Re: Snort and Barnyard2

[Y M <snort () outlook com>]

Yes it can be done. Try the following query: 
 SELECT 
               signature.sig_name AS 'Signature Name', 
               event.timestamp AS 'Timestamp',
               INET_NTOA(iphdr.ip_src) AS 'Source IP',
               INET_NTOA(iphdr.ip_dst) AS 'Destination IP',
               sig_class.sig_class_name AS 'Signature Class'
FROM 
              signature LEFT JOIN event ON (signature.sig_id=event.signature)
              LEFT JOIN sig_class ON (signature.sig_class_id=sig_class.sig_class_id)
              LEFT JOIN iphdr ON (event.cid=iphdr.cid)
WHERE               signature.sig_sid=<xxx>;  In this case, you would replace the "<xxx>" with your own signature sid 
that you are looking for. You can get rid of the WHERE clause to perform the same behavior on all the data, but that 
would be an overkill to your db server depending on the amount of data you have.  Perhaps not the most efficient query, 
but it will return data and columns in the following format: Signature Name, Timestamp, Source IP, Destination IP, 
Signature Class Please note that these are fancy formatting (the "AS 'Your favorite column name'" part in the query) of 
the column names for easier reading. Beenph, jump in if I am doing something wrong in my query here :) YM> From: jbitto 
() onlineschool ca
> To: beenph () gmail com; snort () outlook com
> CC: snort-users () lists sourceforge net; barnyard2-users () googlegroups com
> Date: Wed, 6 Feb 2013 13:21:41 -0800
> Subject: RE: [Snort-users] Snort and Barnyard2
>
> Ok so if I wanted to run a query where I wanted the src and dst IP plus view event and signature tables as 
> well....Can that be done?
>
> Also....would running these query's have the data line up with the actual date and times that the event actually 
> occurred?
>
>
>
> -----Original Message-----
> From: beenph [mailto:beenph () gmail com] 
> Sent: Wednesday, February 06, 2013 12:31 PM
> To: Y M
> Cc: Josh Bitto; snort-users () lists sourceforge net; barnyard2-users () googlegroups com
> Subject: Re: [Snort-users] Snort and Barnyard2
>
> On Wed, Feb 6, 2013 at 2:43 PM, Y M <snort () outlook com> wrote:
> > Sorry for not detailing my reply. For  example try querying snort 
> > database
> > with:
> >
> > SELECT ip_src, INET_NTOA(ip_src)
> > FROM acid_event;
>
> IP src/dst data in the default schema is not stored in the acid_event table but the iphdr table.
>
> So a query could look like this:
>
> Assuming mysql:
>
> SELECT INET_NTOA(ip_src),INET_NTOA(ip_dst) FROM iphdr WHERE sid="XXX"
> AND cid="XXX";
>
> > From: Josh Bitto
> > Sent: 2/6/2013 10:05 PM
> > To: snort-users () lists sourceforge net
> > Subject: [Snort-users] Snort and Barnyard2
> >
> > Has anyone else had this issue come up where when you export the data 
> > from your database the IP's listed do not correspond with the actual 
> > IP addresses that have been captured when an event happens?
>
> Now, i am not sure i understand what Josh Bitto mean by "the store IP are not the same as the captured IP".
> barnyard2 will store whats found in the unified2 file, did you validate the content of your unified2 file using 
> u2spewfoo or u2boat to export contained packets to pcap file and compare that information?
>
> -elz

------------------------------------------------------------------------------
Free Next-Gen Firewall Hardware Offer
Buy your Sophos next-gen firewall before the end March 2013 
and get the hardware for free! Learn more.
http://p.sf.net/sfu/sophos-d2d-feb

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!