[Snort-users] snort doesn't write to mysql

permalink · #1 (**permalink**) 03-01-2004

This is a multi-part message in MIME format.

------_=_NextPart_001_01C3FF9D.37068D0A
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Hello.

I'm a newbie, but have checked the FAQs, done lots of searching, asked =
other linux-knowledgeable people, and I still can't figure this out. =
I've likely done something stupid - can anyone help me find it?

I'm running snort 2.1.0-2 on RedHat 9, with mysql, apache, php and acid. =
I have configured the output database line in snort.conf to point to the =
mysql database, but I see no sign that snort is even attempting to =
connect to the database. snort and snort-mysql are installed from the =
binary rpms available from snort.org;=20

[root@fsf052 snort]# rpm -qa |grep snort=20

snort-mysql-2.1.0-2=20

snort-2.1.0-2

snort appears to be using snort.conf;

ps -ef |grep snort

snort 3849 1 0 16:15 ? 00:00:00 /usr/sbin/snort -A fast -b -d -D -i eth0 =
-u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort

However, I added "output log_tcpdump: tcpdump.log" to the snort.conf and =
found no tcpdump.log when I restarted the service and ran the scanner =
against it. Just to be sure, I created the empty file, gave the snort =
user pemissions on it, restarted the service, and ran the scanner again =
- the file remained empty. Does this mean the output settings in =
snort.conf are being overridden or ignored?

It is running snort-mysql;

ls -l /usr/sbin |grep snort

lrwxrwxrwx 1 root root 21 Feb 20 10:37 snort -> /usr/sbin/snort-mysql

-rwxr-xr-x 1 root root 478797 Dec 20 05:22 snort-mysql

-rwxr-xr-x 1 root root 478268 Dec 20 05:28 snort-plain

Does anyone know how this version was compiled? Do I have to have the =
database in a specific location?

Thanks in advance for any help,

Pam

I'm including my scripts and config files, basically all default, sorry =
for the length of the e-mail, I've removed a lot of the commented stuff =
and examples to make it shorter. Note, my e-mail client is causing stuff =
to wrap - there are no carriage returns: =
__________________________________________________ _______________________=

/etc/init.d/snortd

#!/bin/sh

# $Id: snortd,v 1.17 2003/12/20 09:25:37 dwittenb Exp $

#

# snortd Start/Stop the snort IDS daemon.

#

# chkconfig: 2345 40 60

# description: snort is a lightweight network intrusion detection tool =
that \

# currently detects more than 1100 host and network \

# vulnerabilities, portscans, backdoors, and more.

#

# Source function library.

.. /etc/rc.d/init.d/functions

# Source the local configuration file

.. /etc/sysconfig/snort

# Convert the /etc/sysconfig/snort settings to something snort can # use =
on the startup line. if [ "$ALERTMODE"X =3D "X" ]; then

ALERTMODE=3D""

else

ALERTMODE=3D"-A $ALERTMODE"

fi

if [ "$USER"X =3D "X" ]; then

USER=3D"snort"

fi

if [ "$GROUP"X =3D "X" ]; then

GROUP=3D"snort"

fi

if [ "$BINARY_LOG"X =3D "1X" ]; then

BINARY_LOG=3D"-b"

else

BINARY_LOG=3D""

fi

if [ "$CONF"X =3D "X" ]; then

CONF=3D"-c /etc/snort/snort.conf"

else

CONF=3D"-c $CONF"

fi

if [ "$INTERFACE"X =3D "X" ]; then

INTERFACE=3D"-i eth0"

else=20

INTERFACE=3D"-i $INTERFACE"

fi

if [ "$DUMP_APP"X =3D "1X" ]; then

DUMP_APP=3D"-d"

else

DUMP_APP=3D""

fi=20

if [ "$NO_PACKET_LOG"X =3D "1X" ]; then

NO_PACKET_LOG=3D"-N"

else

NO_PACKET_LOG=3D""

