Snort mailing list archives
Re: Snort and Barnyard2
From: Y M <snort () outlook com>
Date: Wed, 6 Feb 2013 23:39:05 +0300
Yes you are right. The acid_event table gets created if/when using BASE and holds data aggregated for populating the base_query_main.php once requested. I wrote that sample query for simplicity and could have mistakenly assumed that BASE is in use. Thanks for pointing this out.

YM

________________________________
From: beenph<mailto:beenph () gmail com>
Sent: 2/6/2013 11:30 PM
To: Y M<mailto:snort () outlook com>
Cc: Josh Bitto<mailto:jbitto () onlineschool ca>; snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>; barnyard2-users () googlegroups com<mailto:barnyard2-users () googlegroups com>
Subject: Re: [Snort-users] Snort and Barnyard2

On Wed, Feb 6, 2013 at 2:43 PM, Y M <snort () outlook com> wrote:
Sorry for not detailing my reply. For example try querying snort database with: SELECT ip_src, INET_NTOA(ip_src) FROM acid_event;
IP src/dst data in the default schema is not stored in the acid_event table but the iphdr table. So a query could look like this (assuming mysql):

SELECT INET_NTOA(ip_src),INET_NTOA(ip_dst) FROM iphdr WHERE sid="XXX" AND cid="XXX";
From: Josh Bitto
Sent: 2/6/2013 10:05 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort and Barnyard2

Has anyone else had this issue come up where when you export the data from your database the IPs listed do not correspond with the actual IP addresses that have been captured when an event happens?
Now, I am not sure I understand what Josh Bitto means by "the store IP are not the same as the captured IP". barnyard2 will store what's found in the unified2 file. Did you validate the content of your unified2 file using u2spewfoo or u2boat to export the contained packets to a pcap file and compare that information?

-elz
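As an added example that is not part of the thread: a query against the default barnyard2 MySQL schema (tables event, signature, iphdr, tcphdr) that exports events with decoded addresses without relying on BASE's acid_event table. The stored ip_src/ip_dst values are unsigned 32-bit integers, which is why a raw dump shows numbers rather than dotted quads; the address in the second query is a placeholder.

```sql
-- Added example (not from the thread): export Snort events with readable
-- addresses from the default barnyard2 MySQL schema. ip_src/ip_dst are
-- stored as unsigned 32-bit integers, so a plain table export shows numbers;
-- INET_NTOA() decodes them to dotted-quad form.
SELECT e.sid,
       e.cid,
       e.timestamp,
       s.sig_name,
       ip.ip_src            AS ip_src_raw,  -- the integer a plain export shows
       INET_NTOA(ip.ip_src) AS src_ip,      -- human-readable form
       INET_NTOA(ip.ip_dst) AS dst_ip,
       ip.ip_proto,
       t.tcp_sport,
       t.tcp_dport
FROM event e
JOIN signature s   ON s.sig_id = e.signature
JOIN iphdr ip      ON ip.sid = e.sid AND ip.cid = e.cid
LEFT JOIN tcphdr t ON t.sid = e.sid AND t.cid = e.cid   -- NULL for non-TCP events
WHERE e.timestamp >= NOW() - INTERVAL 1 DAY
ORDER BY e.timestamp DESC;

-- To check an address seen in the pcap (u2boat output) against what
-- barnyard2 stored, convert it the same way before comparing.
-- 192.0.2.10 is a placeholder address.
SELECT e.sid, e.cid, e.timestamp, INET_NTOA(ip.ip_src) AS src_ip
FROM event e
JOIN iphdr ip ON ip.sid = e.sid AND ip.cid = e.cid
WHERE ip.ip_src = INET_ATON('192.0.2.10');
```

If the decoded src_ip matches the packet in the unified2 file but the exported spreadsheet does not, the export step is mis-handling the integer column rather than barnyard2 storing the wrong address.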