Snort mailing list archives
RE: Come hither payload--->>>Fixed
From: "Gould, Scott" <sgould () gogstats org>
Date: Fri, 21 May 2004 20:59:56 -0400
My sensor table got whacked somehow. The encoding field values were all NULL. They needed to be set to 0, 1, or 2 based upon type of encoding. All fixed. Just an FYI for anyone that may encounter the same problem.

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Gould, Scott
Sent: Friday, May 21, 2004 1:27 AM
To: Gould, Scott; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Come hither payload

One other note to add: queries via ACID against payload data return successfully, but still not showing any displayed payload data in the web page. I'm stumped.

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Gould, Scott
Sent: Friday, May 21, 2004 1:17 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Come hither payload

OK, here's the deal:

RH EL 3 Update 1
Snort 2.1.2
Using unified_log
ACID (latest)
Barnyard 0.2
Processing *.log.<stamp> files with no problems
Apache 2.0.49
PHP 4.3.3

Everything working like a champ except the payloads don't show up in ACID.

Result of grep against ACID install directory for data_payload:

acid_action.inc: $sql = "SELECT data_payload FROM data WHERE sid='$sid' AND cid='$cid'";
acid_action.inc: $sql = "INSERT INTO data (sid,cid, data_payload) VALUES ".
acid_common.php: $sql2 = "SELECT data_payload FROM data WHERE sid='".$sid."' AND cid='".$cid."'";
acid_qry_alert.php: $sql2 = "SELECT data_payload FROM data WHERE sid='".$sid."' AND cid='".$cid."'";
acid_qry_common.php: $tmp = $field[$i][0]." data_payload ".$field[$i][1]." '%".FormatPayload($field[$i][2], $data_encode).

So, the queries are in the ACID code. I have confirmed the existence of the payload info in the mysql db via direct queries against the mysql db as the same user that ACID uses to access the db, using mysql tools.

There is no doubt that the table "data" is populated with data in the fields sid, cid, and data_payload. Data is flowing AOK from snort -> unified log file -> barnyard -> mysqldb. Yet ACID doesn't show a payload for anything.

Any ideas?

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
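The failure mode described in this thread (payload rows present in `data`, nothing rendered by the console because `sensor.encoding` is NULL) can be reproduced and repaired offline. The following is an added example, not code from the thread, from ACID or from Snort: it builds a SQLite stand-in for the two relevant tables with constructed rows, shows that a payload whose sensor has no encoding cannot be formatted, and then infers and writes back the missing encoding from the stored payloads. The mapping 0 = hex, 1 = base64, 2 = ascii is an assumption taken from the comments in Snort's database schema; the function names, the SQLite schema and the sample rows are all invented for the example.

```python
import base64
import binascii
import sqlite3
import string

# Assumed sensor.encoding values (from the comments in Snort's create_mysql schema):
# 0 = hex, 1 = base64, 2 = ascii. Any other value, or NULL, cannot be rendered.
ENC_HEX, ENC_BASE64, ENC_ASCII = 0, 1, 2


def open_sample_db():
    """In-memory stand-in for the snort MySQL schema, populated with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE sensor (sid INTEGER PRIMARY KEY, hostname TEXT, interface TEXT,
                             detail INTEGER, encoding INTEGER, last_cid INTEGER NOT NULL);
        CREATE TABLE data (sid INTEGER, cid INTEGER, data_payload TEXT,
                           PRIMARY KEY (sid, cid));
    """)
    # Constructed: sid 1 has had its encoding whacked to NULL, sid 2 is healthy.
    db.executemany("INSERT INTO sensor VALUES (?,?,?,?,?,?)", [
        (1, "sensor1", "eth0", 1, None, 2),
        (2, "sensor2", "eth1", 1, ENC_BASE64, 1),
    ])
    db.executemany("INSERT INTO data VALUES (?,?,?)", [
        (1, 1, "474554202f20485454502f312e300d0a"),          # hex of b"GET / HTTP/1.0\r\n"
        (1, 2, "48454c4f20776f726c64"),                      # hex of b"HELO world"
        (2, 1, base64.b64encode(b"USER root\r\n").decode()),  # base64-encoded payload
    ])
    db.commit()
    return db


def sensors_with_null_encoding(db):
    """The check to run first when a console shows blank payloads."""
    return [row[0] for row in db.execute("SELECT sid FROM sensor WHERE encoding IS NULL")]


def format_payload(payload, encoding):
    """Decode a stored payload the way a console must before displaying it.
    With no known encoding there is nothing to render: that is the blank payload."""
    if encoding is None:
        return None
    if encoding == ENC_HEX:
        return binascii.unhexlify(payload)
    if encoding == ENC_BASE64:
        return base64.b64decode(payload)
    if encoding == ENC_ASCII:
        return payload.encode("latin-1")
    raise ValueError(f"unknown encoding {encoding}")


def fetch_payload(db, sid, cid):
    """Join data to sensor so the payload is decoded with its sensor's encoding."""
    row = db.execute(
        "SELECT d.data_payload, s.encoding FROM data d "
        "JOIN sensor s ON s.sid = d.sid WHERE d.sid = ? AND d.cid = ?",
        (sid, cid),
    ).fetchone()
    return None if row is None else format_payload(row[0], row[1])


def guess_encoding(payload):
    """Infer the encoding of one stored payload. Hex is tested first because
    every hex string is also syntactically valid base64."""
    if payload and len(payload) % 2 == 0 and all(c in string.hexdigits for c in payload):
        return ENC_HEX
    try:
        base64.b64decode(payload, validate=True)
        return ENC_BASE64
    except (binascii.Error, ValueError):
        return ENC_ASCII


def repair_sensor_encodings(db, sample=20):
    """For each sensor with NULL encoding, infer the encoding from its stored
    payloads and UPDATE sensor.encoding. Ambiguous sensors are left for a human.
    Returns {sid: encoding} for the rows that were fixed."""
    fixed = {}
    for sid in sensors_with_null_encoding(db):
        rows = db.execute("SELECT data_payload FROM data WHERE sid = ? LIMIT ?", (sid, sample))
        guesses = {guess_encoding(r[0]) for r in rows if r[0]}
        if len(guesses) != 1:
            continue
        enc = guesses.pop()
        db.execute("UPDATE sensor SET encoding = ? WHERE sid = ?", (enc, sid))
        fixed[sid] = enc
    db.commit()
    return fixed


if __name__ == "__main__":
    db = open_sample_db()
    print("sensors with NULL encoding:", sensors_with_null_encoding(db))
    print("payload 1/1 before repair:", fetch_payload(db, 1, 1))
    print("repaired:", repair_sensor_encodings(db))
    print("payload 1/1 after repair:", fetch_payload(db, 1, 1))
```

Against a real snort database the same two statements are the whole diagnosis and fix: `SELECT sid, encoding FROM sensor` to find the NULLs, then `UPDATE sensor SET encoding = <0|1|2> WHERE sid = <sid>` once you know which encoding that sensor's output plugin was configured with. Inferring the value from the payloads, as the example does, is only a fallback when the sensor configuration is no longer available; hex and base64 overlap syntactically, so a human should confirm the guess before trusting the console output.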
Current thread:
- RE: Come hither payload--->>>Fixed Gould, Scott (May 21)
- barnyard manual bonnie buwono (May 21)