This is a discussion on RE: [Snort-users] Come hither payload--->>>Fixed within the Snort forums, part of the System Security and Security Related category.
My sensor table got whacked somehow. The encoding field values were all NULL. They needed to be set to 0, or 1, or 2 based upon type of encoding. All fixed. Just an FYI for anyone that may encounter the same problem.

-----Original Message-----
From: snort-users-admin@lists.sourceforge.net [mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of Gould, Scott
Sent: Friday, May 21, 2004 1:27 AM
To: Gould, Scott; snort-users@lists.sourceforge.net
Subject: RE: [Snort-users] Come hither payload

One other note to add: queries via ACID against payload data return successfully, but still not showing any displayed payload data in the web page. I'm stumped.

-----Original Message-----
From: snort-users-admin@lists.sourceforge.net [mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of Gould, Scott
Sent: Friday, May 21, 2004 1:17 AM
To: snort-users@lists.sourceforge.net
Subject: [Snort-users] Come hither payload

OK, here's the deal:

RH EL 3 Update 1
Snort 2.1.2
Using unified_log
Acid (latest)
Barnyard 0.2
Processing *.log.<stamp> files with no problems
Apache 2.0.49
PHP 4.3.3

Everything working like a champ except the payloads don't show up in ACID.

Result of grep against ACID install directory for data_payload:

acid_action.inc: $sql = "SELECT data_payload FROM data WHERE sid='$sid' AND cid='$cid'";
acid_action.inc: $sql = "INSERT INTO data (sid,cid, data_payload) VALUES ".
acid_common.php: $sql2 = "SELECT data_payload FROM data WHERE sid='".$sid."' AND cid='".$cid."'";
acid_qry_alert.php: $sql2 = "SELECT data_payload FROM data WHERE sid='".$sid."' AND cid='".$cid."'";
acid_qry_common.php: $tmp = $field[$i][0]." data_payload ".$field[$i][1]." '%".FormatPayload($field[$i][2], $data_encode).

So, the queries are in the ACID code. I have confirmed the existence of the payload info in the mysql db via direct queries against the mysql db as the same user that ACID uses to access the db, using mysql tools.

There is no doubt that the table "data" is populated with data in the fields sid, cid, and data_payload. Data is flowing AOK from snort->unified log file->barnyard->mysqldb. Yet ACID doesn't show a payload for anything.

Any ideas?

-------------------------------------------------------
This SF.Net email is sponsored by: Oracle 10g
Get certified on the hottest thing ever to hit the market... Oracle 10g. Take an Oracle 10g class now, and we'll give you the exam FREE.
http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users
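The fix described at the top of the thread (sensor.encoding left NULL, so ACID cannot decode the stored payloads), as an added example that is not part of the original messages: a script that finds sensor rows with a NULL encoding, infers how that sensor's payloads in the data table are stored, and sets the value. It assumes the 0/1/2 codes mean hex, base64 and ascii as in Snort's database output plugin (verify against your schema), uses a constructed in-memory SQLite copy of the sensor and data tables instead of the MySQL database, and the hex/base64 detection is a heuristic.

```python
import re
import sqlite3

# Encoding codes as written by Snort's database output plugin.
# Assumption: 0 = hex, 1 = base64, 2 = ascii; check your schema docs.
ENC_HEX, ENC_BASE64, ENC_ASCII = 0, 1, 2

HEX_RE = re.compile(r"^[0-9A-Fa-f]*$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def guess_encoding(payloads):
    """Heuristic: infer how a sensor's stored payloads are encoded.
    Hex is tested first because a short hex string also looks like base64."""
    if all(HEX_RE.match(p) and len(p) % 2 == 0 for p in payloads):
        return ENC_HEX
    if all(B64_RE.match(p) and len(p) % 4 == 0 for p in payloads):
        return ENC_BASE64
    return ENC_ASCII


def repair_null_encodings(conn):
    """Set sensor.encoding where it is NULL, based on that sensor's payloads.
    Returns {sid: chosen_encoding}; sensors with no payload rows are skipped
    because there is nothing to infer the encoding from."""
    cur = conn.cursor()
    fixes = {}
    for (sid,) in cur.execute("SELECT sid FROM sensor WHERE encoding IS NULL").fetchall():
        rows = cur.execute("SELECT data_payload FROM data WHERE sid=?", (sid,)).fetchall()
        if not rows:
            continue
        enc = guess_encoding([r[0] for r in rows])
        cur.execute("UPDATE sensor SET encoding=? WHERE sid=? AND encoding IS NULL", (enc, sid))
        fixes[sid] = enc
    conn.commit()
    return fixes


def demo():
    """Constructed sample: two sensors with NULL encoding, one already set."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE sensor (sid INTEGER PRIMARY KEY, hostname TEXT, encoding INTEGER);
        CREATE TABLE data (sid INTEGER, cid INTEGER, data_payload TEXT);
        INSERT INTO sensor VALUES (1, 'sensor-a', NULL), (2, 'sensor-b', NULL), (3, 'sensor-c', 2);
        INSERT INTO data VALUES (1, 1, '474554202f20485454502f312e30'),
                                (1, 2, '48656c6c6f'),
                                (2, 1, 'R0VUIC8gSFRUUC8xLjA='),
                                (3, 1, 'GET / HTTP/1.0');
    """)
    return repair_null_encodings(conn), conn
```

Run the SELECT in repair_null_encodings() first by itself to see how many sensors are affected before letting the UPDATE touch a production database.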