Making Snort Work with MySQL
173
The first command sends an ICMP echo packet with the don't fragment (DF) bit
set and thus triggers the second rule. The second command sends an ICMP packet with
Loose Source Record Routing (lsrr) option set, which triggers the first rule. Both of
these commands create alert messages. The alert messages are recorded in the database
as you can see in different tables. For example, the icmphdr table contains ICMP head
ers corresponding to these alert messages.
mysql> select * from icmphdr;
+ + + + + + + +
| sid | cid | icmp_type | icmp_code | icmp_csum | icmp_id | icmp_seq |
+ + + + + + + +
| 1 | 1 | 8 | 0 | 18780 | NULL | NULL |
| 1 | 2 | 0 | 0 | 20828 | NULL | NULL |
| 1 | 3 | 8 | 0 | 18524 | NULL | NULL |
+ + + + + + + +
3 rows in set (0.00 sec)
mysql>
In the output of the select command, different fields of the ICMP header are
present, including ICMP type and ICMP code. The signature table contains messages
and other options from these messages as shown below:
mysql> select * from signature;
+ + + + + +
+
| sig_id | sig_name | sig_class_id | sig_priority | sig_rev |
sig_sid |
+ + + + + +
+
| 1 | Dont Fragment bit set | 0 | NULL | NULL |
NULL |
| 2 | LSRR Options set | 0 | NULL | NULL |
NULL |
+ + + + + +
+
2 rows in set (0.00 sec)
mysql>
Note that the sig_name field in the signature table contains the same information
as you used in the msg part of the two Snort rules defined earlier. You can test other
tables as well. When you go to the next chapter and start using ACID, you will find out
that you don't need to use the command line mysql client anymore. ACID provides a
web interface that can be used to view and manage tables on a web browser.
footer
Our partners:
PHP: Hypertext Preprocessor Cheap Web Hosting
JSP Web Hosting
Ontario Web Hosting
Jsp Web Hosting
Cheapest Web Hosting
Java Hosting
Cheapest Hosting
Visionwebhosting.net Business web hosting division of Vision Web Hosting Inc.. All rights reserved