Snort mailing list archives

RE: ICMP DB Issues


From: "Joshua Berry" <jberry () PENSON COM>
Date: Tue, 20 Jul 2004 14:19:05 -0500

DB Output configuration:

output database: alert, postgresql, user=<db_user_name> password=<db_password> dbname=<db_name> host=<db_ip_addr> sensor_name=<sensor_name> detail=full

-----Original Message-----
From: sekure [mailto:sekure () gmail com] 
Sent: Tuesday, July 20, 2004 2:07 PM
To: Joshua Berry
Subject: Re: [Snort-users] ICMP DB Issues

Strange indeed...

According to the snort manual, you can configure the detail level for
the database output module to either "fast" or "full".  Obviously fast
logs less detail than full.  I don't know what it defaults to, so you
might want to check on that.

Post your output module line, maybe someone with more knowledge than
myself can find something wrong with it. Sorry I can't offer any more
suggestions, since I am not using snort's db output module, but like I
said, processing unified logs through barnyard works for me.

On Tue, 20 Jul 2004 13:45:33 -0500, Joshua Berry <jberry () penson com> wrote:
Yes, I am querying the icmphdr table and the icmp_seq and icmp_id fields
are empty (null).  Do you mean logging in alert or log mode?  You cannot
use -A full or -A fast for DB output.



-----Original Message-----
From: sekure [mailto:sekure () gmail com]
Sent: Tuesday, July 20, 2004 1:44 PM
To: Joshua Berry
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] ICMP DB Issues

Are you querying the icmphdr table?

Are you logging in full or fast mode?

On Tue, 20 Jul 2004 13:27:44 -0500, Joshua Berry <jberry () penson com> wrote:
It isn't the display, because I have coded my own PHP based SIM.  I did
a query for all ICMP IDs or Sequences that weren't NULL and came back
with nothing.

I am not using barnyard or mudpit or any other plugin, just the DB
output option from Snort and it seems to not insert this data.



-----Original Message-----
From: sekure [mailto:sekure () gmail com]
Sent: Tuesday, July 20, 2004 1:26 PM
To: Joshua Berry
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] ICMP DB Issues

I am using barnyard to insert the unified logs into a remote database,
and whereas I don't normally see those particular types of alerts,
other ICMP alerts have the following information: icmp_type,
icmp_code, icmp_csum, icmp_id, icmp_seq.

Now whether or not they get displayed by your front end ( ACID,
OpenAanval) is a whole different story.

On Tue, 20 Jul 2004 13:04:09 -0500, Joshua Berry <jberry () penson com> wrote:
I have had an issue for some time where I will get alerts such as "DDOS
- TFN client command LE" which revolves around the ICMP ID, ICMP
Sequence, and Type.  However, the ICMP ID and Sequence is NEVER entered
into the database, just the Type and Code.  Has anyone else noticed
this?

Josh Berry, CISSP & MCSE
Information Security
214-765-1296


--------------------------------------------------------------------
If you spend more on coffee than on IT security, you will be
hacked.
What's more, you deserve to be hacked.
    -- (Former) White House Cybersecurity adviser Richard Clarke

-------------------------------------------------------
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_idG21&alloc_id040&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
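A diagnostic query for the symptom discussed in this thread (icmp_id and icmp_seq arriving NULL in the icmphdr table), added here as an example and not part of the original messages. It assumes the stock Snort database schema, where icmphdr is joined to event(sid, cid, signature) and signature(sig_id, sig_name), and where the sensor table records the configured detail level; adjust the table and column names if your schema differs.

```sql
-- Added example, not from the thread. Assumes the stock Snort schema:
--   event(sid, cid, signature), signature(sig_id, sig_name),
--   icmphdr(sid, cid, icmp_type, icmp_code, icmp_csum, icmp_id, icmp_seq).
-- For each rule and ICMP type/code, count the ICMP events and how many of
-- them were stored without an identifier or sequence number.
SELECT s.sig_name,
       i.icmp_type,
       i.icmp_code,
       COUNT(*)                     AS icmp_events,
       COUNT(*) - COUNT(i.icmp_id)  AS null_id,
       COUNT(*) - COUNT(i.icmp_seq) AS null_seq
FROM icmphdr i
JOIN event e     ON e.sid = i.sid AND e.cid = i.cid
JOIN signature s ON s.sig_id = e.signature
GROUP BY s.sig_name, i.icmp_type, i.icmp_code
ORDER BY null_id DESC, icmp_events DESC;

-- Confirm what detail level each sensor actually registered with
-- (assumption: sensor.detail is 1 for "full" and 0 for "fast").
SELECT sid, hostname, interface, detail
FROM sensor;
```

Grouping by icmp_type matters when reading the result: only echo-style messages carry an identifier and sequence number, so NULLs in both columns for other types (destination unreachable, time exceeded, and so on) are expected, and the rows worth investigating are the echo request/reply rows where null_id equals icmp_events.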
