[Snort-users] Incorrect IP Flags Values in database output.

beenph beenph at ...11827...
Mon Aug 15 22:53:14 EDT 2011

On Mon, Aug 15, 2011 at 8:53 PM, Joel Esler <jesler at ...1935...> wrote:
> Hopefully the barnyard folks will see this thread and comment on their
> code.
> Sent from my iPhone
> On Aug 15, 2011, at 20:34, kareem at ...15353... wrote:
> I think that I originally found this running barnyard2.  It looks like there
> is a lot of code reuse between barnyard2 and snort.  Decode.c and
> spo_database.c are used in both and the versions appear to be very similar.
> Although the unified2 output is correct, the problem then propagates into
> barnyard. I still get an invalid pcap from base.
> Thanks to both of you for the fast response.

I see tha the main issue is the way base reconstruct a pcap file from
whats is logged.

This being said, there is not mutch we can do for now to make this
work since theses pieces of codes
(spo_databases) that uses the ACID schema haven't changed since nearly a decade.

A simple and easy solution would be to hex the packet payload and log
it directly and when
 the process is ready to make a pcap for selected event,
it only have to wrap the hexed payload to generate the pcap file.

This is probably something that will come along in a new proposed
schema but meanwhile i do not see any simple fix since
for now barnyard2 spo_database and the ACID schema will probably stay
like they are until they are depricated in barnyard2.


More information about the Snort-users mailing list