[Snort-users] FW: No logs in MYSQL Database but logs on localhost logfiles?

Discussion in the Snort forum (Usenet Forums > System Security and Security Related > Snort).

03-01-2004, Shannon M. Anderson

I'm sure you all love these posts...

I found my problem... I was spitting out a "-A full" as part of the cmd line structure in the init.d script. This in turn was causing some issue with snort. Thus I removed the entry and edited the config file for the output plugin for mysql, adding in "detail=full".

I hope this helps the next person that falls into this little snare.

Thanks

-----Original Message-----
From: Shannon M. Anderson
Sent: Monday, March 01, 2004 3:47 PM
To: 'snort-users@lists.sourceforge.net'
Subject: No logs in MYSQL Database but logs on localhost logfiles?


I am working on a Router/Firewall/IDS box. In a default config only watching a single interface I am able to generate logs to the MYSQL database. But my need was to watch all interfaces for matched traffic, so after a bit of digging I was able to find and configure the scripts to watch all interfaces. The local logging seems to be working but I am now not able to get logs to SQL. Has anyone come across this type of design/configuration? I want to populate the SQL with all matched traffic in detail including packet payload and only log FAST "alerts" to local logging.

Any thoughts would be welcome.

Below is my config and init.d script.

#########################
# CONFIG files start here!!!!!!!!
#
#

## variable file###########
# Sourced by the init script below. ALERTMODE=full is what put "-A full"
# on the snort command line.
ALERTMODE=full
INTERFACE=ALL
PRINT_INTERFACE=1

###rc.d/init.d/snort##############################
#!/bin/bash
source /etc/config/rc
source $rc_functions
source $ssl_conf
export CONFDIR=$confdir
export ROOT=$root
# pull in the variable file above
source $CONFDIR/snort/snort

# Turn each variable into the matching snort command-line switch.
if [ "$ALERTMODE"X = "X" ]; then
    ALERTMODE=""
else
    ALERTMODE="-A $ALERTMODE"
fi
# Note: $USER is also the login user's environment variable, so when this
# script is run from a root shell the "snortman" default below does not apply
# unless the variable file sets USER explicitly.
if [ "$USER"X = "X" ]; then
    USER="snortman"
fi

if [ "$GROUP"X = "X" ]; then
    GROUP="snortman"
fi

if [ "$BINARY_LOG"X = "1X" ]; then
    BINARY_LOG="-b"
else
    BINARY_LOG=""
fi

if [ "$CONF"X = "X" ]; then
    CONF="-c $CONFDIR/snort/snort.conf"
else
    CONF="-c $CONFDIR/$CONF"
fi

if [ "$INTERFACE"X = "X" ]; then
    INTERFACE="-i eth0"
else
    INTERFACE="-i $INTERFACE"
fi

if [ "$DUMP_APP"X = "1X" ]; then
    DUMP_APP="-d"
else
    DUMP_APP=""
fi

if [ "$NO_PACKET_LOG"X = "1X" ]; then
    NO_PACKET_LOG="-N"
else
    NO_PACKET_LOG=""
fi

if [ "$PRINT_INTERFACE"X = "1X" ]; then
    PRINT_INTERFACE="-I"
else
    PRINT_INTERFACE=""
fi

if [ "$PASS_FIRST"X = "1X" ]; then
    PASS_FIRST="-o"
else
    PASS_FIRST=""
fi

if [ "$LOGDIR"X = "X" ]; then
    LOGDIR=/var/log/snort
fi

SNORT_PATH=/usr/local/bin

######################################
# Now to the real heart of the matter:
# See how we were called.
case "$1" in
  start)
        echo -n "Starting snort: "
        cd $LOGDIR
        if [ "$INTERFACE" = "-i ALL" ]; then
            # INTERFACE=ALL: start one snort daemon per eth* interface, each
            # with its own log directory under $LOGDIR
            for i in `cd /proc/sys/net/ipv4/conf; ls -d eth* | sed s/"\/"//g`
            do
                mkdir -p "$LOGDIR/$i"
                chown -R snortman:snortman $LOGDIR
                $SNORT_PATH/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE -i $i -u $USER -g $GROUP $CONF -l $LOGDIR/$i $PASS_FIRST
            done
            # same again for the ipsec* interfaces
            for i in `cd /proc/sys/net/ipv4/conf; ls -d ipsec* | sed s/"\/"//g`
            do
                mkdir -p "$LOGDIR/$i"
                chown -R snortman:snortman $LOGDIR
                $SNORT_PATH/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE -i $i -u $USER -g $GROUP $CONF -l $LOGDIR/$i $PASS_FIRST
            done
        else
            # single interface: one daemon logging straight into $LOGDIR
            $SNORT_PATH/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE $INTERFACE -u $USER -g $GROUP $CONF -l $LOGDIR $PASS_FIRST
        fi
        touch /var/lock/snort
        echo
        ;;
  stop)
        echo -n "Stopping snort: "
        killproc snort
        rm -f /var/lock/snort
        echo
        ;;
  reload)
        echo "Sorry, not implemented yet"
        ;;
  restart)
        $0 stop
        $0 start
        ;;
  condrestart)
        [ -e /var/lock/snort ] && /etc/init.d/snortd restart
        ;;
  status)
        status snort
        ;;
  *)
        echo "Usage: $0 {start|stop|reload|restart|condrestart|status}"
        exit 2
esac

exit 0

##############################

#################################
#Snort Config####
#################################
var DNS_SERVERS 192.168.3.0/24
var HTTP_PORTS 80
var SQL_SERVERS 192.168.3.0/24
var HTTP_SERVERS 192.168.3.0/24
var SHELLCODE_PORTS !80
var PORT_SCAN_NET 65.35.64.161
var ORACLE_PORTS 1521
var HOME_NET 192.168.3.0/24
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var SMTP_SERVERS 192.168.3.0/24
var TELNET_SERVERS 192.168.3.0/24
var EXTERNAL_NET any

preprocessor arpspoof
preprocessor stream4: detect_scans detect_state_problems
preprocessor frag2
preprocessor telnet_decode
preprocessor http_decode: unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
preprocessor portscan: $PORT_SCAN_NET 4 3
preprocessor bo
preprocessor stream4_reassemble: both
preprocessor rpc_decode: alert_fragments

output alert_syslog: LOG_AUTH LOG_ALERT
output database: log, mysql, user=sql-access password=********** dbname=ids_db host=192.168.1.222 sensor_name=development
output database: alert, mysql, user=sql-access password=*********** dbname=ids_db host=192.168.1.222 sensor_name=development

include /etc/classification.config
include /etc/reference.config

include /etc/snort/rules/attack-responses.rules
include /etc/snort/rules/backdoor.rules
include /etc/snort/rules/bad-traffic.rules
include /etc/snort/rules/chat.rules
include /etc/snort/rules/ddos.rules
include /etc/snort/rules/deleted.rules
include /etc/snort/rules/dns.rules
include /etc/snort/rules/dos.rules
include /etc/snort/rules/exploit.rules
include /etc/snort/rules/finger.rules
include /etc/snort/rules/ftp.rules
include /etc/snort/rules/imap.rules
include /etc/snort/rules/info.rules
include /etc/snort/rules/misc.rules
include /etc/snort/rules/multimedia.rules
include /etc/snort/rules/mysql.rules
include /etc/snort/rules/netbios.rules
include /etc/snort/rules/nntp.rules
include /etc/snort/rules/oracle.rules
include /etc/snort/rules/other-ids.rules
include /etc/snort/rules/p2p.rules
include /etc/snort/rules/policy.rules
include /etc/snort/rules/pop3.rules
include /etc/snort/rules/porn.rules
include /etc/snort/rules/rpc.rules
include /etc/snort/rules/rservices.rules
include /etc/snort/rules/scan.rules
include /etc/snort/rules/shellcode.rules
include /etc/snort/rules/smtp.rules
include /etc/snort/rules/snmp.rules
include /etc/snort/rules/sql.rules
include /etc/snort/rules/telnet.rules
include /etc/snort/rules/tftp.rules
include /etc/snort/rules/virus.rules
include /etc/snort/rules/web-attacks.rules
include /etc/snort/rules/web-cgi.rules
include /etc/snort/rules/web-client.rules
include /etc/snort/rules/web-coldfusion.rules
include /etc/snort/rules/web-frontpage.rules
include /etc/snort/rules/web-iis.rules
include /etc/snort/rules/web-misc.rules
include /etc/snort/rules/web-php.rules
############################
Shannon M Anderson
Sr. Systems Engineer
eCalton.com
sanderson@ecalton.com
(772)569-4500 ext 226
____________________________________________________
"For every action, there is an equal and opposite malfunction."
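As an added example (not the poster's script, and not part of the original post), a POSIX shell pre-flight check for the clash described in the thread: in Snort 2.x, alert and logging options given on the command line such as -A override the output plugins configured in snort.conf, which matches the symptom of "-A full" in the init script leaving MySQL empty. The corrected output section is a reconstruction of the stated fix (drop -A, add detail=full), plus an alert_fast line, assumed here, for the local fast alerts the poster wanted; build_cmdline and check_output_config are names invented for this example.

```shell
#!/bin/sh
# Added example: pre-flight check for "-A on the command line vs. output
# plugins in snort.conf". Function names and both config snippets are
# constructed here so the script runs stand-alone.

# Output section as posted (password masked as in the post).
POSTED_OUTPUT='output alert_syslog: LOG_AUTH LOG_ALERT
output database: log, mysql, user=sql-access password=********** dbname=ids_db host=192.168.1.222 sensor_name=development
output database: alert, mysql, user=sql-access password=*********** dbname=ids_db host=192.168.1.222 sensor_name=development'

# Reconstruction of the stated fix: no -A on the command line, detail=full on
# the database log plugin so payloads are stored, and (an assumption beyond
# the post) alert_fast for the local fast alerts the poster asked for.
FIXED_OUTPUT='output alert_fast: alert
output database: log, mysql, user=sql-access password=********** dbname=ids_db host=192.168.1.222 sensor_name=development detail=full'

# build_cmdline ALERTMODE IFACE CONF LOGDIR
# Assembles one snort invocation the way the posted init script does for each
# interface; an empty ALERTMODE means "no -A", leaving output to snort.conf.
build_cmdline() {
    alertmode=$1; iface=$2; conf=$3; logdir=$4
    set -- /usr/local/bin/snort
    if [ -n "$alertmode" ]; then
        set -- "$@" -A "$alertmode"
    fi
    set -- "$@" -D -i "$iface" -u snortman -g snortman -c "$conf" -l "$logdir/$iface"
    printf '%s\n' "$*"
}

# check_output_config CONF_TEXT ALERTMODE
# Returns 0 when the combination will actually reach MySQL with payloads,
# 1 otherwise (reasons go to stderr).
check_output_config() {
    conf_text=$1; alertmode=$2; rc=0
    # -A on the command line overrides every output plugin in the config file
    if [ -n "$alertmode" ] && printf '%s\n' "$conf_text" | grep -q '^output database:'; then
        echo "warn: -A $alertmode on the command line overrides 'output database' in snort.conf" >&2
        rc=1
    fi
    # without detail=full the database plugin stores no packet payload
    if printf '%s\n' "$conf_text" | grep '^output database: log' | grep -qv 'detail=full'; then
        echo "warn: 'output database: log' lacks detail=full, so packet payloads are not stored" >&2
        rc=1
    fi
    return $rc
}

# Stand-alone run: the posted combination fails, the fixed one passes.
check_output_config "$POSTED_OUTPUT" full || echo "posted config: problems found"
check_output_config "$FIXED_OUTPUT" "" && echo "fixed config: ok"
build_cmdline "" eth0 /etc/snort/snort.conf /var/log/snort
```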