[Snort-users] Snort and Barnyard2
jbitto at ...16055...
Wed Feb 6 16:21:41 EST 2013
Ok so if I wanted to run a query where I wanted the src and dst IP plus view event and signature tables as well....Can that be done?
Also....would running these query's have the data line up with the actual date and times that the event actually occurred?
From: beenph [mailto:beenph at ...11827...]
Sent: Wednesday, February 06, 2013 12:31 PM
To: Y M
Cc: Josh Bitto; snort-users at lists.sourceforge.net; barnyard2-users at ...16082......
Subject: Re: [Snort-users] Snort and Barnyard2
On Wed, Feb 6, 2013 at 2:43 PM, Y M <snort at ...15979...> wrote:
> Sorry for not detailing my reply. For example try querying snort
> SELECT ip_src, INET_NTOA(ip_src)
> FROM acid_event;
IP src/dst data in the default schema is not stored in the acid_event table but the iphdr table.
So a query could look like this:
SELECT INET_NTOA(ip_src),INET_NTOA(ip_dst) FROM iphdr WHERE sid="XXX"
> From: Josh Bitto
> Sent: 2/6/2013 10:05 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Snort and Barnyard2
> Has anyone else had this issue come up where when you export the data
> from your database the IP's listed do not correspond with the actual
> IP addresses that have been captured when an event happens?
Now, i am not sure i understand what Josh Bitto mean by "the store IP are not the same as the captured IP".
barnyard2 will store whats found in the unified2 file, did you validate the content of your unified2 file using u2spewfoo or u2boat to export contained packets to pcap file and compare that information?
More information about the Snort-users