[Snort-users] Trouble to log trace into database

permalink · #1 (**permalink**) 11-06-2004

This is a multi-part message in MIME format.

------=_NextPart_000_001C_01C4C36F.51F71530
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit

Hi,

I have a trace file with some packets I am trying to analyze. I am trying to
load the trace into a mysql database but nothing gets logged.

My rules file looks like this:

# RULES

log tcp any any -> any any

log udp any any -> any any

And if I just run snort without loading from file, this rules logs every tcp
and udp header just fine into the database. Now when I run:

C:\Snort\bin>snort -r c:\trace.eth -c c:\Snort\etc\snort-mod.conf \

-l c:\Snort\log

I do not get any error but nothing gets logged to the database. See below
Can anyone give me a hint of what am I doing wrong?

Thanks,

J

================================================== ====================

database: compiled support for ( mysql odbc )

database: configured to use mysql

database: user = snort

database: password is set

database: database name = snort

database: host = localhost

database: sensor name = TRUSS:[reading from a file]

database: sensor id = 2

database: schema version = 106

database: using the "log" facility

2 Snort rules read...

2 Option Chains linked into 2 Chain Headers 0 Dynamic rules

++++++++++++++++++++++++++++++++++++++++++++++++++ +

+-----------------------[thresholding-config]---------------------------

+-------

| memory-cap : 1048576 bytes

+-----------------------[thresholding-global]---------------------------

+-------

| none

+-----------------------[thresholding-local]----------------------------

+-------

| none

+-----------------------[suppression]-----------------------------------

+-------

| none

----------------------------------------------------------------------------
---

Rule application order: ->activation->dynamic->alert->pass->log

--== Initialization Complete ==-- -*> Snort! <*- Version
2.2.0-ODBC-MySQL-FlexRESP-WIN32 (Build 30) By Martin Roesch
(roesch@sourcefire.com, www.snort.org)

1.7-WIN32 Port By Michael Davis (mike@datanerds.net,
www.datanerds.net/~mike)

1.8 - 2.x WIN32 Port By Chris Reid (chris.reid@codecraftconsultants.com)

Run time for packet processing was 0.501000 seconds
================================================== ==========================

Snort processed 84158 packets.

================================================== =========================

Breakdown by protocol:

TCP: 53451 (17.356%)

UDP: 28239 (37.124%)

ICMP: 13803 (1.561%)

ARP: 3240 (0.231%)

EAPOL: 0 (0.000%)

IPv6: 0 (0.000%)

IPX: 0 (0.000%)

OTHER: 8916 (1.008%)

DISCARD: 377709 (42.720%)

================================================== ==========================
===

Action Stats:

ALERTS: 0

LOGGED: 0

PASSED: 0

================================================== ==========================
===

Final Flow Statistics

,----[ FLOWCACHE STATS ]----------

Memcap: 10485760 Overhead Bytes 16400 used(%0.156403)/blocks (16400/1)
Overhead

blocks: 1 Could Hold: (0)

IPV4 count: 0 frees: 0 low_time: 0, high_time: 0, diff: 0h:00:00s

finds: 0 reversed: 0(%0.000000)

find_sucess: 0 find_fail: 0 percent_success: (%0.000000) new_flows: 0

database: Closing connection to database ""

Snort exiting

------=_NextPart_000_001C_01C4C36F.51F71530
Content-Type: text/html;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns=3D"http://www.w3.org/TR/REC-html40">

<head>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Dus-ascii">
<meta name=3DGenerator content=3D"Microsoft Word 11 (filtered medium)">
<style>

</style>

</head>

<body lang=3DEN-US link=3Dblue vlink=3Dpurple>

<div class=3DSection1>

Hi,<o:p></o:p>

I have a trace file =
with
some packets I am trying to analyze. I am trying to load the trace into =
a mysql
database but nothing gets logged. <o:p></o:p>

My rules file looks =
like
this:<o:p></o:p>

# =
RULES<o:p></o:p>

log tcp any any =
-> any
any<o:p></o:p>

log udp any any =
-> any
any<o:p></o:p>

<o:p> </o:p>

And if I just run =
snort
without loading from file, this rules logs every tcp and udp header just =
fine
into the database. Now when I run:<o:p></o:p>

C:\Snort\bin>snort -r c:\trace.eth
-c c:\Snort\etc\snort-mod.conf \<o:p></o:p>

      -l =
c:\Snort\log<o:p></o:p>

<o:p> </o:p>

I do not get any =
error but
nothing gets logged to the database. See below Can anyone give me a hint =
of
what am I doing wrong?<o:p></o:p>

