Snort mailing list archives
******unsubscribe******
From: "Ryan McClure (Systems Admin) - United Shipping" <rmcclure () unitedshipping com>
Date: Thu, 10 May 2001 14:43:37 -0600
-----Original Message-----
From: snort-users-request () lists sourceforge net [mailto:snort-users-request () lists sourceforge net]
Sent: Thursday, May 10, 2001 2:17 PM
To: snort-users () lists sourceforge net
Subject: Snort-users digest, Vol 1 #630 - 8 msgs

Send Snort-users mailing list submissions to snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit http://lists.sourceforge.net/lists/listinfo/snort-users or, via email, send a message with subject or body 'help' to snort-users-request () lists sourceforge net

You can reach the person managing the list at snort-users-admin () lists sourceforge net

When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-users digest..."

Today's Topics:
1. Re: Snort + Acid w/ MySQL question(s) (roman () danyliw com)
2. unsubscribe (Ryan McClure (Systems Admin) - United Shipping)
3. Re: logging issue (roman () danyliw com)
4. Rules vs performance (Robinson, Ken)
5. RE: Rules vs performance (Kevin Brown)
6. Re: Rule Management Tool (shawn . moyer)
7. RE: Rule Management Tool (Jeff Dell)
8. RE: New Conundrum (Kevin Brown)

--__--__--

Message: 1
To: alexus <ml () db nexgen com>
Cc: snort-users () lists sourceforge net
From: roman () danyliw com
Subject: Re: [Snort-users] Snort + Acid w/ MySQL question(s)
Date: Thu, 10 May 2001 15:18:07 US/Eastern

One observation:

- ACID 0.9.5 does not use ADODB. This DB abstraction was introduced in 0.9.6b2 (Jan 2001). Hence, this addition to acid_conf.php will be ignored.

Two recommendations:

- Are you sure that you have CREATE permissions for the DB user set in acid_conf.php? If all else fails, try using "create_acid_tbls_mysql.sql" to manually create the ACID tables.

- Upgrade to a more recent version of ACID => 0.9.6b9. There are significant feature improvements as well as bug fixes. If you prefer an older version, upgrade to at least 0.9.6b1, for it has a number of important bug fixes.

cheers,
Roman
> I'm using the following:
>
> FreeBSD 4.3 - RELEASE (STABLE)
> ACID-0.9.5 - RELEASE (STABLE)
> ADODB v1.0.1 - RELEASE (STABLE)
> PHP - 4.0.5 - RELEASE (STABLE)
> APACHE - 1.3.19 - RELEASE (STABLE)
> SNORT - 1.7 - RELEASE (STABLE)
>
> To compile snort I used the following line:
>
> ../configure --with-mysql=/usr/local/mysql;make;make install
>
> I did change acid_conf.php: I put the path to adodb; in adodb I put the local path in adodb.inc.php. When I go to http://localhost/acid it redirects me to acid_main.php and when it gets there I get this:
>
> The underlying database alexus@localhost appears to be invalid. The database version is valid, but the ACID DB structure (table: acid_ag) is not present. Use the Setup page to configure and optimize the DB
>
> When I click on "Setup page", in the status window I get "DONE" for "Search Indexes" and I have "Create ACID AG" for "ACID tables". I'm assuming I need to click on "Create ACID AG"; when I do that nothing happens, it won't disappear and it won't change status to "DONE".. what am I missing?
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
---------------------------------------------
This message was sent using Voicenet WebMail. http://www.voicenet.com/webmail/

--__--__--

Message: 2
From: "Ryan McClure (Systems Admin) - United Shipping" <rmcclure () unitedshipping com>
To: snort-users () lists sourceforge net
Date: Thu, 10 May 2001 13:33:14 -0600
Subject: [Snort-users] unsubscribe

-----Original Message-----
From: snort-users-request () lists sourceforge net [mailto:snort-users-request () lists sourceforge net]
Sent: Thursday, May 10, 2001 1:06 PM
To: snort-users () lists sourceforge net
Subject: Snort-users digest, Vol 1 #629 - 4 msgs

Today's Topics:
1. Re: High CPU (Jon Bentley)
2. Re: alert message containing info from the packet? (Andreas Hasenack)
3. logging issue (Koaps)
4. Re: snort pgsql keepalive (roman () danyliw com)

--__--__--

Message: 1
From: "Jon Bentley" <jon () ascendanttech com>
To: "Steve" <stlukacs () mb sympatico ca>, <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] High CPU
Date: Thu, 10 May 2001 13:22:31 -0400

Hi, Steve. What type of system are you running on, and how many packets are you generating?

----- Original Message -----
From: "Steve" <stlukacs () mb sympatico ca>
To: <snort-users () lists sourceforge net>
Sent: Thursday, May 10, 2001 12:40 PM
Subject: [Snort-users] High CPU
> I am currently testing snort 1.7 and find the CPU to be very high (87%). I am running 1.6.3 in production and the CPU is about 9%... I've disabled all pre-processors, turned on binary logging and have seen no change... anyone experienced this?
>
> Thank-you
> Steve Lukacs
> Qunara
--__--__--

Message: 2
Date: Thu, 10 May 2001 14:58:26 -0300
From: Andreas Hasenack <andreas () netbank com br>
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] alert message containing info from the packet?

On Thu, May 10, 2001 at 12:08:09PM -0300, Andreas Hasenack wrote:
> Would it be feasible for snort's alert messages to contain some information from the packet that caused the alert?

Answering myself: this would probably be better handled with the analysis tool...

--__--__--

Message: 3
From: "Koaps" <koaps () 2nutz com>
To: "Snort" <snort-users () lists sourceforge net>
Date: Thu, 10 May 2001 11:27:56 -0700
Subject: [Snort-users] logging issue

I don't get it.... I have Snort 1.7 on OpenBSD. It's telling me it's seeing packets, it's sending alerts, but I see no data in mysql....

===============================================================================
Snort received 5065 packets and dropped 0(0.000%) packets

Breakdown by protocol:                Action Stats:

    TCP: 5048       (99.664%)         ALERTS: 7
    UDP: 0          (0.000%)          LOGGED: 7
   ICMP: 12         (0.237%)          PASSED: 0
    ARP: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 0          (0.000%)
DISCARD: 0          (0.000%)
=======================================

connect info

Initializing rule chains...
database: compiled support for ( mysql )
database: configured to use mysql
database: user = ids
database: password is set
database: database name = snortdb
database: host = 192.168.69.5
database: sensor name = 192.168.69.12
database: sensor id = 2
database: using the "log" facility
796 Snort rules read...
796 Option Chains linked into 114 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

I am using ACID to look at the SnortDB. I can see it's registered in the database as a sensor... I just see no data from it.

L8rZ,
 )\_/(
< o,0 >
~ \ /
KoAps

--__--__--

Message: 4
To: Alexandre Dulaunoy <adulau-snort () colorado g-inter net>
Cc: snort-users () lists sourceforge net
From: roman () danyliw com
Subject: Re: [Snort-users] snort pgsql keepalive
Date: Thu, 10 May 2001 15:02:21 US/Eastern

I did some checking on Snort behavior when the DB server dies:

Snort 1.7: alerts dropped
Snort 1.8: alert dropped, Snort issues FatalError(), quits

In either case, the behavior is incorrect. The fact that 1.8 quits instead of merely dropping (a la 1.7) is immaterial, since neither version will cache dropped alerts.
Thus, without caching there is no reason to even keep the sensor up, since no logging is occurring (unless you have logging mechanisms other than the DB plugin). I believe that the correct action is to attempt a reconnect to the DB when Snort detects a disconnect (i.e. when either the Select() or Insert() fails with the appropriate error code, call Connect() again; if this fails, only then FatalError()).

Roman

> Hello,
>
> When the sensor has a connection to the postmaster (postgres) and the postmaster goes down, the sensor will stop. Is there any way to keep the sensor up and reconnect when the postmaster's connection comes back? Like a keepalive and reconnect...
>
> Thanks
>
> alx
>
> --
> ---
> Alexandre J.D. Dulaunoy | "Engineering is the implementation of science;
> AD993-RIPE              |  Politics is the implementation of faith".
> http://www.foo.be/      |  Another usenet quote...
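The reconnect logic proposed in the message above (retry Connect() when an Insert() fails, and only give up when the reconnect fails too), plus the alert cache the message says both 1.7 and 1.8 lack, modelled as an added example. This is not Snort's output plugin code: the database server is a constructed in-memory fake whose open sessions die when it crashes, as a real server's would, and every class and function name below is this example's own.

```python
"""Reconnect-then-spool behaviour for a database output plugin.

Added example, not Snort's output plugin code: it models the behaviour
proposed above (call Connect() again when Insert() fails; give up only when
the reconnect fails too) and adds the alert cache the message says both
versions lack. The database is a constructed in-memory fake whose sessions
die when it crashes, as a real server's would; every name here is this
example's own.
"""
from collections import deque


class DbDown(Exception):
    """Raised by the fake driver when the server or the session is gone."""

class FatalError(Exception):
    """Raised by the plugin when reconnecting fails and the spool is full."""


class FakeDbServer:
    """Constructed stand-in for the DB server; crash()/restart() drive outages."""
    def __init__(self):
        self.up = True
        self.rows = []       # rows actually stored, in insertion order
        self.sessions = []

    def connect(self):
        if not self.up:
            raise DbDown("connection refused")
        session = FakeSession(self)
        self.sessions.append(session)
        return session

    def crash(self):
        self.up = False
        for s in self.sessions:   # open sessions die with the server
            s.alive = False

    def restart(self):
        self.up = True            # old sessions stay dead: clients must reconnect


class FakeSession:
    def __init__(self, server):
        self.server, self.alive = server, True

    def insert(self, row):
        if not self.alive:
            raise DbDown("server closed the connection")
        self.server.rows.append(row)


class DbOutput:
    """Output plugin: Insert(); on failure Connect() again; spool while down."""
    def __init__(self, server, spool_max=1000):
        self.server = server
        self.session = server.connect()
        self.spool = deque()      # alerts not yet stored, oldest first
        self.spool_max = spool_max
        self.reconnects = 0

    def _reconnect(self):
        try:
            self.session = self.server.connect()
        except DbDown:
            return False
        self.reconnects += 1
        return True

    def _drain(self, alert):
        """Insert spooled alerts first, then this one, preserving order."""
        while self.spool:
            self.session.insert(self.spool[0])   # raises DbDown if still down
            self.spool.popleft()
        self.session.insert(alert)

    def log(self, alert):
        """True when the alert reached the database, False when spooled."""
        for attempt in (0, 1):
            try:
                self._drain(alert)
                return True
            except DbDown:
                if attempt == 0 and not self._reconnect():
                    break          # reconnect failed: fall through to spooling
        if len(self.spool) >= self.spool_max:
            raise FatalError("database unreachable and spool full")
        self.spool.append(alert)
        return False


def simulate(outage_start, outage_end, n_alerts=10, spool_max=1000):
    """Feed n_alerts through the plugin with the server down for alerts
    [outage_start, outage_end); report stored, still-spooled, reconnects."""
    server = FakeDbServer()
    plugin = DbOutput(server, spool_max)
    for i in range(n_alerts):
        if i == outage_start:
            server.crash()
        if i == outage_end:
            server.restart()
        plugin.log(f"alert-{i}")
    return {"stored": list(server.rows), "spooled": list(plugin.spool),
            "reconnects": plugin.reconnects}


def overflows_spool(outage_start, outage_end, spool_max, n_alerts=10):
    """True if the outage exhausts a spool of spool_max entries."""
    try:
        simulate(outage_start, outage_end, n_alerts, spool_max)
    except FatalError:
        return True
    return False
```

With the server down for alerts 3 to 5, `simulate(3, 6)` stores all ten alerts in order after a single reconnect; with the spool capped at two entries the same outage ends in FatalError, which is the point at which quitting (as 1.8 does) is the honest choice, because alerts are now really being lost.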
--__--__--

End of Snort-users Digest

--__--__--

Message: 3
To: Koaps <koaps () 2nutz com>
Cc: snort-users () lists sourceforge net
From: roman () danyliw com
Subject: Re: [Snort-users] logging issue
Date: Thu, 10 May 2001 15:35:26 US/Eastern

Is it logging anywhere else (e.g. to a file)? What does your command line look like? Does it have a "-A"? If so, remove it.

Roman
> I don't get it.... I have Snort 1.7 on OpenBSD. It's telling me it's seeing packets, it's sending alerts, but I see no data in mysql....
>
> ===============================================================================
> Snort received 5065 packets and dropped 0(0.000%) packets
>
> Breakdown by protocol:                Action Stats:
>
>     TCP: 5048       (99.664%)         ALERTS: 7
>     UDP: 0          (0.000%)          LOGGED: 7
>    ICMP: 12         (0.237%)          PASSED: 0
>     ARP: 0          (0.000%)
>    IPv6: 0          (0.000%)
>     IPX: 0          (0.000%)
>   OTHER: 0          (0.000%)
> DISCARD: 0          (0.000%)
> =======================================
>
> connect info
>
> Initializing rule chains...
> database: compiled support for ( mysql )
> database: configured to use mysql
> database: user = ids
> database: password is set
> database: database name = snortdb
> database: host = 192.168.69.5
> database: sensor name = 192.168.69.12
> database: sensor id = 2
> database: using the "log" facility
> 796 Snort rules read...
> 796 Option Chains linked into 114 Chain Headers
> 0 Dynamic rules
> +++++++++++++++++++++++++++++++++++++++++++++++++++
>
> I am using ACID to look at the SnortDB. I can see it's registered in the database as a sensor... I just see no data from it.
>
> L8rZ,
>  )\_/(
> < o,0 >
> ~ \ /
> KoAps
--__--__--

Message: 4
From: "Robinson, Ken" <ken.robinson () ccra-adrc gc ca>
To: "Snort List (E-mail)" <snort-users () lists sourceforge net>
Date: Thu, 10 May 2001 15:41:30 -0400
Subject: [Snort-users] Rules vs performance

Hello,

Are there any rules of thumb, or such, on how the number of Snort rules affects the performance?

In doing some lab tests, we found that as the amount of traffic went up, we detected fewer and fewer test attacks. CPU usage was high, but not peaked right out. The lab boxes were PIII 800Mhz systems with 100Mbit NICs and 256Meg RAM.

I don't know if the misses were due to an issue with the hardware (NIC missing packets?), or if there were too many rules to sort through for the Snort software, or too much logging?

We've looked through the snort rules from Whitehats and found many cases where we could reduce the rules by either dropping them (i.e. don't care), reducing them (i.e. all the ICMP itype 8 could just be recorded as ping instead of detecting which OS), or making groups of them as activate rules (i.e. the DeepThroat backdoor rules). We could also use the Activate rules to log the next 50 packets and then run a full set of rules on those logged packets.

So, any advice for us? Should we use Activate rules as much as possible? Should we generalize rules? Or is all of this not going to make much of a difference?

Thanks.

----
Ken Robinson

--__--__--

Message: 5
Date: Thu, 10 May 2001 12:53:00 -0700
From: Kevin Brown <Kevin.M.Brown () asu edu>
Subject: RE: [Snort-users] Rules vs performance
To: "'Robinson, Ken'" <ken.robinson () ccra-adrc gc ca>, "Snort List (E-mail)" <snort-users () lists sourceforge net>
I know on the Intel box I was testing out (PII 450 256MB) on a 100Mb/s link the snort was clocking 40% of the cpu with absolutely no rules or plugins. I don't remember the specifics, but I was removing rules from the list till snort dropped to 80% or less, and of the ruleset of 400 rules I had to drop all but 50, I believe, to get it down. I'm currently using a Sparc 500 and it is clocking 50% of the CPU (same link) with the full ruleset in place (snort1.8b5 build 20). I downloaded top and compiled it and just watch the processes, and notice that with just the database and spp plugins snort is slowly eating up my 1GB of memory. I don't know if that is a memory leak or just a lot of memory caching going on within snort.

-----Original Message-----
From: Robinson, Ken [mailto:ken.robinson () ccra-adrc gc ca]
Sent: Thursday, May 10, 2001 12:42
To: Snort List (E-mail)
Subject: [Snort-users] Rules vs performance

> Hello,
>
> Are there any rules of thumb, or such, on how the number of Snort rules affects the performance?
>
> In doing some lab tests, we found that as the amount of traffic went up, we detected fewer and fewer test attacks. CPU usage was high, but not peaked right out. The lab boxes were PIII 800Mhz systems with 100Mbit NICs and 256Meg RAM.
>
> I don't know if the misses were due to an issue with the hardware (NIC missing packets?), or if there were too many rules to sort through for the Snort software, or too much logging?
>
> We've looked through the snort rules from Whitehats and found many cases where we could reduce the rules by either dropping them (i.e. don't care), reducing them (i.e. all the ICMP itype 8 could just be recorded as ping instead of detecting which OS), or making groups of them as activate rules (i.e. the DeepThroat backdoor rules). We could also use the Activate rules to log the next 50 packets and then run a full set of rules on those logged packets.
>
> So, any advice for us? Should we use Activate rules as much as possible? Should we generalize rules? Or is all of this not going to make much of a difference?
>
> Thanks.
>
> ----
> Ken Robinson

--__--__--

Message: 6
Date: Thu, 10 May 2001 14:54:31 -0500
From: "shawn . moyer" <shawn () net-connect net>
To: Cedric Guillotin <guillo_c () fluxus net>
Cc: Jeff Dell <jdell () teleplace com>, snort-users () lists sourceforge net
Subject: Re: [Snort-users] Rule Management Tool

By the way, I pulled this down, still twiddling with it, but the first thing I noticed is it needs MSCOMCTL.OCX -- I dl'd this from: http://www.microxl.com/wintersasj/download/mscomctl.zip

--shawn

--
s h a w n   m o y e r
shawn () net-connect net

"May the forces of evil become confused on the way to your house." --George Carlin

--__--__--

Message: 7
From: Jeff Dell <jdell () teleplace com>
To: "'shawn . moyer'" <shawn () net-connect net>, Cedric Guillotin <guillo_c () fluxus net>
Cc: Jeff Dell <jdell () teleplace com>, snort-users () lists sourceforge net
Subject: RE: [Snort-users] Rule Management Tool
Date: Thu, 10 May 2001 16:03:21 -0400

Yea.. it needs the MS Visual Basic runtimes installed. They should be included in win2k.

Jeff

-----Original Message-----
From: shawn . moyer [mailto:shawn () net-connect net]
Sent: Thursday, May 10, 2001 3:55 PM
To: Cedric Guillotin
Cc: Jeff Dell; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Rule Management Tool

> By the way, I pulled this down, still twiddling with it, but the first thing I noticed is it needs MSCOMCTL.OCX -- I dl'd this from: http://www.microxl.com/wintersasj/download/mscomctl.zip
>
> --shawn
>
> --
> s h a w n   m o y e r
> shawn () net-connect net
>
> "May the forces of evil become confused on the way to your house." --George Carlin

--__--__--

Message: 8
Date: Thu, 10 May 2001 13:15:30 -0700
From: Kevin Brown <Kevin.M.Brown () asu edu>
Subject: RE: [Snort-users] New Conundrum
To: snort-users () lists sourceforge net

OK, did some more digging and I'm still under the impression that something's not right. I finally figured out that for each sensor it creates a new cid entry in the event table that is unique only against the sid (e.g. if you have 4 sensors logging you could have four rows with a cid of 1000 with a unique sid attached to each).
So with that in hand I did a select statement to find the cids for just the sun box and came up with:

 sid | cid | signature |       timestamp
-----+-----+-----------+------------------------
   3 |  30 |       424 | 2001-05-09 05:07:40-07
   3 |  31 |       424 | 2001-05-09 05:07:40-07
   3 |  32 |       668 | 2001-05-14 02:10:41-07   <----
   3 |  33 |       424 | 2001-05-09 05:07:41-07
   3 |  34 |      5538 | 2001-05-09 05:07:41-07
   3 |  35 |      1250 | 2001-05-14 02:10:42-07   <----
   3 |  36 |       424 | 2001-05-09 05:07:42-07
   3 |  37 |       424 | 2001-05-09 05:07:42-07
   3 |  38 |       424 | 2001-05-09 05:07:42-07
   3 |  39 |       424 | 2001-05-09 05:07:42-07
   3 |  40 |       424 | 2001-05-09 05:07:42-07
   3 |  41 |      5541 | 2001-01-28 22:19:42-07   <----
   3 |  42 |      1053 | 2001-05-14 02:10:43-07   <----

Notice that the timestamp field jumps around in date even though the cid of the events is sequential. I don't know where this problem is introduced, but it doesn't seem to have happened to the Linux (RH6.2 kernel 2.2.19) box that was in the wild.

-----Original Message-----
From: Kevin Brown [mailto:Kevin.M.Brown () asu edu]
Sent: Wednesday, May 09, 2001 16:03
To: snort-users () lists sourceforge net
Subject: [Snort-users] New Conundrum

> Got a new little thing I found. I just finished putting that Netra T1 into place to begin testing. I have it logging to the same database as the PII 450 that was out there. I went looking through the database to verify that it is indeed logging and found that the timestamps for the events being logged by the Sun box are 5 days behind today (5/4/2001). I discovered this by just doing a "select timestamp from event where cid = <count of rows>;".
>
> The box has the following on it.
> Solaris 8
> psql 7.0.3 (for the shared libs to send data to a remote sql box)
> snort 1.8b4 (build 14)
>
> running date returns the following: Wed May 9 15:58:05 MST 2001
> which is only off by a minute or less from current local time.
>
> The linux box that had been there (PII 450) last logged a packet at 10:44AM, Wed May 9, which is the time that I shut it down to put the Sun in its place.

--__--__--

End of Snort-users Digest
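The (sid, cid) point from the "New Conundrum" message, and the check behind its arrows, as an added example. This is not code from Snort, ACID or the poster: the sqlite3 schema is a minimal stand-in for the real Snort event table (only the composite key matters here), the sid 3 rows are copied from the table in the message with the UTC offset dropped, and the sid 1 rows are constructed to show a second sensor reusing the same cid values.

```python
"""Per-sensor cids and a check for timestamps that jump out of sequence.

Added example, not code from Snort, ACID or the poster. A sqlite3 table
with the (sid, cid) composite key shows why cid is unique only within a
sensor, and a query over one sensor's rows in cid order flags the
timestamps the arrows in the message point at. The schema is a minimal
stand-in, not the real Snort database schema; the sid 3 rows are copied
from the message (UTC offset dropped) and the sid 1 rows are constructed.
"""
import sqlite3
from datetime import datetime, timedelta

SCHEMA = """
CREATE TABLE sensor (sid INTEGER PRIMARY KEY, hostname TEXT);
CREATE TABLE event (
    sid       INTEGER NOT NULL REFERENCES sensor(sid),
    cid       INTEGER NOT NULL,
    signature INTEGER NOT NULL,
    timestamp TEXT    NOT NULL,
    PRIMARY KEY (sid, cid)      -- cid repeats across sensors, never within one
);
"""

SAMPLE_SENSORS = [(1, "linux-pii450"), (3, "netra-t1")]
SAMPLE_EVENTS = [
    (3, 30, 424,  "2001-05-09 05:07:40"),
    (3, 31, 424,  "2001-05-09 05:07:40"),
    (3, 32, 668,  "2001-05-14 02:10:41"),
    (3, 33, 424,  "2001-05-09 05:07:41"),
    (3, 34, 5538, "2001-05-09 05:07:41"),
    (3, 35, 1250, "2001-05-14 02:10:42"),
    (3, 36, 424,  "2001-05-09 05:07:42"),
    (3, 37, 424,  "2001-05-09 05:07:42"),
    (3, 38, 424,  "2001-05-09 05:07:42"),
    (3, 39, 424,  "2001-05-09 05:07:42"),
    (3, 40, 424,  "2001-05-09 05:07:42"),
    (3, 41, 5541, "2001-01-28 22:19:42"),
    (3, 42, 1053, "2001-05-14 02:10:43"),
    # constructed rows for the other sensor, reusing the same cid values
    (1, 30, 424,  "2001-05-09 10:40:00"),
    (1, 31, 424,  "2001-05-09 10:41:00"),
    (1, 32, 424,  "2001-05-09 10:42:00"),
]


def load(events=SAMPLE_EVENTS):
    """In-memory database holding the schema and the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO sensor VALUES (?, ?)", SAMPLE_SENSORS)
    conn.executemany("INSERT INTO event VALUES (?, ?, ?, ?)", events)
    conn.commit()
    return conn


def insert_event(conn, sid, cid, signature, timestamp):
    """Insert one event; False when (sid, cid) is already taken."""
    try:
        with conn:
            conn.execute("INSERT INTO event VALUES (?, ?, ?, ?)",
                         (sid, cid, signature, timestamp))
    except sqlite3.IntegrityError:
        return False
    return True


def sensors_with_cid(conn, cid):
    """Every sid holding this cid: the 'four rows with a cid of 1000' case."""
    rows = conn.execute("SELECT sid FROM event WHERE cid = ? ORDER BY sid", (cid,))
    return [sid for (sid,) in rows]


def out_of_sequence_cids(conn, sid, max_skew=timedelta(hours=1)):
    """cids of one sensor whose timestamp is more than max_skew away from
    that sensor's median timestamp.

    cid is assigned in insertion order, so a sensor's timestamps should rise
    with cid; the median is used rather than the neighbouring row because a
    single bad row would otherwise flag its correct neighbours as well."""
    rows = conn.execute("SELECT cid, timestamp FROM event WHERE sid = ? "
                        "ORDER BY cid", (sid,)).fetchall()
    if not rows:
        return []
    stamps = [datetime.strptime(ts, "%Y-%m-%d %H:%M:%S") for _, ts in rows]
    median = sorted(stamps)[len(stamps) // 2]
    return [cid for (cid, _), ts in zip(rows, stamps) if abs(ts - median) > max_skew]


if __name__ == "__main__":
    db = load()
    print(sensors_with_cid(db, 30))        # [1, 3]
    print(out_of_sequence_cids(db, 3))     # [32, 35, 41, 42]
```

`sensors_with_cid(db, 30)` returns both sensors, so any query on cid alone (as in "select timestamp from event where cid = ...") mixes sensors and must be qualified with sid. `out_of_sequence_cids(db, 3)` returns exactly the four arrowed rows; the same check over the Linux sensor's rows returns nothing.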
Current thread:
- ******unsubscribe****** Ryan McClure (Systems Admin) - United Shipping (May 10)
- Re: ******unsubscribe****** shawn . moyer (May 10)
- Re: ******unsubscribe****** Martin Roesch (May 10)
- Re: ******unsubscribe****** shawn . moyer (May 10)