Re: [Snort-users] snort doesn't write to mysql (Snort forums, System Security and Security Related)
Snort is not logging to the database because you are using the -A fast
command line argument; this overrides your configuration file setup.

> Hello.
>
> I'm a newbie, but have checked the FAQs, done lots of searching, asked other
> linux-knowledgeable people, and I still can't figure this out. I've likely
> done something stupid - can anyone help me find it?
>
> I'm running snort 2.1.0-2 on RedHat 9, with mysql, apache, php and acid. I
> have configured the output database line in snort.conf to point to the mysql
> database, but I see no sign that snort is even attempting to connect to the
> database.
> snort and snort-mysql are installed from the binary rpms available from
> snort.org;
> [root@fsf052 snort]# rpm -qa |grep snort
> snort-mysql-2.1.0-2
> snort-2.1.0-2
>
> snort appears to be using snort.conf;
> ps -ef |grep snort
> snort 3849 1 0 16:15 ? 00:00:00 /usr/sbin/snort -A fast -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort
>
> However, I added "output log_tcpdump: tcpdump.log" to the snort.conf and
> found no tcpdump.log when I restarted the service and ran the scanner
> against it. Just to be sure, I created the empty file, gave the snort user
> permissions on it, restarted the service, and ran the scanner again - the
> file remained empty. Does this mean the output settings in snort.conf are
> being overridden or ignored?
>
> It is running snort-mysql;
> ls -l /usr/sbin |grep snort
> lrwxrwxrwx 1 root root 21 Feb 20 10:37 snort -> /usr/sbin/snort-mysql
> -rwxr-xr-x 1 root root 478797 Dec 20 05:22 snort-mysql
> -rwxr-xr-x 1 root root 478268 Dec 20 05:28 snort-plain
>
> Does anyone know how this version was compiled? Do I have to have the
> database in a specific location?
>
> Thanks in advance for any help,
> Pam
>
> I'm including my scripts and config files, basically all default, sorry for
> the length of the e-mail, I've removed a lot of the commented stuff and
> examples to make it shorter. Note, my e-mail client is causing stuff to
> wrap - there are no carriage returns:
> _________________________________________________________________________
> /etc/init.d/snortd
>
> #!/bin/sh
> # $Id: snortd,v 1.17 2003/12/20 09:25:37 dwittenb Exp $
> #
> # snortd Start/Stop the snort IDS daemon.
> #
> # chkconfig: 2345 40 60
> # description: snort is a lightweight network intrusion detection tool that \
> # currently detects more than 1100 host and network \
> # vulnerabilities, portscans, backdoors, and more.
> #
>
> # Source function library.
> . /etc/rc.d/init.d/functions
>
> # Source the local configuration file
> . /etc/sysconfig/snort
>
> # Convert the /etc/sysconfig/snort settings to something snort can
> # use on the startup line.
> if [ "$ALERTMODE"X = "X" ]; then
>     ALERTMODE=""
> else
>     ALERTMODE="-A $ALERTMODE"
> fi
>
> if [ "$USER"X = "X" ]; then
>     USER="snort"
> fi
>
> if [ "$GROUP"X = "X" ]; then
>     GROUP="snort"
> fi
>
> if [ "$BINARY_LOG"X = "1X" ]; then
>     BINARY_LOG="-b"
> else
>     BINARY_LOG=""
> fi
>
> if [ "$CONF"X = "X" ]; then
>     CONF="-c /etc/snort/snort.conf"
> else
>     CONF="-c $CONF"
> fi
>
> if [ "$INTERFACE"X = "X" ]; then
>     INTERFACE="-i eth0"
> else
>     INTERFACE="-i $INTERFACE"
> fi
>
> if [ "$DUMP_APP"X = "1X" ]; then
>     DUMP_APP="-d"
> else
>     DUMP_APP=""
> fi
>
> if [ "$NO_PACKET_LOG"X = "1X" ]; then
>     NO_PACKET_LOG="-N"
> else
>     NO_PACKET_LOG=""
> fi
>
> if [ "$PRINT_INTERFACE"X = "1X" ]; then
>     PRINT_INTERFACE="-I"
> else
>     PRINT_INTERFACE=""
> fi
>
> if [ "$PASS_FIRST"X = "1X" ]; then
>     PASS_FIRST="-o"
> else
>     PASS_FIRST=""
> fi
>
> if [ "$LOGDIR"X = "X" ]; then
>     LOGDIR=/var/log/snort
> fi
>
>
> ######################################
> # Now to the real heart of the matter:
>
> # See how we were called.
> case "$1" in
>   start)
>     echo -n "Starting snort: "
>     cd $LOGDIR
>     if [ "$INTERFACE" = "-i ALL" ]; then
>       for i in `cd /proc/sys/net/ipv4/conf; ls -d eth* |sed s/"\/"//g`
>       do
>         mkdir -p "$LOGDIR/$i"
>         chown -R snort:snort $LOGDIR
>         daemon /usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE -i $i -u $USER -g $GROUP $CONF -l $LOGDIR/$i $PASS_FIRST
>       done
>     else
>       daemon /usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE $INTERFACE -u $USER -g $GROUP $CONF -l $LOGDIR $PASS_FIRST
>     fi
>     touch /var/lock/subsys/snort
>     echo
>     ;;
>   stop)
>     echo -n "Stopping snort: "
>     killproc snort
>     rm -f /var/lock/subsys/snort
>     echo
>     ;;
>   reload)
>     echo "Sorry, not implemented yet"
>     ;;
>   restart)
>     $0 stop
>     $0 start
>     ;;
>   condrestart)
>     [ -e /var/lock/subsys/snort ] && /etc/init.d/snortd restart
>     ;;
>   status)
>     status snort
>     ;;
>   *)
>     echo "Usage: $0 {start|stop|reload|restart|condrestart|status}"
>     exit 2
> esac
>
> exit 0
>
>
> ___________________________________________________________________________
> /etc/sysconfig/snort
>
> # /etc/sysconfig/snort
> # $Id: snort.sysconfig,v 1.8 2003/09/19 05:18:12 dwittenb Exp $
>
>
> #### General Configuration
>
> INTERFACE=eth0
> CONF=/etc/snort/snort.conf
> USER=snort
> GROUP=snort
> PASS_FIRST=0
>
> #### Logging & Alerting
>
> LOGDIR=/var/log/snort
> ALERTMODE=fast
> DUMP_APP=1
> BINARY_LOG=1
> NO_PACKET_LOG=0
> PRINT_INTERFACE=0
>
>
> ________________________________________________________________
> /etc/snort/snort.conf (password/IP obscured)
>
> #--------------------------------------------------
> # http://www.snort.org Snort 2.1.0 Ruleset
> # Contact: snort-sigs@lists.sourceforge.net
> #--------------------------------------------------
> # $Id: snort.conf,v 1.133 2003/12/18 17:05:07 cazz Exp $
> #
>
> var HOME_NET x.x.x.0/xx
>
> # Set up the external network addresses as well. A good start may be "any"
> var EXTERNAL_NET any
>
> # List of DNS servers on your network
> var DNS_SERVERS $HOME_NET
>
> # List of SMTP servers on your network
> var SMTP_SERVERS $HOME_NET
>
> # List of web servers on your network
> var HTTP_SERVERS $HOME_NET
>
> # List of sql servers on your network
> var SQL_SERVERS $HOME_NET
>
> # List of telnet servers on your network
> var TELNET_SERVERS $HOME_NET
>
> # List of snmp servers on your network
> var SNMP_SERVERS $HOME_NET
>
> var HTTP_PORTS 80
>
> # Ports you want to look for SHELLCODE on.
> var SHELLCODE_PORTS !80
>
> # Ports you do oracle attacks on
> var ORACLE_PORTS 1521
>
> # other variables
> var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
>
> # Path to your rules files (this can be a relative path)
> var RULE_PATH /etc/snort/rules
>
> preprocessor frag2
>
> # stream4: stateful inspection/stream reassembly for Snort
> #----------------------------------------------------------------------
>
> preprocessor stream4: disable_evasion_alerts
>
> preprocessor stream4_reassemble
>
> preprocessor http_inspect: global \
>     iis_unicode_map unicode.map 1252
>
> preprocessor http_inspect_server: server default \
>     profile all \
>     ports { 80 8080 }
>
> # rpc_decode: normalize RPC traffic
> # ---------------------------------
>
> preprocessor rpc_decode: 111 32771
>
> # bo: Back Orifice detector
>
> preprocessor bo
>
> # telnet_decode: Telnet negotiation string normalizer
>
> preprocessor telnet_decode
>
> ####################################################################
> # Step #3: Configure output plugins
> #
> output database: log, mysql, user=snort password=******** dbname=snort host=localhost
>
> include classification.config
>
> include reference.config
>
> ####################################################################
> # Step #4: Customize your rule set
>
> include $RULE_PATH/local.rules
> include $RULE_PATH/bad-traffic.rules
> include $RULE_PATH/exploit.rules
> include $RULE_PATH/scan.rules
> include $RULE_PATH/finger.rules
> include $RULE_PATH/ftp.rules
> include $RULE_PATH/telnet.rules
> include $RULE_PATH/rpc.rules
> include $RULE_PATH/rservices.rules
> include $RULE_PATH/dos.rules
> include $RULE_PATH/ddos.rules
> include $RULE_PATH/dns.rules
> include $RULE_PATH/tftp.rules
>
> include $RULE_PATH/web-cgi.rules
> include $RULE_PATH/web-coldfusion.rules
> include $RULE_PATH/web-iis.rules
> include $RULE_PATH/web-frontpage.rules
> include $RULE_PATH/web-misc.rules
> include $RULE_PATH/web-client.rules
> include $RULE_PATH/web-php.rules
>
> include $RULE_PATH/sql.rules
> include $RULE_PATH/x11.rules
> include $RULE_PATH/icmp.rules
> include $RULE_PATH/netbios.rules
> include $RULE_PATH/misc.rules
> include $RULE_PATH/attack-responses.rules
> include $RULE_PATH/oracle.rules
> include $RULE_PATH/mysql.rules
> include $RULE_PATH/snmp.rules
>
> include $RULE_PATH/smtp.rules
> include $RULE_PATH/imap.rules
> include $RULE_PATH/pop2.rules
> include $RULE_PATH/pop3.rules
>
> include $RULE_PATH/nntp.rules
> include $RULE_PATH/other-ids.rules
> include $RULE_PATH/experimental.rules
>
> # Include any thresholding or suppression commands
> include threshold.conf
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/...fo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.p...st=snort-users

Thanks,
Josh Berry, CISSP
CTO, VP of Product Development
LinkNet-Solutions
469-831-8543
josh.berry@linknet-solutions.com
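The reply above points at the mechanism: the quoted snortd init script turns ALERTMODE=fast from /etc/sysconfig/snort into "-A fast" on the command line, and that command-line alert switch takes precedence over the "output" plugins in snort.conf. The script below is an added example, not code from this thread or from the Snort project. It reads a sysconfig-style file and a snort.conf and reports which alerting path is actually in effect, and the demo() at the end replays the posted configuration against constructed files (the file names and contents in demo() are assumptions made for the example).

```shell
#!/bin/sh
# Added example for the reply above; it is not code from the thread or from
# the Snort project. It reads an /etc/sysconfig/snort-style file (the file
# the quoted snortd init script turns into "-A $ALERTMODE") and a snort.conf,
# and reports which alerting path will actually be used. The constructed
# files in demo() below are assumptions made for this example.

# Print the ALERTMODE value from a sysconfig file (last assignment wins, as in
# the shell; empty if the variable is unset or blank). Quotes are stripped.
sysconfig_alertmode() {
    awk -F= '/^[[:space:]]*ALERTMODE=/ { v = $2; gsub(/["'\''[:space:]]/, "", v); print v }' "$1" | tail -n 1
}

# Print the active "output" plugin lines from snort.conf with the keyword
# removed (comment lines are skipped; backslash continuations are not joined).
conf_output_plugins() {
    sed -n 's/^[[:space:]]*output[[:space:]]\{1,\}//p' "$1"
}

# Report the effective alert path. Exit status:
#   0 - ALERTMODE is blank, so no -A is passed and the snort.conf output
#       plugins are used
#   1 - ALERTMODE is set: the init script adds -A and the output plugins
#       in snort.conf are overridden, which is the situation in the thread
#   2 - neither -A nor any output plugin is configured
effective_alerting() {
    mode=$(sysconfig_alertmode "$1")
    plugins=$(conf_output_plugins "$2")
    if [ -n "$mode" ]; then
        printf 'command line: -A %s (output plugins in %s are overridden)\n' "$mode" "$2"
        return 1
    fi
    if [ -n "$plugins" ]; then
        printf 'output plugins from %s:\n%s\n' "$2" "$plugins"
        return 0
    fi
    printf 'no -A and no output plugins in %s\n' "$2"
    return 2
}

# Demonstration on constructed files that mirror the quoted configuration:
# ALERTMODE=fast in sysconfig and an "output database:" line in snort.conf.
demo() {
    d=$(mktemp -d) || return 1
    printf 'ALERTMODE=fast\nBINARY_LOG=1\n' > "$d/snort.sysconfig"
    printf '# comment\noutput database: log, mysql, user=snort dbname=snort host=localhost\n' > "$d/snort.conf"
    echo "as posted:"
    effective_alerting "$d/snort.sysconfig" "$d/snort.conf" || true
    # The fix: leave ALERTMODE blank so the init script passes no -A at all.
    printf 'ALERTMODE=\n' > "$d/snort.sysconfig"
    echo "after blanking ALERTMODE:"
    effective_alerting "$d/snort.sysconfig" "$d/snort.conf" || true
    rm -rf "$d"
}

demo
```

Run it as-is to see both states, or source it and call effective_alerting /etc/sysconfig/snort /etc/snort/snort.conf on a real sensor; a non-zero status means the database plugin will never be reached regardless of what snort.conf says. One further point once -A is gone: the quoted line is output database: log, mysql, ..., and in Snort 2 that first argument chooses whether the plugin receives the log or the alert facility, so which events land in the database depends on that choice as well.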