[Snort-users] Discrepancy between Base and linked packet

Joel Esler eslerj at ...11827...
Tue Mar 24 11:43:15 EDT 2009


If you have checksums wrong on the network, you might want to look at why.
That's an issue.
By the way, you should define your settings as much as possible in your
snort.conf file (like your HOME_NET..etc..) to keep your command line short
and simple.

J

On Tue, Mar 24, 2009 at 10:28 AM, Matthew Babcock <MBabcock at ...14533...>wrote:

> Hello,
>
> So I combed through a few sets of data. Here is a compilation of what I
> found..
>
> All Snort sensors work free of error, same for MySQL and Apache. The data
> displayed in BASE is correct. Note that BASE does not display the data
> link headers. When downloading and reviewing logged packets I noticed that
> all of the data link layer info was wrong, however the rest was fine (this
> is true for all of my sensors). The Snort config is uniform across all
> sensors.
>
> In the case I noted below, the sensor location is different, that being on
> a host OS processing traffic from/to/between the guest OSes. That one is
> the packet that was blatantly wrong, and again the TCP checksum failed
> (maybe the reason???)
>
> invocation
> --
> snort -m 027 -D -d -l /var/log/snort -u fakeuser -g fakegroup -I -k none
> -c /etc/snort/snort.conf -S HOME_NET=[defined] -i eth0
> --
>
> Fortunately, the box cited above is mostly development so I will check
> into using something like barnyard when I get some time. I will reply with
> some results.
>
>
> Regards,
> -- Matthew R. Babcock
> CEO, Principal Consultant
> A & R Technology Consulting - Providing solutions, not limitations -
> MBabcock at ...14532...
> (508) 397-8280
>
> > We'll need to know more about the setup.  BASE simply reads what is in
> the
> > DB.  If it's a parsing issue with BASE, reading out of the DB, then Kevin
> > can speak to that, however, if the problem lies in the data that is
> > actually
> > in the DB, then I have to ask how it is getting in there.
> > Generally Accepted Best Practice is to have Snort log in "unified" mode,
> > and
> > have an external tool like barnyard or SnortUnified.pm read the Unified
> > files and put them into the DB.
> >
> > How is your setup configured?  (Writing from Snort directly to the DB is
> > never recommended.)
> >
> > Joel
> >
> > On Tue, Mar 24, 2009 at 8:44 AM, Bruno G. San Alejo
> > <bgonzalez at ...14528...>wrote:
> >
> >>    Hi everyone, I posted like 4 weeks ago something about some problems
> >> with what Snort logs, what Base shows, and what Base saves as pcap file.
> >> Maybe that is what you are talking about?
> >>
> >>    What I saw was that the packet logged with Snort was the right one.
> >> The packet logged to the DB had some issues. These could be seen in:
> >>
> >>    -what Base shows, for ICMP redirect packets (that was what I was
> >> focusing on) the id and the seq# were being logged instead of the
> >> gateway's IP, I submitted a temporary fix that takes care of it and I'm
> >> currently testing a fix for Snort and Base that will definitely take
> >> care of this if they are approved. The problem was the way that the
> >> packet was being parsed and the schema at the DB, which had fields that
> >> are not present in all the types of ICMP, but that are non null.
> >>
> >>    -what Base saves in pcap, wrong MAC addresses and shorter
> >> timestamps. As you say, discrepancies at the Network, Transport, and
> >> Data layers. I have not looked into this as I am working on the other
> >> issue, but if no one comments on this one, I'll dive into the code
> >> shortly.
> >>
> >>    Thanks.
> >>
> >> Matthew Babcock wrote:
> >> > Hello all,
> >> >
> >> > A short time back I noticed someone was talking about an issue where
> >> the
> >> > packet downloaded via BASE had different headers than shown between
> >> > Wireshark and BASE.
> >> >
> >> > The top layers are represented the same in Base and the .pcap. However
> >> the
> >> > bottom layers are not correct. The data in the Data Link and Network
> >> > layers is just wrong, the Transport layer also cites bad TCP
> >> Checksums.
> >> > Thanks in advance.
> >> >
> >> > What was the reason and fix?
> >> >
> >> > Also, is the mailing list archived somewhere?
> >> >
> >> >
> >> > Regards,
> >> > -- Matthew R. Babcock
> >> > CEO, Principal Consultant
> >> > A & R Technology Consulting - Providing solutions, not limitations -
> >> > MBabcock at ...14532...
> >> > (508) 397-8280
> >> >
> ------------------------------------------------------------------------------
> >> > Apps built with the Adobe(R) Flex(R) framework and Flex Builder(TM)
> >> are
> >> > powering Web 2.0 with engaging, cross-platform capabilities. Quickly
> >> and
> >> > easily build your RIAs with Flex Builder, the Eclipse(TM)based
> >> development
> >> > software that enables intelligent coding and step-through debugging.
> >> > Download the free 60 day trial. http://p.sf.net/sfu/www-adobe-com
> >> > _______________________________________________
> >> > Snort-users mailing list
> >> > Snort-users at lists.sourceforge.net
> >> > Go to this URL to change user options or unsubscribe:
> >> > https://lists.sourceforge.net/lists/listinfo/snort-users
> >> > Snort-users list archive:
> >> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >> >
> >> >
> >
> >
> >
> > --
> > Joel Esler
> > T: 302-223-5974 (-) Gtalk: jesler at ...1935...
> > [m]


-- 
Joel Esler
T: 302-223-5974 (-) Gtalk: jesler at ...1935...
[m]
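Matthew's invocation runs Snort with `-k none`, so Snort itself is not verifying checksums and will log segments whose TCP checksum is bad; the thread never settles whether those failures are real. The script below is an added example, not code from Snort or BASE: it walks a classic pcap such as the one BASE lets you download, decodes the Ethernet and IP headers BASE does not display (MAC addresses, timestamp), and recomputes the IPv4 and TCP checksums so you can tell a checksum that is genuinely wrong on the wire from one the export mangled. The sample pcap at the bottom is constructed in memory (made-up MACs, addresses and payload) so it runs offline; one frame carries a correct checksum and one carries a zeroed checksum, which is what a capture on the sending host typically shows when TCP checksum offload is on. That offload is a common cause on a hypervisor host capturing its guests' traffic, but it is something to confirm in your own capture, not a diagnosis of this thread.

```python
"""Re-verify packets exported from BASE (or any classic pcap): show the
Ethernet/IP headers BASE hides and recompute the IPv4 and TCP checksums.
Added example for this thread; sample data at the bottom is constructed."""
import struct

IPV4, TCP = 0x0800, 6


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the IP and TCP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """RFC 793 checksum: pseudo-header + segment with its checksum field zeroed."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, TCP, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF


def fmt_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def fmt_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_pcap(blob: bytes):
    """Yield (ts_sec, ts_usec, frame) for every record of a classic pcap file."""
    magic = struct.unpack("<I", blob[:4])[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):      # written little-endian
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):    # written big-endian
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    off = 24                                   # global header is 24 bytes
    while off + 16 <= len(blob):
        ts_sec, ts_usec, incl_len, _orig = struct.unpack(endian + "IIII", blob[off:off + 16])
        off += 16
        yield ts_sec, ts_usec, blob[off:off + incl_len]
        off += incl_len


def check_frame(frame: bytes) -> dict:
    """Decode link/network/transport headers and verify both checksums."""
    out = {"dst_mac": fmt_mac(frame[0:6]), "src_mac": fmt_mac(frame[6:12]),
           "ethertype": struct.unpack("!H", frame[12:14])[0],
           "ip_checksum_ok": None, "tcp_checksum_ok": None}
    if out["ethertype"] != IPV4:
        return out
    ip_hdr = frame[14:]
    ihl = (ip_hdr[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip_hdr[2:4])[0]
    out["src_ip"], out["dst_ip"] = fmt_ip(ip_hdr[12:16]), fmt_ip(ip_hdr[16:20])
    # A correct IPv4 header (checksum field included) sums to 0xFFFF.
    out["ip_checksum_ok"] = ones_complement_sum(ip_hdr[:ihl]) == 0xFFFF
    if ip_hdr[9] != TCP:
        return out
    seg = ip_hdr[ihl:total_len]
    out["tcp_checksum_stored"] = struct.unpack("!H", seg[16:18])[0]
    out["tcp_checksum_computed"] = tcp_checksum(ip_hdr[12:16], ip_hdr[16:20], seg)
    out["tcp_checksum_ok"] = out["tcp_checksum_stored"] == out["tcp_checksum_computed"]
    return out


def analyse_pcap(blob: bytes) -> list:
    """One result dict per record; the full timestamp is kept for comparison."""
    results = []
    for ts_sec, ts_usec, frame in parse_pcap(blob):
        rec = check_frame(frame)
        rec["timestamp"] = f"{ts_sec}.{ts_usec:06d}"
        results.append(rec)
    return results


# ---- constructed sample: one good frame, one with a zeroed (offload-style) checksum ----
def build_frame(src_mac, dst_mac, src_ip, dst_ip, payload, good_checksum=True):
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 2000, 0x50, 0x18, 8192, 0, 0) + payload
    csum = tcp_checksum(src_ip, dst_ip, tcp) if good_checksum else 0
    tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                         64, TCP, 0, src_ip, dst_ip)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", (~ones_complement_sum(ip_hdr)) & 0xFFFF) + ip_hdr[12:]
    return dst_mac + src_mac + struct.pack("!H", IPV4) + ip_hdr + tcp


def build_pcap(frames) -> bytes:
    blob = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for i, frame in enumerate(frames):
        blob += struct.pack("<IIII", 1237900000 + i, 123456, len(frame), len(frame)) + frame
    return blob


SRC_MAC, DST_MAC = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")  # made up
SRC_IP, DST_IP = bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9])                      # made up
SAMPLE_PCAP = build_pcap([
    build_frame(SRC_MAC, DST_MAC, SRC_IP, DST_IP, b"GET / HTTP/1.0\r\n\r\n"),
    build_frame(SRC_MAC, DST_MAC, SRC_IP, DST_IP, b"GET / HTTP/1.0\r\n\r\n", good_checksum=False),
])
SAMPLE_RESULTS = analyse_pcap(SAMPLE_PCAP)

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for rec in analyse_pcap(blob):
        print(rec)
```

Run it against a pcap downloaded from BASE and against the packet Snort logged itself for the same event (`snort -r` or Wireshark will show the latter); a frame whose computed and stored TCP checksums disagree in both captures is wrong on the wire, one that only disagrees in the BASE export points at the DB/export path instead. Only classic pcap is handled; pcapng exports would need a different reader.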
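Joel's two recommendations in this thread (move command-line settings such as HOME_NET into snort.conf, and log in unified mode with an external tool feeding the DB instead of Snort writing to MySQL itself), spelled out as an added example that is not from the thread. It assumes Snort 2.8-era configuration directives with unified2 spool files read by barnyard2 (the thread says "unified" and "barnyard"; the older unified v1 format and original barnyard follow the same pattern). Address ranges, paths, the interface, account names and DB credentials are placeholders.

```conf
## snort.conf (placeholder values; adjust ranges, paths and accounts)

# Everything the posted command line set with -m 027 -D -d -u -g -I -k none
# -S HOME_NET=... -l ... can be declared here instead, so the invocation
# shrinks to:  snort -c /etc/snort/snort.conf -i eth0
var HOME_NET [192.168.1.0/24,10.10.0.0/16]
var EXTERNAL_NET !$HOME_NET
config interface: eth0
config logdir: /var/log/snort
config umask: 027
config set_uid: snort
config set_gid: snort
config daemon
config dump_payload
config alert_with_interface_name
# "-k none" is the same as "config checksum_mode: none"; with the default
# ("all") Snort does not hand packets that fail checksum verification to the
# detection engine, so bad-checksum segments stop showing up as alerts.
config checksum_mode: all

# Not recommended (Snort writing straight into the database):
# output database: log, mysql, user=snort password=secret dbname=snort host=localhost

# Recommended: Snort only spools unified2 files, barnyard2 does the DB work.
output unified2: filename snort.u2, limit 128

## barnyard2.conf
config logdir: /var/log/snort
config interface: eth0
config daemon
input unified2
output database: log, mysql, user=snort password=secret dbname=snort host=localhost

## start-up (waldo file records how far barnyard2 has read the spool)
# snort -c /etc/snort/snort.conf -i eth0
# barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 \
#           -w /var/log/snort/barnyard2.waldo
```

With this split, the DB contents come from barnyard2's parsing of the unified2 records, so a header that is right in the spool file but wrong in BASE narrows the problem to the barnyard2/DB schema/BASE side, which is what Joel asks to establish first.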