[Snort-users] ICMP DB Issues

Joshua Berry jberry at ...11848...
Tue Jul 20 12:20:00 EDT 2004


DB Output configuration:

output database: alert, postgresql, user=<db_user_name>
password=<db_password> dbname=<db_name> host=<db_ip_addr>
sensor_name=<sensor_name> detail=full

-----Original Message-----
From: sekure [mailto:sekure at ...11827...] 
Sent: Tuesday, July 20, 2004 2:07 PM
To: Joshua Berry
Subject: Re: [Snort-users] ICMP DB Issues

Strange indeed...

According to the snort manual, you can configure the detail level for
the database output module to either "fast" or "full".  Obviously fast
logs less detail than full.  I don't know what it defaults to, so you
might want to check on that.

Post your output module line, maybe someone with more knowledge than
myself can find something wrong with it. Sorry I can't offer any more
suggestions, since I am not using snort's db output module, but like I
said, processing unified logs through barnyard works for me.

On Tue, 20 Jul 2004 13:45:33 -0500, Joshua Berry <jberry at ...12157...>
wrote:
> Yes, I am querying the icmphdr table and the icmp_seq and icmp_id
> fields are empty (null).  Do you mean logging in alert or log mode?  You
> cannot use -A full or -A fast for DB output.
> 
> 
> 
> -----Original Message-----
> From: sekure [mailto:sekure at ...11827...]
> Sent: Tuesday, July 20, 2004 1:44 PM
> To: Joshua Berry
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] ICMP DB Issues
> 
> Are you querying the icmphdr table?
> 
> Are you logging in full or fast mode?
> 
> On Tue, 20 Jul 2004 13:27:44 -0500, Joshua Berry <jberry at ...12157...>
> wrote:
> > It isn't the display, because I have coded my own PHP based SIM.  I
> > did a query for all ICMP ID's or Sequences that weren't NULL and came
> > back with nothing.
> >
> > I am not using barnyard or mudpit or any other plugin, just the DB
> > output option from Snort and it seems to not insert this data.
> >
> >
> >
> > -----Original Message-----
> > From: sekure [mailto:sekure at ...11827...]
> > Sent: Tuesday, July 20, 2004 1:26 PM
> > To: Joshua Berry
> > Cc: snort-users at lists.sourceforge.net
> > Subject: Re: [Snort-users] ICMP DB Issues
> >
> > I am using barnyard to insert the unified logs into a remote
> > database, and whereas I don't normally see those particular types of alerts,
> > other ICMP alerts have the following information: icmp_type,
> > icmp_code, icmp_csum, icmp_id, icmp_seq.
> >
> > Now whether or not they get displayed by your front end ( ACID,
> > OpenAanval) is a whole different story.
> >
> > On Tue, 20 Jul 2004 13:04:09 -0500, Joshua Berry <jberry at ...12157...>
> > wrote:
> > > I have had an issue for some time where I will get alerts such as
> > > "DDOS - TFN client command LE" which revolves around the ICMP ID, ICMP
> > > Sequence, and Type.  However, the ICMP ID and Sequence are NEVER
> > > entered into the database, just the Type and Code.  Has anyone else
> > > noticed this?
> > >
> > > Josh Berry, CISSP & MCSE
> > > Information Security
> > > 214-765-1296
> > >
> > >
> > > --------------------------------------------------------------------
> > > If you spend more on coffee than on IT security, you will be hacked.
> > > What's more, you deserve to be hacked.
> > >     -- (Former) White House Cybersecurity adviser Richard Clarke
> > >
> > >
> >
>
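The check the thread is circling around, as an added example that is not part of the original thread: a small diagnostic, run against a copy of the Snort database, that counts how many rows in the icmphdr table are missing icmp_id or icmp_seq for the ICMP types that actually carry those fields (echo, timestamp, information and address-mask messages), so that a NULL in those rows points at the logger rather than at the packet. It uses an in-memory SQLite copy of the icmphdr table with constructed rows; the column names are the ones named in the thread, and the sid/cid key columns are an assumption about the schema.

```python
import sqlite3

# Constructed sample of the Snort "icmphdr" table (column names from the
# thread; sid/cid as the per-sensor/per-event key is an assumption).
SAMPLE_ROWS = [
    # (sid, cid, icmp_type, icmp_code, icmp_csum, icmp_id, icmp_seq)
    (1, 1, 8, 0, 0x4d2a, 0x1234, 1),     # echo request, id/seq populated
    (1, 2, 0, 0, 0x4d2b, 0x1234, 1),     # echo reply, id/seq populated
    (1, 3, 0, 0, 0x9a00, None, None),    # echo reply logged WITHOUT id/seq
    (1, 4, 3, 3, 0x11aa, None, None),    # port unreachable: no id/seq field
]

# ICMP types whose header carries an identifier and sequence number:
# echo reply/request, timestamp, information, address mask.
TYPES_WITH_ID_SEQ = (0, 8, 13, 14, 15, 16, 17, 18)


def load_sample(conn):
    """Create the icmphdr table and load the constructed rows."""
    conn.execute("""CREATE TABLE icmphdr (
        sid INTEGER, cid INTEGER, icmp_type INTEGER, icmp_code INTEGER,
        icmp_csum INTEGER, icmp_id INTEGER, icmp_seq INTEGER,
        PRIMARY KEY (sid, cid))""")
    conn.executemany("INSERT INTO icmphdr VALUES (?,?,?,?,?,?,?)", SAMPLE_ROWS)


def missing_id_seq_by_type(conn):
    """Return {icmp_type: (rows_total, rows_missing_id_or_seq)} restricted
    to types that carry id/seq.  A non-zero missing count here means the
    output module is not writing icmp_id/icmp_seq, the symptom in the thread."""
    placeholders = ",".join("?" * len(TYPES_WITH_ID_SEQ))
    rows = conn.execute(f"""
        SELECT icmp_type, COUNT(*),
               SUM(CASE WHEN icmp_id IS NULL OR icmp_seq IS NULL THEN 1 ELSE 0 END)
          FROM icmphdr
         WHERE icmp_type IN ({placeholders})
         GROUP BY icmp_type ORDER BY icmp_type""", TYPES_WITH_ID_SEQ).fetchall()
    return {t: (total, missing) for t, total, missing in rows}


def check_sample():
    """Run the diagnostic over the constructed rows and return the summary."""
    conn = sqlite3.connect(":memory:")
    load_sample(conn)
    return missing_id_seq_by_type(conn)


if __name__ == "__main__":
    for t, (total, missing) in check_sample().items():
        print(f"icmp_type {t}: {missing}/{total} rows missing icmp_id/icmp_seq")
```

Against a live database, point `missing_id_seq_by_type` at a connection to the real schema; type 3 and other error messages are excluded on purpose because their NULLs are expected.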



