Snort mailing list archives

Re: Discrepancy between Base and linked packet


From: "Bruno G. San Alejo" <bgonzalez () polar es>
Date: Tue, 24 Mar 2009 13:44:12 +0100

    Hi everyone, I posted like 4 weeks ago something about some problems
with what Snort logs, what Base shows, and what Base saves as pcap file.
Maybe that is what you are talking about?

    What I saw was that the packet logged with Snort was the right one.
The packet logged to the DB had some issues. These could be seen in:

    -what Base shows: for ICMP redirect packets (that was what I was
focusing on) the id and the seq# were being logged instead of the
gateway's IP. I submitted a temporary fix that takes care of it, and I'm
currently testing a fix for Snort and Base that will definitely take
care of this if they are approved. The problem was the way that the
packet was being parsed and the schema at the DB, which had fields that
are not present in all the types of ICMP but that are non-null.

    -what Base saves in pcap: wrong MAC addresses and shorter
timestamps. As you say, discrepancies at the Network, Transport, and
Data layers. I have not looked into this as I am working on the other
issue, but if no one comments on this one, I'll dive into the code shortly.

    Thanks.
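The parsing point Bruno describes above, as an added example in Python (this is not Snort's or BASE's code, and the packets are constructed): bytes 4-7 of the ICMP header carry an identifier and sequence number for echo-style types, but the gateway address for a redirect (type 5), so a decoder that always reads id/seq reports the gateway's IP as bogus id/seq values. `naive_parse` is a hypothetical stand-in for that wrong interpretation, shown beside a type-aware decoder.

```python
import struct
import ipaddress

# ICMP types whose bytes 4-7 carry identifier + sequence number (RFC 792 / 950)
ECHO_LIKE = {0, 8, 13, 14, 15, 16, 17, 18}
REDIRECT = 5  # bytes 4-7 are the gateway IPv4 address

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_icmp(msg: bytes) -> dict:
    """Type-aware decoder: interpret bytes 4-7 according to the ICMP type."""
    if len(msg) < 8:
        raise ValueError("ICMP header is 8 bytes")
    icmp_type, code, _cksum = struct.unpack("!BBH", msg[:4])
    rest = msg[4:8]
    # a message whose checksum field is correct sums to zero under RFC 1071
    out = {"type": icmp_type, "code": code, "checksum_ok": icmp_checksum(msg) == 0}
    if icmp_type in ECHO_LIKE:
        out["id"], out["seq"] = struct.unpack("!HH", rest)
    elif icmp_type == REDIRECT:
        out["gateway"] = str(ipaddress.IPv4Address(rest))
    else:
        out["rest_of_header"] = rest.hex()  # e.g. unused/MTU field for type 3
    return out

def naive_parse(msg: bytes) -> dict:
    """Hypothetical buggy decoder: every type treated as if it carried id/seq."""
    icmp_type, code, _cksum, ident, seq = struct.unpack("!BBHHH", msg[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq}

def build_icmp(icmp_type: int, code: int, rest: bytes, payload: bytes = b"") -> bytes:
    """Assemble an ICMP message with a correct checksum (for constructed samples)."""
    body = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]

# Constructed sample packets: a redirect-for-host pointing at gateway 10.0.0.1
# (payload stands in for the original IP header), and an echo request.
REDIRECT_PKT = build_icmp(5, 1, ipaddress.IPv4Address("10.0.0.1").packed,
                          b"\x45\x00" + b"\x00" * 26)
ECHO_PKT = build_icmp(8, 0, struct.pack("!HH", 0x1234, 7), b"abcd")
```

Run `naive_parse(REDIRECT_PKT)` and the gateway 10.0.0.1 comes back as id=2560, seq=1, which is the kind of value that ends up in a DB column that has no meaning for a redirect.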

Matthew Babcock wrote:
Hello all,

A short time back I noticed someone was talking about an issue where the
packet downloaded via Base had different headers than shown between
Wireshark and Base.

The top layers are represented the same in Base and the .pcap. However, the
bottom layers are not correct. The data in the Data Link and Network
layers is just wrong, and the Transport layer also cites bad TCP checksums.
Thanks in advance.

What was the reason and fix?

Also, is the mailing list archived somewhere?


Regards,
-- Matthew R. Babcock
CEO, Principal Consultant
A & R Technology Consulting - Providing solutions, not limitations -
MBabcock () AandRTech com
(508) 397-8280




------------------------------------------------------------------------------
Apps built with the Adobe(R) Flex(R) framework and Flex Builder(TM) are
powering Web 2.0 with engaging, cross-platform capabilities. Quickly and
easily build your RIAs with Flex Builder, the Eclipse(TM)based development
software that enables intelligent coding and step-through debugging.
Download the free 60 day trial. http://p.sf.net/sfu/www-adobe-com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users