
[Snort-users] snort doesn't write to mysql



03-01-2004
Ochs, Pamela T [Contr
Hello.

I'm a newbie, but have checked the FAQs, done lots of searching, asked other
linux-knowledgeable people, and I still can't figure this out. I've likely
done something stupid - can anyone help me find it?

I'm running snort 2.1.0-2 on RedHat 9, with mysql, apache, php and acid. I
have configured the output database line in snort.conf to point to the mysql
database, but I see no sign that snort is even attempting to connect to the
database.
snort and snort-mysql are installed from the binary rpms available from
snort.org;
[root@fsf052 snort]# rpm -qa |grep snort
snort-mysql-2.1.0-2
snort-2.1.0-2

snort appears to be using snort.conf;
ps -ef |grep snort
snort 3849 1 0 16:15 ? 00:00:00 /usr/sbin/snort -A fast -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort

However, I added "output log_tcpdump: tcpdump.log" to the snort.conf and
found no tcpdump.log when I restarted the service and ran the scanner
against it. Just to be sure, I created the empty file, gave the snort user
permissions on it, restarted the service, and ran the scanner again - the
file remained empty. Does this mean the output settings in snort.conf are
being overridden or ignored?

It is running snort-mysql;
ls -l /usr/sbin |grep snort
lrwxrwxrwx 1 root root 21 Feb 20 10:37 snort -> /usr/sbin/snort-mysql
-rwxr-xr-x 1 root root 478797 Dec 20 05:22 snort-mysql
-rwxr-xr-x 1 root root 478268 Dec 20 05:28 snort-plain

Does anyone know how this version was compiled? Do I have to have the
database in a specific location?

Thanks in advance for any help,
Pam

I'm including my scripts and config files, basically all default, sorry for
the length of the e-mail, I've removed a lot of the commented stuff and
examples to make it shorter. Note, my e-mail client is causing stuff to
wrap - there are no carriage returns:
_________________________________________________________________________
/etc/init.d/snortd

#!/bin/sh
# $Id: snortd,v 1.17 2003/12/20 09:25:37 dwittenb Exp $
#
# snortd Start/Stop the snort IDS daemon.
#
# chkconfig: 2345 40 60
# description: snort is a lightweight network intrusion detection tool that \
#              currently detects more than 1100 host and network \
#              vulnerabilities, portscans, backdoors, and more.
#

# Source function library.
. /etc/rc.d/init.d/functions

# Source the local configuration file
. /etc/sysconfig/snort

# Convert the /etc/sysconfig/snort settings to something snort can
# use on the startup line.
if [ "$ALERTMODE"X = "X" ]; then
ALERTMODE=""
else
ALERTMODE="-A $ALERTMODE"
fi

if [ "$USER"X = "X" ]; then
USER="snort"
fi

if [ "$GROUP"X = "X" ]; then
GROUP="snort"
fi

if [ "$BINARY_LOG"X = "1X" ]; then
BINARY_LOG="-b"
else
BINARY_LOG=""
fi

if [ "$CONF"X = "X" ]; then
CONF="-c /etc/snort/snort.conf"
else
CONF="-c $CONF"
fi

if [ "$INTERFACE"X = "X" ]; then
INTERFACE="-i eth0"
else
INTERFACE="-i $INTERFACE"
fi

if [ "$DUMP_APP"X = "1X" ]; then
DUMP_APP="-d"
else
DUMP_APP=""
fi

if [ "$NO_PACKET_LOG"X = "1X" ]; then
NO_PACKET_LOG="-N"
else
NO_PACKET_LOG=""
fi

if [ "$PRINT_INTERFACE"X = "1X" ]; then
PRINT_INTERFACE="-I"
else
PRINT_INTERFACE=""
fi

if [ "$PASS_FIRST"X = "1X" ]; then
PASS_FIRST="-o"
else
PASS_FIRST=""
fi

if [ "$LOGDIR"X = "X" ]; then
LOGDIR=/var/log/snort
fi


######################################
# Now to the real heart of the matter:

# See how we were called.
case "$1" in
start)
echo -n "Starting snort: "
cd $LOGDIR
if [ "$INTERFACE" = "-i ALL" ]; then
for i in `cd /proc/sys/net/ipv4/conf; ls -d eth* |sed s/"\/"//g`
do
mkdir -p "$LOGDIR/$i"
chown -R snort:snort $LOGDIR
daemon /usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG \
    $DUMP_APP -D $PRINT_INTERFACE -i $i -u $USER -g $GROUP $CONF -l $LOGDIR/$i \
    $PASS_FIRST
done
else
daemon /usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG \
    $DUMP_APP -D $PRINT_INTERFACE $INTERFACE -u $USER -g $GROUP $CONF -l $LOGDIR \
    $PASS_FIRST
fi
touch /var/lock/subsys/snort
echo
;;
stop)
echo -n "Stopping snort: "
killproc snort
rm -f /var/lock/subsys/snort
echo
;;
reload)
echo "Sorry, not implemented yet"
;;
restart)
$0 stop
$0 start
;;
condrestart)
[ -e /var/lock/subsys/snort ] && /etc/init.d/snortd restart
;;
status)
status snort
;;
*)
echo "Usage: $0 {start|stop|reload|restart|condrestart|status}"
exit 2
esac

exit 0


___________________________________________________________________________
/etc/sysconfig/snort

# /etc/sysconfig/snort
# $Id: snort.sysconfig,v 1.8 2003/09/19 05:18:12 dwittenb Exp $


#### General Configuration

INTERFACE=eth0
CONF=/etc/snort/snort.conf
USER=snort
GROUP=snort
PASS_FIRST=0

#### Logging & Alerting

LOGDIR=/var/log/snort
ALERTMODE=fast
DUMP_APP=1
BINARY_LOG=1
NO_PACKET_LOG=0
PRINT_INTERFACE=0


________________________________________________________________
/etc/snort/snort.conf (password/IP obscured)

#--------------------------------------------------
# http://www.snort.org Snort 2.1.0 Ruleset
# Contact: snort-sigs@lists.sourceforge.net
#--------------------------------------------------
# $Id: snort.conf,v 1.133 2003/12/18 17:05:07 cazz Exp $
#

var HOME_NET x.x.x.0/xx

# Set up the external network addresses as well. A good start may be "any"
var EXTERNAL_NET any

# List of DNS servers on your network
var DNS_SERVERS $HOME_NET

# List of SMTP servers on your network
var SMTP_SERVERS $HOME_NET

# List of web servers on your network
var HTTP_SERVERS $HOME_NET

# List of sql servers on your network
var SQL_SERVERS $HOME_NET

# List of telnet servers on your network
var TELNET_SERVERS $HOME_NET

# List of snmp servers on your network
var SNMP_SERVERS $HOME_NET

var HTTP_PORTS 80

# Ports you want to look for SHELLCODE on.
var SHELLCODE_PORTS !80

# Ports you do oracle attacks on
var ORACLE_PORTS 1521

# other variables
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]

# Path to your rules files (this can be a relative path)
var RULE_PATH /etc/snort/rules

preprocessor frag2

# stream4: stateful inspection/stream reassembly for Snort
#----------------------------------------------------------------------

preprocessor stream4: disable_evasion_alerts

preprocessor stream4_reassemble

preprocessor http_inspect: global \
iis_unicode_map unicode.map 1252

preprocessor http_inspect_server: server default \
profile all \
ports { 80 8080 }

# rpc_decode: normalize RPC traffic
# ---------------------------------

preprocessor rpc_decode: 111 32771

# bo: Back Orifice detector

preprocessor bo

# telnet_decode: Telnet negotiation string normalizer

preprocessor telnet_decode

####################################################################
# Step #3: Configure output plugins
#
output database: log, mysql, user=snort password=******** dbname=snort host=localhost

include classification.config

include reference.config

####################################################################
# Step #4: Customize your rule set

include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules

include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules

include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules

include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules

include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/experimental.rules

# Include any thresholding or suppression commands
include threshold.conf
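
The snortd script above turns ALERTMODE, BINARY_LOG and NO_PACKET_LOG from /etc/sysconfig/snort into the -A, -b and -N flags visible in the ps output, and Snort treats alert and log output options given on the command line as overriding output plugins of the same type in snort.conf. The check below is added here as an example (it is not from the post or the Snort distribution): it reads both files, counts output plugins by type, and reports the conflict; the sysconfig and snort.conf paths are arguments and the sample files are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: report /etc/sysconfig/snort settings that
# make snortd pass -A, -b or -N, which override same-type (alert/log) output plugins in snort.conf.
# Print the number of output plugins of type $2 (alert|log) in snort.conf $1,
# joining backslash-continued lines first; commented-out examples do not count.
count_output_plugins() {
    awk -v want="$2" '
        /\\$/ { sub(/\\$/, ""); buf = buf $0; next }
        { line = buf $0; buf = "" }
        line ~ /^[ \t]*output[ \t]/ {
            sub(/^[ \t]*output[ \t]+/, "", line)
            type = "other"
            if (line ~ /^alert_/ || line ~ /^database:[ \t]*alert/) type = "alert"
            else if (line ~ /^log_/ || line ~ /^database:[ \t]*log/) type = "log"
            if (type == want) n++
        }
        END { print n + 0 }' "$1"
}
# Source sysconfig $1 the way snortd does, compare it with snort.conf $2,
# warn on stderr and print the number of conflicts on stdout.
check_output_override() {
    ALERTMODE=""; BINARY_LOG=""; NO_PACKET_LOG=""
    . "$1"
    alerts=$(count_output_plugins "$2" alert)
    logs=$(count_output_plugins "$2" log)
    conflicts=0
    if [ -n "$ALERTMODE" ] && [ "$alerts" -gt 0 ]; then
        echo "ALERTMODE=$ALERTMODE -> -A $ALERTMODE overrides $alerts alert plugin(s) in $2" >&2
        conflicts=$((conflicts + 1))
    fi
    if { [ "$BINARY_LOG" = 1 ] || [ "$NO_PACKET_LOG" = 1 ]; } && [ "$logs" -gt 0 ]; then
        echo "BINARY_LOG=$BINARY_LOG NO_PACKET_LOG=$NO_PACKET_LOG -> -b/-N overrides $logs log plugin(s) in $2" >&2
        conflicts=$((conflicts + 1))
    fi
    echo "$conflicts"
}
# Constructed sample files mirroring the post (its sysconfig values and database line),
# plus one alert plugin to exercise the -A check; written into directory $1.
write_sample_files() {
    printf 'ALERTMODE=fast\nBINARY_LOG=1\nNO_PACKET_LOG=0\n' > "$1/sysconfig"
    cat > "$1/snort.conf" <<'EOF'
# output alert_syslog: LOG_AUTH LOG_ALERT     (commented out: must not count)
output database: log, mysql, user=snort password=x dbname=snort \
    host=localhost
output alert_fast: alert
EOF
}
# Stand-alone demo on the constructed files.
demo=$(mktemp -d); write_sample_files "$demo"
echo "conflicts: $(check_output_override "$demo/sysconfig" "$demo/snort.conf")"; rm -rf "$demo"
```

Run it against the real files with `check_output_override /etc/sysconfig/snort /etc/snort/snort.conf`; a non-zero count means the init script's flags, not snort.conf, decide where alerts and logs go.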