fi=20

if [ "$PRINT_INTERFACE"X =3D "1X" ]; then

PRINT_INTERFACE=3D"-I"

else

PRINT_INTERFACE=3D""

fi

if [ "$PASS_FIRST"X =3D "1X" ]; then

PASS_FIRST=3D"-o"

else

PASS_FIRST=3D""

fi

if [ "$LOGDIR"X =3D "X" ]; then

LOGDIR=3D/var/log/snort

fi

=20

######################################

# Now to the real heart of the matter:

# See how we were called.

case "$1" in

start)

echo -n "Starting snort: "

cd $LOGDIR

if [ "$INTERFACE" =3D "-i ALL" ]; then

for i in `cd /proc/sys/net/ipv4/conf; ls -d eth* |sed s/"\/"//g`

do

mkdir -p "$LOGDIR/$i"

chown -R snort:snort $LOGDIR

daemon /usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP =
-D $PRINT_INTERFACE -i $i -u $USER -g $GROUP $CONF -l $LOGDIR/$i =
$PASS_FIRST

done

else

daemon /usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP =
-D $PRINT_INTERFACE $INTERFACE -u $USER -g $GROUP $CONF -l $LOGDIR =
$PASS_FIRST

fi

touch /var/lock/subsys/snort

echo

;;

stop)

echo -n "Stopping snort: "

killproc snort

rm -f /var/lock/subsys/snort

echo=20

;;

reload)

echo "Sorry, not implemented yet"

;;

restart)

$0 stop

$0 start

;;

condrestart)

[ -e /var/lock/subsys/snort ] && /etc/init.d/snortd restart

;;

status)

status snort

;;

*)

echo "Usage: $0 {start|stop|reload|restart|condrestart|status}"

exit 2

esac

exit 0

=20

__________________________________________________ _______________________=
__

/etc/sysconfig/snort

# /etc/sysconfig/snort

# $Id: snort.sysconfig,v 1.8 2003/09/19 05:18:12 dwittenb Exp $

=20

#### General Configuration

INTERFACE=3Deth0

CONF=3D/etc/snort/snort.conf

USER=3Dsnort

GROUP=3Dsnort

PASS_FIRST=3D0

#### Logging & Alerting

LOGDIR=3D/var/log/snort

ALERTMODE=3Dfast

DUMP_APP=3D1

BINARY_LOG=3D1

NO_PACKET_LOG=3D0

PRINT_INTERFACE=3D0

=20

__________________________________________________ ______________

/etc/snort/snort.conf (password/IP obscured)

#--------------------------------------------------

# http://www.snort.org <http://www.snort.org/> Snort 2.1.0 Ruleset

# Contact: snort-sigs@lists.sourceforge.net

#--------------------------------------------------

# $Id: snort.conf,v 1.133 2003/12/18 17:05:07 cazz Exp $

#

var HOME_NET x.x.x.0/xx

# Set up the external network addresses as well. A good start may be =
"any" var EXTERNAL_NET any

# List of DNS servers on your network=20

var DNS_SERVERS $HOME_NET

# List of SMTP servers on your network

var SMTP_SERVERS $HOME_NET

# List of web servers on your network

var HTTP_SERVERS $HOME_NET

# List of sql servers on your network=20

var SQL_SERVERS $HOME_NET

# List of telnet servers on your network

var TELNET_SERVERS $HOME_NET

# List of snmp servers on your network

var SNMP_SERVERS $HOME_NET

var HTTP_PORTS 80

# Ports you want to look for SHELLCODE on.

var SHELLCODE_PORTS !80

# Ports you do oracle attacks on

var ORACLE_PORTS 1521

# other variables

var AIM_SERVERS =
[64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,6=
4.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]