<o:p> </o:p>

Thanks,<o:p></o:p>

J<o:p></o:p>

<o:p> </o:p>

<o:p> </o:p>

=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3 D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3 D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3 D=3D=3D=3D=3D=3D<o:p></=
o:p>

database: compiled =
support
for ( mysql odbc )<o:p></o:p>

database: =
configured to use
mysql<o:p></o:p>

database:     &nbsp ;    =
user =3D
snort<o:p></o:p>

database: password =
is set<o:p></o:p>

database: database =
name =3D
snort<o:p></o:p>

database:     &nbsp ;    =
host =3D
localhost<o:p></o:p>

database:   sensor name =3D
TRUSS:[reading from a file]<o:p></o:p>

database:     sensor id =3D =
2<o:p></o:p>

database: schema =
version =3D
106<o:p></o:p>

database: using the
"log" facility<o:p></o:p>

2 Snort rules =
read...<o:p></o:p>

2 Option Chains =
linked into
2 Chain Headers 0 Dynamic rules<o:p></o:p>

++++++++++++++++++++++++++++++++++++++++++++ +++++++<o:p></o:p></spa=
n>

+-----------------------[thresholding-config]----------------------=
-----<o:p></o:p>

+-------<o:p></o:p>

| memory-cap : =
1048576 bytes<o:p></o:p>

+-----------------------[thresholding-global]----------------------=
-----<o:p></o:p>

+-------<o:p></o:p>

| =
none<o:p></o:p>

+-----------------------[thresholding-local]-----------------------=
-----<o:p></o:p>

+-------<o:p></o:p>

| =
none<o:p></o:p>

+-----------------------[suppression]------------------------------=
-----<o:p></o:p>

+-------<o:p></o:p>

| =
none<o:p></o:p>

-------------------------------------------------------------------=
------------<o:p></o:p>

Rule application =
order:
->activation->dynamic->alert->pass->log<o:p></o:p><=
/font>

        --=3D=3D Initialization
Complete =3D=3D-- -*> Snort! <*- Version =
2.2.0-ODBC-MySQL-FlexRESP-WIN32
(Build 30) By Martin Roesch (roesch@sourcefire.com, <a =
href=3D"www.snort.org">www.snort.org</a>)<o:p></o:p>

1.7-WIN32 Port By =
Michael
Davis (mike@datanerds.net, <a =
href=3D"www.datanerds.net/~mike">www.datanerds.net/~mike</a>)<o:p></o:p><=
/span>

1.8 - 2.x WIN32 =
Port By
Chris Reid =
(chris.reid@codecraftconsultants.com)<o:p></o:p>

Run time for packet
processing was 0.501000 seconds =
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3 D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3 D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3 D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D<o:p></o:p>

Snort processed =
84158
packets.<o:p></o:p>

=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3 D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3 D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3 D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D<o:p></o:p>

Breakdown by =
protocol:<o:p></o:p>

    =
TCP: 53451     =
(17.356%)<o:p></o:p>

    =
UDP: 28239     =
(37.124%)<o:p></o:p>

   ICMP: =
13803      =
(1.561%)<o:p></o:p>

    =
ARP: 3240       =
(0.231%)<o:p></o:p>

  EAPOL: =
0        & nbsp; =
(0.000%)<o:p></o:p>

   IPv6: =
0        & nbsp; =
(0.000%)<o:p></o:p>

    =
IPX: 0        & nbsp; =
(0.000%)<o:p></o:p>

  OTHER: =
8916       =
(1.008%)<o:p></o:p>

DISCARD: =
377709    
(42.720%)<o:p></o:p>

=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3 D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3 D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3 D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D<o:p></o:p>

Action =
Stats:<o:p></o:p>

ALERTS: =
0<o:p></o:p>

LOGGED: =
0<o:p></o:p>

PASSED: =
0<o:p></o:p>

=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3 D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3 D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3 D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D<o:p></o:p>

Final Flow =
Statistics<o:p></o:p>

,----[ FLOWCACHE =
STATS
]----------<o:p></o:p>

Memcap: 10485760 =
Overhead
Bytes 16400 used(%0.156403)/blocks (16400/1) =
Overhead<o:p></o:p>

blocks: 1 Could =
Hold: (0)<o:p></o:p>

IPV4 count: 0 =
frees: 0
low_time: 0, high_time: 0, diff: 0h:00:00s<o:p></o:p>

    =
finds: 0 reversed:
0(%0.000000)<o:p></o:p>

    =
find_sucess: 0
find_fail: 0 percent_success: (%0.000000) new_flows: =
0<o:p></o:p>

database: Closing =
connection
to database ""<o:p></o:p>

Snort =
exiting<o:p></o:p>

<o:p> </o:p>

<o:p> </o:p>

</div>

</body>

</html>

------=_NextPart_000_001C_01C4C36F.51F71530--

-------------------------------------------------------
This SF.Net email is sponsored by:
Sybase ASE Linux Express Edition - download now for FREE
LinuxWorld Reader's Choice Award Winner for best database on Linux.
http://ads.osdn.com/?ad_id=5588&alloc_id=12065&op=click
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode