Snort mailing list archives
RE: ICMP DB Issues
From: "Joshua Berry" <jberry () PENSON COM>
Date: Tue, 20 Jul 2004 14:19:05 -0500
DB Output configuration: output database: alert, postgresql, user=<db_user_name> password=<db_password> dbname=<db_name> host=<db_ip_addr> sensor_name=<sensor_name> detail=full -----Original Message----- From: sekure [mailto:sekure () gmail com] Sent: Tuesday, July 20, 2004 2:07 PM To: Joshua Berry Subject: Re: [Snort-users] ICMP DB Issues Strange indeed... According to the snort manual, you can configure the detail level for the database output module to either "fast" or "full". Obviously fast logs less detail than full. I don't know what it defaults to, so you might want to check on that. Post your output module line, maybe someone with more knowledge than myself can find something wrong with it. Sorry I can't offer any more suggestions, since I am not using snort's db output module, but like i said, processing unified logs through barnyard works for me. On Tue, 20 Jul 2004 13:45:33 -0500, Joshua Berry <jberry () penson com> wrote:
Yes, I am querying the icmphdr table and the icmp_seq and icmp_id
fields
are empty (null). Do you mean logging in alert or log mode? You
cannot
use -A full or -A fast for DB output. -----Original Message----- From: sekure [mailto:sekure () gmail com] Sent: Tuesday, July 20, 2004 1:44 PM To: Joshua Berry Cc: snort-users () lists sourceforge net Subject: Re: [Snort-users] ICMP DB Issues Are you querying the icmphdr table? Are you logging in full or fast mode? On Tue, 20 Jul 2004 13:27:44 -0500, Joshua Berry <jberry () penson com> wrote:It isn't the display, because I have coded my own PHP based SIM. Idida query for all ICMP ID's or Sequences that weren't NULL and came
back
with nothing. I am not using barnyard or mudpit or any other plugin, just the DB output option from Snort and it seems to not insert this data. -----Original Message----- From: sekure [mailto:sekure () gmail com] Sent: Tuesday, July 20, 2004 1:26 PM To: Joshua Berry Cc: snort-users () lists sourceforge net Subject: Re: [Snort-users] ICMP DB Issues I am using barnyard to insert the unified logs into a remote
database,
and whereas i don't normally see those particular types of alerts, other ICMP alerts have the following information: icmp_type, icmp_code, icmp_csum, icmp_id, icmp_seq. Now whether or not they get displayed by your front end ( ACID, OpenAanval) is a whole different story. On Tue, 20 Jul 2004 13:04:09 -0500, Joshua Berry <jberry () penson com> wrote:I have had an issue for some time where I will get alerts such as"DDOS- TFN client command LE" which revolves around the ICMP ID, ICMP Sequence, and Type. However, the ICMP ID and Sequence is NEVERenteredinto the database, just the Type and Code. Has anyone else
noticed
this? Josh Berry, CISSP & MCSE Information Security 214-765-1296
--------------------------------------------------------------------
If you spend more on coffee than on IT security, you will be
hacked.
What's more, you deserve to be hacked. -- (Former) White House Cybersecurity adviser Richard Clarke ------------------------------------------------------- This SF.Net email is sponsored by BEA Weblogic Workshop FREE Java Enterprise J2EE developer tools! Get your free copy of BEA WebLogic Workshop 8.1 today. http://ads.osdn.com/?ad_idG21&alloc_id040&op=click _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------- This SF.Net email is sponsored by BEA Weblogic Workshop FREE Java Enterprise J2EE developer tools! Get your free copy of BEA WebLogic Workshop 8.1 today. http://ads.osdn.com/?ad_idG21&alloc_id040&op=click _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- ICMP DB Issues Joshua Berry (Jul 20)
- Re: ICMP DB Issues sekure (Jul 20)
- <Possible follow-ups>
- RE: ICMP DB Issues Joshua Berry (Jul 20)
- Re: ICMP DB Issues sekure (Jul 20)
- RE: ICMP DB Issues Joshua Berry (Jul 20)
- RE: ICMP DB Issues Joshua Berry (Jul 20)