# Path to your rules files (this can be a relative path)

var RULE_PATH /etc/snort/rules

preprocessor frag2

# stream4: stateful inspection/stream reassembly for Snort

#----------------------------------------------------------------------

preprocessor stream4: disable_evasion_alerts

preprocessor stream4_reassemble

preprocessor http_inspect: global \

iis_unicode_map unicode.map 1252

preprocessor http_inspect_server: server default \

profile all \

ports { 80 8080 }

# rpc_decode: normalize RPC traffic

# ---------------------------------

preprocessor rpc_decode: 111 32771

# bo: Back Orifice detector

preprocessor bo

# telnet_decode: Telnet negotiation string normalizer

preprocessor telnet_decode

################################################## ##################

# Step #3: Configure output plugins

#

output database: log, mysql, user=3Dsnort password=3D******** =
dbname=3Dsnort host=3Dlocalhost

include classification.config

include reference.config

################################################## ##################

# Step #4: Customize your rule set

include $RULE_PATH/local.rules

include $RULE_PATH/bad-traffic.rules

include $RULE_PATH/exploit.rules

include $RULE_PATH/scan.rules

include $RULE_PATH/finger.rules

include $RULE_PATH/ftp.rules

include $RULE_PATH/telnet.rules

include $RULE_PATH/rpc.rules

include $RULE_PATH/rservices.rules

include $RULE_PATH/dos.rules

include $RULE_PATH/ddos.rules

include $RULE_PATH/dns.rules

include $RULE_PATH/tftp.rules

include $RULE_PATH/web-cgi.rules

include $RULE_PATH/web-coldfusion.rules

include $RULE_PATH/web-iis.rules

include $RULE_PATH/web-frontpage.rules

include $RULE_PATH/web-misc.rules

include $RULE_PATH/web-client.rules

include $RULE_PATH/web-php.rules

include $RULE_PATH/sql.rules

include $RULE_PATH/x11.rules

include $RULE_PATH/icmp.rules

include $RULE_PATH/netbios.rules

include $RULE_PATH/misc.rules

include $RULE_PATH/attack-responses.rules

include $RULE_PATH/oracle.rules

include $RULE_PATH/mysql.rules

include $RULE_PATH/snmp.rules

include $RULE_PATH/smtp.rules

include $RULE_PATH/imap.rules

include $RULE_PATH/pop2.rules

include $RULE_PATH/pop3.rules

include $RULE_PATH/nntp.rules

include $RULE_PATH/other-ids.rules

include $RULE_PATH/experimental.rules

# Include any thresholding or suppression commands

include threshold.conf

------_=_NextPart_001_01C3FF9D.37068D0A
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><HTML =
DIR=3Dltr><HEAD><META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Diso-8859-1"></HEAD><BODY><DIV>=0A=
Hello.=0A=
I'm a newbie, but have checked the FAQs, done lots of searching, =
asked other =0A=
linux-knowledgeable people, and I still can't figure this out. I've =
likely done =0A=
something stupid - can anyone help me find it?=0A=
I'm running snort 2.1.0-2 on RedHat 9, with mysql, apache, php and =
acid. I =0A=
have configured the output database line in snort.conf to point to the =
mysql =0A=
database, but I see no sign that snort is even attempting to connect to =
the =0A=
