Snort mailing list archives
Corrupted Payloads in MySQL DB?
From: Nick Lange <nlange () usb com>
Date: Thu, 03 Oct 2002 10:36:57 -0500
Hi,

I was just digging through the FAQ looking for this and could not find it, so here we go... We have two sensors on our network, one listening on a one-way only interface and the other between our LAN router and firewall. I've just now started looking at the data (wasn't my job before) that has been collected for some time and noticed that some of the payloads are quite corrupted. Since the data captured is fairly useless, I'm going to be upgrading Snort and moving the corrupted data to its own little directory for "special" databases, replacing it w/ a fresh DB; however, I'm asking this question now in the hopes that I don't run into the same situation again.
If anyone has any ideas, I'd love to hear them.

Cheers,
nick

Sensor 1&2:
 -*> Snort! <*-
 Version 1.8.3 (Build 88)
 By Martin Roesch (roesch () sourcefire com, www.snort.org)

echo "select * from data where sid=3 and cid=1393;" | ./mysql -u root -p snort \
  | perl -e '<STDIN>; $_ = <STDIN>; chomp; my @f = split(/\s+/); $_ = pop(@f); # skip the mysql header row; the hex payload is the last column
             my @d = $_ =~ /(..)/g; foreach (@d) { print chr(hex($_)); } print "\n"  # two hex digits per byte'
returns....

GET /stocks/detailquote.php?ticker=BSYS HTTP/1.1
User-Agent: InetURL/1.0
Host: www.pcquote.com
Cache-Control: no-cache

///???? Packets get mixed up here, below here is from a different site.

ection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8

547
<HTML><TITLE>The Current Queue Status as of Thu Oct 3 01:33:27 2002</TITLE><META HTTP-EQUIV=Refresh CONTENT="10;"><LINK REL=StyleSheet HREF="/~nlange/uranium.css" MEDIA=all>The Queue status as of Thu Oct 3 01:33:27 2002 is<BR>
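A defender-side triage check for the symptom described in this post, added here as an example rather than code from the post: it decodes the hex payloads the way the perl one-liner does and flags rows where an HTTP request is followed by bytes that cannot belong to it (a body on a GET, or a response status line / HTML inside a request). The rows, hostnames and (sid, cid) values below are constructed; the table column layout is assumed to be (sid, cid, hex payload).

```python
import re

# Snort's database output plugin stores each packet payload in the `data`
# table as a hex string (two hex digits per byte). The rows below are
# constructed samples in that shape, not real captured traffic.
def _hexrow(sid, cid, raw):
    return (sid, cid, raw.hex())

SAMPLE_ROWS = [
    # Clean: a complete GET request and nothing else.
    _hexrow(3, 1001, b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
    # Mixed: a GET request followed by a fragment of some other connection's
    # chunked HTML response, the symptom described in the post.
    _hexrow(3, 1393, b"GET /stocks/detailquote.php?ticker=BSYS HTTP/1.1\r\n"
                     b"User-Agent: InetURL/1.0\r\nHost: www.pcquote.com\r\n"
                     b"Cache-Control: no-cache\r\n\r\n"
                     b"ection: Keep-Alive\r\nTransfer-Encoding: chunked\r\n"
                     b"Content-Type: text/html; charset=utf-8\r\n\r\n547\r\n<HTML>"),
    # Clean: a POST whose body is its own.
    _hexrow(3, 2042, b"POST /login HTTP/1.1\r\nHost: example.invalid\r\n"
                     b"Content-Length: 9\r\n\r\nuser=nick"),
    # Not HTTP at all: this check leaves it alone.
    _hexrow(4, 7, b"\x00\x01binary"),
]

REQUEST_LINE = re.compile(rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")
STATUS_LINE = re.compile(rb"HTTP/1\.[01] \d{3} ")

def decode_payload(hex_payload):
    """Same transform as the perl one-liner: pairs of hex digits -> bytes."""
    return bytes.fromhex(hex_payload)

def looks_mixed(payload):
    """True when an HTTP request payload carries data that cannot be its own."""
    m = REQUEST_LINE.match(payload)
    if not m:
        return False                  # only HTTP requests are checked
    sep = payload.find(b"\r\n\r\n")
    if sep < 0:
        return False                  # headers only or truncated: nothing to judge
    method, tail = m.group(1), payload[sep + 4:]
    if method in (b"GET", b"HEAD") and tail.strip():
        return True                   # GET/HEAD requests carry no body
    # Any method: a response status line or HTML tag in the body is foreign data
    return bool(STATUS_LINE.search(tail)) or b"<HTML" in tail.upper()

def find_mixed_rows(rows):
    """Return (sid, cid) for every row whose decoded payload looks mixed."""
    return [(sid, cid) for sid, cid, h in rows if looks_mixed(decode_payload(h))]
```

Rows it returns are candidates for the "special" database mentioned above; rows it does not flag are not proven clean, since non-HTTP payloads are skipped.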