Snort mailing list archives

Re: Discrepancy between Base and linked packet


From: "Bruno G. San Alejo" <bgonzalez () polar es>
Date: Tue, 24 Mar 2009 14:25:01 +0100

    OK, my fault then, I just run Snort and Base. Snort is configured
with MySql support and Base just goes into the DB. Sorry, I just
installed them a couple of months ago and followed the "Managing
Security with Snort and IDS tools" book and the typical "how-to" web
pages. I guess I need to do more homework. :)

    Then, given that Snort logs the packets right and that an external
tool gets the log file and puts it into the DB (I had and have no idea
about this, I won't BS you), the DB schema is not quite right anyway. It
has two fields (id and seq#) for ALL ICMP types. Particularly for ICMP
redirects, the gateway's IP is not represented anywhere in the DB schema.

    So, if I'm not wrong the root issue of this thread gets solved: use
an external tool to pass the Snort logs into the DB (as a matter of fact
the first thing I'll start doing as soon as I send this email). But for
everything to be peachy there is still the little issue of some
discrepancies between some ICMP types and what data is in the DB schema
representing them. I just don't see how even with an external tool,
some data of ICMP packets can be logged into the DB if the schema just
doesn't have those fields.

    Thanks.




Joel Esler wrote:
We'll need to know more about the setup.  BASE simply reads what is in
the DB.  If it's a parsing issue with BASE, reading out of the DB,
then Kevin can speak to that, however, if the problem lies in the data
that is actually in the DB, then I have to ask how it is getting in
there.

Generally Accepted Best Practice is to have Snort log in "unified"
mode, and have an external tool like barnyard or SnortUnified.pm read
the Unified files and put them into the DB.  

How is your setup configured?  (Writing from Snort directly to the DB
is never recommended.)

Joel

On Tue, Mar 24, 2009 at 8:44 AM, Bruno G. San Alejo
<bgonzalez () polar es> wrote:

       Hi everyone, I posted like 4 weeks ago something about some problems
    with what Snort logs, what Base shows, and what Base saves as pcap file.
    Maybe that is what you are talking about?

       What I saw was that the packet logged with Snort was the right one.
    The packet logged to the DB had some issues. These could be seen in:

       -what Base shows, for ICMP redirect packets (that was what I was
    focusing on) the id and the seq# were being logged instead of the
    gateway's IP, I submitted a temporary fix that takes care of it and I'm
    currently testing a fix for Snort and Base that will definitely take
    care of this if they are approved. The problem was the way that the
    packet was being parsed and the schema at the DB, which had fields that
    are not present in all the types of ICMP, but that are non null.

       -what Base saves in pcap, wrong MAC addresses and shorter
    timestamps. As you say, discrepancies at the Network, Transport, and
    Data layers. I have not looked into this as I am working on the other
    issue, but if no one comments on this one, I'll dive into the code
    shortly.

       Thanks.

    Matthew Babcock wrote:
    > Hello all,
    >
    > A short time back I noticed someone was talking about an issue where the
    > packet downloaded via base had different headers than shown between
    > wireshark and base.
    >
    > The top layers are represented the same in Base and the .pcap. However the
    > bottom layers are not correct. The data in the Data Link and Network
    > layers is just wrong, the Transport layer also cites bad TCP Checksums.
    > Thanks in advance.
    >
    > What was the reason and fix?
    >
    > Also, is the mailing list archived somewhere?
    >
    > Regards,
    > -- Matthew R. Babcock
    > CEO, Principal Consultant
    > A & R Technology Consulting - Providing solutions, not limitations -
    > MBabcock () AandRTech com
    > (508) 397-8280
    >
    > ------------------------------------------------------------------------------
    > Apps built with the Adobe(R) Flex(R) framework and Flex Builder(TM) are
    > powering Web 2.0 with engaging, cross-platform capabilities. Quickly and
    > easily build your RIAs with Flex Builder, the Eclipse(TM)based development
    > software that enables intelligent coding and step-through debugging.
    > Download the free 60 day trial. http://p.sf.net/sfu/www-adobe-com
    > _______________________________________________
    > Snort-users mailing list
    > Snort-users () lists sourceforge net
    > Go to this URL to change user options or unsubscribe:
    > https://lists.sourceforge.net/lists/listinfo/snort-users
    > Snort-users list archive:
    > http://www.geocrawler.com/redir-sf.php3?list=snort-users






-- 
Joel Esler
T: 302-223-5974 (-) Gtalk: jesler () sourcefire com
<mailto:jesler () sourcefire com>




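The schema mismatch Bruno describes above (one id column and one seq# column for every ICMP type, and no column at all for a redirect's gateway) comes down to how the four bytes that follow the ICMP checksum are interpreted. The Python below is an added example, not code from Snort, BASE, barnyard or anyone on this thread: it decodes those four bytes by ICMP type as RFC 792 defines them, shows what a type-blind id/seq logger would store for a redirect, and recovers the gateway address from such a stored pair. The recovery step assumes the logger kept the four bytes in network order as two 16-bit integers; that is an assumption about the logger, not something the thread states. The two sample messages are constructed here, with valid checksums, so the script runs offline.

```python
import struct
import ipaddress

# ICMP type numbers as assigned in RFC 792
ECHO_REPLY, DEST_UNREACH, REDIRECT, ECHO_REQUEST = 0, 3, 5, 8
TIMESTAMP, TIMESTAMP_REPLY = 13, 14
ID_SEQ_TYPES = (ECHO_REPLY, ECHO_REQUEST, TIMESTAMP, TIMESTAMP_REPLY)


def icmp_checksum(msg: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words.
    Returns 0 for a message whose checksum field is already correct."""
    if len(msg) % 2:
        msg += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(msg) // 2), msg))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: bytes, payload: bytes = b"") -> bytes:
    """Assemble an ICMP message with a valid checksum (used only to construct sample input)."""
    if len(rest) != 4:
        raise ValueError("bytes 4..8 of the ICMP header must be exactly 4 bytes")
    body = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]


def parse_icmp_header(data: bytes) -> dict:
    """Decode the 8-byte ICMP header; bytes 4..8 mean different things per type."""
    if len(data) < 8:
        raise ValueError("ICMP header needs at least 8 bytes")
    icmp_type, code, _checksum = struct.unpack("!BBH", data[:4])
    rest = data[4:8]
    hdr = {"type": icmp_type, "code": code, "checksum_ok": icmp_checksum(data) == 0}
    if icmp_type in ID_SEQ_TYPES:
        hdr["id"], hdr["seq"] = struct.unpack("!HH", rest)   # identifier and sequence number
    elif icmp_type == REDIRECT:
        hdr["gateway"] = str(ipaddress.IPv4Address(rest))    # gateway internet address
    elif icmp_type == DEST_UNREACH:
        # RFC 792 leaves these bytes unused; RFC 1191 uses the low 16 bits as next-hop MTU for code 4
        _, mtu = struct.unpack("!HH", rest)
        hdr["next_hop_mtu"] = mtu if code == 4 else None
    else:
        hdr["rest_of_header"] = rest.hex()                   # types this example does not decode
    return hdr


def type_blind_id_seq(data: bytes) -> tuple:
    """What a logger that stores id/seq for every ICMP type records, whatever the type."""
    return struct.unpack("!HH", data[4:8])


def gateway_from_id_seq(icmp_id: int, icmp_seq: int) -> str:
    """Recover a redirect's gateway from an id/seq pair that was stored type-blind.
    Assumption (hypothetical): the logger kept the four bytes in network order."""
    return str(ipaddress.IPv4Address(struct.pack("!HH", icmp_id, icmp_seq)))


# Constructed samples: a host redirect (type 5, code 1) pointing at 10.0.0.254, carrying a
# dummy 28-byte block where RFC 792 puts the offending datagram's IP header + 8 bytes,
# and an echo request with identifier 0x1234, sequence number 1.
SAMPLE_REDIRECT = build_icmp(REDIRECT, 1, ipaddress.IPv4Address("10.0.0.254").packed,
                             b"\x45" + b"\x00" * 27)
SAMPLE_ECHO = build_icmp(ECHO_REQUEST, 0, struct.pack("!HH", 0x1234, 1), b"abcdefgh")

if __name__ == "__main__":
    for name, pkt in (("redirect", SAMPLE_REDIRECT), ("echo", SAMPLE_ECHO)):
        print(name, "decoded by type:", parse_icmp_header(pkt))
        print(name, "stored as id/seq by a type-blind schema:", type_blind_id_seq(pkt))
    stored_id, stored_seq = type_blind_id_seq(SAMPLE_REDIRECT)
    print("gateway recovered from stored id/seq:", gateway_from_id_seq(stored_id, stored_seq))
```

For the redirect sample, the type-blind logger stores id 2560 and seq 254, which is exactly the 10.0.0.254 gateway split into two halves; a front end that displays those columns for a redirect shows meaningless numbers, which is the symptom reported earlier in the thread. Decoding by type, as the parser does, is what a corrected schema needs to carry: either a separate gateway column or a raw copy of the four header bytes.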