From: Bruno G. San Alejo <bgonzalez@po...> - 2009-02-20 10:24:51
Hi everyone, I'm a newbie with Snort and Base. I have some ICMP
redirect packets that, once I convert the payload to pcap and watch them in
Wireshark, have a gateway IP different from the one that Base shows.
Here is the deal: Base gets the gateway with:
$gateway = hexdec($work[16+$offset].$work[17+$offset]).".".
"work" here is the payload that Base gets from the DB in the table
"data" from the field "data_payload". And the problem is that I don't
know how Snort is logging the packet into the DB.
In the end, the problem is that the gateway's IP is different in the
packet (in Wireshark) and in the info Base displays, and I would like
to know whether I'm missing out on something or this is a known "feature"
(Google is not showing much about this issue).
I have seen the code for Base and the DB schema, and the whole
problem at the code level is that I just don't know how the info is put
into the DB by Snort. I'm looking into that, but it's going to take me a
while until I figure out how that thing works.
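As an added worked example (it is not code from the post, from BASE or from Snort): a small Python decoder for an ICMP redirect stored the way the post describes, as a string of two hex digits per byte. Per RFC 792 the redirect's gateway address is bytes 4-7 of the ICMP header, i.e. hex characters 8-15 if the string starts at the ICMP type byte, and the embedded original IP header starts at byte 8. The sample packet is constructed here with a valid checksum; where Snort's data_payload string actually starts is an assumption, so the parser takes a byte offset (`start`) rather than hard-coding one. `ip_at_hex_index` mimics a decoder that reads four hex pairs at a fixed character index, and shows how a mis-aligned index yields an address that is well-formed but wrong (in this sample it lands on the embedded IP header's first four bytes).

```python
import struct
import ipaddress


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_redirect(gateway: str, inner_src: str, inner_dst: str) -> bytes:
    """Build a well-formed ICMP Redirect (type 5, code 1 = redirect for host).

    The embedded datagram is a minimal 20-byte IPv4 header plus the first
    8 bytes of its payload, as RFC 792 requires. Constructed sample data,
    not a capture from the original post.
    """
    inner_ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 28, 0x1234, 0x4000, 64, 1, 0,   # v4/IHL5, len 28, DF, TTL 64, ICMP
        ipaddress.IPv4Address(inner_src).packed,
        ipaddress.IPv4Address(inner_dst).packed,
    )
    inner_payload = struct.pack("!BBHHH", 8, 0, 0, 1, 1)  # echo-request stub
    body = ipaddress.IPv4Address(gateway).packed + inner_ip + inner_payload
    cksum = icmp_checksum(struct.pack("!BBH", 5, 1, 0) + body)
    return struct.pack("!BBH", 5, 1, cksum) + body


def parse_icmp_redirect(hex_payload: str, start: int = 0) -> dict:
    """Decode an ICMP Redirect from a hex string of the packet bytes.

    `start` is the byte index at which the ICMP header begins inside the
    stored bytes (assumption: 0 when the string begins at the ICMP type
    byte; larger if headers precede it). Verifies the checksum and pulls
    the gateway plus the key fields of the embedded IP header.
    """
    raw = bytes.fromhex(hex_payload)[start:]
    if len(raw) < 8 + 20:
        raise ValueError("too short for an ICMP redirect with an embedded IP header")
    icmp_type, code, _ = struct.unpack("!BBH", raw[:4])
    if icmp_type != 5:
        raise ValueError("not an ICMP redirect (type %d)" % icmp_type)
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[8:28])
    return {
        "code": code,
        "checksum_ok": icmp_checksum(raw) == 0,   # full message sums to zero when intact
        "gateway": str(ipaddress.IPv4Address(raw[4:8])),
        "inner_version": ver_ihl >> 4,
        "inner_ihl": ver_ihl & 0xF,
        "inner_proto": proto,
        "inner_src": str(ipaddress.IPv4Address(src)),
        "inner_dst": str(ipaddress.IPv4Address(dst)),
    }


def ip_at_hex_index(hex_payload: str, idx: int) -> str:
    """Read four byte-pairs of hex characters starting at string index `idx`
    as a dotted IPv4 address, the way a decoder that indexes the hex string
    by character rather than parsing the packet would. Any index that is
    off by a few bytes still returns a plausible-looking address."""
    octets = [int(hex_payload[i:i + 2], 16) for i in range(idx, idx + 8, 2)]
    return ".".join(str(o) for o in octets)


# Constructed sample: redirect to 192.168.1.1 for a 192.168.1.100 -> 10.0.0.1 datagram.
SAMPLE_HEX = build_icmp_redirect("192.168.1.1", "192.168.1.100", "10.0.0.1").hex()

if __name__ == "__main__":
    print(parse_icmp_redirect(SAMPLE_HEX))
    print("gateway read at char 8 :", ip_at_hex_index(SAMPLE_HEX, 8))
    print("gateway read at char 16:", ip_at_hex_index(SAMPLE_HEX, 16))
```

To check a real event, pull data_payload for the alert and compare `parse_icmp_redirect(payload)["gateway"]` against what Wireshark shows; if they disagree, try a non-zero `start` until the checksum verifies, which tells you where in the stored bytes the ICMP header actually begins.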