[Snort-users] ICMP DB Issues

sekure sekure at ...11827...
Tue Jul 20 11:44:07 EDT 2004


Are you querying the icmphdr table?

Are you logging in full or fast mode?

On Tue, 20 Jul 2004 13:27:44 -0500, Joshua Berry <jberry at ...12157...> wrote:
> It isn't the display, because I have coded my own PHP based SIM.  I did
> a query for all ICMP ID's or Sequences that weren't NULL and came back
> with nothing.
> 
> I am not using barnyard or mudpit or any other plugin, just the DB
> output option from Snort and it seems to not insert this data.
> 
> 
> 
> -----Original Message-----
> From: sekure [mailto:sekure at ...11827...]
> Sent: Tuesday, July 20, 2004 1:26 PM
> To: Joshua Berry
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] ICMP DB Issues
> 
> I am using barnyard to insert the unified logs into a remote database,
> and whereas I don't normally see those particular types of alerts,
> other ICMP alerts have the following information: icmp_type,
> icmp_code, icmp_csum, icmp_id, icmp_seq.
> 
> Now whether or not they get displayed by your front end (ACID,
> OpenAanval) is a whole different story.
> 
> On Tue, 20 Jul 2004 13:04:09 -0500, Joshua Berry <jberry at ...12157...>
> wrote:
> > I have had an issue for some time where I will get alerts such as
> > "DDOS - TFN client command LE" which revolves around the ICMP ID, ICMP
> > Sequence, and Type.  However, the ICMP ID and Sequence are NEVER
> > entered into the database, just the Type and Code.  Has anyone else
> > noticed this?
> >
> > Josh Berry, CISSP & MCSE
> > Information Security
> > 214-765-1296
> >
> > --------------------------------------------------------------------
> > If you spend more on coffee than on IT security, you will be hacked.
> > What's more, you deserve to be hacked.
> >     -- (Former) White House Cybersecurity adviser Richard Clarke
> >
> >
>
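The two questions above (is the front end reading the right table, and are the columns actually populated) reduce to one query against the Snort database schema. What follows is an added example, not code from the thread or from the Snort project: it builds an in-memory sqlite copy of the `signature`, `event` and `icmphdr` tables with the column names Snort's `create_mysql` script uses (the sqlite dialect is an assumption, the real store is MySQL), loads constructed rows in which one sensor leaves `icmp_id`/`icmp_seq` NULL while another fills them, and runs the per-sensor, per-signature count that distinguishes "never inserted" from "inserted but not displayed". The sig_sid values and the 51201 ICMP ID are illustrative, chosen to look like the TFN rule discussed above.

```python
import sqlite3

# Minimal subset of the Snort 2.x database schema (create_mysql):
# signature, event and icmphdr.  Column names follow that schema; the
# sqlite dialect is an assumption for this example.
SCHEMA = """
CREATE TABLE signature (
    sig_id   INTEGER PRIMARY KEY,
    sig_name TEXT    NOT NULL,
    sig_sid  INTEGER
);
CREATE TABLE event (
    sid       INTEGER NOT NULL,
    cid       INTEGER NOT NULL,
    signature INTEGER NOT NULL,
    timestamp TEXT    NOT NULL,
    PRIMARY KEY (sid, cid)
);
CREATE TABLE icmphdr (
    sid       INTEGER NOT NULL,
    cid       INTEGER NOT NULL,
    icmp_type INTEGER NOT NULL,
    icmp_code INTEGER NOT NULL,
    icmp_csum INTEGER,
    icmp_id   INTEGER,
    icmp_seq  INTEGER,
    PRIMARY KEY (sid, cid)
);
"""

# Constructed sample rows (not real alert data).  Sensor 1 behaves like
# the poster's: icmp_type/icmp_code are stored, icmp_id/icmp_seq stay NULL.
# Sensor 2 behaves like a barnyard-fed sensor where all columns are filled.
SIGNATURES = [
    (1, "DDOS - TFN client command LE", 251),
    (2, "ICMP PING", 384),
]
EVENTS = [
    # sid, cid, signature, timestamp
    (1, 1, 1, "2004-07-20 13:00:01"),
    (1, 2, 1, "2004-07-20 13:00:05"),
    (1, 3, 2, "2004-07-20 13:01:10"),
    (2, 1, 1, "2004-07-20 13:02:00"),
    (2, 2, 2, "2004-07-20 13:02:30"),
]
ICMPHDR = [
    # sid, cid, type, code, csum, id, seq
    (1, 1, 0, 0, 0x1C3F, None, None),
    (1, 2, 0, 0, 0x1C40, None, None),
    (1, 3, 8, 0, 0x2A11, None, None),
    (2, 1, 0, 0, 0x1C41, 51201, 0),
    (2, 2, 8, 0, 0x2A12, 0x04D2, 1),
]

# Per sensor and signature: how many ICMP events exist and how many of
# them lack icmp_id or icmp_seq.  A sensor where missing == total for
# every signature is not inserting those columns at all.
DIAG_QUERY = """
SELECT e.sid, s.sig_name,
       COUNT(*) AS total,
       SUM(CASE WHEN i.icmp_id IS NULL OR i.icmp_seq IS NULL THEN 1 ELSE 0 END) AS missing
FROM event e
JOIN signature s ON s.sig_id = e.signature
JOIN icmphdr   i ON i.sid = e.sid AND i.cid = e.cid
GROUP BY e.sid, s.sig_name
ORDER BY e.sid, s.sig_name
"""


def build_sample_db():
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO signature VALUES (?, ?, ?)", SIGNATURES)
    conn.executemany("INSERT INTO event VALUES (?, ?, ?, ?)", EVENTS)
    conn.executemany("INSERT INTO icmphdr VALUES (?, ?, ?, ?, ?, ?, ?)", ICMPHDR)
    conn.commit()
    return conn


def missing_id_seq_by_sensor(conn):
    """Return {(sid, sig_name): (total, missing)} from DIAG_QUERY."""
    return {(sid, name): (total, missing)
            for sid, name, total, missing in conn.execute(DIAG_QUERY)}


def sensors_never_populating(conn):
    """Sensor ids whose every ICMP row lacks icmp_id or icmp_seq."""
    per_sensor = {}
    for (sid, _name), (total, missing) in missing_id_seq_by_sensor(conn).items():
        t, m = per_sensor.get(sid, (0, 0))
        per_sensor[sid] = (t + total, m + missing)
    return sorted(sid for sid, (t, m) in per_sensor.items() if t and t == m)


if __name__ == "__main__":
    db = build_sample_db()
    for (sid, name), (total, missing) in sorted(missing_id_seq_by_sensor(db).items()):
        print(f"sensor {sid}  {name:30}  icmp events={total}  missing id/seq={missing}")
    print("sensors never populating icmp_id/icmp_seq:", sensors_never_populating(db))
```

Run the same `DIAG_QUERY` against the production MySQL database (it uses only standard SQL) and compare the sensors fed directly by Snort's database output plugin with those fed through barnyard; if the direct sensors show missing equal to total across every ICMP signature, the gap is on the insert side and no front-end change will surface the values.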



