Snort mailing list archives
Re: Discrepancy between Base and linked packet
From: Joel Esler <eslerj () gmail com>
Date: Tue, 24 Mar 2009 08:50:32 -0400
We'll need to know more about the setup. BASE simply reads what is in the DB. If it's a parsing issue with BASE, reading out of the DB, then Kevin can speak to that; however, if the problem lies in the data that is actually in the DB, then I have to ask how it is getting in there.

Generally Accepted Best Practice is to have Snort log in "unified" mode, and have an external tool like barnyard or SnortUnified.pm read the Unified files and put them into the DB. How is your setup configured? (Writing from Snort directly to the DB is never recommended.)

Joel

On Tue, Mar 24, 2009 at 8:44 AM, Bruno G. San Alejo <bgonzalez () polar es> wrote:
Hi everyone,

I posted like 4 weeks ago something about some problems with what Snort logs, what Base shows, and what Base saves as pcap file. Maybe that is what you are talking about?

What I saw was that the packet logged with Snort was the right one. The packet logged to the DB had some issues. These could be seen in:

- what Base shows: for ICMP redirect packets (that was what I was focusing on) the id and the seq# were being logged instead of the gateway's IP. I submitted a temporary fix that takes care of it and I'm currently testing a fix for Snort and Base that will definitely take care of this if they are approved. The problem was the way that the packet was being parsed and the schema at the DB, which had fields that are not present in all the types of ICMP, but that are non null.
- what Base saves in pcap: wrong MAC addresses and shorter timestamps. As you say, discrepancies at the Network, Transport, and Data layers. I have not looked into this as I am working on the other issue, but if no one comments on this one, I'll dive into the code shortly.

Thanks.

Matthew Babcock wrote:

Hello all,

A short time back I noticed someone was talking about an issue where the packet downloaded via Base had different headers than shown between Wireshark and Base. The top layers are represented the same in Base and the .pcap. However the bottom layers are not correct. The data in the Data Link and Network layers is just wrong, the Transport layer also cites bad TCP checksums. Thanks in advance.

What was the reason and fix? Also, is the mailing list archived somewhere?

Regards,

--
Matthew R. Babcock
CEO, Principal Consultant
A & R Technology Consulting
- Providing solutions, not limitations -
MBabcock () AandRTech com
(508) 397-8280

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Joel Esler
T: 302-223-5974 (-)
Gtalk: jesler () sourcefire com [m]
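The ICMP redirect problem Bruno describes above, shown as an added example in Python (this is not Snort's or BASE's code): `naive_parse` reads bytes 4-7 of the ICMP header as id/seq for every type, so a redirect's gateway address lands in the id and seq columns, while `parse_icmp` interprets those bytes by type and leaves the columns a type does not carry as None, which only works if the DB schema allows NULL there. The packet bytes and the row layout are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# ICMP types whose bytes 4-7 are an identifier/sequence pair (RFC 792):
# echo reply/request, timestamp request/reply, information request/reply.
ID_SEQ_TYPES = {0, 8, 13, 14, 15, 16}
ICMP_REDIRECT = 5          # for a redirect, bytes 4-7 hold the gateway address


@dataclass
class IcmpRow:
    """One DB row for the example; columns a type does not carry stay None.

    That is only possible if the schema declares them nullable, which is
    the schema point raised in the thread."""
    icmp_type: int
    icmp_code: int
    icmp_csum: int
    icmp_id: Optional[int] = None
    icmp_seq: Optional[int] = None
    icmp_gateway: Optional[str] = None


def parse_icmp(data: bytes) -> IcmpRow:
    """Interpret bytes 4-7 of the ICMP header according to the type field."""
    if len(data) < 8:
        raise ValueError("ICMP header is 8 bytes")
    icmp_type, code, csum = struct.unpack("!BBH", data[:4])
    row = IcmpRow(icmp_type, code, csum)
    if icmp_type == ICMP_REDIRECT:
        row.icmp_gateway = ".".join(str(b) for b in data[4:8])
    elif icmp_type in ID_SEQ_TYPES:
        row.icmp_id, row.icmp_seq = struct.unpack("!HH", data[4:8])
    # any other type: bytes 4-7 are unused or type-specific, so leave them NULL
    return row


def naive_parse(data: bytes) -> IcmpRow:
    """The behaviour described in the thread: bytes 4-7 always read as id/seq."""
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", data[:8])
    return IcmpRow(icmp_type, code, csum, ident, seq)


# Constructed sample headers (checksum field left zero; not verified here).
REDIRECT = bytes([5, 1, 0, 0, 10, 0, 0, 254])     # redirect for host -> 10.0.0.254
ECHO_REQ = bytes([8, 0, 0, 0, 0x12, 0x34, 0, 1])  # echo request id=0x1234 seq=1

if __name__ == "__main__":
    for pkt in (REDIRECT, ECHO_REQ):
        print("naive:", naive_parse(pkt))
        print("typed:", parse_icmp(pkt))
```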
Current thread:
- Discrepancy between Base and linked packet Matthew Babcock (Mar 23)
- Re: Discrepancy between Base and linked packet Bruno G. San Alejo (Mar 24)
- Re: Discrepancy between Base and linked packet Joel Esler (Mar 24)
- Re: Discrepancy between Base and linked packet Bruno G. San Alejo (Mar 24)
- Re: Discrepancy between Base and linked packet Joel Esler (Mar 24)
- Re: Discrepancy between Base and linked packet Matthew Babcock (Mar 24)
- Re: Discrepancy between Base and linked packet Joel Esler (Mar 24)
- Re: Discrepancy between Base and linked packet Joel Esler (Mar 24)
- Re: Discrepancy between Base and linked packet Bruno G. San Alejo (Mar 24)