Snort mailing list archives

Logging to DB is done differently than to a file.


From: "Bruno G. San Alejo" <bgonzalez () polar es>
Date: Wed, 04 Mar 2009 15:14:26 +0100

Hi, I have found how Snort logs to a file and to the DB and maybe it's
the cause of why I seem to have ICMP redirect packets with the wrong
gateway's IP.

    To make a really long story short, when logging to a file Snort uses
the pcap_dump() function that (if I'm not mistaken) logs the packet as
it gets it from Snort. When logging to the DB, the ICMP packet gets
parsed and the insert is as follows in the Database() func:

ret = SnortSnprintf(query->val, MAX_QUERY_LENGTH,
                    "INSERT INTO "
                    "icmphdr (sid, cid, icmp_type, icmp_code, icmp_csum, icmp_id, icmp_seq) "
                    "VALUES (%u,%u,%u,%u,%u,%u,%u)",
                    data->shared->sid,
                    data->shared->cid,
                    p->icmph->type,
                    p->icmph->code,
                    ntohs(p->icmph->csum),
                    ntohs(p->icmph->s_icmp_id),
                    ntohs(p->icmph->s_icmp_seq));

Note the references to p->icmph->s_icmp_seq and p->icmph->s_icmp_id.
Now, ICMP redirect packets don't have those fields, they have the
gateway's IP instead.

    Since the packets are not "decoded" but the actual packet is laid
over the Packet struct which contains unions, those fields have data,
though not a valid one. Maybe the IP for the gateway is there.

    The result is that when I see the Snort logged packets in pcap
format, they are correct, but the ones seen through BASE or saved to
pcap through BASE, are not. The ones shown through BASE have wrong
gateway's IPs. Also, BASE gets the gateway's IP from someplace else
which I think is not the IP. So, that is an issue also.

    I'm sorry to be a pain in the neck with this issue but I would like
someone to correct me or maybe there is something to be solved in here.

    Thanks.
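Added illustration of the union overlap described in the post (example code, not Snort's own; the header struct, the constructed sample packets and the function names are assumptions): for a redirect (type 5) the four bytes after the checksum are the gateway address, so reading them as id/seq, the way the DB insert does for every ICMP type, yields two meaningless numbers built from the gateway's octets.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed ICMP header mirroring the union layout the Snort snippet reads
 * through: the four bytes after the checksum are id/seq for echo messages but
 * the gateway address for a redirect (type 5). Not Snort's own definition. */
typedef struct {
    uint8_t  type;
    uint8_t  code;
    uint16_t csum;
    union {
        struct { uint16_t id; uint16_t seq; } echo;
        uint32_t gateway;            /* network byte order */
    } u;
} icmp_hdr_t;
#define ICMP_REDIRECT 5

/* What the DB output stores for every ICMP type: id/seq read from the union. */
int icmp_as_echo_fields(const uint8_t *raw, size_t len, uint16_t *id, uint16_t *seq)
{
    icmp_hdr_t h;
    if (len < sizeof h) return -1;
    memcpy(&h, raw, sizeof h);       /* copy out, no unaligned cast */
    *id = ntohs(h.u.echo.id);
    *seq = ntohs(h.u.echo.seq);
    return 0;
}

/* Type-aware decode: returns 1 and the dotted-quad gateway for a redirect,
 * 0 and "id/seq" otherwise, -1 if the buffer is too short. */
int icmp_describe_union(const uint8_t *raw, size_t len, char *out, size_t outlen)
{
    icmp_hdr_t h;
    if (len < sizeof h) return -1;
    memcpy(&h, raw, sizeof h);
    if (h.type == ICMP_REDIRECT) {
        struct in_addr a = { .s_addr = h.u.gateway };
        snprintf(out, outlen, "%s", inet_ntoa(a));
        return 1;
    }
    snprintf(out, outlen, "%u/%u", ntohs(h.u.echo.id), ntohs(h.u.echo.seq));
    return 0;
}

/* Constructed samples (checksums left zero): a host redirect (type 5, code 1)
 * with gateway 192.0.2.1, and an echo request with id 0x1234, seq 1. */
static const uint8_t sample_redirect[8] = { 5, 1, 0, 0, 192, 0, 2, 1 };
static const uint8_t sample_echo[8]     = { 8, 0, 0, 0, 0x12, 0x34, 0, 1 };
```

Running icmp_as_echo_fields over sample_redirect gives id 49152 and seq 513, which is exactly what the icmphdr row would hold for that packet, while icmp_describe_union recovers 192.0.2.1 from the same bytes.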

