Subject: Re: [Snort-users] Snort+MySql=OK. But why...
From: Martin Roesch (roesch@md.prestige.net)
Date: Sun Nov 26 2000 - 23:12:42 CST
No state == very fast. :) TCP stream reassembly is available in the latest
betas, but I don't think we log in terms of client->server or vice versa yet.
This is something that probably wouldn't take too long to implement...
-Marty
Nathan Spande wrote:
>
> This is something that has tricked us in the past as well. Basically, the
> problem is that snort doesn't know who OPENED the TCP connection, it just
> knows what the IP packet has as a source and a dest. So if the rule matches
> on the response, then the log will show the source as what you would think
> of as the dest, and the dest as what you would think of as the source. One
> of the only things that really bugs me about snort. Of course, probably as
> a result of this, you can get some very impressive performance out of it :)
>
> Nathan
>
> -----Original Message-----
> From: Johan.Augustsson [mailto:Johan.Augustsson@adm.gu.se]
> Sent: Tuesday, November 21, 2000 8:58 AM
> To: snort-users@lists.sourceforge.net
> Subject: [Snort-users] Snort+MySql=OK. But why...
>
> I'm tired and confused, I might also be stupid but I can't figure out one
> thing here.
>
> I'm running Snort 1.6.3 and store the log into a MySQL database, the very
> same that you could do with the database-plugin. And it works. It works
> very well and all the things I want in the database are stored there. But
> it seems to me like Snort sometimes is putting some of the data in the wrong
> fields. If the host 1.2.3.4 tries to telnet my box (6.7.8.9), Snort stores
> 1.2.3.4 in ip_dest0-3 and 6.7.8.9 in ip_src0-3, and port 23 is stored in
> th_sport in tcphdr. As I said, I might be a major airhead here, but as I see
> it the contacting host is the source and 1.2.3.4 should end up in
> ip_src0-3. I could have bought this and just kept going if it wasn't for
> that it sometimes logs source-addresses as ip_src0-3.
>
> If some host sends me an echo-request (ping), Snort will log the host's
> IP address as ip_src0-1 and my box as ip_dst0-3.
> Two scenarios where traffic is sent to me, but in one case Snort logs the
> source as ip_dst0-3 and in the other case as ip_src0-3.
>
> Ok... Can it have to do with the fact that it's two different protocols,
> TCP and ICMP?
> Nope. I got a SCAN-SYN FIN (port 111-111) followed by a RPC-query (111-894),
> and how did Snort log this then...?
> The host who did the scan was registered as ip_src0-3 and my box as
> ip_dst0-3, just the way I want it.
>
> But both telnet- and ftp-connections are logged the opposite way.
> Why...?
>
> /Johan
>
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users
--
Martin Roesch
roesch@md.prestige.net
http://www.snort.org
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
http://lists.sourceforge.net/mailman/listinfo/snort-users
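One way to recover the client->server direction Marty says could be added, as an illustration added here and not part of the thread or of Snort itself: a small tracker that remembers who sent the opening SYN of each TCP connection and labels any later packet, such as the telnet reply Johan saw logged with reversed addresses, as client->server or server->client next to the packet-level src/dst that Snort 1.6.3 writes into ip_src/ip_dst. The Packet record, DirectionTracker and its method names are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# Constructed packet records (not real captures) holding only the header
# fields the thread talks about. `flags` holds TCP flag names; empty for ICMP.
@dataclass(frozen=True)
class Packet:
    proto: str           # "TCP" or "ICMP"
    src: str
    sport: int           # unused for ICMP
    dst: str
    dport: int           # unused for ICMP
    flags: FrozenSet[str] = frozenset()


class DirectionTracker:
    """Remembers who sent the opening SYN of each TCP connection so an alert
    can be labelled client->server or server->client no matter which packet
    the rule matched on. Hypothetical helper, not a Snort component."""

    def __init__(self) -> None:
        self._clients: Dict[FrozenSet[Tuple[str, int]], Tuple[str, int]] = {}

    @staticmethod
    def _key(p: Packet) -> FrozenSet[Tuple[str, int]]:
        # Direction-agnostic key: identical for both halves of a conversation.
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def observe(self, p: Packet) -> None:
        # A SYN without ACK opens the connection, so its sender is the client.
        # A SYN+FIN scan packet lands here too, so the scanner is the client.
        if p.proto == "TCP" and "SYN" in p.flags and "ACK" not in p.flags:
            self._clients[self._key(p)] = (p.src, p.sport)

    def describe(self, p: Packet) -> dict:
        """Packet-level src/dst (what Snort 1.6.3 logs into ip_src/ip_dst)
        plus connection-level client and direction when the SYN was seen."""
        client: Optional[Tuple[str, int]] = None
        if p.proto == "TCP":
            client = self._clients.get(self._key(p))
        if client is None:
            direction = "unknown"         # no state: ICMP, or SYN never seen
        elif client == (p.src, p.sport):
            direction = "client->server"
        else:
            direction = "server->client"  # the rule matched on the reply
        return {"packet_src": p.src, "packet_dst": p.dst,
                "client": client[0] if client else None,
                "direction": direction}
```

Feeding the reply packet of a telnet session to describe() shows both views at once: packet_src is the server (what Snort logs) while client is the host that opened the connection.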