Snort mailing list archives

RE: Snort-users digest, Vol 1 #890 - 10 msgs


From: "Milton Sullivan" <miltonsullivan () yahoo com>
Date: Mon, 6 Aug 2001 22:21:53 -0700

Sam,

Just for shits and giggles, go into Internet Options (for MSIE) and
under the Advanced tab, unselect the "Use HTTP 1.1" option. Then try and
visit the site again. This should force an HTTP/1.0 connection.

Also, try playing around with the 3 options labeled "Use SSL 2", "Use
SSL 3", and "Use TLS 1.0". Try and see if any different combinations of
those make a difference.

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of
snort-users-request () lists sourceforge net
Sent: Monday, August 06, 2001 7:56 PM
To: snort-users () lists sourceforge net
Subject: Snort-users digest, Vol 1 #890 - 10 msgs

Send Snort-users mailing list submissions to
        snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
        http://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
        snort-users-request () lists sourceforge net

You can reach the person managing the list at
        snort-users-admin () lists sourceforge net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."


Today's Topics:

   1. Re: Snort & Firewall (Stephen Torri)
   2. Re: Snort Dumps.... (George D. Nincehelser)
   3. ACID and ICMP (James Kelty)
   4. need help (Eduard Meiler)
   5. snort-1.8 and mysql timestamp problem... (Michael Teng)
   6. Re: Cmd.exe requests (Jason)
   7. Re: Cmd.exe requests (Ryan Russell)
   8. Re: ACID and MySQL questions (roman () danyliw com)
   9. RE: ACID and MySQL questions (Jason Lewis)
  10. libnet.h missing error when making under RHAT7.1 (Jim Hankins)

--__--__--

Message: 1
Date: Mon, 6 Aug 2001 19:02:30 -0400 (EDT)
From: Stephen Torri <storri () ameritech net>
To: John Sage <jsage () finchhaven com>
cc:  <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Snort & Firewall

On Mon, 6 Aug 2001, John Sage wrote:

> I am running snort 1.8.1-beta4 on my ipchains-based Linux firewall box
> and it works just fine.
>
> I'm using ppp via a (conventional) modem, and if I understand ppp
> correctly, the concept of "promiscuous" is not relevant.
>
> ppp is point-to-point, so both ends of that connection are handling
> only packets specific to that connection (which isn't to say you
> mayn't get some broadcast or multicast packets, but even they should
> be *for* you...)

I am satisfied with the firewall. My first concern was: if the NIC is in
promiscuous mode, would that be a problem? To which you say you are not
concerned, because PPP by its nature only works for one IP address,
mine. Yet with a typical NIC on an ethernet-based network I get traffic
which is not for me when in promiscuous mode. How are they different?
Just trying to understand the comparison. Is the other end of the link
for the connection (my ISP) filtered so that only I get traffic "for"
me?

> > 2) If I can, which will pick up an incoming packet first, snort or
> > the firewall (ipchains)?
>
> My experience is that snort sees everything ipchains does, and ipchains
> sees what comes in and does what it's supposed to...

So if snort notices an attack of a particular type it can update ipchains
to protect the network from this new attack as well. Right? For example,
if an attack of type A is noticed, a rule is added to ipchains to prevent
said IP address from continuing to attack the service (i.e. HTTP on port
80).

Stephen



--__--__--

Message: 2
Date: Mon, 06 Aug 2001 18:04:43 -0500
From: "George D. Nincehelser" <george () ccitriad net>
Subject: Re: [Snort-users] Snort Dumps....
To: JSeddon () semtech com, snort-users () lists sourceforge net

I've been having the same problem on a similar Linux setup. (Redhat 7.1,
Pentium II, 400 MHz)

Originally I tried the RPM.  It dumped too often.  Fyodor suggested I try
the source instead.  I compiled 1.8p1.  That worked well from yesterday
afternoon, but then started dumping this morning.  I think it may be load
related.

I'm now trying the recently announced new beta (1.8.1 beta 6) with my
fingers crossed.

George

----- Original Message -----
From: <JSeddon () semtech com>
To: <snort-users () lists sourceforge net>
Sent: Monday, August 06, 2001 4:22 PM
Subject: [Snort-users] Snort Dumps....


This is the first time I've used this list to troubleshoot a core dump,
so point me right if I'm screwing it up.  I'm running snort 1.8 on a
RedHat 7.1 box.  Snort runs great for anywhere from 1-5 hours but never
longer.  Then it dumps a core.  I've followed the FAQ procedure and here's
the gdb output.  Is there anything else I can forward that will help us
figure this out?

James

     GNU gdb 5.0rh-5 Red Hat Linux 7.1
     Copyright 2001 Free Software Foundation, Inc.
     GDB is free software, covered by the GNU General Public License, and you are
     welcome to change it and/or distribute copies of it under certain conditions.
     Type "show copying" to see the conditions.
     There is absolutely no warranty for GDB.  Type "show warranty" for details.
     This GDB was configured as "i386-redhat-linux"...
     Core was generated by `snort -c /etc/snort/snort.conf -d -D -o -h 204.216.171.0/24'.
     Program terminated with signal 11, Segmentation fault.
     Reading symbols from /lib/i686/libm.so.6...done.
     Loaded symbols for /lib/i686/libm.so.6
     Reading symbols from /lib/libnsl.so.1...done.
     Loaded symbols for /lib/libnsl.so.1
     Reading symbols from /usr/lib/libssl.so.1...done.
     Loaded symbols for /usr/lib/libssl.so.1
     Reading symbols from /usr/lib/libcrypto.so.1...done.
     Loaded symbols for /usr/lib/libcrypto.so.1
     Reading symbols from /lib/i686/libc.so.6...done.
     Loaded symbols for /lib/i686/libc.so.6
     Reading symbols from /lib/libdl.so.2...done.
     Loaded symbols for /lib/libdl.so.2
     Reading symbols from /lib/ld-linux.so.2...done.
     Loaded symbols for /lib/ld-linux.so.2
     Reading symbols from /lib/libnss_files.so.2...done.
     Loaded symbols for /lib/libnss_files.so.2
     Reading symbols from /lib/libnss_nisplus.so.2...done.
     Loaded symbols for /lib/libnss_nisplus.so.2
     #0  0x08052981 in mSearch (
         buf=0x402b02db "MC_COOKIETEST=YES\r\n\r\nC_IN min 12v <> load_I_min",
         blen=65510, ptrn=0x8465f90 ".ewl", plen=4, skip=0x8465fa0, shift=0x84663a8)
         at mstring.c:506
     ---Type <return> to continue, or q <return> to quit---
     506          }
     (gdb) where
     #0  0x08052981 in mSearch (
         buf=0x402b02db "MC_COOKIETEST=YES\r\n\r\nC_IN min 12v <> load_I_min",
         blen=65510, ptrn=0x8465f90 ".ewl", plen=4, skip=0x8465fa0, shift=0x84663a8)
         at mstring.c:506
     #1  0x08058c06 in CheckUriPatternMatch (p=0xbffff290, otn_idx=0x84654b0,
         fp_list=0x84663c0) at sp_pattern_match.c:873
     #2  0x0805614f in EvalOpts (List=0x81196f0, p=0xbffff290) at rules.c:4026
     #3  0x08055e89 in EvalHeader (rtn_idx=0x80fa3e8, p=0xbffff290) at rules.c:3745
     #4  0x08055e14 in EvalPacket (List=0x809ed18, mode=2, p=0xbffff290)
         at rules.c:3673
     #5  0x08055c90 in Detect (p=0xbffff290) at rules.c:3565
     #6  0x08055ac7 in Preprocess (p=0xbffff290) at rules.c:3433
     #7  0x0804b4ff in ProcessPacket (user=0x0, pkthdr=0xbffff780,
         pkt=0x402b0042 "") at snort.c:512
     #8  0x08077426 in packet_ring_recv () at eval.c:41
     #9  0x0807774f in pcap_read () at eval.c:41
     #10 0x080783ff in pcap_loop () at eval.c:41
     #11 0x0804c8b0 in InterfaceThread (arg=0x0) at snort.c:1441
     #12 0x0804b3cf in main (argc=8, argv=0xbffff9d4) at snort.c:445
     #13 0x40161177 in __libc_start_main (main=0x804ad70 <main>, argc=8,
         ubp_av=0xbffff9d4, init=0x804a23c <_init>, fini=0x8081df0 <_fini>,
         rtld_fini=0x4000e184 <_dl_fini>, stack_end=0xbffff9cc)
         at ../sysdeps/generic/libc-start.c:129
     (gdb) bt
     #0  0x08052981 in mSearch (
         buf=0x402b02db "MC_COOKIETEST=YES\r\n\r\nC_IN min 12v <> load_I_min",
         blen=65510, ptrn=0x8465f90 ".ewl", plen=4, skip=0x8465fa0, shift=0x84663a8)
         at mstring.c:506
     #1  0x08058c06 in CheckUriPatternMatch (p=0xbffff290, otn_idx=0x84654b0,
         fp_list=0x84663c0) at sp_pattern_match.c:873
     #2  0x0805614f in EvalOpts (List=0x81196f0, p=0xbffff290) at rules.c:4026
     #3  0x08055e89 in EvalHeader (rtn_idx=0x80fa3e8, p=0xbffff290) at rules.c:3745
     #4  0x08055e14 in EvalPacket (List=0x809ed18, mode=2, p=0xbffff290)
         at rules.c:3673
     #5  0x08055c90 in Detect (p=0xbffff290) at rules.c:3565
     #6  0x08055ac7 in Preprocess (p=0xbffff290) at rules.c:3433
     #7  0x0804b4ff in ProcessPacket (user=0x0, pkthdr=0xbffff780,
         pkt=0x402b0042 "") at snort.c:512
     #8  0x08077426 in packet_ring_recv () at eval.c:41
     #9  0x0807774f in pcap_read () at eval.c:41
     #10 0x080783ff in pcap_loop () at eval.c:41
     #11 0x0804c8b0 in InterfaceThread (arg=0x0) at snort.c:1441
     #12 0x0804b3cf in main (argc=8, argv=0xbffff9d4) at snort.c:445
     #13 0x40161177 in __libc_start_main (main=0x804ad70 <main>, argc=8,
         ubp_av=0xbffff9d4, init=0x804a23c <_init>, fini=0x8081df0 <_fini>,
         rtld_fini=0x4000e184 <_dl_fini>, stack_end=0xbffff9cc)
         at ../sysdeps/generic/libc-start.c:129




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




--__--__--

Message: 3
Date: Mon, 06 Aug 2001 20:39:50 -0700
From: James Kelty <jamesk () ashlandagency com>
To: snort-users () lists sourceforge net
Subject: [Snort-users] ACID and ICMP

Forgive me if this has been hashed and re-hashed already, but I just
installed the latest versions of Snort and ACID. ACID seems to be
working well. I notice my two sensors, but the problem is, all I get
are ICMP destination unreachable messages logged. No TCP, no UDP, no
portscans.

I fired up nmap against one system and I got the  same thing. I am used 
to the 1.7 version logging all kinds of info when I run:

$ nmap -O -p1-65535 -sT host

But not this time.

Any help would be appreciated!

Thanks

-James


-- 
James Kelty
Sr. Unix Systems Administrator
The Ashland Agency
541.488.0801
jamesk () ashlandagency com




--__--__--

Message: 4
From: "Eduard Meiler" <edik () meiler org>
To: <snort-users () lists sourceforge net>
Date: Tue, 7 Aug 2001 02:07:39 +0200
Subject: [Snort-users] need help

Hello,

I have a problem with a log. Can somebody tell me what happened with my
system at Aug 6 13.48.00 and 14.17.00, when somebody tried to log in via
ftp? Did this person install something on my system?
How can I see why my system made a reboot at 13.17?

waiting for help

regards
eduard

Aug  6 08:47:12 wall pppd[23359]: Local IP address changed to 217.5.91.5
Aug  6 08:47:13 wall pppoe[27033]: Bad TCP checksum 1
Aug  6 09:00:00 wall kernel: Sorry: masquerading timeouts set 5DAYS/2MINS/60SECS
Aug  6 09:00:00 wall pppd[27104]: not replacing default route to ppp0 [193.158.131.29]
Aug  6 09:10:05 wall sendmail[27130]: gethostbyaddr(10.64.64.65) failed: 1
Aug  6 13:17:13 wall kernel: ip_conntrack (1023 buckets, 8184 max)
Aug  6 13:17:24 wall squid[733]: Starting Squid Cache version 2.3.STABLE4-hno.CVS for i686-pc-linux-gnu...


Aug  6 13:17:13 wall kernel:   product code 4347 rev 00.12 date 01-29-00
Aug  6 13:17:13 wall kernel:   8K byte-wide RAM 5:3 Rx:Tx split, autoselect/Autonegotiate interface.
Aug  6 13:17:13 wall kernel:   MII transceiver found at address 24, status 786d.
Aug  6 13:17:13 wall kernel:   Enabling bus-master transmits and whole-frame receives.
Aug  6 13:17:13 wall kernel: eth1: scatter/gather disabled. h/w checksums enabled
Aug  6 13:17:13 wall kernel: eth0: using NWAY device table, not 8
Aug  6 13:17:13 wall kernel: IPv6 v0.8 for NET4.0
Aug  6 13:17:13 wall kernel: IPv6 over IPv4 tunneling driver
Aug  6 13:17:15 wall kernel: Installing knfsd (copyright (C) 1996 okir () monad swb de).
Aug  6 13:17:24 wall kernel: eth1: using NWAY device table, not 8


Aug  6 13:48:00 wall proftpd[898]: connect from 217.5.68.153 (217.5.68.153)
Aug  6 13:48:00 wall proftpd[898]: wall.gelbart.de (pD9054499.dip.t-dialin.net[217.5.68.153]) - FTP session opened.
Aug  6 13:48:00 wall proftpd[898]: wall.gelbart.de (pD9054499.dip.t-dialin.net[217.5.68.153]) - no such user 'anonymous'
Aug  6 13:48:01 wall last message repeated 4 times
Aug  6 13:48:01 wall proftpd[898]: wall.gelbart.de (pD9054499.dip.t-dialin.net[217.5.68.153]) - USER anonymous: no such user found from pD9054499.dip.t-dialin.net [217.5.68.153] to 217.5.91.17:21
Aug  6 13:48:01 wall proftpd[898]: wall.gelbart.de (pD9054499.dip.t-dialin.net[217.5.68.153]) - FTP session closed.

Aug  6 14:17:27 wall proftpd[1006]: connect from 217.5.68.153 (217.5.68.153)
Aug  6 14:17:27 wall proftpd[1006]: wall.gelbart.de (pd9054499.dip.t-dialin.net[217.5.68.153]) - FTP session opened.
Aug  6 14:17:27 wall proftpd[1006]: wall.gelbart.de (pd9054499.dip.t-dialin.net[217.5.68.153]) - no such user 'anonymous'
Aug  6 14:17:27 wall last message repeated 4 times
Aug  6 14:17:27 wall proftpd[1006]: wall.gelbart.de (pd9054499.dip.t-dialin.net[217.5.68.153]) - USER anonymous: no such user found from pd9054499.dip.t-dialin.net [217.5.68.153] to 217.5.91.17:21
Aug  6 14:17:27 wall proftpd[1006]: wall.gelbart.de (pd9054499.dip.t-dialin.net[217.5.68.153]) - FTP session closed.




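As an added illustration (not part of Eduard's post or of any reply in the digest), here is a small log-triage script run over a constructed copy of the excerpt above. It answers the two questions the way a responder would: it rebuilds each proftpd session by PID, expanding syslog's "last message repeated N times" so the rejected anonymous logins are counted correctly, and it treats the cluster of kernel initialisation messages at 13:17:13 as the boot that followed the reboot, reporting whether any shutdown message was logged before it. The boot-marker strings, the shutdown-marker strings and the proftpd "Login successful" wording are assumptions, not taken from the post.

```python
import re
from collections import defaultdict

# Constructed syslog excerpt: lines quoted in the post above (host "wall"),
# rewrapped onto single lines. Not captured from a live system.
SAMPLE_LOG = """\
Aug  6 13:17:13 wall kernel: ip_conntrack (1023 buckets, 8184 max)
Aug  6 13:17:13 wall kernel: eth0: using NWAY device table, not 8
Aug  6 13:17:13 wall kernel: IPv6 v0.8 for NET4.0
Aug  6 13:17:24 wall squid[733]: Starting Squid Cache version 2.3.STABLE4-hno.CVS for i686-pc-linux-gnu...
Aug  6 13:48:00 wall proftpd[898]: connect from 217.5.68.153 (217.5.68.153)
Aug  6 13:48:00 wall proftpd[898]: wall.gelbart.de (pD9054499.dip.t-dialin.net[217.5.68.153]) - FTP session opened.
Aug  6 13:48:00 wall proftpd[898]: wall.gelbart.de (pD9054499.dip.t-dialin.net[217.5.68.153]) - no such user 'anonymous'
Aug  6 13:48:01 wall last message repeated 4 times
Aug  6 13:48:01 wall proftpd[898]: wall.gelbart.de (pD9054499.dip.t-dialin.net[217.5.68.153]) - USER anonymous: no such user found from pD9054499.dip.t-dialin.net [217.5.68.153] to 217.5.91.17:21
Aug  6 13:48:01 wall proftpd[898]: wall.gelbart.de (pD9054499.dip.t-dialin.net[217.5.68.153]) - FTP session closed.
"""

# Classic BSD syslog line: "Mon DD HH:MM:SS host [tag[pid]: ]message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?:(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: )?(?P<msg>.*)$"
)
REPEAT_RE = re.compile(r"^last message repeated (\d+) times$")

# Kernel messages that only appear while the kernel is coming up (heuristic,
# assumed from the excerpt; extend for your own distribution).
BOOT_MARKERS = ("ip_conntrack (", "IPv6 v", "using NWAY device table")
# What syslog writes on an orderly shutdown (assumed; none appear in the excerpt).
CLEAN_SHUTDOWN_MARKERS = ("syslogd: exiting", "shutdown[", "Shutting down")


def parse_syslog(text):
    """Parse lines into dicts and expand 'last message repeated N times' into
    N copies of the previous record, so later counts are not too low."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rep = REPEAT_RE.match(rec["msg"])
        if rep and records:
            prev = records[-1]
            records.extend({**prev, "ts": rec["ts"]} for _ in range(int(rep.group(1))))
            continue
        records.append(rec)
    return records


def ftp_sessions(records):
    """Summarise each proftpd session (keyed by PID): client, user names tried,
    how many logins were rejected, and whether any login was accepted."""
    sessions = defaultdict(lambda: {"client": None, "opened": None, "closed": None,
                                    "users": [], "rejected": 0, "login_ok": False})
    for r in records:
        if r["tag"] != "proftpd":
            continue
        s, msg = sessions[r["pid"]], r["msg"]
        if msg.startswith("connect from "):
            s["client"] = msg.split()[2]
        elif msg.endswith("FTP session opened."):
            s["opened"] = r["ts"]
        elif msg.endswith("FTP session closed."):
            s["closed"] = r["ts"]
        elif re.search(r"no such user '\S+'", msg):
            s["rejected"] += 1
        elif "Login successful" in msg:  # assumed proftpd wording for an accepted login
            s["login_ok"] = True
        user = re.search(r"\bUSER (\S+):", msg)
        if user and user.group(1) not in s["users"]:
            s["users"].append(user.group(1))
    return dict(sessions)


def boot_times(records):
    """Timestamps at which kernel boot-time messages were logged (i.e. a reboot)."""
    return sorted({r["ts"] for r in records
                   if r["tag"] == "kernel" and any(k in r["msg"] for k in BOOT_MARKERS)})


def clean_shutdown_logged(records):
    return any(any(k in r["msg"] for k in CLEAN_SHUTDOWN_MARKERS) for r in records)


def report(text):
    recs = parse_syslog(text)
    lines = []
    for pid, s in ftp_sessions(recs).items():
        verdict = ("credentials accepted: review transfers" if s["login_ok"]
                   else "no login accepted: nothing could be uploaded in this session")
        lines.append(f"proftpd[{pid}] {s['client']} {s['opened']} -> {s['closed']}: "
                     f"users={s['users']} rejected={s['rejected']}; {verdict}")
    for ts in boot_times(recs):
        how = ("after a logged shutdown" if clean_shutdown_logged(recs)
               else "with no shutdown message before it (crash, power loss or reset)")
        lines.append(f"kernel boot messages at {ts} {how}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

The absence of a shutdown record before the 13:17 boot is the only thing syslog can say about *why* the box rebooted; the cause itself has to come from elsewhere (console, hardware logs, or an oops written before the crash).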
--__--__--

Message: 5
Date: 6 Aug 2001 17:29:16 -0700
To: snort-users () lists sourceforge net
From: Michael Teng <mteng () altavista com>
Subject: [Snort-users] snort-1.8 and mysql timestamp problem...

I have snort-1.8 and mysql 3.23.40 running on Sparc Solaris 2.51 and
when the entries are logged into the database the timestamp is always
0000-00-00 00:00:00. Is anyone else having a problem with this? All
other entries in the database are okay except for the timestamp. The
alert file has the correct timestamp but somehow these timestamps are
not correctly logged into the database. 

I go into mysql and look at the entries for event:

select * from event limit 0,2; 

and the timestamps are still zeros. I've read that the timestamp is
generated once the entry is created but in my case the timestamp is not
created. Any thoughts?? 




--__--__--

Message: 6
Date: Mon, 6 Aug 2001 20:30:44 -0400 (EDT)
From: Jason <jason () tcpipbitch net>
To: Tom Sevy <tsevy () epx com>
cc: <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Cmd.exe requests

What I believe this is.. is those people that have 0 ethics attempting to
exploit the results of the code red 3 worm.

Today alone I have seen 800+ attempts (on an apache server) with code red
3, which copies cmd.exe to the scripts directory of IIS.  So, basically
what happens is all 800+ of those attempts were compromised machines that
I KNOW could be exploitable using the cmd.exe exploit.  So basically, it's
a few (most likely a lot more than a few) individuals who are watching for
attempts against their web servers via the code red v3 worm, then turning
around and attempting to exploit the cmd.exe vulnerability.  It could also
be a script someone created, as from what you posted, you don't seem to be
vulnerable, hence your IP would never have appeared in anyone's logs.....

But this is just pure conjecture from the trends I have noticed lately.

Jason

On Mon, 6 Aug 2001, Tom Sevy wrote:

> Does the following payload indicate any known worm?  Or just a cmd.exe
> attempt?  I have been seeing a lot of these.
>
> Generated by ACID v0.9.6b13 on Mon August 06, 2001 15:03:52
>
> ------------------------------------------------------------------------------
> #(1 - 61331) [2001-08-03 15:55:03]  WEB-IIS cmd.exe access
> IPv4: 63.202.158.22 -> 208.248.231.103
>       hlen=5 TOS=0 dlen=106 ID=52091 flags=0 offset=0 TTL=241 chksum=10193
> TCP:  port=33837 -> dport: 80  flags=***AP*** seq=2524555147
>       ack=14124627 off=5 res=0 win=8760 urp=0 chksum=32756
> Payload:  length = 62
>
> 000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
> 010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D   c../winnt/system
> 020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69   32/cmd.exe?/c+di
> 030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A         r HTTP/1.0....





--__--__--

Message: 7
Date: Mon, 6 Aug 2001 18:50:44 -0600 (MDT)
From: Ryan Russell <ryan () securityfocus com>
To: Jason <jason () tcpipbitch net>
cc: Tom Sevy <tsevy () epx com>, <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Cmd.exe requests

The CodeRed II worm sets off the cmd.exe rule.  People attempting to
exploit it would be after root.exe, not cmd.exe, most likely.

                                        Ryan





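To put Tom's ACID alert and Ryan's cmd.exe-versus-root.exe distinction into code, here is an added example (written for this page; it is not ACID, Snort or anyone's code from the thread). It rebuilds the raw bytes from ACID's hex dump rather than trusting the lossy ASCII column, parses the HTTP request line, and reports what an analyst triaging a WEB-IIS cmd.exe alert wants to know: whether the path traverses directories, which executable is named, and what argument was passed to it. Once the request is decoded, which binary a request is after is a single field. The dump text is a constructed copy of the one quoted above.

```python
import re
from urllib.parse import unquote_to_bytes, unquote_plus

# Constructed copy of the ACID payload dump quoted above; only the hex column is used.
ACID_DUMP = """\
000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D   c../winnt/system
020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69   32/cmd.exe?/c+di
030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A         r HTTP/1.0....
"""

HEX_COL_WIDTH = 16 * 3  # ACID prints 16 bytes per row as "XX " columns


def acid_payload_bytes(dump):
    """Rebuild the raw payload from an ACID hex dump, ignoring the ASCII column
    (ACID renders non-printables such as CR/LF there as '.')."""
    data = bytearray()
    for line in dump.splitlines():
        if " : " not in line:
            continue
        hexcol = line.split(" : ", 1)[1][:HEX_COL_WIDTH]
        data.extend(int(h, 16) for h in hexcol.split())
    return bytes(data)


def parse_request(payload):
    """Split the first line of an HTTP request; returns None if it is not one."""
    head = payload.split(b"\r\n", 1)[0].decode("latin-1")
    parts = head.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    method, target, version = parts
    path, _, query = target.partition("?")
    return {"method": method, "path": path, "query": query, "version": version}


def triage(payload):
    """Decode the request and extract the facts an analyst needs for a
    WEB-IIS cmd.exe alert: traversal present, executable named, command given."""
    req = parse_request(payload)
    if req is None:
        return {"valid_http": False}
    # Percent-decode once; malformed escapes (like the "%c." here) are kept verbatim.
    decoded = unquote_to_bytes(req["path"]).decode("latin-1", "replace")
    segments = decoded.replace("\\", "/").split("/")
    return {
        "valid_http": True,
        "version": req["version"],
        "traversal": any(seg.startswith("..") for seg in segments),
        "percent_encoded": "%" in req["path"],
        "binary": segments[-1].lower(),      # e.g. cmd.exe vs root.exe
        "command": unquote_plus(req["query"]),
        "decoded_path": decoded,
    }


if __name__ == "__main__":
    payload = acid_payload_bytes(ACID_DUMP)
    print(payload)
    for key, value in triage(payload).items():
        print(f"{key:16} {value}")
```

Decoding from the hex column matters because the ASCII column cannot distinguish a literal "." from a CR or LF, and because the query string uses "+" for space, so "/c+dir" only reads correctly after form-style decoding.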
--__--__--

Message: 8
To: <jlewis () packetnexus com>
Cc: snort-users () lists sourceforge net
From: roman () danyliw com
Subject: Re: [Snort-users] ACID and MySQL questions
Date: Mon, 6 Aug 2001 21:14:46 US/Eastern

Hi Jason,

> I am using the archive DB function in ACID.  I don't see a link in ACID
> that will let you view the archive.  I just copied the ACID files into a
> second directory and pointed the acid_conf to the archive db.  My question
> is....Is that the only way to do it?  Or is there something I missed?  BTW,
> I am happy with the latest ACID build b13.

The archive database is no different than the "active"
alert database.  Hence, there is no special
mechanism by which to view it.

> Next question.... I can't find any info on what exactly a snort sensor
> that is not running MySQL needs in the way of MySQL libraries to be able
> to log to a central MySQL DB server.  Can I get away with installing the
> MySQL client?  So far I have been doing full blown installs of MySQL on
> each sensor.  Anyone doing something different?

I have not confirmed this, but I suspect that
in order to perform remote DB logging only the
Mysql-devel library would be necessary.

cheers,
Roman






--__--__--

Message: 9
Reply-To: <jlewis () packetnexus com>
From: "Jason Lewis" <jlewis () packetnexus com>
To: <roman () danyliw com>, <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] ACID and MySQL questions
Date: Mon, 6 Aug 2001 21:41:17 -0400

What exactly is the goal of the archive feature?

I actually have several "instances" of ACID.  I have one that is read-only
for general security team use.  I have one with delete rights, so I can
keep the DB manageable.  The last one is configured to view the archive
where I move interesting data.

Jason Lewis
http://www.packetnexus.com
It's not secure "Because they told me it was secure".
The people at the other end of the link know less
about security than you do. And that's scary.






--__--__--

Message: 10
Date: Mon, 06 Aug 2001 22:54:50 -0400
From: Jim Hankins <jhankins () hankinsbay com>
To: "snort-users () lists sourceforge net"
<snort-users () lists sourceforge net>
Subject: [Snort-users] libnet.h missing error when making under RHAT7.1

Newbie question: when making I get the error libnet.h missing.  Which
package do I need to resolve this and where do I get it?  I don't have
the file on the system.



--
Jim Hankins
http://www.hankinsbay.com
jhankins () hankinsbay com
810-716-8480






--__--__--



End of Snort-users Digest





