[Snort-users] Re: Missing events

sekure sekure at ...11827...
Fri Jul 2 05:26:08 EDT 2004


Just wanted to follow up and see if anyone had any ideas.

I ran two queries against my database, one to count all the events in
the "event" table, and one to count all the events in the "iphdr"
table. This illustrates that some events are missing. Theoretically
they should be the same since every event should at least have an IP
header.  If anyone out there is using barnyard, could you run the same
queries for me and post the results?

mysql> select sid, count(sid) from iphdr group by sid;
+-----+------------+
| sid | count(sid) |
+-----+------------+
|   1 |      20517 |
|   2 |      13843 |
|   3 |       9926 |
|   4 |       3459 |
|   5 |       3160 |
|   6 |      10098 |
+-----+------------+
6 rows in set (2.17 sec)

mysql> select sid, count(sid) from event group by sid;
+-----+------------+
| sid | count(sid) |
+-----+------------+
|   1 |      20526 |
|   2 |      13843 |
|   3 |       9962 |
|   4 |       3462 |
|   5 |       3173 |
|   6 |      10127 |
+-----+------------+
6 rows in set (1.86 sec)

Thanks,

On Wed, 30 Jun 2004 09:47:32 -0400, sekure <sekure at ...11827...> wrote:
> 
> I apologize in advance for cross-posting to both snort-users and
> barnyard-users lists. I am not really sure where the problem occurs,
> so I feel like both groups can contribute here.
> 
> First a little background:  I am running Snort 2.1.3, logging in
> unified format, using barnyard 0.2.0 to insert events into a remote
> database.
> 
> The issue:  I am using OpenAanval as a GUI to view the events and on
> the backend it uses its own database and does some post processing
> with the snort database.  Just for the hell of it I decided to dump
> the count() of events in both tables and noticed that the snort
> "event" table had a few more events than OpenAanval.  I initially
> thought it was a problem with OpenAanval, but some research indicates
> otherwise.
> 
> Just to give the approximate scale of the problem I am missing about
> 100 events out of 50K total logged.
> 
> I identified the missing events, and went back to the snort database
> to look them up.  What I found is that even though an entry for an
> event exists in the "event" table, no entry exists for the event in
> either "iphdr", "tcphdr" or "data" tables.
> One example of this behavior: Snort logged 7 attempts at http
> directory traversal across 7 of my web servers.  7 rows are created in
> the "event" table, but only 5 in the iphdr, tcphdr and data tables.
> 
> I went further back, to the original sensor and dumped the contents of
> the pcap file snort outputs along with the unified log.  The pcap file
> contains all 7 events.  I then reconfigured barnyard to output the
> processed logs in pcap format and pointed it at the log in question.
> The created pcap also had 7 events, all identical to each other and to
> the original pcap written by snort with the exception of expected
> things like dest. IPs and Seq/Ack #s.  This indicates that Snort
> correctly writes the unified log file.
> 
> So, somewhere in the process of writing these events to the database
> barnyard loses some of the relevant information, and only inserts a
> portion of the event.
> 
> Has anyone experienced anything like this?  Any suggestions of things to try?
>
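The two count queries above only show, per sensor, that rows are missing. The queries below are an added example, not part of the original post, that list the individual "event" rows with no matching "iphdr" row so they can be matched against the unified log and pcap on the sensor. They assume the standard Snort database schema of that era (event and iphdr/tcphdr/data keyed by sid, cid; signature table with sig_id and sig_name) and MySQL syntax.

```sql
-- Added example (not from the original post). Assumes the standard
-- Snort schema: event(sid, cid, signature, timestamp),
-- iphdr(sid, cid, ...), tcphdr(sid, cid, ...), data(sid, cid, ...),
-- signature(sig_id, sig_name).

-- 1. Per-sensor count of event rows that have no iphdr row.
--    On the numbers quoted above this should give 9 for sid 1
--    (20526 - 20517), 0 for sid 2, 36 for sid 3, and so on.
SELECT e.sid, COUNT(*) AS orphaned_events
FROM event e
LEFT JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
WHERE i.cid IS NULL
GROUP BY e.sid;

-- 2. The orphaned events themselves, with signature name and time,
--    so each one can be looked up in the sensor's unified log / pcap.
SELECT e.sid, e.cid, e.timestamp, s.sig_name
FROM event e
LEFT JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
LEFT JOIN signature s ON s.sig_id = e.signature
WHERE i.cid IS NULL
ORDER BY e.sid, e.cid;

-- 3. For the orphaned events, check whether tcphdr and data are
--    missing as well (the post reports all three absent together).
--    Note: a missing tcphdr is normal for UDP/ICMP events and a
--    missing data row is normal for packets with no payload, which
--    is why this is restricted to events that already lack iphdr.
SELECT e.sid, e.cid,
       (t.cid IS NOT NULL) AS has_tcphdr,
       (d.cid IS NOT NULL) AS has_data
FROM event e
LEFT JOIN iphdr  i ON i.sid = e.sid AND i.cid = e.cid
LEFT JOIN tcphdr t ON t.sid = e.sid AND t.cid = e.cid
LEFT JOIN data   d ON d.sid = e.sid AND d.cid = e.cid
WHERE i.cid IS NULL
ORDER BY e.sid, e.cid;
```

If query 1 returns zero rows on another barnyard installation while the event and iphdr counts still differ, the difference is coming from somewhere other than orphaned event rows and the cid sequence itself should be checked for gaps.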
