Snort mailing list archives
Re: Why can't I see tcp flags for a triggered alert (snort+base)
From: John Huss <john.huss () thebunker net>
Date: Fri, 23 Jan 2009 10:08:17 +0000
Joel Esler wrote:
> John,
>
> Don't think you screwed anything up. I'd like you to try something: if Snort can log directly to the db, does it log the tcp flags?
>
> Joel

Good morning Joel and everyone,

Thank you for your suggestion. I tried the following:

Commented out these lines in snort.conf:

    #output alert_unified: filename snort.alert, limit 128
    #output log_unified: filename snort.log, limit 128

Added this line:

    output database: log, mysql, user=snort password=snort dbname=snort host=127.0.0.1

Then I stopped barnyard so that it couldn't interfere. Re-ran my attacks on my server, checked the alerts, and I can happily confirm that I now see the SYN flag set in BASE. Thank you very much for suggesting that idea; I can now see what I need to in order to build on my very simple first attempt at writing snort rules!

--

Thanks to Shirkdog for suggesting I upgrade Snort. I'm running Gentoo and have fully updated it this morning; however, the latest version it will let me install (without unmasking) is 2.6.1.3-r1. By doing the usual /etc/portage/package.keywords ~x86 stuff, I can see that it /would/ upgrade snort to 2.6.1.4, which still seems to be quite short of the version on the website. Before upgrading I'm going to have a read of the change-log and see if there's anything mentioned related to my barnyard issue.

Thanks again to everyone who has helped me. I think we're very close to getting it working now. Just need to get barnyard to do the tcp header flags, because eventually this snort box will need to cope with processing a ton of traffic.

Right, off to read changelogs now and maybe try upgrading snort!

Kind Regards,
Johnny
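When the database shows no flags for an alert, it helps to know what the packet itself carried. The following is an added example, not code from the thread or from Snort/BASE: it parses the fixed part of a raw TCP header and names the flag bits, the same 8-bit value that the Snort database schema keeps in the tcphdr table's tcp_flags column (column name assumed here; check your schema). The sample header is constructed.

```python
# Added example: decode the TCP flags of a captured TCP header so the value an
# analyst expects to see in BASE (e.g. "SYN") can be checked against the packet.
import struct
from typing import Dict, List

# Flag bits of the 13th byte of the TCP header (RFC 793, ECE/CWR from RFC 3168).
TCP_FLAGS = [
    (0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"),
    (0x10, "ACK"), (0x20, "URG"), (0x40, "ECE"), (0x80, "CWR"),
]


def decode_tcp_flags(flags: int) -> List[str]:
    """Return the names of the bits set in an 8-bit TCP flags value."""
    return [name for bit, name in TCP_FLAGS if flags & bit]


def parse_tcp_header(hdr: bytes) -> Dict[str, object]:
    """Parse the fixed 20-byte TCP header into its fields (options are ignored)."""
    if len(hdr) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    sport, dport, seq, ack, off_res, flags, win, csum, urp = struct.unpack(
        "!HHIIBBHHH", hdr[:20]
    )
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "data_offset": off_res >> 4,   # header length in 32-bit words
        "flags": flags,                # raw byte, as stored in the database
        "flag_names": decode_tcp_flags(flags),
        "window": win, "checksum": csum, "urgent": urp,
    }


# Constructed sample: a SYN from port 40000 to port 22, checksum left at 0.
SAMPLE_SYN = struct.pack("!HHIIBBHHH", 40000, 22, 0x11223344, 0, 5 << 4, 0x02, 65535, 0, 0)

if __name__ == "__main__":
    info = parse_tcp_header(SAMPLE_SYN)
    print(f"{info['sport']} -> {info['dport']} flags={info['flags']:#04x} {info['flag_names']}")
```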