I have a Windows 2003 Server Standard machine set up with the latest (as of Dec 1) version of Snort, PHP, adodb, MS SQL, and BASE running on IIS6. BASE only displays a maximum of 127.5 bytes of the payload. However, all the data gets added to the MS SQL database, but BASE only displays 127.5 max always. I have looked on the internet and found this:
"Looking at the database and the code, I see that the data field is 8000 characters. When the payload is printed out, depending on how it is encoded, it could be divided by 2. Since the longest payload I currently see is 127.5 and that is exactly half of 255, I'm assuming somewhere within the code the 8000 character data field is being stored in a 255 character storage data item. I'm still hunting for that but if anyone knows where that could be, please let me know. "
"We're in the process of upgrading from ACID to BASE, and are experiencing exactly the same problem, but in BASE (not ACID) - payload display maxes out after 128 bytes, which makes inspecting triggered alarms nigh impossible.
When we check the contents of the database, the data is actually all there - it's just BASE that seems to be cutting off anything larger than 128 bytes. "
I really wanted to get Snort working 100% on a Windows box. By the way, I am using MS SQL 2000. Does anybody have any ideas as to how I could get the full payload to display?