Snort mailing list archives
RE: Snort DB Logging Problem
From: "Jeff Dell" <jdell () activeworx com>
Date: Mon, 16 Aug 2004 11:44:50 -0400
Bill,

I had a few students that had the same problem...

The problem: SANS cleans the data, breaking the checksums, and Snort doesn't like this. Therefore it discards the packets.

The fix: Disable checking for the checksum by adding "-k none" to your command line.

Cheers,
Jeff

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Bill Gercken
Sent: Sunday, August 15, 2004 1:35 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort DB Logging Problem

Hi,

I am trying to use snort to load some of the SANS libpcap files into an acid database using snort and the database output plugin. My configuration file is as follows:

    # conf file to log to the database.
    #
    output database: log, mysql, user=suser password=pass \
        dbname=snort host=localhost detail=full sensor_name=blah

    log tcp any any <> any any (msg:"tcp any";)
    log udp any any <> any any (msg:"udp any";)
    log icmp any any <> any any (msg:"icmp any";)

From the command line I use:

    snort -c db-log.conf -r 2003.12.15.1

When I run the command against a big-endian file it processes the data fine and provides the following output:

    <snip>
    Snort processed 36562 packets.
    =========================================================
    Breakdown by protocol:
        TCP: 32906      (90.001%)
        UDP: 141        (0.386%)
       ICMP: 2587       (7.076%)
        ARP: 118        (0.323%)
      EAPOL: 0          (0.000%)
       IPv6: 0          (0.000%)
        IPX: 0          (0.000%)
      OTHER: 730        (1.997%)
    DISCARD: 80         (0.219%)
    =========================================================
    Action Stats:
    ALERTS: 80
    LOGGED: 33729
    PASSED: 0
    </snip>

file command output:

    2003.12.15.1: tcpdump capture file (big-endian) - version 2.4 (Ethernet, capture length 96)

but when I run against any of the SANS little-endian files, nothing is logged:

    snort -c db-log.conf -r 2002.9.9

output:

    Snort processed 1051 packets.
    =========================================================
    Breakdown by protocol:
        TCP: 1051       (100.000%)
        UDP: 0          (0.000%)
       ICMP: 0          (0.000%)
        ARP: 0          (0.000%)
      EAPOL: 0          (0.000%)
       IPv6: 0          (0.000%)
        IPX: 0          (0.000%)
      OTHER: 0          (0.000%)
    DISCARD: 0          (0.000%)
    =========================================================
    Action Stats:
    ALERTS: 0
    LOGGED: 0
    PASSED: 0

file command output:

    2002.9.9: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 1514)

I can load little-endian files that I have captured locally, so it appears to be isolated to the SANS files. I have tried this with snort 2.3 and snort 2.20. Has anyone seen this problem? Am I missing something?

Thanks and Regards,
-bill

-------------------------------------------------------
SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media
100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33
Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift.
http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
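A way to confirm Jeff's diagnosis before touching the Snort command line, added here as an example and not code from the thread or from Snort: it reads a classic pcap in either byte order (the big-endian and little-endian files Bill mentions), recomputes the IPv4 header and TCP checksums that make Snort discard packets unless "-k none" is given, and reports how many packets fail, treating segments cut short by the snaplen (as in the capture length 96 file) as unverifiable rather than bad. The two constructed frames and the pcap builder are assumptions made so the audit runs offline; UDP and ICMP checksums are not covered.

```python
import struct

# Classic pcap magic; file(1) reports it as big- or little-endian and the record headers follow it.
MAGIC = {b"\xa1\xb2\xc3\xd4": ">", b"\xd4\xc3\xb2\xa1": "<"}

def csum(data: bytes) -> int:  # RFC 1071 one's-complement sum folded to 16 bits
    if len(data) % 2:
        data = data + b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def audit_pcap(buf: bytes) -> dict:
    """Count IPv4/TCP packets whose checksums fail, i.e. what Snort discards without -k none."""
    order = MAGIC[buf[:4]]                      # KeyError for pcapng / nanosecond pcap
    stats = {"packets": 0, "ip_bad": 0, "tcp_bad": 0, "tcp_unverifiable": 0}
    pos = 24                                    # 24-byte global header
    while pos + 16 <= len(buf):
        _, _, incl, orig = struct.unpack(order + "IIII", buf[pos:pos + 16])
        frame, pos = buf[pos + 16:pos + 16 + incl], pos + 16 + incl
        stats["packets"] += 1
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # Ethernet + IPv4 only
            continue
        ip = frame[14:14 + (frame[14] & 0x0F) * 4]          # header incl. options
        if csum(ip) != 0xFFFF:                  # a valid header sums to all ones
            stats["ip_bad"] += 1
        if ip[9] != 6:                          # not TCP
            continue
        if incl < orig:                         # snaplen cut it (e.g. capture length 96)
            stats["tcp_unverifiable"] += 1
            continue
        seg = frame[14 + len(ip):14 + struct.unpack("!H", ip[2:4])[0]]
        pseudo = ip[12:20] + b"\x00\x06" + struct.pack("!H", len(seg))
        if csum(pseudo + seg) != 0xFFFF:
            stats["tcp_bad"] += 1
    return stats

def build_frame(bad_tcp: bool) -> bytes:  # constructed Ethernet/IPv4/TCP SYN (assumption)
    tcp = struct.pack("!HHIIBBHHH", 1234, 80, 1, 0, 0x50, 0x02, 8192, 0, 0)
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])))
    ip[10:12] = struct.pack("!H", 0xFFFF - csum(ip))
    tcp_sum = 0 if bad_tcp else 0xFFFF - csum(ip[12:20] + b"\x00\x06\x00\x14" + tcp)  # zeroed = "cleaned"
    return b"\xff" * 6 + b"\x02" * 6 + b"\x08\x00" + bytes(ip) + tcp[:16] + struct.pack("!H", tcp_sum) + tcp[18:]

def build_pcap(frames, order: str) -> bytes:  # constructed classic pcap, linktype 1 (Ethernet)
    magic = b"\xa1\xb2\xc3\xd4" if order == ">" else b"\xd4\xc3\xb2\xa1"
    return magic + struct.pack(order + "HHiIII", 2, 4, 0, 0, 65535, 1) + b"".join(
        struct.pack(order + "IIII", 0, 0, len(f), len(f)) + f for f in frames)
```

To audit a real file, pass its bytes to audit_pcap; a high tcp_bad count with ip_bad near zero is the signature of a capture whose payloads were rewritten after the fact.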
Current thread:
- Snort DB Logging Problem Bill Gercken (Aug 16)
- RE: Snort DB Logging Problem Jeff Dell (Aug 16)