Snort mailing list archives

Missing events


From: sekure <sekure () gmail com>
Date: Wed, 30 Jun 2004 09:47:32 -0400

I apologize in advance for cross-posting to both snort-users and
barnyard-users lists. I am not really sure where the problem occurs,
so I feel like both groups can contribute here.

First a little background:  I am running Snort 2.1.3, logging in
unified format, using barnyard 0.2.0 to insert events into a remote
database.

The issue:  I am using OpenAanval as a GUI to view the events and on
the backend it uses its own database and does some post processing
with the snort database.  Just for the hell of it I decided to dump
the count() of events in both tables and noticed that the snort
"event" table had a few more events than OpenAanval.  I initially
thought it was a problem with OpenAanval, but some research indicates
otherwise.

Just to give the approximate scale of the problem I am missing about
100 events out of 50K total logged.

I identified the missing events, and went back to the snort database
to look them up.  What I found is that even though an entry for an
event exists in the "event" table, no entry exists for the event in
any of the "iphdr", "tcphdr" or "data" tables.
One example of this behavior: Snort logged 7 attempts at http
directory traversal across 7 of my web servers.  7 rows are created in
the "event" table, but only 5 in the iphdr, tcphdr and data tables.

I went further back, to the original sensor and dumped the contents of
the pcap file snort outputs along with the unified log.  The pcap file
contains all 7 events.  I then reconfigured barnyard to output the
processed logs in pcap format and pointed it at the log in question. 
The created pcap also had 7 events, all identical to each other and to
the original pcap written by snort with the exception of expected
things like dest. IPs and Seq/Ack #s.  This indicates that Snort
correctly writes the unified log file.

So, somewhere in the process of writing these events to the database
barnyard loses some of the relevant information, and only inserts a
portion of the event.

Has anyone experienced anything like this?  Any suggestions of things to try?
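A way to locate the orphaned rows the post describes, as an added example that is not part of the original thread: it builds a constructed in-memory SQLite copy of the relevant part of the Snort database schema (event, iphdr, tcphdr and data, all keyed by sid and cid), then left-joins the three detail tables to list every event row that lacks a companion row, reporting per table which one is missing. The column subset and sample alerts are assumptions made for the example; the real schema has many more columns.

```python
import sqlite3

# Trimmed subset of the Snort database schema: every detail table shares the
# (sid, cid) key of the event table. Columns reduced to what the check needs.
SCHEMA = """
CREATE TABLE event  (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT, PRIMARY KEY (sid, cid));
CREATE TABLE iphdr  (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER, PRIMARY KEY (sid, cid));
CREATE TABLE tcphdr (sid INTEGER, cid INTEGER, tcp_sport INTEGER, tcp_dport INTEGER, PRIMARY KEY (sid, cid));
CREATE TABLE data   (sid INTEGER, cid INTEGER, data_payload TEXT, PRIMARY KEY (sid, cid));
"""

# Left-join each detail table; a NULL key on the right side means the row is absent.
ORPHAN_SQL = """
SELECT e.sid, e.cid, e.signature, e.timestamp,
       (i.sid IS NULL) AS no_iphdr,
       (t.sid IS NULL) AS no_tcphdr,
       (d.sid IS NULL) AS no_data
FROM event e
LEFT JOIN iphdr  i ON i.sid = e.sid AND i.cid = e.cid
LEFT JOIN tcphdr t ON t.sid = e.sid AND t.cid = e.cid
LEFT JOIN data   d ON d.sid = e.sid AND d.cid = e.cid
WHERE i.sid IS NULL OR t.sid IS NULL OR d.sid IS NULL
ORDER BY e.sid, e.cid
"""

def find_orphan_events(conn):
    """Return (sid, cid, signature, timestamp, [missing table names]) for each
    event row that has no matching iphdr, tcphdr or data row."""
    out = []
    for sid, cid, sig, ts, no_ip, no_tcp, no_data in conn.execute(ORPHAN_SQL):
        missing = [n for n, flag in (("iphdr", no_ip), ("tcphdr", no_tcp), ("data", no_data)) if flag]
        out.append((sid, cid, sig, ts, missing))
    return out

def build_sample_db():
    """Constructed sample mirroring the post: 7 alerts in event, only 5 with detail rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for cid in range(1, 8):
        # signature id and timestamps are arbitrary constructed values
        conn.execute("INSERT INTO event VALUES (1, ?, 1000, ?)", (cid, f"2004-06-30 09:{cid:02d}:00"))
        if cid not in (3, 6):  # events 3 and 6 were only partially inserted
            conn.execute("INSERT INTO iphdr VALUES (1, ?, ?, ?)", (cid, 0x0A000001, 0x0A000100 + cid))
            conn.execute("INSERT INTO tcphdr VALUES (1, ?, ?, 80)", (cid, 40000 + cid))
            conn.execute("INSERT INTO data VALUES (1, ?, ?)", (cid, "GET /../../ HTTP/1.0"))
    conn.commit()
    return conn
```

Calling `find_orphan_events(build_sample_db())` returns the two partial events with all three tables listed as missing; against a real Snort database the same query runs unchanged once pointed at that connection.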


