Snort mailing list archives
Re: Snort, php, MySQL and acid showing no activity
From: "Joshua Rogers" <josh () ipws com>
Date: Fri, 23 Aug 2002 14:52:19 -0600
Hi All, Erek Adams, answers to your questions are below. Rafeeq Ur Rehman, I have not yet tested your idea. Demetri Mouratis, I will get to your questions next. Thanks everyone so far!
From / To Gammon McClure:

Not to be asking stupid questions, but are you in a switched environment?

Yes, we are in a switched environment. We are running an HP 4000M which allows me to mirror all traffic (on a given vlan) to a specific port, which I have done. Not a stupid question, but I caught that issue in the docs.

can you get alerts to the console (other than broadcast) running just snort -dv

Yes, here is the output. Similar output on 'snort -vade' but I did not copy it here.

Snort analyzed 69 out of 69 packets, The kernel dropped 0(0.000%) packets
Breakdown by protocol:                Action Stats:
    TCP: 69         (100.000%)         ALERTS: 0
    UDP: 0          (0.000%)           LOGGED: 0
   ICMP: 0          (0.000%)           PASSED: 0
    ARP: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 0          (0.000%)
DISCARD: 0          (0.000%)
===============================================================================
Fragmentation Stats:
Fragmented IP Packets: 0 (0.000%)
    Fragment Trackers: 0
   Rebuilt IP Packets: 0
   Frag elements used: 0
Discarded(incomplete): 0
   Discarded(timeout): 0
  Frag2 memory faults: 0
===============================================================================
TCP Stream Reassembly Stats:
        TCP Packets Used: 0 (0.000%)
         Stream Trackers: 0
          Stream flushes: 0
           Segments used: 0
   Stream4 Memory Faults: 0
===============================================================================
***AP*** Seq: 0xF73F77E3  Ack: 0x2831E46D  Win: 0xAB20  TcpLen: 20
Snort received signal 2, exiting

From / To Erek Adams:

Try this:

* Verify that snort is working. 'snort -vade' should show traffic on your network.

It works and shows traffic on the network. I copied some output above.

* Check your snort.conf. Check HOME_NET and EXTERNAL_NET, to be sure they are set for the correct ranges.

I have the HOME_NET set for each class c:

var HOME_NET [63.229.251.0/24,65.101.195.0/24,65.103.101.0/24,65.125.152.0/23]

but my EXTERNAL_NET is set like this:

var EXTERNAL_NET $HOME_NET

Should external net say 'any'?

* If the MySQL host and snort host are different, make sure you can connect from one to the other.

The MySQL host and snort are on the same machine.

Thanks,
Joshua Rogers
Webmaster
InterPlanetary Web Services
303-940-2597
IBO# 60092

----- Original Message -----
From: "McClure Gammon" <gammon.mcclure () volvo com>
To: "'Joshua Rogers'" <josh () ipws com>; <Snort-users () lists sourceforge net>
Sent: Friday, August 23, 2002 1:59 PM
Subject: RE: [Snort-users] Snort, php, MySQL and acid showing no activity
Joshua,

Not to be asking stupid questions, but are you in a switched environment? (Keep in mind some "hubs" are really switches.) If so, you'll need to span or mirror ports of interest to the port where snort is plugged in. Easiest way to debug this is to start simple - can you get alerts to the console (other than broadcast) running just

snort -dv

if all you see are broadcasts, you're switched. If you see other stuff, we can get more complicated.

Gammon

-----Original Message-----
From: Joshua Rogers [mailto:josh () ipws com]
Sent: Friday, August 23, 2002 2:50 PM
To: Snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort, php, MySQL and acid showing no activity

Ok, I ran 'nmap -v -sS -O <server ip>' on the snort machine and on another server. Both tests did not show up in the acid console and nothing in the MySQL db. There is also nothing showing up in the portscan log file. I am guessing I missed something in the setup.

Thanks,
Joshua Rogers
Webmaster
InterPlanetary Web Services
303-940-2597
IBO# 60092

----- Original Message -----
From: "Demetri Mouratis" <dmourati () cm math uiuc edu>
To: "Randy Bey" <Randy.Bey () rivernorthsys com>
Cc: <Snort-users () lists sourceforge net>
Sent: Friday, August 23, 2002 11:33 AM
Subject: RE: [Snort-users] Snort, php, MySQL and acid showing no activity

Nmap is easier and faster in that it doesn't require client/server setup: http://www.insecure.org

HTH

On Fri, 23 Aug 2002, Randy Bey wrote:

Oh yes, you need to do something to trigger a rule. I usually just run a quick Nessus(tm) scan; that does it for me. If there are faster, easier ways to trip a rule, please someone let me know.

Randy Bey
RiverNorth Systems
7300 W 147th St Suite 300
Apple Valley, MN 55124
http://www.rivernorthsys.com

-----Original Message-----
From: Joshua Rogers [mailto:josh () ipws com]
Sent: Friday, August 23, 2002 10:24 AM
To: Snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort, php, MySQL and acid showing no activity

I just tried: /usr/local/bin/snort -c /etc/snort/snort.conf -D from the command line. It created an additional sensor, but still no activity in the db. Do I need to create any alerts? It seems that I can not create a useful alert until I have a traffic pattern to base it on. Am I correct in this assumption?

Thanks,
Joshua Rogers
Webmaster
InterPlanetary Web Services
303-940-2597
IBO# 60092

----- Original Message -----
From: "Randy Bey" <Randy.Bey () rivernorthsys com>
To: "Joshua Rogers" <josh () ipws com>; <Snort-users () lists sourceforge net>
Sent: Friday, August 23, 2002 9:31 AM
Subject: RE: [Snort-users] Snort, php, MySQL and acid showing no activity

Have you made sure you aren't using any -A switches on your snort command line? It should be as simple as:

/usr/local/bin/snort -c /etc/snort/snort.conf -D

Randy Bey
RiverNorth Systems
7300 W 147th St Suite 300
Apple Valley, MN 55124
http://www.rivernorthsys.com

-----Original Message-----
From: Joshua Rogers [mailto:josh () ipws com]
Sent: Thursday, August 22, 2002 4:28 PM
To: Snort-users () lists sourceforge net
Subject: [Snort-users] Snort, php, MySQL and acid showing no activity

Hi,

I do not know what information will be helpful in showing me how to track down a problem on my system, but here goes. I am running:

Red Hat Linux 7.3 with the latest updates
PHP 4.2.1, register globals=on
Apache 1.3.26
MySQL 3.23.39
GD 1.6.2
The latest acid
BCMath

I followed the great doc on setting up snort-rh7-mysql, from the snort website. I had to make a few changes since I am running 7.3 and did not have all of the drive space shown in the doc. Somewhere along the line I think I missed something. Snort and MySQL seem to be running, the acid interface comes up fine with no errors but there is no data that shows up in the database or in the acid interface. What information would you need to help point me in the right direction to get snort recording data?

Thanks,
Joshua Rogers
Webmaster
InterPlanetary Web Services
303-940-2597
IBO# 60092

-------------------------------------------------------
This sf.net email is sponsored by: OSDN - Tired of that same old cell phone? Get a new here for FREE!
https://www.inphonic.com/r.asp?r=sourceforge1&refcode1=vs3390
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

---------------------------------------------------------------------
Demetri Mouratis
dmourati () linfactory com
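Joshua asks above whether EXTERNAL_NET should be 'any' rather than $HOME_NET. The script below is an added example written for this thread; it is not code from the thread or from Snort itself. It resolves the snort.conf variable block quoted in the reply and evaluates the address part of a typical rule header ('alert tcp $EXTERNAL_NET any -> $HOME_NET any') against sample scan sources, so a defender can see which sources each setting can ever match. The HOME_NET list is the one Joshua posted; the scanner and target addresses are constructed samples, and the third variant ('!$HOME_NET') is an assumed comparison, not something from the thread. Only address matching is modelled, not ports, payload options or Snort's full variable syntax.

```python
"""Resolve snort.conf HOME_NET/EXTERNAL_NET variables and evaluate the address
part of a rule header against sample packets.  Added example for this thread;
it is not Snort's code and only models address matching, not ports or
payload options.  All scanner/target IP addresses below are constructed."""
import ipaddress
import re

# The variable block as Joshua posted it (HOME_NET copied from the thread).
CONF_AS_POSTED = """
var HOME_NET [63.229.251.0/24,65.101.195.0/24,65.103.101.0/24,65.125.152.0/23]
var EXTERNAL_NET $HOME_NET
"""
# The same block with EXTERNAL_NET set to 'any', which Joshua asks about.
CONF_ANY = CONF_AS_POSTED.replace("var EXTERNAL_NET $HOME_NET",
                                  "var EXTERNAL_NET any")
# Assumed third variant for comparison (not from the thread): everything
# that is not HOME_NET counts as external.
CONF_NOT_HOME = CONF_AS_POSTED.replace("var EXTERNAL_NET $HOME_NET",
                                       "var EXTERNAL_NET !$HOME_NET")

# A typical rule header shape; the options in parentheses are irrelevant here.
SCAN_RULE = "alert tcp $EXTERNAL_NET any -> $HOME_NET any"


def expand(token, variables):
    """Substitute $NAME references; list and negation syntax is left intact."""
    return re.sub(r"\$(\w+)", lambda m: variables[m.group(1)], token)


def parse_vars(conf):
    """Collect 'var NAME VALUE' lines; a value may refer to earlier names."""
    variables = {}
    for line in conf.splitlines():
        m = re.match(r"\s*var\s+(\w+)\s+(\S+)", line)
        if m:
            name, value = m.groups()
            variables[name] = expand(value, variables)
    return variables


def address_matches(spec, ip):
    """True if ip is inside a Snort address spec: 'any', a CIDR or host,
    a bracketed comma-separated list, or a '!'-negated spec."""
    if spec.startswith("!"):
        return not address_matches(spec[1:], ip)
    if spec == "any":
        return True
    if spec.startswith("[") and spec.endswith("]"):
        return any(address_matches(part, ip) for part in spec[1:-1].split(","))
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def rule_matches(header, variables, src_ip, dst_ip):
    """Evaluate the source/destination address fields of a rule header for
    one packet.  Ports are ignored; only the address and direction logic
    is modelled."""
    _action, _proto, src, _sport, direction, dst, _dport = header.split()
    src, dst = expand(src, variables), expand(dst, variables)
    forward = address_matches(src, src_ip) and address_matches(dst, dst_ip)
    if direction == "->":
        return forward
    if direction == "<>":
        return forward or (address_matches(src, dst_ip)
                           and address_matches(dst, src_ip))
    raise ValueError("unknown direction: " + direction)


def scan_visibility(conf, scanner_ip, target_ip="63.229.251.10"):
    """Could a scan from scanner_ip against a HOME_NET host ever match
    SCAN_RULE under this variable block?"""
    return rule_matches(SCAN_RULE, parse_vars(conf), scanner_ip, target_ip)


if __name__ == "__main__":
    # Constructed sample sources: one inside HOME_NET, one outside it.
    inside, outside = "63.229.251.5", "198.51.100.7"
    for label, conf in (("EXTERNAL_NET $HOME_NET", CONF_AS_POSTED),
                        ("EXTERNAL_NET any", CONF_ANY),
                        ("EXTERNAL_NET !$HOME_NET", CONF_NOT_HOME)):
        print(f"{label:25} inside->home: {scan_visibility(conf, inside)!s:5} "
              f"outside->home: {scan_visibility(conf, outside)}")
```

Run as a script it prints one line per variant. With EXTERNAL_NET set to $HOME_NET, a rule written as $EXTERNAL_NET -> $HOME_NET can only ever see traffic whose source is itself inside HOME_NET, so anything arriving from outside the listed class C ranges is invisible to that rule. Setting it to 'any' makes the rule see both. The assumed !$HOME_NET variant is the opposite trade-off: it excludes a scan launched from a host inside HOME_NET, which includes the Snort box itself, so a test scan run from the sensor would not trip such rules even though the configuration is otherwise sound. Which sources a test should come from therefore depends on this one variable, and checking it this way is cheaper than reading every rule by hand.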