Snort mailing list archives
Help
From: Advanced Hosting UNIX Admin Daniel Fairchild <danielf () supportteam net>
Date: Sun, 5 Aug 2001 13:31:39 -0500
I am setting up snort 1.8 for the first time with database mysql logging and snort does not work. Here is my config with IPs changed :)

---------- MY CONFIG FILE --------------
# Start snort with:
# /usr/local/bin/snort -c /etc/snort.d/snort.conf -l /tcplog/snort -D -i eth1 -q
#
# Network variables.
var HOME_NET x.x.128.0/17 x.x.0.0/17 x.x.0.0/17 x.x.160.0/19 x.x.64.0/18
var EXTERNAL_NET any

# Servers
var SMTP $HOME_NET
var HTTP_SERVERS $HOME_NET

# Dns servers.
var DNS_SERVERS x.x.x.203/32 x.x.128.204/32 x.x.160.10/32 x.x.162.106/32

# detect portscans, connect to 6 ports over 3 seconds
preprocessor portscan: $HOME_NET 6 3 portscan.log

# Preprocessors
preprocessor frag2
preprocessor stream4
preprocessor stream4_reassemble
preprocessor http_decode: 80 -unicode -cginull
preprocessor bo: -nobrute
preprocessor rpc_decode: 111
preprocessor telnet_decode
include classification.config

# Ignore DNS servers for false portscans
preprocessor portscan-ignorehosts: $DNS_SERVERS

# Configure output to database.
output database: alert, mysql, user=snort password=PASS dbname=snort host=localhost detail=full
output alert_full: alert

#
#
# RULE SETS TO INCLUDE
#
#
#
#include local_rules
include DDoS_rules
include Sploits_rules
include BackDoor_rules
include Rservices_rules
#include Test_rules
--------------- END CONFIG --------------

Here is the output from the command:

/usr/local/bin/snort -c /etc/snort.d/snort.conf -l /tcplog/snort -i eth0

--------------- OUTPUT ------------------
Log directory = /tcplog/snort

        --== Initializing Snort ==--
Checking PID path...
PATH_VARRUN is set to /var/run/ on this operating system
Initializing Network Interface eth0
User level filter, protocol ALL, raw packet socket
Decoding Ethernet on interface eth0
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!
Parsing Rules file /etc/snort.d/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
No arguments to stream4 directive, setting defaults to:
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    Stateful Inspection: ACTIVE
    Stream Reassembly: INACTIVE
    Stream Stats: INACTIVE
    State Alerts: ACTIVE
No arguments to stream4_reassemble, setting defaults:
    Reassemble client: ACTIVE
    Reassemble server: INACTIVE
    Reassemble ports: 21 23 25 53 80 143 110 111 513
    Reassembly alerts: ACTIVE
Back Orifice detection brute force: DISABLED
Using LOCAL time
UnifiedAlertFilename = snort.alert
Opening /tcplog/snort/0805@1326-snort.log
909 Snort rules read...
909 Option Chains linked into 145 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->activation->dynamic->alert->pass->log

        --== Initialization Complete ==--

-*> Snort! <*-
Version 1.8-RELEASE (Build 43)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
----------------- END OUTPUT -------------------

My mysql works fine from the command line; the libs for it are in ld.so.conf and ldconfig was run after making that change. Even if I remove the output database: line I get nothing, even though I pound on the server with tools that should be setting off alarms. What else can I send you guys so you can hopefully help me here?

Thanks
--
Advanced Hosting UNIX Admin | Daniel Fairchild
danielf () supportteam net
Unix is like a wigwam -- no Gates, no Windows, and an Apache inside.
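As an added illustration that is not part of the original post or of Snort itself, a small checker for the snort.conf format quoted above: it resolves $VAR references in the order the file defines them and validates the key=value parameters on the "output database:" line, which is where a line-wrap or typo such as "snorth ost=" would otherwise go unnoticed. The accepted parameter names are an assumption taken from the database plugin's documented options, and the sample config is constructed, not the poster's file.

```python
import re

# Constructed sample modelled on the snort.conf in the post, keeping its
# broken "dbname=snorth ost=localhost" tokens so the checker has something to flag.
SAMPLE_CONF = """\
var HOME_NET 10.0.128.0/17 10.1.0.0/17
var EXTERNAL_NET any
var SMTP $HOME_NET
var DNS_SERVERS 10.0.0.203/32 10.0.128.204/32
preprocessor portscan: $HOME_NET 6 3 portscan.log
preprocessor portscan-ignorehosts: $DNS_SERVERS
output database: alert, mysql, user=snort password=PASS dbname=snorth ost=localhost detail=full
output alert_full: alert
"""

# Parameter names the database output plugin accepts (assumption taken from the
# plugin's documented options; anything else is a typo or line-wrap damage).
DB_PARAMS = {"host", "port", "dbname", "user", "password",
             "sensor_name", "encoding", "detail"}

def lint_snort_conf(text):
    """Return [(line_no, message), ...] for problems found in a snort.conf body."""
    variables, findings = {}, []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        # Snort expands $NAME at parse time, so a name must be defined above its use.
        for ref in re.findall(r"\$([A-Za-z_]\w*)", line):
            if ref not in variables:
                findings.append((no, f"undefined variable ${ref}"))
        parts = line.split()
        if parts[0] == "var" and len(parts) >= 3:
            variables[parts[1]] = " ".join(parts[2:])
            continue
        if line.startswith("output database:"):
            # form: output database: <alert|log>, <dbtype>, key=value key=value ...
            args = [a.strip() for a in line[len("output database:"):].split(",")]
            if len(args) != 3 or args[0] not in ("alert", "log"):
                findings.append((no, "expected 'output database: <alert|log>, <dbtype>, params'"))
                continue
            for token in args[2].split():
                key, sep, _ = token.partition("=")
                if not sep:
                    findings.append((no, f"malformed parameter '{token}'"))
                elif key not in DB_PARAMS:
                    findings.append((no, f"unknown database parameter '{key}'"))
    return findings
```

Run lint_snort_conf() over the real file before starting the daemon; it reports the line number and the offending token rather than leaving you to guess from a silent sensor.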