database. snort and snort-mysql are installed from the binary rpms =
available =0A=
from snort.org; =0A=
[root@fsf052 snort]# rpm -qa |grep snort =0A=
snort-mysql-2.1.0-2 =0A=
snort-2.1.0-2=0A=
snort appears to be using snort.conf;=0A=
ps -ef |grep snort=0A=
snort 3849 1 0 16:15 ? 00:00:00 /usr/sbin/snort -A fast -b -d -D -i =
eth0 -u =0A=
snort -g snort -c /etc/snort/snort.conf -l /var/log/snort=0A=
However, I added "output log_tcpdump: tcpdump.log" to the snort.conf =
and =0A=
found no tcpdump.log when I restarted the service and ran the scanner =
against =0A=
it. Just to be sure, I created the empty file, gave the snort user =
pemissions on =0A=
it, restarted the service, and ran the scanner again - the file remained =
empty. =0A=
Does this mean the output settings in snort.conf are being overridden or =0A=
ignored?=0A=
It is running snort-mysql;=0A=
ls -l /usr/sbin |grep snort=0A=
lrwxrwxrwx 1 root root 21 Feb 20 10:37 snort -> =
/usr/sbin/snort-mysql=0A=
-rwxr-xr-x 1 root root 478797 Dec 20 05:22 snort-mysql=0A=
-rwxr-xr-x 1 root root 478268 Dec 20 05:28 snort-plain=0A=
Does anyone know how this version was compiled? Do I have to have the =0A=
database in a specific location?=0A=
Thanks in advance for any help,=0A=
Pam=0A=
I'm including my scripts and config files, basically all default, =
sorry for =0A=
the length of the e-mail, I've removed a lot of the commented stuff and =
examples =0A=
to make it shorter. Note, my e-mail client is causing stuff to wrap - =
there are =0A=
no carriage returns: =0A=
__________________________________________________ _______________________=
=0A=
/etc/init.d/snortd=0A=
#!/bin/sh=0A=
# $Id: snortd,v 1.17 2003/12/20 09:25:37 dwittenb Exp $=0A=
#=0A=
# snortd Start/Stop the snort IDS daemon.=0A=
#=0A=
# chkconfig: 2345 40 60=0A=
# description: snort is a lightweight network intrusion detection =
tool that =0A=
\=0A=
# currently detects more than 1100 host and network \=0A=
# vulnerabilities, portscans, backdoors, and more.=0A=
#=0A=
# Source function library.=0A=
. /etc/rc.d/init.d/functions=0A=
# Source the local configuration file=0A=
. /etc/sysconfig/snort=0A=
# Convert the /etc/sysconfig/snort settings to something snort can # =
use on =0A=
the startup line. if [ "$ALERTMODE"X =3D "X" ]; then=0A=
ALERTMODE=3D""=0A=
else=0A=
ALERTMODE=3D"-A $ALERTMODE"=0A=
fi=0A=
if [ "$USER"X =3D "X" ]; then=0A=
USER=3D"snort"=0A=
fi=0A=
if [ "$GROUP"X =3D "X" ]; then=0A=
GROUP=3D"snort"=0A=
fi=0A=
if [ "$BINARY_LOG"X =3D "1X" ]; then=0A=
BINARY_LOG=3D"-b"=0A=
else=0A=
BINARY_LOG=3D""=0A=
fi=0A=
if [ "$CONF"X =3D "X" ]; then=0A=
CONF=3D"-c /etc/snort/snort.conf"=0A=
else=0A=
CONF=3D"-c $CONF"=0A=
fi=0A=
if [ "$INTERFACE"X =3D "X" ]; then=0A=
INTERFACE=3D"-i eth0"=0A=
else =0A=
INTERFACE=3D"-i $INTERFACE"=0A=
fi=0A=
if [ "$DUMP_APP"X =3D "1X" ]; then=0A=
DUMP_APP=3D"-d"=0A=
else=0A=
DUMP_APP=3D""=0A=
fi =0A=
if [ "$NO_PACKET_LOG"X =3D "1X" ]; then=0A=
NO_PACKET_LOG=3D"-N"=0A=
else=0A=
NO_PACKET_LOG=3D""=0A=
fi =0A=
if [ "$PRINT_INTERFACE"X =3D "1X" ]; then=0A=
PRINT_INTERFACE=3D"-I"=0A=
else=0A=
PRINT_INTERFACE=3D""=0A=
