Snort mailing list archives

RE: snortdb-extra


From: "Hutchinson, Andrew" <Andrew.Hutchinson () Vanderbilt edu>
Date: Thu, 10 Apr 2003 08:22:02 -0500

The snortdb-extra tables are lookup tables.
 
Snort stores information pertaining to things like tcp flags in a
numeric format.  For instance, here's some info from the iphdr table
pertaining to the ip protocol:
 
snort191=# select ip_proto from iphdr limit 10;
 ip_proto 
----------
        6
        6
        6
        6
        1
        1
        1
        1
        1
        1
(10 rows)

Doesn't tell you much, unless you know the assigned ip protocol numbers.
However, you can look up the protocols in the 'protocols' table:
 
snort191=# select * from protocols where protocol in ('1','6');
 protocol | name | description  
----------+------+--------------
        1 | ICMP | Internet
        6 | TCP  | Transmission
(2 rows)

Now you can map '1' to icmp, and '6' to tcp.  Handy.
 
 
Here's another example from the tcphdr table, looking at tcp_flags:
 
snort191=# select tcp_flags from tcphdr limit 10;
 tcp_flags 
-----------
        24
        24
        24
        24
        16
        16
        16
        16
        16
        16
(10 rows)

 
Doesn't tell you much, unless you can keep the tcp flag order straight
in your head.  But if you query the flags table...
 
snort191=# select * from flags where number in ('24','16');
 number | res1 | res2 | urg | ack | psh | rst | syn | fin | valid | description
--------+------+------+-----+-----+-----+-----+-----+-----+-------+-----------------------------------------------
     16 |    0 |    0 |   0 |   0 |   1 |   0 |   0 |   0 |     0 | PSH: Standard/Invalid
     24 |    0 |    0 |   0 |   1 |   1 |   0 |   0 |   0 |     1 | ACK|PSH: Acknowlegement with a push on packet
(2 rows)

 
You can see that a flag value of 16 means that the PSH bit is set, and a
24 means an ACK/PSH.
 
This also applies to the services table.  You can look up what it is based on
the protocol and the port.  If you have an alert that uses tcp/80, you
can look up that that's http.  And so on.
 
As far as ACID is concerned, I unfortunately can't answer your question
- I don't use ACID.  However, I would imagine that if ACID gives you
protocol, tcp flag, or ip protocol breakdowns, then it's looking this
information up in these tables.
 
Hope that this helps,
 
Andrew
 

Andrew Hutchinson - Network Security
Vanderbilt University Medical Center
(615) 936-2856 
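As an added example (not from the thread, and not ACID's or snortdb-extra's own code) of how a front end can use these lookup tables with the standard snort tables: a Python sqlite3 script that rebuilds the relevant tables in memory with constructed rows and joins iphdr/tcphdr to protocols, services and flags on the (sid, cid) event key. The iphdr, tcphdr, protocols and flags columns follow the thread; the services column layout (port, protocol, name, description) is an assumption.

```python
import sqlite3

# Constructed in-memory copy of the tables involved. iphdr, tcphdr, protocols
# and flags use the column names shown in the thread (only the columns the
# query needs); the services layout (port, protocol, name, description) is an
# assumption about snortdb-extra, not something shown on the page.
SCHEMA = """
CREATE TABLE iphdr     (sid INT, cid INT, ip_proto INT);
CREATE TABLE tcphdr    (sid INT, cid INT, tcp_sport INT, tcp_dport INT, tcp_flags INT);
CREATE TABLE protocols (protocol INT, name TEXT, description TEXT);
CREATE TABLE flags     (number INT, res1 INT, res2 INT, urg INT, ack INT, psh INT,
                        rst INT, syn INT, fin INT, valid INT, description TEXT);
CREATE TABLE services  (port INT, protocol INT, name TEXT, description TEXT);
"""
# Sample rows: lookup values copied from the thread, events made up for the demo.
SAMPLE = [
    ("INSERT INTO protocols VALUES (?,?,?)",
     [(1, "ICMP", "Internet"), (6, "TCP", "Transmission")]),
    ("INSERT INTO flags VALUES (?,?,?,?,?,?,?,?,?,?,?)",
     [(16, 0, 0, 0, 0, 1, 0, 0, 0, 0, "PSH: Standard/Invalid"),
      (24, 0, 0, 0, 1, 1, 0, 0, 0, 1, "ACK|PSH: Acknowlegement with a push on packet")]),
    ("INSERT INTO services VALUES (?,?,?,?)", [(80, 6, "http", "World Wide Web HTTP")]),
    ("INSERT INTO iphdr VALUES (?,?,?)", [(1, 1, 6), (1, 2, 1)]),
    ("INSERT INTO tcphdr VALUES (?,?,?,?,?)", [(1, 1, 34567, 80, 24)]),
]
# The join a front end needs to turn numeric fields into names. (sid, cid) is the
# event key shared by the snort tables; LEFT JOINs keep the ICMP event, which has
# no tcphdr row and therefore no service or flag description.
DECODE_SQL = """
SELECT i.sid, i.cid, i.ip_proto, p.name AS proto_name, t.tcp_dport,
       s.name AS service, t.tcp_flags, f.description AS flags_desc
FROM iphdr i
LEFT JOIN protocols p ON p.protocol = i.ip_proto
LEFT JOIN tcphdr    t ON t.sid = i.sid AND t.cid = i.cid
LEFT JOIN services  s ON s.port = t.tcp_dport AND s.protocol = i.ip_proto
LEFT JOIN flags     f ON f.number = t.tcp_flags
ORDER BY i.sid, i.cid
"""

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    for stmt, rows in SAMPLE:
        conn.executemany(stmt, rows)
    return conn

def decode_events(conn):
    """Return one dict per event with ip_proto, port and tcp_flags resolved."""
    return [dict(r) for r in conn.execute(DECODE_SQL)]
```

Running `decode_events(build_db())` yields the TCP event decoded as TCP / http / "ACK|PSH: ..." and the ICMP event with the tcp-derived columns left NULL.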

        -----Original Message-----
        From: Paulo Gomes [mailto:vgomespt () yahoo com] 
        Sent: Thursday, April 10, 2003 7:20 AM
        To: snort-users () lists sourceforge net
        Subject: [Snort-users] snortdb-extra

        Hi,

        I'm running snort 1.9.0 with ACID v0.9.6b23.

        Everything seems OK when logging to the database.

        I've added to the Mysql snort DB the snortdb-extra tables by
executing the procedure found in the doc.

        My question is, how can I use the tables protocols and services
with ACID?

        Is there any relation between these tables and the standard snort
and ACID tables?

        My snort DB schema is 106.

        The tables created by snortdb-extra are used when and how?

        Regards and thanks in advance.

        Viana Gomes


