Snort mailing list archives

Re: Snorby Snort or Barnyard scrambles IPs


From: Jeremy Hoel <jthoel () gmail com>
Date: Mon, 31 Mar 2014 03:07:33 -0400

Start with the beginning: does tcpdump always show the right IP, and then
do the u2 files show the right IPs (and syslog, if you have that
output)?  Sniff the traffic and see if BY2 is sending the right IP, and then
check the DB and ensure that it's being stored as the right IP.  I'm
thinking it might have something to do with how the DB is storing the IP,
but that's just a guess.

If you go through each of these spots it might help narrow down the
problem, and maybe in the end it's a Snorby issue and you can bring it up
on that mailing list, but it's a good idea to check the other bits first.


On Mon, Mar 31, 2014 at 2:57 AM, Ilja Schumacher
<ilja.schumacher () gmail com> wrote:


Hey fellows,

I have just finished setting up Snort, Barnyard, MySQL, PulledPork and Snorby
on an ARM5 box.

Everything works very nicely except that Snorby shows totally scrambled IPs
for source and destination.

Example:
Real source 82.56.35.23
Real destination 192.168.1.13

Snorby shows:
Source 82.56.XX1.13
Destination 192.168.X35.23

X is 1 most of the time.

Setup is:
Internet. Firewall/NAT. LanportMirror. Snort.

Do you have a clue what may cause such strange behaviour?

Cheers
Ilja


------------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!
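
Added example, not part of the original thread: a small Python reader for the u2 stage of the check described in the reply. It decodes the IPv4 event records in a unified2 file and prints each address both dotted and as the 32-bit integer, which is the form the Snort database schema keeps in `iphdr.ip_src` and `iphdr.ip_dst`. The sample record is constructed from the addresses quoted in the thread; the remaining field values are made up.

```python
import socket
import struct

# Unified2 record header: type and length, both 32-bit big-endian.
HDR = struct.Struct(">II")
# Leading fields of an IPv4 event record (types 7 and 104), big-endian:
# 9 x u32 (sensor_id .. priority_id), ip_source, ip_destination, sport, dport.
EVT = struct.Struct(">9IIIHH")
IPV4_EVENT_TYPES = {7, 104}


def ipv4_events(data):
    """Yield (event_id, src_int, dst_int, sport, dport) for each IPv4 event."""
    off = 0
    while off + HDR.size <= len(data):
        rtype, rlen = HDR.unpack_from(data, off)
        body = data[off + HDR.size: off + HDR.size + rlen]
        off += HDR.size + rlen
        # Skip non-event records (packets, extra data) and truncated bodies.
        if rtype in IPV4_EVENT_TYPES and len(body) >= EVT.size:
            f = EVT.unpack(body[:EVT.size])
            yield f[1], f[9], f[10], f[11], f[12]


def dotted(n):
    """Render a 32-bit integer the way MySQL INET_NTOA() does."""
    return socket.inet_ntoa(struct.pack(">I", n))


def sample_record():
    """Constructed type-7 record using the addresses quoted in the thread."""
    src = struct.unpack(">I", socket.inet_aton("82.56.35.23"))[0]
    dst = struct.unpack(">I", socket.inet_aton("192.168.1.13"))[0]
    body = struct.pack(">9IIIHHBBBB", 1, 42, 1396249653, 0, 2000001, 1, 1, 0, 3,
                       src, dst, 51514, 80, 6, 0, 0, 0)
    return HDR.pack(7, len(body)) + body


if __name__ == "__main__":
    import sys
    # Pass a unified2 file path, or run with no argument to use the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_record()
    for eid, src, dst, sport, dport in ipv4_events(data):
        print(f"event {eid}: {dotted(src)}:{sport} -> {dotted(dst)}:{dport} "
              f"(ip_src={src}, ip_dst={dst})")
```

If the addresses printed here match tcpdump but `SELECT INET_NTOA(ip_src), INET_NTOA(ip_dst) FROM iphdr` does not, the mismatch is introduced after the u2 file is written, i.e. in Barnyard2 or the database rather than in Snort.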
