Snort mailing list archives

Re: SnortDB Extra


From: Gary_Portnoy () itginc com
Date: Wed, 9 Jun 2004 08:37:22 -0400

Joshua,

Yeah, I noticed this too.  It seems that when the table was generated the 
"number" column was calculated incorrectly, at least as far as what it's 
used for.  It was showing incorrect flags in OpenAanval console for me. 
The original calculation treats the left-most bit in the TCP flags location 
as a least significant digit, whereas it should be most significant.

I wrote a little php script to recalculate the values and repopulate the 
table with the correct values.  After that I had no issues. Here is the 
script, replace the database info and be wary of wrapped lines:

<?php
// Recompute the "number" column of the SnortDB Extra flags table so that the
// left-most flag column (RES1) is the most significant bit, as in tcp_flags.
$DBhost = "dbhost";
$DBuser = "user";
$DBpass = "pass";
$DBName = "dbname";
$table = "flags";
mysql_connect($DBhost, $DBuser, $DBpass) or die("Unable to connect to database");
mysql_select_db($DBName) or die("Unable to select database $DBName");
// Column order in the table: number, RES1, RES2, URG, ACK, PSH, RST, SYN, FIN, ...
$result = mysql_query("SELECT * FROM $table order by number") or die("Unable to read $table");
while ($row = mysql_fetch_row($result)) {
        $is = $row[0];
        // MSB-first weights: RES1=128, RES2=64, URG=32, ACK=16, PSH=8, RST=4, SYN=2, FIN=1
        $should_be = $row[1]*128 + $row[2]*64 + $row[3]*32 + $row[4]*16 + $row[5]*8 + $row[6]*4 + $row[7]*2 + $row[8];
        print("Number is $is, should be $should_be<br>");
        // Match the row on its flag columns, not on the old (wrong) number.
        // Keep this statement on one line: a line break inside a quoted value breaks the WHERE clause.
        $update = "UPDATE $table SET number='$should_be' where RES1='$row[1]' and RES2='$row[2]' and URG='$row[3]' and ACK='$row[4]' and PSH='$row[5]' and RST='$row[6]' and SYN='$row[7]' and FIN='$row[8]'";
        mysql_query($update) or die("Unable to update");
}
?>

----Original Message----
Message: 4
Date: Tue, 8 Jun 2004 13:49:20 -0500
From: "Joshua Berry" <jberry () PENSON COM>
To: <snort-users () lists sourceforge net>
Subject: [Snort-users] SnortDB Extra

Maybe I am using it wrong, but the flags table from SnortDB Extra seems
to be off in many places.  For instance, when I look up a SYN/FIN alert
the tcp_flags number in tcphdr associated with the alert is 3.  But
looking up 3 in the flags table produces this description:

NULL Packet (reserved bit 1 & 2 active)

Is this wrong or am I interpreting the value of the fields wrong?






-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
This message is for the named person's use only. This communication is for 
informational purposes only and has been obtained from sources believed to 
be reliable, but it is not necessarily complete and its accuracy cannot be 
guaranteed. It is not intended as an offer or solicitation for the purchase
or sale of any financial instrument or as an official confirmation of any
transaction. Moreover, this material should not be construed to contain any
recommendation regarding, or opinion concerning, any security. It may
contain confidential, proprietary or legally privileged information. No
confidentiality or privilege is waived or lost by any mistransmission. If
you receive this message in error, please immediately delete it and all
copies of it from your system, destroy any hard copies of it and notify the
sender. You must not, directly or indirectly, use, disclose, distribute, 
print, or copy any part of this message if you are not the intended 
recipient.  Any views expressed in this message are those of the individual
sender, except where the message states otherwise and the sender is 
authorized to state them to be the views of any such entity.

ITG Inc. reserves the right to monitor and archive all electronic 
communications through its network. 

ITG Inc. Member NASD, SIPC
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
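The bit arithmetic behind the thread, as an added Python example (not Gary's PHP script and not part of SnortDB Extra): it shows the correct MSB-first weighting beside the reversed one Gary describes, decodes a tcp_flags value back to flag names, and recomputes the number column for a few constructed rows. Column names follow the flags table; the sample rows are constructed, not taken from a real database.

```python
# Added example: TCP flag weighting used by the SnortDB Extra flags table.
# Flag columns in TCP header order, left-most first. RES1/RES2 are the two
# reserved bits above URG (today named CWR and ECE).
FLAG_COLUMNS = ("RES1", "RES2", "URG", "ACK", "PSH", "RST", "SYN", "FIN")
# Left-most column is the most significant bit: RES1=128 ... FIN=1.
FLAG_WEIGHTS = {name: 1 << (7 - i) for i, name in enumerate(FLAG_COLUMNS)}


def make_row(**set_flags):
    """Build a flags-table row (constructed data); unspecified flags are 0."""
    return {name: int(set_flags.get(name, 0)) for name in FLAG_COLUMNS}


def correct_number(row):
    """Number as tcphdr.tcp_flags stores it (left-most bit most significant)."""
    return sum(FLAG_WEIGHTS[n] * row[n] for n in FLAG_COLUMNS)


def buggy_number(row):
    """The original table's calculation: left-most column treated as the LSB."""
    return sum((1 << i) * row[n] for i, n in enumerate(FLAG_COLUMNS))


def decode_flags(number):
    """Flag names set in a tcp_flags value, e.g. 3 -> ['SYN', 'FIN']."""
    return [n for n in FLAG_COLUMNS if number & FLAG_WEIGHTS[n]]


def repair_table(rows):
    """Return {old_number: new_number}, the fix the PHP UPDATE loop applies."""
    mapping = {row["number"]: correct_number(row) for row in rows}
    # After the fix every row must still carry a distinct number.
    if len(set(mapping.values())) != len(rows):
        raise ValueError("corrected numbers collide; check the flag columns")
    return mapping


# Constructed rows as the mis-populated table would have stored them.
SAMPLE_ROWS = [
    make_row(SYN=1, FIN=1),    # SYN/FIN, what Joshua's alert carried as 3
    make_row(RES1=1, RES2=1),  # "NULL Packet (reserved bit 1 & 2 active)"
    make_row(SYN=1, ACK=1),    # ordinary handshake reply
]
for r in SAMPLE_ROWS:
    r["number"] = buggy_number(r)

if __name__ == "__main__":
    for old, new in sorted(repair_table(SAMPLE_ROWS).items()):
        print(f"Number is {old}, should be {new} ({'/'.join(decode_flags(new))})")
```

Note that the reversed weighting maps the reserved-bits row to 3 and the SYN/FIN row to 192, which is exactly the swap Joshua saw.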