Snort mailing list archives
Re: ICMP DB Issues
From: sekure <sekure () gmail com>
Date: Tue, 20 Jul 2004 14:43:45 -0400
Are you querying the icmphdr table? Are you logging in full or fast mode?

On Tue, 20 Jul 2004 13:27:44 -0500, Joshua Berry <jberry () penson com> wrote:

> It isn't the display, because I have coded my own PHP based SIM. I did a
> query for all ICMP IDs or Sequences that weren't NULL and came back with
> nothing. I am not using barnyard or mudpit or any other plugin, just the
> DB output option from Snort, and it seems to not insert this data.
>
> -----Original Message-----
> From: sekure [mailto:sekure () gmail com]
> Sent: Tuesday, July 20, 2004 1:26 PM
> To: Joshua Berry
> Cc: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] ICMP DB Issues
>
> I am using barnyard to insert the unified logs into a remote database,
> and whereas I don't normally see those particular types of alerts, other
> ICMP alerts have the following information: icmp_type, icmp_code,
> icmp_csum, icmp_id, icmp_seq. Now whether or not they get displayed by
> your front end (ACID, OpenAanval) is a whole different story.
>
> On Tue, 20 Jul 2004 13:04:09 -0500, Joshua Berry <jberry () penson com> wrote:
>
> > I have had an issue for some time where I will get alerts such as
> > "DDOS TFN client command LE" which revolve around the ICMP ID, ICMP
> > Sequence, and Type. However, the ICMP ID and Sequence are NEVER entered
> > into the database, just the Type and Code. Has anyone else noticed this?
> >
> > Josh Berry, CISSP & MCSE
> > Information Security
> > 214-765-1296
> >
> > --------------------------------------------------------------------
> > If you spend more on coffee than on IT security, you will be hacked.
> > What's more, you deserve to be hacked.
> > -- (Former) White House Cybersecurity adviser Richard Clarke
>
> -------------------------------------------------------
> This SF.Net email is sponsored by BEA Weblogic Workshop
> FREE Java Enterprise J2EE developer tools!
> Get your free copy of BEA WebLogic Workshop 8.1 today.
> http://ads.osdn.com/?ad_idG21&alloc_id040&op=click
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
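The thread above turns on whether the icmp_id and icmp_seq columns of Snort's icmphdr table ever receive data for an alert. The following is an added example, not code from the thread, from Snort or from barnyard: it parses a raw ICMP message into the five fields sekure lists (icmp_type, icmp_code, icmp_csum, icmp_id, icmp_seq), verifies the checksum, and flags stored rows where the ICMP type defines an identifier/sequence pair but the database holds NULL. The set of types that carry id/seq is taken from RFC 792 and RFC 950; it is an assumption for the diagnostic and not a statement about how the Snort output plugin decides what to insert. The sample messages and rows are constructed for the example.

```python
"""Added example (not code from the thread, from Snort or from barnyard).

Parses an ICMP message into the columns of Snort's icmphdr table and
checks stored rows for id/seq values that should be present but are NULL.
The set of types carrying id/seq is from RFC 792 / RFC 950 (an assumption
for this check, not the Snort DB plugin's own logic).
"""
import struct

# Types whose header carries identifier + sequence number:
# echo (8/0), timestamp (13/14), information (15/16), address mask (17/18).
TYPES_WITH_ID_SEQ = {0, 8, 13, 14, 15, 16, 17, 18}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(itype: int, code: int, body: bytes) -> bytes:
    """Assemble an ICMP message with a valid checksum (for constructed samples)."""
    csum = icmp_checksum(struct.pack("!BBH", itype, code, 0) + body)
    return struct.pack("!BBH", itype, code, csum) + body


def parse_icmphdr(msg: bytes) -> dict:
    """Return one ICMP message as a row shaped like Snort's icmphdr columns.

    icmp_id / icmp_seq are None (SQL NULL) when the type has no such fields,
    so a NULL there is only suspicious for the types in TYPES_WITH_ID_SEQ.
    csum_ok is True when the stored checksum verifies over the message.
    """
    if len(msg) < 4:
        raise ValueError("ICMP message shorter than the 4-byte header")
    itype, code, csum = struct.unpack("!BBH", msg[:4])
    row = {"icmp_type": itype, "icmp_code": code, "icmp_csum": csum,
           "icmp_id": None, "icmp_seq": None,
           "csum_ok": icmp_checksum(msg) == 0}
    if itype in TYPES_WITH_ID_SEQ and len(msg) >= 8:
        row["icmp_id"], row["icmp_seq"] = struct.unpack("!HH", msg[4:8])
    return row


def missing_id_seq(rows):
    """Rows whose type defines id/seq but where the DB holds NULL for them.

    NULL on a type 3 row is expected; NULL on an echo reply (type 0) means
    the output path never wrote fields the packet carried.
    """
    return [r for r in rows
            if r["icmp_type"] in TYPES_WITH_ID_SEQ
            and (r["icmp_id"] is None or r["icmp_seq"] is None)]


# Constructed sample messages (not captures from the thread).
ECHO_REPLY = build_icmp(0, 0, struct.pack("!HH", 0x1234, 7) + b"ping")
DEST_UNREACH = build_icmp(3, 3, bytes(4) + bytes(28))  # unused word + quoted IP hdr

# Constructed icmphdr rows standing in for what the DB output plugin wrote.
SAMPLE_ROWS = [
    {"sid": 1, "cid": 10, "icmp_type": 0, "icmp_code": 0,
     "icmp_id": None, "icmp_seq": None},        # echo reply, fields lost
    {"sid": 1, "cid": 11, "icmp_type": 3, "icmp_code": 3,
     "icmp_id": None, "icmp_seq": None},        # port unreachable, NULL is right
    {"sid": 1, "cid": 12, "icmp_type": 8, "icmp_code": 0,
     "icmp_id": 0x1234, "icmp_seq": 7},         # echo request, fully populated
]

if __name__ == "__main__":
    for m in (ECHO_REPLY, DEST_UNREACH):
        print(parse_icmphdr(m))
    print("rows missing id/seq:", [r["cid"] for r in missing_id_seq(SAMPLE_ROWS)])
```

The check narrows Joshua's "not NULL" query: a NULL id/seq on an unreachable or redirect row is correct, so only rows whose type is in TYPES_WITH_ID_SEQ count as missing data. If echo-type alert rows come back NULL while the packet, parsed this way from a capture of the same event, carries an id and sequence, the loss is somewhere between Snort and the table (the DB output plugin or barnyard), not in the rule or the front end.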
Current thread:
- ICMP DB Issues Joshua Berry (Jul 20)
- Re: ICMP DB Issues sekure (Jul 20)
- <Possible follow-ups>
- RE: ICMP DB Issues Joshua Berry (Jul 20)
- Re: ICMP DB Issues sekure (Jul 20)
- RE: ICMP DB Issues Joshua Berry (Jul 20)
- RE: ICMP DB Issues Joshua Berry (Jul 20)