fi=0A=
if [ "$PASS_FIRST"X =3D "1X" ]; then=0A=
PASS_FIRST=3D"-o"=0A=
else=0A=
PASS_FIRST=3D""=0A=
fi=0A=
if [ "$LOGDIR"X =3D "X" ]; then=0A=
LOGDIR=3D/var/log/snort=0A=
fi=0A=
 =0A=
######################################=0A=
# Now to the real heart of the matter:=0A=
# See how we were called.=0A=
case "$1" in=0A=
start)=0A=
echo -n "Starting snort: "=0A=
cd $LOGDIR=0A=
if [ "$INTERFACE" =3D "-i ALL" ]; then=0A=
for i in `cd /proc/sys/net/ipv4/conf; ls -d eth* |sed s/"\/"//g`=0A=
do=0A=
mkdir -p "$LOGDIR/$i"=0A=
chown -R snort:snort $LOGDIR=0A=
daemon /usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG =
$DUMP_APP -D =0A=
$PRINT_INTERFACE -i $i -u $USER -g $GROUP $CONF -l $LOGDIR/$i =
$PASS_FIRST=0A=
done=0A=
else=0A=
daemon /usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG =
$DUMP_APP -D =0A=
$PRINT_INTERFACE $INTERFACE -u $USER -g $GROUP $CONF -l $LOGDIR =
$PASS_FIRST=0A=
fi=0A=
touch /var/lock/subsys/snort=0A=
echo=0A=
;;=0A=
stop)=0A=
echo -n "Stopping snort: "=0A=
killproc snort=0A=
rm -f /var/lock/subsys/snort=0A=
echo =0A=
;;=0A=
reload)=0A=
echo "Sorry, not implemented yet"=0A=
;;=0A=
restart)=0A=
$0 stop=0A=
$0 start=0A=
;;=0A=
condrestart)=0A=
[ -e /var/lock/subsys/snort ] && /etc/init.d/snortd =
restart=0A=
;;=0A=
status)=0A=
status snort=0A=
;;=0A=
*)=0A=
echo "Usage: $0 {start|stop|reload|restart|condrestart|status}"=0A=
exit 2=0A=
esac=0A=
exit 0=0A=
 =0A=
_______________________________________________ _______________________=
_____=0A=
/etc/sysconfig/snort=0A=
# /etc/sysconfig/snort=0A=
# $Id: snort.sysconfig,v 1.8 2003/09/19 05:18:12 dwittenb Exp $=0A=
 =0A=
#### General Configuration=0A=
INTERFACE=3Deth0=0A=
CONF=3D/etc/snort/snort.conf=0A=
USER=3Dsnort=0A=
GROUP=3Dsnort=0A=
PASS_FIRST=3D0=0A=
#### Logging & Alerting=0A=
LOGDIR=3D/var/log/snort=0A=
ALERTMODE=3Dfast=0A=
DUMP_APP=3D1=0A=
BINARY_LOG=3D1=0A=
NO_PACKET_LOG=3D0=0A=
PRINT_INTERFACE=3D0=0A=
 =0A=
_______________________________________________ _________________=0A=
/etc/snort/snort.conf (password/IP obscured)=0A=
#--------------------------------------------------=0A=
# <A href=3D"http://www.snort.org/">http://www.snort.org</A> Snort 2.1.0 =
Ruleset=0A=
# Contact: snort-sigs@lists.sourceforge.net=0A=
#--------------------------------------------------=0A=
# $Id: snort.conf,v 1.133 2003/12/18 17:05:07 cazz Exp $=0A=
#=0A=
var HOME_NET x.x.x.0/xx=0A=
# Set up the external network addresses as well. A good start may be =
"any" =0A=
var EXTERNAL_NET any=0A=
# List of DNS servers on your network =0A=
var DNS_SERVERS $HOME_NET=0A=
# List of SMTP servers on your network=0A=
var SMTP_SERVERS $HOME_NET=0A=
# List of web servers on your network=0A=
var HTTP_SERVERS $HOME_NET=0A=
# List of sql servers on your network =0A=
var SQL_SERVERS $HOME_NET=0A=
# List of telnet servers on your network=0A=
var TELNET_SERVERS $HOME_NET=0A=
# List of snmp servers on your network=0A=
var SNMP_SERVERS $HOME_NET=0A=
var HTTP_PORTS 80=0A=
# Ports you want to look for SHELLCODE on.=0A=
var SHELLCODE_PORTS !80=0A=
# Ports you do oracle attacks on=0A=
var ORACLE_PORTS 1521=0A=
