[Snort-users] Snort logs different than the stuff I see in BASE.

Bruno G. San Alejo bgonzalez at ...14528...
Tue Mar 3 02:30:22 EST 2009


    Hello, I think I figured it out. I used the -b switch though snort
is in NIDS mode, and the packets logged make sense now.

    The ICMP redirect ones if logged through -b and shown in Wireshark
look right. They have the right MAC addresses and the gateway for the
redirection is right. The problem is that BASE is not showing them right.
The MACs are wrong and the gateway is wrong. I'm going through the code
trying to figure out where the info gets loaded into the DB since the
packets logged by Snort are right but the pcap format of the packets
saved by BASE are wrong (if I save the packet through BASE and show it
with Wireshark, the gateway is wrong). Also, I don't know why BASE is
not showing all the packets.

    So, Snort logs the packets right to a file, but my guess is that
there is something weird about how a packet is logged to the DB and how
BASE gets it. I don't know if Snort is not logging right into the DB or
BASE is not reading right. I'll go through the DB and check it to figure
it out.

    Also, I'm logging to a file with the log_tcpdump option and will
check it out as soon as I get the packets.

    Thanks.
   


Joel Esler wrote:
> Actually, I was just corrected:
>
> -b makes snort act like tcpdump entirely 
> log_tcpdump logs event packet information in a pcap format.
>
> I would use -b at the command line if I was using Snort in Sniffer
> mode.  log_tcpdump is more for the IDS/IPS portion of the engine.
>
> J
>
> On Fri, Feb 27, 2009 at 10:13 AM, Joel Esler <eslerj at ...11827...
> <mailto:eslerj at ...11827...>> wrote:
>
>     That's fine, let us know what you can.
>
>     Incidentally, -b and log_tcpdump are the same thing.
>
>     J
>
>
>     On Fri, Feb 27, 2009 at 10:09 AM, Bruno G. San Alejo
>     <bgonzalez at ...14528... <mailto:bgonzalez at ...14528...>> wrote:
>
>            Hi, I had already done something like that with the -b
>         option, but
>         since I'm a newbie with this stuff, I went into the
>         snort.conf and
>         commented out the DB output and uncommented the option for the
>         log_tcpdump option. I don't know if it will work differently.
>
>            In my time zone my job time ends in minutes and my parental
>         duties
>         take over, so I don't think I'll be sending anything new till
>         Monday
>         morning. :)
>
>            Thanks.
>
>
>
>
>
>
>
>         Joel Esler wrote:
>         > Try this, don't output to database.  Try having Snort just
>         output
>         > directly to pcap format, then we can try and figure out
>         where the
>         > problem may lie.
>         >
>         > J
>         >
>         > On Fri, Feb 27, 2009 at 7:35 AM, Bruno G. San Alejo
>         > <bgonzalez at ...14528... <mailto:bgonzalez at ...14528...>
>         <mailto:bgonzalez at ...14528... <mailto:bgonzalez at ...14528...>>> wrote:
>         >
>         >
>         >        Hello, I'm missing out something here because I have
>         produced some
>         >     log files from snort and when I check them out with
>         wireshark I cannot
>         >     find some alert packets that I see at BASE.
>         >
>         >        In detail, I see some ICMPs redirect messages in the
>         logs (through
>         >     wireshark, they are in tcpdump format), but BASE shows
>         just one. Also,
>         >     the mac addresses involved are not the same (I have just
>         one sensor),
>         >     though the IPs are. I know this because the packet saved
>         as pcap from
>         >     BASE and opened with Wireshark has plain wrong mac
>         addresses.
>         >
>         >        I thought that some packets could get lost due to
>         heavy load
>         >     (actually this is a live network, but I'm running snort non
>         >     promiscuous).
>         >     But the discrepancies between what BASE shows me and
>         what snort logs
>         >     make me believe I'm doing something wrong.
>         >
>         >        Thanks.
>         >
>         >
>         >
>         >
>         >
>         > --
>         > Joel Esler
>         > T: 302-223-5974 (-) Gtalk: jesler at ...1935...
>         <mailto:jesler at ...1935...>
>         > <mailto:jesler at ...1935... <mailto:jesler at ...1935...>>
>         > [m]
>
>
>
>
>     -- 
>     Joel Esler
>     T: 302-223-5974 (-) Gtalk: jesler at ...1935...
>     <mailto:jesler at ...1935...>
>     [m]
>
>
>
>
> -- 
> Joel Esler
> T: 302-223-5974 (-) Gtalk: jesler at ...1935...
> <mailto:jesler at ...1935...>
> [m]
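Added example (my own script, not code from this thread, from Snort or from BASE): a small Python checker that pulls the fields Bruno says disagree, the Ethernet MACs and the ICMP redirect gateway, out of every ICMP redirect in a Snort -b pcap and in a BASE pcap export, and lists what differs, including the packet count. The two pcaps are constructed inline; that BASE's export is classic pcap (not pcapng) is an assumption.

```python
import struct

def mac(b): return ":".join(f"{x:02x}" for x in b)
def ip(b): return ".".join(str(x) for x in b)

def pcap_records(data):
    """Yield raw frames from a classic (non-pcapng) pcap in either byte order."""
    magic = struct.unpack("<I", data[:4])[0]
    e = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    off = 24                                    # skip the 24-byte global header
    while off + 16 <= len(data):
        caplen = struct.unpack(e + "IIII", data[off:off + 16])[2]
        yield data[off + 16:off + 16 + caplen]
        off += 16 + caplen

def icmp_redirect(frame):
    """MACs, IPs and gateway of an Ethernet/IPv4 ICMP redirect (type 5), else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 1:
        return None                             # not IPv4, or not ICMP (proto 1)
    icmp = frame[14 + (frame[14] & 0x0F) * 4:]  # IPv4 header is IHL*4 bytes long
    if len(icmp) < 8 or icmp[0] != 5:
        return None
    return {"dst_mac": mac(frame[0:6]), "src_mac": mac(frame[6:12]),
            "src_ip": ip(frame[26:30]), "dst_ip": ip(frame[30:34]),
            "gateway": ip(icmp[4:8])}            # redirect gateway: ICMP bytes 4-7

def compare(snort_pcap, base_pcap):
    """Fields that differ between Snort's -b capture and BASE's pcap export."""
    a = [r for r in map(icmp_redirect, pcap_records(snort_pcap)) if r]
    b = [r for r in map(icmp_redirect, pcap_records(base_pcap)) if r]
    diffs = [(i, k, x[k], y[k]) for i, (x, y) in enumerate(zip(a, b))
             for k in x if x[k] != y[k]]
    if len(a) != len(b):                        # BASE not showing all the packets
        diffs.append(("count", "redirects", len(a), len(b)))
    return diffs

def build_redirect(dst_mac, src_mac, src_ip, dst_ip, gateway):
    """Constructed sample: Ethernet + minimal IPv4 (checksum 0) + ICMP redirect-for-host."""
    icmp = bytes([5, 1, 0, 0]) + gateway + bytes(28)
    iph = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0, src_ip, dst_ip)
    return dst_mac + src_mac + b"\x08\x00" + iph + icmp

def pcap_from_frames(frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

# Constructed inputs: the same redirect as Snort wrote it and as BASE re-exported it.
LAN = (bytes([192, 168, 1, 1]), bytes([192, 168, 1, 10]))
SNORT = pcap_from_frames([build_redirect(bytes.fromhex("001122334455"), bytes.fromhex("00aabbccddee"), *LAN, bytes([192, 168, 1, 254]))])
BASE = pcap_from_frames([build_redirect(bytes(6), bytes(6), *LAN, bytes(4))])
```

To run it on real files, read both pcaps with `open(path, "rb").read()` and pass the bytes to `compare`; an empty list means the two captures agree on every redirect.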




