Re: [Snort-devel] Logging to DB it's done differently than to a file.

[Steven Sturges <steve.sturges () sourcefire com>]

Hi Bruno--

The other 4 types that have nothing in those 4 bytes where
the Redirect has the gateway IP address, so they skip past
it to get to the embedded IP header.

The gateway address for the redirect is avilable via the
union that is defined in the ICMPHdr structure.  It is in
the same place as the id/seq bytes for other types, so
the data is there, just logged in a strange way.

It sounds like, based on the icmp_type, you want it to log
a 32 bit value, rather than 2 16 bit values?  Can you convert
them on the back-end in BASE or some other post-processing
software?

A change to the database logging for Snort would also require
a schema change.

Cheers
-steve

Bruno G. San Alejo wrote:
> Hi, I have found how Snort logs to a file and to the DB and maybe it's
> the cause of why I seem to have ICMP redirect packages with the wrong
> gateway's IP.
>
>     To make a really long story short, when logging to a file Snort uses
> the pcap_dump() function than (if I'm not mistaken) logs the packet as
> it gets it from Snort. When logging to the DB, the ICMP packet gets
> parsed and the insert is as follows in the Database() func:
>
> ret = SnortSnprintf(query->val, MAX_QUERY_LENGTH,
>                                             "INSERT INTO "
>                                             "icmphdr (sid, cid,
> icmp_type, icmp_code, icmp_csum, icmp_id, icmp_seq) "
>                                             "VALUES (%u,%u,%u,%u,%u,%u,%u)",
>                                             data->shared->sid,
> data->shared->cid, p->icmph->type,
>                                             p->icmph->code,
> ntohs(p->icmph->csum),
>                                             ntohs(p->icmph->s_icmp_id),
> ntohs(p->icmph->s_icmp_seq));
>
> Note the references to p->icmph->s_icmp_seq and p->icmph->s_icmp_id.
> Now, ICMP redirect packets don't have those fields, they have the
> gateway's IP instead.
>
>     Since the packets are not "decoded" but the actual packet is laid
> over the Packet struct which contains unions, those fields have data,
> though not valid one. Maybe the IP for the gateway is there.
>
>     The result is that when I see the Snort logged packets in pcap
> format, they are correct, but the ones seen through BASE or saved to
> pcap through BASE, are not. The ones shown through BASE have wrong
> gateway's IPs. Also, BASE gets the gateway's IP from someplace else
> which I think is not the IP. So, that is an issue also.
>
>     I'm sorry to be a pain in the neck with this issue but I would like
> someone to correct me or maybe there is something to be solved in here.
>
>     Thanks.
>
>
> ------------------------------------------------------------------------------
> Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA
> -OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise
> -Strategies to boost innovation and cut costs with open source participation
> -Receive a $600 discount off the registration fee with the source code: SFAD
> http://p.sf.net/sfu/XcvMzF8H
> _______________________________________________
> Snort-devel mailing list
> Snort-devel () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-devel

------------------------------------------------------------------------------
Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA
-OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise
-Strategies to boost innovation and cut costs with open source participation
-Receive a $600 discount off the registration fee with the source code: SFAD
http://p.sf.net/sfu/XcvMzF8H
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users