort and
the database output plugin. My configuration file
is as follows:

# conf file to log to the database.
output database: log, mysql, user=suser password=pass \ dbname=snort 
host=localhost detail=full sensor_name=blah

log tcp any any <> any any (msg:"tcp any";)
log udp any any <> any any (msg:"udp any";)
log icmp any any <> any any (msg:"icmp any";)

from the command line i use:

snort -c db-log.conf -r 2003.12.15.1

When I run the command against a big-endian file it process
the data fine and provides the following output:

Snort processed 36562 packets.
Breakdown by protocol:
     TCP: 32906      (90.001%)
     UDP: 141        (0.386%)
    ICMP: 2587       (7.076%)
     ARP: 118        (0.323%)
   EAPOL: 0          (0.000%)
    IPv6: 0          (0.000%)
     IPX: 0          (0.000%)
   OTHER: 730        (1.997%)
DISCARD: 80         (0.219%)
Action Stats:
LOGGED: 33729

file command output:
2003.12.15.1: tcpdump capture file (big-endian) - version 2.4 
(Ethernet, capture length 96)

but when I run against any of the SANS little-endian files, nothing is 

snort -c db-log.conf -r 2002.9.9

Snort processed 1051 packets.
Breakdown by protocol:
     TCP: 1051       (100.000%)
     UDP: 0          (0.000%)
    ICMP: 0          (0.000%)
     ARP: 0          (0.000%)
   EAPOL: 0          (0.000%)
    IPv6: 0          (0.000%)
     IPX: 0          (0.000%)
   OTHER: 0          (0.000%)
DISCARD: 0          (0.000%)
Action Stats:

file command output:

2002.9.9: tcpdump capture file (little-endian) - version 2.4 (Ethernet, 
capture length 1514)

I can load little-endian files that I have captured locally, so
it appears to be isolated to the SANS files.

I have tried this with snort 2.3 and snort 2.20.
Has any one seen this problem. Am I missing something?

Thanks and Regards,

SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media
100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33
Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift.
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list