Snort mailing list archives

Re: Incorrect IP Flags Values in database output.


From: beenph <beenph () gmail com>
Date: Mon, 15 Aug 2011 22:53:14 -0400

On Mon, Aug 15, 2011 at 8:53 PM, Joel Esler <jesler () sourcefire com> wrote:
Hopefully the barnyard folks will see this thread and comment on their
code.

Sent from my iPhone
On Aug 15, 2011, at 20:34, kareem () khan net wrote:

I think that I originally found this running barnyard2.  It looks like there
is a lot of code reuse between barnyard2 and snort.  Decode.c and
spo_database.c are used in both and the versions appear to be very similar.
Although the unified2 output is correct, the problem then propagates into
barnyard. I still get an invalid pcap from base.

Thanks to both of you for the fast response.


I see that the main issue is the way base reconstructs a pcap file from
what is logged.

This being said, there is not much we can do for now to make this
work, since these pieces of code
(spo_database) that use the ACID schema haven't changed in nearly a decade.

A simple and easy solution would be to hex the packet payload and log
it directly, and when
the process is ready to make a pcap for a selected event,
it only has to wrap the hexed payload to generate the pcap file.

This is probably something that will come along in a new proposed
schema, but meanwhile I do not see any simple fix, since
for now barnyard2 spo_database and the ACID schema will probably stay
as they are until they are deprecated in barnyard2.

-elz

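The "log the packet as hex, wrap it in a pcap later" approach sketched in the reply above, as an added example that is not part of the original thread, of Snort, barnyard2 or BASE: it takes a hex string of the kind a database column would hold, wraps each packet in a libpcap 2.4 global header and per-record header, parses the file back (either byte order) and decodes the IPv4 flags word from the recovered frame, which is the field the thread subject says comes out wrong when the schema stores decoded values. The sample frame, the timestamp, and every function and constant name are constructed for this example. It assumes the stored hex is the whole captured packet starting at the link-layer header (Ethernet here); if only the application payload were stored, the IP header and its flags could not be recovered from the hex at all.

```python
import struct

# Constructed sample frame (not from the thread): Ethernet + IPv4 + TCP SYN, 54 bytes,
# IPv4 DF flag set, no fragmentation. Checksums are left as zero on purpose.
SAMPLE_HEX = (
    "001122334455 66778899aabb 0800"                    # Ethernet: dst, src, type=IPv4
    "4500 0028 0001 4000 4006 0000 0a000001 0a000002"  # IPv4: flags/frag = 0x4000 (DF), proto 6
    "3039 0050 00000001 00000000 5002 2000 0000 0000"  # TCP: 12345 -> 80, SYN
)

PCAP_MAGIC = 0xA1B2C3D4       # microsecond-resolution libpcap magic
LINKTYPE_ETHERNET = 1


def hex_to_bytes(hexstr):
    """Accept hex as a DB column might hold it: spaces, newlines or colons between bytes."""
    return bytes.fromhex(hexstr.replace(":", " "))


def hex_to_pcap(records, linktype=LINKTYPE_ETHERNET, snaplen=65535):
    """Wrap hex-encoded packets in a little-endian libpcap 2.4 file.

    records: iterable of (ts_sec, ts_usec, hexstr). Returns the file contents as bytes.
    """
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)]
    for ts_sec, ts_usec, hexstr in records:
        pkt = hex_to_bytes(hexstr)
        if len(pkt) > snaplen:
            raise ValueError("packet longer than snaplen")
        # per-record header: ts_sec, ts_usec, incl_len, orig_len (nothing was truncated)
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(pkt), len(pkt)))
        out.append(pkt)
    return b"".join(out)


def read_pcap(data):
    """Parse a libpcap file in either byte order.

    Returns (linktype, [(ts_sec, ts_usec, packet_bytes), ...]) and refuses truncated input.
    """
    if len(data) < 24:
        raise ValueError("truncated global header")
    if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC:
        endian = "<"
    elif struct.unpack(">I", data[:4])[0] == PCAP_MAGIC:
        endian = ">"
    else:
        raise ValueError("not a microsecond libpcap file (pcapng / nanosecond not handled)")
    _, _vmaj, _vmin, _tz, _sig, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    pkts, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header")
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if incl_len > snaplen or off + incl_len > len(data):
            raise ValueError("truncated or oversized record")
        pkts.append((ts_sec, ts_usec, data[off:off + incl_len]))
        off += incl_len
    return linktype, pkts


def ipv4_flags(frame):
    """Decode the IPv4 flags/fragment-offset word of an Ethernet-framed packet."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4-over-Ethernet frame")
    if frame[14] >> 4 != 4:
        raise ValueError("IP version is not 4")
    word = struct.unpack("!H", frame[20:22])[0]   # IP header offset 6, network byte order
    return {
        "reserved": (word >> 15) & 1,
        "df": (word >> 14) & 1,
        "mf": (word >> 13) & 1,
        "fragment_offset": word & 0x1FFF,
    }


def roundtrip(hexstr, ts_sec=1313463194, ts_usec=0):
    """Stored hex -> pcap bytes -> parsed frame -> decoded IPv4 flags."""
    linktype, pkts = read_pcap(hex_to_pcap([(ts_sec, ts_usec, hexstr)]))
    if linktype != LINKTYPE_ETHERNET or pkts[0][2] != hex_to_bytes(hexstr):
        raise AssertionError("pcap round trip did not preserve the frame")
    return ipv4_flags(pkts[0][2])


if __name__ == "__main__":
    with open("event.pcap", "wb") as f:
        f.write(hex_to_pcap([(1313463194, 0, SAMPLE_HEX)]))
    print(roundtrip(SAMPLE_HEX))
```

Because the flags are read back from the raw bytes rather than from a column the output plugin decoded at log time, whatever the decoder or schema did with the flags value no longer matters to the reconstructed pcap; the same file opens in tcpdump or Wireshark for comparison.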
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please see http://www.snort.org/docs for documentation
