Snort mailing list archives
Re: Missing events
From: sekure <sekure () gmail com>
Date: Fri, 2 Jul 2004 08:25:30 -0400
Just wanted to follow up and see if anyone had any ideas. I ran two queries against my database, one to count all the events in the "event" table, and one to count all the events in the "iphdr" table. This illustrates that some events are missing. Theoretically they should be the same since every event should at least have an IP header. If anyone out there is using barnyard, could you run the same queries for me and post the results?

mysql> select sid, count(sid) from iphdr group by sid;
+-----+------------+
| sid | count(sid) |
+-----+------------+
|   1 |      20517 |
|   2 |      13843 |
|   3 |       9926 |
|   4 |       3459 |
|   5 |       3160 |
|   6 |      10098 |
+-----+------------+
6 rows in set (2.17 sec)

mysql> select sid, count(sid) from event group by sid;
+-----+------------+
| sid | count(sid) |
+-----+------------+
|   1 |      20526 |
|   2 |      13843 |
|   3 |       9962 |
|   4 |       3462 |
|   5 |       3173 |
|   6 |      10127 |
+-----+------------+
6 rows in set (1.86 sec)

Thanks,

On Wed, 30 Jun 2004 09:47:32 -0400, sekure <sekure () gmail com> wrote:
I apologize in advance for cross-posting to both snort-users and barnyard-users lists. I am not really sure where the problem occurs, so I feel like both groups can contribute here. First a little background: I am running Snort 2.1.3, logging in unified format, using barnyard 0.2.0 to insert events into a remote database. The issue: I am using OpenAanval as a GUI to view the events and on the backend it uses its own database and does some post processing with the snort database. Just for the hell of it I decided to dump the count() of events in both tables and noticed that the snort "event" table had a few more events than OpenAanval. I initially thought it was a problem with OpenAanval, but some research indicates otherwise. Just to give the approximate scale of the problem I am missing about 100 events out of 50K total logged. I identified the missing events, and went back to the snort database to look them up. What I found is that even though an entry for an event exists in the "event" table, no entry exists for the event in either "iphdr", "tcphdr" or "data" tables. One example of this behavior: Snort logged 7 attempts at http directory traversal across 7 of my web servers. 7 rows are created in the "event" table, but only 5 in the iphdr, tcphdr and data tables. I went further back, to the original sensor and dumped the contents of the pcap file snort outputs along with the unified log. The pcap file contains all 7 events. I then reconfigured barnyard to output the processed logs in pcap format and pointed it at the log in question. The created pcap also had 7 events, all identical to each other and to the original pcap written by snort with the exception of expected things like dest. IPs and Seq/Ack #s. This indicates that Snort correctly writes the unified log file. So, somewhere in the process of writing these events to the database barnyard loses some of the relevant information, and only inserts a portion of the event.
Has anyone experienced anything like this? Any suggestions of things to try?
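The per-sid counts in the post show that rows are missing but not which ones. The script below is an added example (not code from the poster, Snort or barnyard) that reproduces the shape of the problem in an in-memory SQLite database and runs the LEFT JOIN diagnostic that pinpoints the orphaned events. It assumes, as the Snort database schema does, that event, iphdr, tcphdr and data are all keyed on the sensor id (sid) and per-sensor event counter (cid); the column set and the sample rows are constructed, and the same SELECT statements run unchanged against MySQL.

```python
import sqlite3

# Constructed stand-in for the Snort database tables involved. Assumption:
# every table is keyed on (sid, cid), as in the real Snort/ACID schema;
# the other columns are reduced to what the example needs.
SCHEMA = """
CREATE TABLE event  (sid INTEGER, cid INTEGER, signature INTEGER,
                     timestamp TEXT, PRIMARY KEY (sid, cid));
CREATE TABLE iphdr  (sid INTEGER, cid INTEGER, ip_src INTEGER,
                     ip_dst INTEGER, PRIMARY KEY (sid, cid));
CREATE TABLE tcphdr (sid INTEGER, cid INTEGER, tcp_sport INTEGER,
                     tcp_dport INTEGER, PRIMARY KEY (sid, cid));
CREATE TABLE data   (sid INTEGER, cid INTEGER, data_payload TEXT,
                     PRIMARY KEY (sid, cid));
"""


def build_sample_db():
    """Create an in-memory database that mirrors the post's symptom:
    sensor 1 logged seven alerts but only five received header/payload
    rows; sensor 2 logged three alerts that were inserted completely."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    events = [(1, cid, 1000, f"2004-06-29 10:00:{cid:02d}") for cid in range(1, 8)]
    events += [(2, cid, 1000, f"2004-06-29 11:00:{cid:02d}") for cid in range(1, 4)]
    conn.executemany("INSERT INTO event VALUES (?, ?, ?, ?)", events)
    # (sid, cid) pairs that got all three companion rows; sensor 1 cids 5 and 7 did not
    complete = [(1, c) for c in (1, 2, 3, 4, 6)] + [(2, c) for c in (1, 2, 3)]
    conn.executemany("INSERT INTO iphdr VALUES (?, ?, 167772161, 167772162)", complete)
    conn.executemany("INSERT INTO tcphdr VALUES (?, ?, 40000, 80)", complete)
    conn.executemany("INSERT INTO data VALUES (?, ?, 'constructed payload')", complete)
    conn.commit()
    return conn


def per_sid_counts(conn):
    """Per-sensor event vs. iphdr row counts, i.e. the two GROUP BY queries
    from the post combined into one result: {sid: (events, ipheaders)}."""
    sql = """
    SELECT e.sid,
           COUNT(*) AS events,
           (SELECT COUNT(*) FROM iphdr i WHERE i.sid = e.sid) AS ipheaders
      FROM event e
     GROUP BY e.sid
     ORDER BY e.sid
    """
    return {sid: (events, ipheaders) for sid, events, ipheaders in conn.execute(sql)}


def find_incomplete_events(conn):
    """Return [(sid, cid, [missing table names])] for every event row that has
    no matching iphdr, tcphdr or data row. Every event should have an iphdr
    row; a missing tcphdr is only a defect for TCP alerts, so the caller
    should weigh that column against the alert's protocol."""
    sql = """
    SELECT e.sid, e.cid,
           i.sid IS NULL AS no_iphdr,
           t.sid IS NULL AS no_tcphdr,
           d.sid IS NULL AS no_data
      FROM event e
      LEFT JOIN iphdr  i ON i.sid = e.sid AND i.cid = e.cid
      LEFT JOIN tcphdr t ON t.sid = e.sid AND t.cid = e.cid
      LEFT JOIN data   d ON d.sid = e.sid AND d.cid = e.cid
     WHERE i.sid IS NULL OR t.sid IS NULL OR d.sid IS NULL
     ORDER BY e.sid, e.cid
    """
    result = []
    for sid, cid, no_ip, no_tcp, no_data in conn.execute(sql):
        missing = [name for name, flag in
                   (("iphdr", no_ip), ("tcphdr", no_tcp), ("data", no_data)) if flag]
        result.append((sid, cid, missing))
    return result


if __name__ == "__main__":
    db = build_sample_db()
    for sid, (events, ipheaders) in per_sid_counts(db).items():
        print(f"sid {sid}: {events} events, {ipheaders} iphdr rows")
    for sid, cid, missing in find_incomplete_events(db):
        print(f"event (sid={sid}, cid={cid}) lacks rows in: {', '.join(missing)}")
```

Running the LEFT JOIN on the real database returns the exact (sid, cid) pairs that barnyard left half-inserted, which can then be matched against the unified log and the sensor's pcap by timestamp to confirm the records were complete on the sensor side, as the post did by hand.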