Snort.org home  
Got Source? About Snort About Sourcefire Snort FAQ
Sourcefire Network Security - the creators of Snort
Snort News Downloads Snort Docs Rules Snort Community Snort Forums Snort Training
Search Site
Search Rules
Account
email
password
not registered?
user preferences

Snort Forums Archive

Archive Home » Third Party Tools » TCP options missing from barnyard output

Please note that the categories listed below represent an archived version of our forums pages. To view the current version and be able to post and reply to threads, please register and login here to go to the full forums pages.

[ Notice: Full Version of This Topic ]

TCP options missing from barnyard output


Posted by tag on March 17, 2005 12:55:12

I came across this while benchmark testing a new configuration. Old - FreeBSD 5.2.1, snort 2.2.0, snort native mysql output. New - Fedora 3, snort 2.3.2 Barnyard 0.2.0 -> mysql. I configured an identical monitor port on the switch for both systems and have been watching the results from both to compare reliability and accuracy.

Snort and barnyard are working as expected (I do get full packet decodes) however, when viewing alerts in either acid or base the TCP options do not show up in packets . . .

Old system's alert:

#(10 - 466) [2005-03-17 15:17:23] [arachNIDS/30] [snort/1228] SCAN nmap XMAS
IPv4: a.b.c.d -> w.x.y.z
hlen=5 TOS=0 dlen=60 ID=23388 flags=0 offset=0 TTL=45 chksum=14903
TCP: port=43421 -> dport: 20 flags=**U*P**F seq=1983509359
ack=0 off=10 res=0 win=1024 urp=0 chksum=47497
Options:
#1 - WS len=1 data=0A
#2 - NOP len=0
#3 - MSS len=2 data=0109
#4 - TS len=8 data=3F3F3F3F00000000
#5 - EOL len=0
Payload: none

New system's alert:

#(34 - 8) [2005-03-17 15:17:21] [arachNIDS/30] [snort/1228] SCAN nmap XMAS
IPv4: a.b.c.d -> w.x.y.z
hlen=5 TOS=0 dlen=60 ID=23388 flags=0 offset=0 TTL=45 chksum=14903
TCP: port=43421 -> dport: 20 flags=**U*P**F seq=1983509359
ack=0 off=10 res=0 win=1024 urp=0 chksum=47497
Payload: none

Anyone else seen this?

Posted by flyguy on April 27, 2005 23:52:33

Well i have the same prob .. Only unified alert files contain all that info! and it seems barnyard can only process unified log files. Well i hope someome cam explain this.

Posted by flyguy on May 04, 2005 11:17:26

Oopps made a mistake in my previous post ...Only Unified Log Record contains complete packet info including alert data. Still TCP options missing! i guess unified records don't include those TCP data!

site feedback | Terms of Use | Privacy Policy | forum archives ©2007 Snort and Sourcefire are registered trademarks of Sourcefire, Inc. All rights reserved.