Snort mailing list archives

Re: Snort and Barnyard2


From: Y M <snort () outlook com>
Date: Wed, 6 Feb 2013 23:39:05 +0300

Yes, you are right. The acid_event table gets created if/when using BASE and holds data aggregated for populating 
base_query_main.php once requested. I wrote that sample query for simplicity and could have mistakenly assumed that BASE is 
in use.

Thanks for pointing this out.

YM
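A worked query against the tables elz points to below (iphdr rather than acid_event, joined to the event row on sid and cid), added here as an illustration; it is not code from any message in this thread. It assumes the stock barnyard2 MySQL schema (event, signature, sensor, iphdr, tcphdr, all keyed on the sid, cid pair, with ip_src/ip_dst stored as INT UNSIGNED) and creates throwaway copies of those tables with constructed rows so it can be run stand-alone on any MySQL or MariaDB server:

```sql
-- Constructed, minimal stand-ins for the barnyard2 MySQL schema (assumption: column
-- names follow the stock create_mysql script). Only the columns the query needs are kept.
CREATE TEMPORARY TABLE sensor (
    sid INT UNSIGNED NOT NULL, hostname TEXT, interface TEXT, PRIMARY KEY (sid));
CREATE TEMPORARY TABLE event (
    sid INT UNSIGNED NOT NULL, cid INT UNSIGNED NOT NULL,
    signature INT UNSIGNED NOT NULL, timestamp DATETIME NOT NULL, PRIMARY KEY (sid, cid));
CREATE TEMPORARY TABLE signature (
    sig_id INT UNSIGNED NOT NULL, sig_name VARCHAR(255) NOT NULL,
    sig_sid INT UNSIGNED, sig_gid INT UNSIGNED, PRIMARY KEY (sig_id));
CREATE TEMPORARY TABLE iphdr (
    sid INT UNSIGNED NOT NULL, cid INT UNSIGNED NOT NULL,
    ip_src INT UNSIGNED NOT NULL, ip_dst INT UNSIGNED NOT NULL,
    ip_proto TINYINT UNSIGNED NOT NULL, PRIMARY KEY (sid, cid));
CREATE TEMPORARY TABLE tcphdr (
    sid INT UNSIGNED NOT NULL, cid INT UNSIGNED NOT NULL,
    tcp_sport SMALLINT UNSIGNED NOT NULL, tcp_dport SMALLINT UNSIGNED NOT NULL,
    PRIMARY KEY (sid, cid));

-- Constructed sample rows: two alerts from one sensor, using documentation (TEST-NET) addresses.
INSERT INTO sensor VALUES (1, 'sensor01', 'eth1');
INSERT INTO signature VALUES (7, 'TEST RULE', 1000001, 1);
INSERT INTO event VALUES (1, 100, 7, '2013-02-06 20:05:00'),
                         (1, 101, 7, '2013-02-06 20:06:00');
INSERT INTO iphdr VALUES (1, 100, INET_ATON('192.0.2.10'),  INET_ATON('198.51.100.20'), 6),
                         (1, 101, INET_ATON('203.0.113.5'), INET_ATON('198.51.100.20'), 6);
INSERT INTO tcphdr VALUES (1, 100, 44321, 22),
                          (1, 101, 55555, 80);

-- What the database actually holds (a 32-bit unsigned integer) next to its decoded form.
SELECT sid, cid, ip_src, INET_NTOA(ip_src) AS src, ip_dst, INET_NTOA(ip_dst) AS dst
FROM iphdr;

-- One row per event: sensor, rule, decoded addresses and TCP ports, joined on (sid, cid).
-- tcphdr is LEFT JOINed because UDP/ICMP events have no row there.
SELECT e.sid, e.cid, e.timestamp, s.hostname, g.sig_name,
       INET_NTOA(i.ip_src) AS src, t.tcp_sport,
       INET_NTOA(i.ip_dst) AS dst, t.tcp_dport
FROM event e
JOIN sensor    s ON s.sid = e.sid
JOIN signature g ON g.sig_id = e.signature
JOIN iphdr     i ON i.sid = e.sid AND i.cid = e.cid
LEFT JOIN tcphdr t ON t.sid = e.sid AND t.cid = e.cid
ORDER BY e.timestamp;

-- Searching for a host: convert the dotted quad with INET_ATON. Comparing the integer column
-- against the string '203.0.113.5' would not be parsed as an address by MySQL.
SELECT e.sid, e.cid, e.timestamp, INET_NTOA(i.ip_src) AS src
FROM event e
JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
WHERE i.ip_src = INET_ATON('203.0.113.5');
```

Exported dumps of iphdr will show the raw integers (for the rows above, 3221225994 for 192.0.2.10), so a mismatch between "the IPs in the export" and what was captured is worth checking first at the decoding step, and only then, as elz suggests, against the unified2 file itself.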
________________________________
From: beenph<mailto:beenph () gmail com>
Sent: 2/6/2013 11:30 PM
To: Y M<mailto:snort () outlook com>
Cc: Josh Bitto<mailto:jbitto () onlineschool ca>; snort-users () lists sourceforge net<mailto:snort-users () lists 
sourceforge net>; barnyard2-users () googlegroups com<mailto:barnyard2-users () googlegroups com>
Subject: Re: [Snort-users] Snort and Barnyard2

On Wed, Feb 6, 2013 at 2:43 PM, Y M <snort () outlook com> wrote:
Sorry for not detailing my reply. For example, try querying the snort database
with:

SELECT ip_src, INET_NTOA(ip_src)
FROM acid_event;

IP src/dst data in the default schema is not stored in the acid_event table but
the iphdr table.

So a query could look like this:

Assuming mysql:

SELECT INET_NTOA(ip_src),INET_NTOA(ip_dst) FROM iphdr WHERE sid="XXX"
AND cid="XXX";


From: Josh Bitto
Sent: 2/6/2013 10:05 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort and Barnyard2

Has anyone else had this issue come up where, when you export the data from
your database, the IPs listed do not correspond with the actual IP addresses
that have been captured when an event happens?



Now, I am not sure I understand what Josh Bitto means by "the stored IPs
are not the same as the captured IPs".
barnyard2 will store what's found in the unified2 file. Did you
validate the content of your unified2 file
using u2spewfoo or u2boat to export the contained packets to a pcap file and
compare that information?

-elz
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
