Snort mailing list archives
Re: Barnyard and ACID question
From: roel () SiliconDefense com
Date: Mon, 05 Nov 2001 16:11:49 -0800
Wozz,

Looks like a byteswap somewhere, guessing a ntohs()/htons() missing somewhere.

80 -> 0x50
20480 -> 0x5000
57561 -> 0xe0d9
55776 -> 0xd9e0

Curiosity: what platform are you running this on? (I'm guessing this only occurs on either big endian or little endian machines, but not both.)

roel

PS. Apologize for the cross post to snort-develop, but I think that's where the people are that need to know.
I'm noticing some problems with barnyard and the mysql output plugin. After some correlation, here's the real headers for the event (from the barnyard log output plugin):

[**] [1:1002:1] WEB-IIS cmd.exe access [**]
[Classification: Attempted User Privilege Gain] [Priority: 8]
Event ID: 692 Event Reference: 0
11/03/01-11:34:37.020121 a.b.c.130:55776 -> x.y.z.64:80
TCP TTL:50 TOS:0x0 ID:37849 IpLen:20 DgmLen:208 DF
***AP*** Seq: 0x6CA76E65 Ack: 0x636CB06B Win: 0x2238 TcpLen: 32

For some reason, when using the mysql output plugin in barnyard, the source port is being munged from the correct 55776 to 57561, and the destination port from 80 to 20480. I've confirmed that this is the data that is being inserted into mysql (as opposed to it being an ACID display problem). This is consistent across all alerts being inserted into mysql (as far as I can tell). Is this a known bug?
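The byte swap roel describes, reproduced as an added example (this is not Barnyard, Snort or ACID code, and nothing on the page shows how the mysql output plugin actually reads the port fields). The two-byte port values are constructed inline exactly as they sit on the wire in network byte order: destination port 80 (0x0050) and source port 55776 (0xd9e0) from the alert above. A decoder that copies those bytes into a uint16_t and forgets ntohs() returns them unchanged on a big-endian host but byte-swapped on a little-endian one, which is why 80 turns into 20480 (0x5000) and 55776 into 57561 (0xe0d9). The names WIRE_DPORT_80, port_from_wire, port_from_wire_buggy, swap16 and looks_swapped_low_port are this example's own, not identifiers from any of those projects.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#include <arpa/inet.h>

/* Constructed sample input (not captured data): the two-byte TCP port
 * fields as they appear on the wire, i.e. network byte order (big-endian). */
static const uint8_t WIRE_DPORT_80[2]    = { 0x00, 0x50 };  /* 80    = 0x0050 */
static const uint8_t WIRE_SPORT_55776[2] = { 0xd9, 0xe0 };  /* 55776 = 0xd9e0 */

/* Correct decoder: copy the raw bytes, then convert network -> host order.
 * ntohs() is a no-op on big-endian hosts and a byte swap on little-endian
 * ones, so the result is right on both. */
static uint16_t port_from_wire(const uint8_t *p)
{
    uint16_t raw;
    memcpy(&raw, p, sizeof raw);  /* raw now holds the bytes in network order */
    return ntohs(raw);
}

/* Buggy decoder: the ntohs() is missing. Correct only on a big-endian host;
 * a little-endian host interprets the two bytes in the wrong order. */
static uint16_t port_from_wire_buggy(const uint8_t *p)
{
    uint16_t raw;
    memcpy(&raw, p, sizeof raw);
    return raw;                   /* BUG: no ntohs() */
}

/* Runtime endianness probe so the example explains itself on either host. */
static int host_is_little_endian(void)
{
    const uint16_t probe = 0x0001;
    uint8_t first;
    memcpy(&first, &probe, 1);    /* first byte in memory is 0x01 on little-endian */
    return first == 0x01;
}

/* The damage is a pure 16-bit byte swap, so it is reversible without the
 * original packet: swap16(20480) == 80 and swap16(57561) == 55776. */
static uint16_t swap16(uint16_t v)
{
    return (uint16_t)((v << 8) | (v >> 8));
}

/* Quick triage check for values already stored in the database: a swapped
 * well-known port (<= 255) always comes out as a multiple of 256 with a
 * zero low byte (80 -> 20480, 25 -> 6400, 21 -> 5376). Returns 1 if the
 * stored value looks like such a swapped low port. A heuristic only. */
static int looks_swapped_low_port(uint16_t stored)
{
    return (stored & 0x00ffu) == 0 && stored >= 256;
}

int main(void)
{
    printf("host is %s-endian\n", host_is_little_endian() ? "little" : "big");
    printf("dport 80:    correct=%u buggy=%u\n",
           port_from_wire(WIRE_DPORT_80), port_from_wire_buggy(WIRE_DPORT_80));
    printf("sport 55776: correct=%u buggy=%u\n",
           port_from_wire(WIRE_SPORT_55776), port_from_wire_buggy(WIRE_SPORT_55776));
    printf("repair: swap16(20480)=%u swap16(57561)=%u\n",
           swap16(20480), swap16(57561));
    printf("triage: 20480 looks swapped? %d, 57561? %d\n",
           looks_swapped_low_port(20480), looks_swapped_low_port(57561));
    return 0;
}
```

Run on an x86 (little-endian) sensor the buggy decoder prints 20480 and 57561, matching the numbers in the report, while the correct one prints 80 and 55776; on a big-endian host both decoders agree, which is the "one but not both" behaviour roel guesses at. Because the corruption is an exact byte swap, rows already written by a bad build can be repaired in place by applying swap16 to the stored port columns, provided every row in the range was written by the same bad build; mixing repaired and unrepaired rows would be worse than the original fault.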
Current thread:
- Barnyard and ACID question Wozz (Nov 05)
- Re: Barnyard and ACID question roel (Nov 05)
- Re: Barnyard and ACID question Wozz (Nov 05)
- Re: Barnyard and ACID question Andrew R. Baker (Nov 06)
- <Possible follow-ups>
- RE: Barnyard and ACID question Steve Halligan (Nov 06)
- Re: Barnyard and ACID question Andrew R. Baker (Nov 06)
- RE: Barnyard and ACID question Steve Halligan (Nov 06)
- Re: Barnyard and ACID question Andrew R. Baker (Nov 06)
- Re: Barnyard and ACID question Wozz (Nov 07)
- Re: Barnyard and ACID question Wozz (Nov 07)
- Re: Barnyard and ACID question Andrew R. Baker (Nov 06)
- RE: Barnyard and ACID question Steve Halligan (Nov 06)
- Re: Barnyard and ACID question Andrew R. Baker (Nov 06)
- Re: Barnyard and ACID question roel (Nov 05)