Snort mailing list archives
RE: Barnyard and ACID question
From: Steve Halligan <agent33 () geeksquad com>
Date: Tue, 6 Nov 2001 12:28:47 -0600
PS: The timestamps appear to be set to UTC. Both the snort/barnyard box and the database box are set to the correct time and timezone, but timestamps logged in the database are +6 hours (which would be UTC from where I am). Not a bug, but is there any way to change this behaviour?
-----Original Message-----
From: Steve Halligan
Sent: Tuesday, November 06, 2001 12:23 PM
To: 'Andrew R. Baker'; Wozz
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Barnyard and ACID question

I am having this problem also. OpenBSD 2.9-release here. Barnyard from CVS today. snort-unified-logfile is attached. I also noticed that sometimes (although not in this logfile, I believe) the ordering of the source ip address is backwards as well: a.b.c.d becomes d.c.b.a. The dest ip is unaffected.

-steve

-----Original Message-----
From: Andrew R. Baker [mailto:andrewb () snort org]
Sent: Monday, November 05, 2001 11:44 PM
To: Wozz
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Barnyard and ACID question

Wozz wrote:
> I'm noticing some problems with barnyard and the mysql output plugin. After some correlation, here's the real headers for the event (from the barnyard log output plugin)
>
> [**] [1:1002:1] WEB-IIS cmd.exe access [**]
> [Classification: Attempted User Privilege Gain] [Priority: 8]
> Event ID: 692 Event Reference: 0
> 11/03/01-11:34:37.020121 a.b.c.130:55776 -> x.y.z.64:80
> TCP TTL:50 TOS:0x0 ID:37849 IpLen:20 DgmLen:208 DF
> ***AP*** Seq: 0x6CA76E65 Ack: 0x636CB06B Win: 0x2238 TcpLen: 32
>
> For some reason, when using the mysql output plugin in barnyard, the source port is being munged from the correct 55776 to 57561, and the destination port from 80 to 20480. I've confirmed that this is the data that is being inserted into mysql (as opposed to it being an ACID display problem). This is consistent across all alerts being inserted into mysql (as far as I can tell). Is this a known bug?

Which version (and build) of snort are you using? Do you have a small unified alert file you could send me for testing? AFAIK, this should not occur. I will look into it tomorrow.
-A

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
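The port values quoted in this thread (55776 stored as 57561, 80 stored as 20480) and the reported a.b.c.d to d.c.b.a reversal are exactly what a 16-bit and a 32-bit byte-order (host vs. network order) mix-up would produce. The following is an added illustration, not code from the thread, from Barnyard or from ACID: it reproduces the munged values from the logged ones and offers a small consistency check an analyst could run over a logged event and its database row before trusting the stored alerts. The port numbers are the ones quoted above; the IP address is a constructed sample.

```python
import struct

# Values quoted in the thread: what barnyard's log output plugin printed
# versus what was found in the MySQL row.
LOGGED_SRC_PORT, STORED_SRC_PORT = 55776, 57561
LOGGED_DST_PORT, STORED_DST_PORT = 80, 20480


def swap16(value: int) -> int:
    """Exchange the two bytes of a 16-bit value (reading a big-endian
    field as little-endian, or vice versa)."""
    return struct.unpack('<H', struct.pack('>H', value))[0]


def swap32(value: int) -> int:
    """Reverse the four bytes of a 32-bit value."""
    return struct.unpack('<I', struct.pack('>I', value))[0]


def reverse_ipv4(dotted: str) -> str:
    """Render a dotted quad as it would appear if its 32-bit form had
    been stored with the bytes reversed (a.b.c.d -> d.c.b.a)."""
    octets = [int(o) for o in dotted.split('.')]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted quad: {dotted!r}")
    as_int = int.from_bytes(bytes(octets), 'big')
    return '.'.join(str(b) for b in swap32(as_int).to_bytes(4, 'big'))


def diagnose_port(logged: int, stored: int) -> str:
    """Classify a logged/stored port pair: identical, byte-swapped, or
    some other mismatch that a byte-order bug does not explain."""
    if logged == stored:
        return 'ok'
    if swap16(logged) == stored:
        return 'byte-swapped'
    return 'mismatch'


def diagnose_ip(logged: str, stored: str) -> str:
    """Same classification for an IPv4 address pair."""
    if logged == stored:
        return 'ok'
    if reverse_ipv4(logged) == stored:
        return 'byte-swapped'
    return 'mismatch'


def check_event(logged: dict, stored: dict) -> dict:
    """Compare the address/port fields of a logged event with its
    database row and report, per field, what went wrong (if anything)."""
    return {
        'src_ip': diagnose_ip(logged['src_ip'], stored['src_ip']),
        'dst_ip': diagnose_ip(logged['dst_ip'], stored['dst_ip']),
        'src_port': diagnose_port(logged['src_port'], stored['src_port']),
        'dst_port': diagnose_port(logged['dst_port'], stored['dst_port']),
    }


if __name__ == '__main__':
    # Constructed sample pair modelled on the thread: ports swapped,
    # source IP reversed, destination IP intact.
    logged = {'src_ip': '10.1.2.130', 'dst_ip': '192.0.2.64',
              'src_port': LOGGED_SRC_PORT, 'dst_port': LOGGED_DST_PORT}
    stored = {'src_ip': '130.2.1.10', 'dst_ip': '192.0.2.64',
              'src_port': STORED_SRC_PORT, 'dst_port': STORED_DST_PORT}
    for field, verdict in check_event(logged, stored).items():
        print(f"{field:9s} {verdict}")
```

Because swapping is an involution, applying swap16 to a stored value recovers the logged one; that makes the check usable in either direction when reconciling an alert database against the unified log files it was loaded from.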
Current thread:
- Barnyard and ACID question Wozz (Nov 05)
- Re: Barnyard and ACID question roel (Nov 05)
- Re: Barnyard and ACID question Wozz (Nov 05)
- Re: Barnyard and ACID question Andrew R. Baker (Nov 06)
- <Possible follow-ups>
- RE: Barnyard and ACID question Steve Halligan (Nov 06)
- Re: Barnyard and ACID question Andrew R. Baker (Nov 06)
- RE: Barnyard and ACID question Steve Halligan (Nov 06)
- Re: Barnyard and ACID question Andrew R. Baker (Nov 06)
- Re: Barnyard and ACID question Wozz (Nov 07)
- Re: Barnyard and ACID question Wozz (Nov 07)
- Re: Barnyard and ACID question Andrew R. Baker (Nov 06)
- RE: Barnyard and ACID question Steve Halligan (Nov 06)
- Re: Barnyard and ACID question Andrew R. Baker (Nov 06)
- Re: Barnyard and ACID question roel (Nov 05)