Snort mailing list archives
Come hither payload
From: "Gould, Scott" <sgould () gogstats org>
Date: Fri, 21 May 2004 01:17:27 -0400
OK, here's the deal:

RH EL 3 Update 1
Snort 2.1.2 using unified_log
ACID (latest)
Barnyard 0.2 processing *.log.<stamp> files with no problems
Apache 2.0.49
PHP 4.3.3

Everything working like a champ except the payloads don't show up in ACID.

Result of grep against ACID install directory for data_payload:

    acid_action.inc: $sql = "SELECT data_payload FROM data WHERE sid='$sid' AND cid='$cid'";
    acid_action.inc: $sql = "INSERT INTO data (sid,cid, data_payload) VALUES ".
    acid_common.php: $sql2 = "SELECT data_payload FROM data WHERE sid='".$sid."' AND cid='".$cid."'";
    acid_qry_alert.php: $sql2 = "SELECT data_payload FROM data WHERE sid='".$sid."' AND cid='".$cid."'";
    acid_qry_common.php: $tmp = $field[$i][0]." data_payload ".$field[$i][1]." '%".FormatPayload($field[$i][2], $data_encode).

So, the queries are in the ACID code. I have confirmed the existence of the payload info in the mysql db via direct queries against the mysql db as the same user that ACID uses to access the db, using mysql tools. There is no doubt that the table "data" is populated with data in the fields sid, cid, and data_payload.

Data is flowing AOK from snort -> unified log file -> barnyard -> mysqldb. Yet ACID doesn't show a payload for anything.

Any ideas?
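An added check that is not part of the post above: ACID decodes `data.data_payload` according to the `encoding` value the logging sensor wrote into the `sensor` table, so a row that is present in the database can still render as empty if the declared encoding does not match the stored bytes. The code below (my own example, not ACID or Barnyard code) decodes constructed sample rows under that flag and reports which ones fail; the 0/1/2 encoding codes are an assumption based on Snort's database output plugin.

```python
import base64
import binascii

# Encoding codes as written by Snort/Barnyard into sensor.encoding.
# Assumption taken from Snort's spo_database output plugin, not from the post.
ENCODING_HEX, ENCODING_BASE64, ENCODING_ASCII = 0, 1, 2

def decode_payload(data_payload, encoding):
    """Return the raw packet bytes for one data.data_payload value,
    or None when the stored text does not parse under the declared encoding
    (the situation in which a front end has nothing to display)."""
    if not data_payload:
        return None
    try:
        if encoding == ENCODING_HEX:
            return binascii.unhexlify(data_payload)
        if encoding == ENCODING_BASE64:
            return base64.b64decode(data_payload, validate=True)
        if encoding == ENCODING_ASCII:
            return data_payload.encode("latin-1")
    except (binascii.Error, ValueError):
        return None
    return None  # unknown encoding code

def hexdump(raw, width=16):
    """Render decoded bytes as an offset / hex / ASCII payload view."""
    lines = []
    for off in range(0, len(raw), width):
        chunk = raw[off:off + width]
        hexpart = " ".join(f"{b:02X}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:04X}  {hexpart:<{width * 3}} {asc}")
    return "\n".join(lines)

# Constructed sample rows (not taken from any real database): the second row
# holds base64 text although its sensor claims hex encoding.
SAMPLE_ROWS = [
    {"sid": 1, "cid": 101, "encoding": ENCODING_HEX,
     "data_payload": "474554202f20485454502f312e310d0a"},
    {"sid": 1, "cid": 102, "encoding": ENCODING_HEX,
     "data_payload": "R0VUIC8gSFRUUC8xLjENCg=="},
]

def check_rows(rows):
    """Map (sid, cid) -> decoded bytes, or None where decoding fails."""
    return {(r["sid"], r["cid"]): decode_payload(r["data_payload"], r["encoding"])
            for r in rows}

if __name__ == "__main__":
    for key, raw in check_rows(SAMPLE_ROWS).items():
        print(key, "undecodable under declared encoding" if raw is None else "\n" + hexdump(raw))
```

Running the same decode over real rows joined with `sensor.encoding` separates "no payload stored" from "payload stored in an encoding the front end does not expect".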