Snort mailing list archives

Corrupted Payloads in MySQL DB?


From: Nick Lange <nlange () usb com>
Date: Thu, 03 Oct 2002 10:36:57 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,
I was just digging through the FAQ looking for this and could not find it, so here we go... We have two sensors on our network, one listening on a one-way-only interface and the other between our LAN router and firewall. I've just now started looking at the data (wasn't my job before) that has been collected for some time and noticed that some of the payloads are quite corrupted. Since the data captured is fairly useless, I'm going to be upgrading Snort and moving the corrupted data to its own little directory for "special" databases, replacing it with a fresh DB; however, I'm asking this question now in the hopes that I don't run into the same situation again.

If anyone has any ideas, I'd love to hear them.
Cheers,
nick

Sensors 1 & 2:

- -*> Snort! <*-
Version 1.8.3 (Build 88)
By Martin Roesch (roesch () sourcefire com, www.snort.org)

echo "select * from data where sid=3 and cid=1393;" \
  | ./mysql -u root -p snort \
  | perl -ne 'next if $. == 1;        # skip the column-header line mysql prints first
              my @f = split /\s+/;   # last field of the row is the hex-encoded data_payload
              print pack("H*", $f[-1]), "\n"'   # same as chr(hex()) over each hex pair

returns....

GET /stocks/detailquote.php?ticker=BSYS HTTP/1.1
User-Agent: InetURL/1.0
Host: www.pcquote.com
Cache-Control: no-cache
///???? Packets get mixed up here; everything below is from a different site.
ection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8

547
<HTML><TITLE>The Current Queue Status as of Thu Oct 3 01:33:27 2002</TITLE><META HTTP-EQUIV=Refresh CONTENT="10;"><LINK REL=StyleSheet HREF="/~nlange/uranium.css" MEDIA=all>The Queue status as of Thu Oct 3 01:33:27 2002 is<BR>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6-2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAj2cZB4ACgkQnGOSY0xqzuN8hQCfb+w0/ljryi+QyMOgsliPijhX
ODUAoI0T8D56HwUTtO0nElQimqeXGFxl
=PjBo
-----END PGP SIGNATURE-----
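The one-liner above decodes a single row by hand and relies on the reader to spot, by eye, that a GET request runs straight into the tail of some other host's response. The script below is an added example, not code from the post or from the Snort project: it does the same hex decode in Python and then applies a few cheap checks that flag a stored payload as containing pieces of more than one message. It assumes the `data` table holds `(sid, cid, data_payload)` with the payload as hex text, as the perl pipeline implies; the two sample rows are constructed here (the "mixed" one is modelled on the output shown in the post, not copied from a sensor).

```python
import re

# Constructed sample rows in the shape of the Snort database `data` table
# (sid, cid, data_payload). The column name and the hex encoding are an
# assumption taken from the perl one-liner in the post; these two
# payloads are built here and are not sensor captures.
CLEAN_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: test/1.0\r\n"
    b"\r\n"
)
MIXED_PAYLOAD = (
    b"GET /stocks/detailquote.php?ticker=BSYS HTTP/1.1\r\n"
    b"User-Agent: InetURL/1.0\r\n"
    b"Host: www.pcquote.com\r\n"
    b"Cache-Control: no-cache\r\n"
    b"ection: Keep-Alive\r\n"          # torn header from a different stream
    b"Transfer-Encoding: chunked\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"\r\n"
    b"547\r\n"
    b"<HTML><TITLE>The Current Queue Status</TITLE>\r\n"
)
SAMPLE_ROWS = [
    (3, 1392, CLEAN_REQUEST.hex()),
    (3, 1393, MIXED_PAYLOAD.hex()),
]

REQUEST_LINE = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|TRACE) \S+ HTTP/1\.[01]$")
HEADER_LINE = re.compile(rb"^[A-Za-z][A-Za-z0-9-]*: ")
BODYLESS_METHODS = (b"GET", b"HEAD")


def decode_payload(hex_text):
    """data_payload hex text -> raw payload bytes (what the perl loop does)."""
    return bytes.fromhex(hex_text.strip())


def split_http_request(payload):
    """Return (request_line, header_lines, body), or None if the payload
    does not start with an HTTP/1.x request line."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        head, sep, body = payload.partition(b"\n\n")
    lines = head.replace(b"\r\n", b"\n").split(b"\n")
    if not REQUEST_LINE.match(lines[0]):
        return None
    return lines[0], lines[1:], body


def payload_problems(payload):
    """Heuristic signs that one stored payload holds pieces of more than
    one message. Returns a list of human-readable reasons (empty = looks
    like a single coherent request)."""
    parsed = split_http_request(payload)
    if parsed is None:
        return []
    request_line, headers, body = parsed
    problems = []
    method = request_line.split(b" ", 1)[0]
    # 1. GET/HEAD requests carry no body; bytes after the blank line
    #    (a chunk size, "<HTML>...") belong to some other packet.
    if method in BODYLESS_METHODS and body.strip():
        problems.append("body bytes after a %s request's header block"
                        % method.decode())
    # 2. Every header line must look like "Name: value".
    names = []
    for line in headers:
        if not HEADER_LINE.match(line):
            problems.append("malformed header line %r" % line)
        else:
            names.append(line.split(b":", 1)[0])
    # 3. A lone lowercase name in an otherwise capitalised block is the
    #    tail of a header whose first bytes were lost ("ection: Keep-Alive").
    if any(n[:1].isupper() for n in names):
        for n in names:
            if n[:1].islower():
                problems.append("header name starts mid-word: %r" % n)
    return problems


def find_suspect_payloads(rows):
    """Run the checks over (sid, cid, data_payload) rows; return the
    rows that look corrupted together with the reasons."""
    suspects = []
    for sid, cid, hex_text in rows:
        reasons = payload_problems(decode_payload(hex_text))
        if reasons:
            suspects.append((sid, cid, reasons))
    return suspects


if __name__ == "__main__":
    for sid, cid, reasons in find_suspect_payloads(SAMPLE_ROWS):
        print("sid=%d cid=%d: %s" % (sid, cid, "; ".join(reasons)))
```

Feed it real rows (for example the output of `select sid, cid, data_payload from data` with `mysql -N -B`, split on tabs) and it gives a first cut of which cids to move aside before deciding whether the whole database is worth keeping. The checks are deliberately narrow: they only fire on payloads that begin with an HTTP request line, and they report reasons rather than a verdict, because a legitimate POST with a body or a client that sends lowercase header names would otherwise be mislabelled.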