# other variables=0A=
var AIM_SERVERS =0A=
[64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,6=
4.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]=0A=
# Path to your rules files (this can be a relative path)=0A=
var RULE_PATH /etc/snort/rules=0A=
preprocessor frag2=0A=
# stream4: stateful inspection/stream reassembly for Snort=0A=
#---------------------------------------------------------------------=
-=0A=
preprocessor stream4: disable_evasion_alerts=0A=
preprocessor stream4_reassemble=0A=
preprocessor http_inspect: global \=0A=
iis_unicode_map unicode.map 1252=0A=
preprocessor http_inspect_server: server default \=0A=
profile all \=0A=
ports { 80 8080 }=0A=
# rpc_decode: normalize RPC traffic=0A=
# ---------------------------------=0A=
preprocessor rpc_decode: 111 32771=0A=
# bo: Back Orifice detector=0A=
preprocessor bo=0A=
# telnet_decode: Telnet negotiation string normalizer=0A=
preprocessor telnet_decode=0A=
############################################### #####################</=
P>=0A=
# Step #3: Configure output plugins=0A=
#=0A=
output database: log, mysql, user=3Dsnort password=3D******** =
dbname=3Dsnort =0A=
host=3Dlocalhost=0A=
include classification.config=0A=
include reference.config=0A=
############################################### #####################</=
P>=0A=
# Step #4: Customize your rule set=0A=
include $RULE_PATH/local.rules=0A=
include $RULE_PATH/bad-traffic.rules=0A=
include $RULE_PATH/exploit.rules=0A=
include $RULE_PATH/scan.rules=0A=
include $RULE_PATH/finger.rules=0A=
include $RULE_PATH/ftp.rules=0A=
include $RULE_PATH/telnet.rules=0A=
include $RULE_PATH/rpc.rules=0A=
include $RULE_PATH/rservices.rules=0A=
include $RULE_PATH/dos.rules=0A=
include $RULE_PATH/ddos.rules=0A=
include $RULE_PATH/dns.rules=0A=
include $RULE_PATH/tftp.rules=0A=
include $RULE_PATH/web-cgi.rules=0A=
include $RULE_PATH/web-coldfusion.rules=0A=
include $RULE_PATH/web-iis.rules=0A=
include $RULE_PATH/web-frontpage.rules=0A=
include $RULE_PATH/web-misc.rules=0A=
include $RULE_PATH/web-client.rules=0A=
include $RULE_PATH/web-php.rules=0A=
include $RULE_PATH/sql.rules=0A=
include $RULE_PATH/x11.rules=0A=
include $RULE_PATH/icmp.rules=0A=
include $RULE_PATH/netbios.rules=0A=
include $RULE_PATH/misc.rules=0A=
include $RULE_PATH/attack-responses.rules=0A=
include $RULE_PATH/oracle.rules=0A=
include $RULE_PATH/mysql.rules=0A=
include $RULE_PATH/snmp.rules=0A=
include $RULE_PATH/smtp.rules=0A=
include $RULE_PATH/imap.rules=0A=
include $RULE_PATH/pop2.rules=0A=
include $RULE_PATH/pop3.rules=0A=
include $RULE_PATH/nntp.rules=0A=
include $RULE_PATH/other-ids.rules=0A=
include $RULE_PATH/experimental.rules=0A=
# Include any thresholding or suppression commands=0A=
include threshold.conf</DIV></BODY></HTML>
------_=_NextPart_001_01C3FF9D.37068D0A--

-------------------------------------------------------
SF.Net is sponsored by: Speed Start Your Linux Apps Now.
Build and deploy apps & Web services for Linux with
a free DVD software kit from IBM. Click Now!
http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode