[Snort-users] Come hither payload--->>>Fixed

Gould, Scott sgould at ...11473...
Fri May 21 18:01:01 EDT 2004


My sensor table got whacked somehow.  The encoding field values were all NULL.  They needed to be set to 0, 1, or 2 based upon type of encoding.  All fixed.

Just an FYI for anyone that may encounter the same problem.

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net [mailto:snort-users-admin at ...3204...ts.sourceforge.net] On Behalf Of Gould, Scott
Sent: Friday, May 21, 2004 1:27 AM
To: Gould, Scott; snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Come hither payload

One other note to add: queries via ACID against payload data return successfully, but still not showing any displayed payload data in the web page.

I'm stumped

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net [mailto:snort-users-admin at ...3204...ts.sourceforge.net] On Behalf Of Gould, Scott
Sent: Friday, May 21, 2004 1:17 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Come hither payload

OK, here's the deal:

RH EL 3 Update 1

Snort 2.1.2
	Using unified_log 
Acid (latest)
Barnyard 0.2
	Processing *.log.<stamp> files with no problems

Apache 2.0.49
PHP 4.3.3


Everything working like a champ except the payloads don't show up in
ACID.

Result of grep against ACID install directory for data_payload:

acid_action.inc:   $sql = "SELECT data_payload FROM data WHERE
sid='$sid' AND cid='$cid'";
acid_action.inc:      $sql = "INSERT INTO data (sid,cid, data_payload)
VALUES ".
acid_common.php:  $sql2 = "SELECT data_payload FROM data WHERE
sid='".$sid."' AND cid='".$cid."'";
acid_qry_alert.php:  $sql2 = "SELECT data_payload FROM data WHERE
sid='".$sid."' AND cid='".$cid."'";
acid_qry_common.php:         $tmp = $field[$i][0]." data_payload
".$field[$i][1]." '%".FormatPayload($field[$i][2], $data_encode).

So, the queries are in the ACID code.

I have confirmed the existence of the payload info in the mysqldb via
direct queries against the mysql db as the same user that ACID uses to
access the db, using mysql tools.

There is no doubt that the Table "data" is populated with data in the
fields sid, cid, and data_payload.

Data is flowing AOK from snort->unified log file->barnyard->mysqldb

Yet ACID doesn't show a payload for anything.


Any ideas?




-------------------------------------------------------
This SF.Net email is sponsored by: Oracle 10g
Get certified on the hottest thing ever to hit the market... Oracle 10g. 
Take an Oracle 10g class now, and we'll give you the exam FREE.
http://ads.osdn.com/?ad_id149&alloc_id66&op=ick
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=ort-users
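An added example, not code from the thread or from ACID: a small sqlite stand-in for the sensor and data tables that reproduces the symptom described above (the data_payload query succeeds, but a NULL sensor.encoding leaves nothing to display) and the repair. The encoding constants (0 = hex, 1 = base64, 2 = ascii) are the ones used by the Snort/Barnyard database output plugin and are not stated in the thread; the table columns are reduced to the ones needed and the sample rows are constructed.

```python
import base64
import sqlite3

# Encoding constants of the Snort/Barnyard database output plugin (assumed mapping).
ENCODING_HEX, ENCODING_BASE64, ENCODING_ASCII = 0, 1, 2


def build_db():
    """Constructed in-memory stand-in for the ACID 'sensor' and 'data' tables."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE sensor (sid INTEGER PRIMARY KEY, hostname TEXT, encoding INTEGER);
        CREATE TABLE data   (sid INTEGER, cid INTEGER, data_payload TEXT);
    """)
    # Sensor 1 mirrors the reported state (encoding NULL); sensor 2 is healthy.
    db.executemany("INSERT INTO sensor VALUES (?, ?, ?)",
                   [(1, "sensor-a", None), (2, "sensor-b", ENCODING_HEX)])
    hex_payload = "474554202f20485454502f312e31"  # "GET / HTTP/1.1" as hex
    db.executemany("INSERT INTO data VALUES (?, ?, ?)",
                   [(1, 1, hex_payload), (2, 7, hex_payload)])
    return db


def decode_payload(raw, encoding):
    """What a FormatPayload-style routine can do with the row: nothing if encoding is NULL."""
    if encoding is None:
        return None
    if encoding == ENCODING_HEX:
        return bytes.fromhex(raw)
    if encoding == ENCODING_BASE64:
        return base64.b64decode(raw)
    if encoding == ENCODING_ASCII:
        return raw.encode()
    raise ValueError(f"unknown encoding {encoding!r}")


def fetch_payload(db, sid, cid):
    """Payload lookup keyed by sid/cid as in acid_qry_alert.php, joined to the sensor's encoding."""
    row = db.execute("SELECT d.data_payload, s.encoding FROM data d "
                     "JOIN sensor s ON s.sid = d.sid WHERE d.sid = ? AND d.cid = ?",
                     (sid, cid)).fetchone()
    return None if row is None else decode_payload(*row)


def sensors_with_null_encoding(db):
    """Diagnostic: sensors whose payloads ACID cannot format."""
    return [r[0] for r in db.execute("SELECT sid FROM sensor WHERE encoding IS NULL ORDER BY sid")]


def repair_encoding(db, sid, encoding):
    """The fix from the thread: set the sensor's encoding to the value the output plugin uses."""
    return db.execute("UPDATE sensor SET encoding = ? WHERE sid = ? AND encoding IS NULL",
                      (encoding, sid)).rowcount
```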



