[Snort-users] Discrepancy between Base and linked packet

Joel Esler eslerj at ...11827...
Tue Mar 24 11:41:29 EDT 2009


I guess we'll need to write some new guides!
J

On Tue, Mar 24, 2009 at 9:25 AM, Bruno G. San Alejo <bgonzalez at ...14528...> wrote:

>    OK, my fault then, I just run Snort and Base. Snort is configured
> with MySQL support and Base just goes into the DB. Sorry, I just
> installed them a couple of months ago and followed the "Managing
> Security with Snort and IDS Tools" book and the typical "how-to" web
> pages. I guess I need to do more homework. :)
>
>    Then, given that Snort logs the packets right and that an external
> tool gets the log file and puts it into the DB (I had and have no idea
> about this, I won't BS you), the DB schema is not quite right anyway. It
> has two fields (id and seq#) for ALL ICMP types. Particularly for ICMP
> redirects, the gateway's IP is not represented anywhere in the DB schema.
>
>    So, if I'm not wrong, the root issue of this thread gets solved: use
> an external tool to pass the Snort logs into the DB (as a matter of fact
> the first thing I'll start doing as soon as I send this email). But for
> everything to be peachy there is still the little issue of some
> discrepancies between some ICMP types and what data is in the DB schema
> representing them. I just don't see how even with an external tool,
> some data of ICMP packets can be logged into the DB if the schema just
> doesn't have those fields.
>
>    Thanks.
>
>
>
>
>
> Joel Esler wrote:
> > We'll need to know more about the setup.  BASE simply reads what is in
> > the DB.  If it's a parsing issue with BASE, reading out of the DB,
> > then Kevin can speak to that, however, if the problem lies in the data
> > that is actually in the DB, then I have to ask how it is getting in
> > there.
> >
> > Generally Accepted Best Practice is to have Snort log in "unified"
> > mode, and have an external tool like barnyard or SnortUnified.pm read
> > the Unified files and put them into the DB.
> >
> > How is your setup configured?  (Writing from Snort directly to the DB
> > is never recommended.)
> >
> > Joel
> >
> > On Tue, Mar 24, 2009 at 8:44 AM, Bruno G. San Alejo
> > <bgonzalez at ...14528...> wrote:
> >
> >        Hi everyone, I posted like 4 weeks ago something about some
> >     problems with what Snort logs, what Base shows, and what Base saves
> >     as a pcap file. Maybe that is what you are talking about?
> >
> >        What I saw was that the packet logged with Snort was the right
> >     one. The packet logged to the DB had some issues. These could be
> >     seen in:
> >
> >        -what Base shows, for ICMP redirect packets (that was what I was
> >     focusing on) the id and the seq# were being logged instead of the
> >     gateway's IP, I submitted a temporary fix that takes care of it
> >     and I'm currently testing a fix for Snort and Base that will
> >     definitely take care of this if they are approved. The problem was
> >     the way that the packet was being parsed and the schema at the DB,
> >     which had fields that are not present in all the types of ICMP,
> >     but that are non-null.
> >
> >        -what Base saves in pcap, wrong MAC addresses and shorter
> >     timestamps. As you say, discrepancies at the Network, Transport, and
> >     Data layers. I have not looked into this as I am working on the
> >     other issue, but if no one comments on this one, I'll dive into the
> >     code shortly.
> >
> >        Thanks.
> >
> >     Matthew Babcock wrote:
> >     > Hello all,
> >     >
> >     > A short time back I noticed someone was talking about an issue
> >     > where the packet downloaded via base had different headers than
> >     > shown between wireshark and base.
> >     >
> >     > The top layers are represented the same in Base and the .pcap.
> >     > However the bottom layers are not correct. The data in the Data
> >     > Link and Network layers is just wrong, the Transport layer also
> >     > cites bad TCP Checksums.
> >     > Thanks in advance.
> >     >
> >     > What was the reason and fix?
> >     >
> >     > Also, is the mailing list archived somewhere?
> >     >
> >     >
> >     > Regards,
> >     > -- Matthew R. Babcock
> >     > CEO, Principal Consultant
> >     > A & R Technology Consulting - Providing solutions, not limitations -
> >     > MBabcock at ...14532...
> >     > (508) 397-8280
> >     >
> >     >
> >     >
> >     >
> >     >
> >
> >     > _______________________________________________
> >     > Snort-users mailing list
> >     > Snort-users at lists.sourceforge.net
> >     > Go to this URL to change user options or unsubscribe:
> >     > https://lists.sourceforge.net/lists/listinfo/snort-users
> >     > Snort-users list archive:
> >     > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >     >
> >     >
> >
> >
> > --
> > Joel Esler
> > T: 302-223-5974 (-) Gtalk: jesler at ...1935...
> > [m]
>
>


-- 
Joel Esler
T: 302-223-5974 (-) Gtalk: jesler at ...1935...
[m]
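An added worked example (mine, not code from Snort, BASE or anyone in this thread) for the schema point Bruno raises. RFC 792 puts the echo identifier/sequence pair and the redirect gateway address in the same four header bytes (bytes 4-7), so a store that keeps only an id and a seq column for every ICMP type still holds the redirect gateway bit-for-bit but loses its meaning. The decoder below interprets bytes 4-7 by message type, verifies the RFC 1071 checksum, simulates an id/seq-only row (the column names icmp_id/icmp_seq are my assumption for illustration, not BASE's actual schema), and shows how a consumer can recover the gateway from such a row. Both packets are constructed inline, not captured traffic.

```python
"""
Decode the ICMP "rest of header" word by message type (RFC 792).

Added example for the Snort-users thread; not Snort, BASE or barnyard code.
Assumes only the RFC 792 layout: bytes 0-3 = type, code, checksum; bytes 4-7
mean different things depending on type (id/seq for echo-style messages,
gateway address for redirects, pointer for parameter problems).
"""
import struct
import ipaddress

# RFC 792 type numbers
ICMP_ECHOREPLY = 0
ICMP_DEST_UNREACH = 3
ICMP_SOURCE_QUENCH = 4
ICMP_REDIRECT = 5
ICMP_ECHO = 8
ICMP_TIME_EXCEEDED = 11
ICMP_PARAMPROB = 12
ICMP_TIMESTAMP = 13
ICMP_TIMESTAMPREPLY = 14
ICMP_INFO_REQUEST = 15
ICMP_INFO_REPLY = 16

# Types whose bytes 4-7 really are an identifier and a sequence number
ID_SEQ_TYPES = {ICMP_ECHO, ICMP_ECHOREPLY, ICMP_TIMESTAMP, ICMP_TIMESTAMPREPLY,
                ICMP_INFO_REQUEST, ICMP_INFO_REPLY}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd length zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_icmp(pkt: bytes) -> dict:
    """Parse an ICMP message and interpret bytes 4-7 according to the type."""
    if len(pkt) < 8:
        raise ValueError("ICMP header needs 8 bytes")
    icmp_type, code, _csum = struct.unpack("!BBH", pkt[:4])
    rest = pkt[4:8]
    # A message with a correct checksum sums to zero when the checksum is included
    out = {"type": icmp_type, "code": code, "checksum_ok": inet_checksum(pkt) == 0}
    if icmp_type in ID_SEQ_TYPES:
        out["id"], out["seq"] = struct.unpack("!HH", rest)
    elif icmp_type == ICMP_REDIRECT:
        out["gateway"] = str(ipaddress.IPv4Address(rest))
    elif icmp_type == ICMP_PARAMPROB:
        out["pointer"] = rest[0]
    else:
        # dest unreachable, source quench, time exceeded: unused in RFC 792
        out["unused"] = rest.hex()
    out["payload"] = pkt[8:]
    return out


def flat_row(pkt: bytes) -> dict:
    """Simulate a store that keeps id/seq for *every* type, as the thread describes.

    Column names are an assumption for illustration, not the real BASE schema.
    """
    icmp_type, code, csum, icmp_id, icmp_seq = struct.unpack("!BBHHH", pkt[:8])
    return {"icmp_type": icmp_type, "icmp_code": code, "icmp_csum": csum,
            "icmp_id": icmp_id, "icmp_seq": icmp_seq}


def gateway_from_row(row: dict):
    """Recover the redirect gateway from an id/seq-only row; None for other types."""
    if row["icmp_type"] != ICMP_REDIRECT:
        return None
    return str(ipaddress.IPv4Address((row["icmp_id"] << 16) | row["icmp_seq"]))


def build_icmp(icmp_type: int, code: int, rest: bytes, payload: bytes = b"") -> bytes:
    """Assemble an ICMP message with a correct checksum (used for the samples)."""
    hdr = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    csum = inet_checksum(hdr)
    return hdr[:2] + struct.pack("!H", csum) + hdr[4:]


# Constructed samples (not captured traffic): an echo request with id 0x1234,
# seq 7, and a host redirect (code 1) to 10.0.0.254 quoting a minimal 20-byte
# IPv4 header of the datagram that triggered it.
ECHO = build_icmp(ICMP_ECHO, 0, struct.pack("!HH", 0x1234, 7), b"abcdefgh")
ORIG_IP_HDR = bytes.fromhex("45000054000040004001000a0a0000010a000002")
REDIRECT = build_icmp(ICMP_REDIRECT, 1, ipaddress.IPv4Address("10.0.0.254").packed,
                      ORIG_IP_HDR)

if __name__ == "__main__":
    for name, pkt in (("echo", ECHO), ("redirect", REDIRECT)):
        print(name, decode_icmp(pkt))
        row = flat_row(pkt)
        print("  flat row:", row, "-> gateway:", gateway_from_row(row))
```

Run it directly to print both decodings; the flat row for the redirect shows the gateway 10.0.0.254 split into id 0x0a00 and seq 0x00fe, which is exactly what an id/seq-only schema would store and what BASE would then display unless it reinterprets the pair by type.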