Snort mailing list archives
Mysql, log and portscan..
From: "Marco A. mateos" <specka () specka com>
Date: 11 Jan 2003 21:20:36 +0100
Hello, I'm a new user of snort 1.9.0 on redhat 7.2 (snort+snort+ACID). I have a problem and don't see a solution. In my case, I want to have the log in /var/log/snort and also send the logs to mysql. My snort.conf has:

# network variables
var HOME_NET $eth0_ADDRESS
var EXTERNAL_NET any
var SMTP $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
# a list of several addresses uses bracket syntax: comma-separated, no spaces
var DNS_SERVERS [$HOME_NET,207.218.223.134,207.218.192.38]
#var RULE_PATH ./
var SHELLCODE_PORTS !80
var HTTP_PORTS 80
var ORACLE_PORTS 1521

# preprocessors
preprocessor frag2
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_decode: 80 -unicode -cginull
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
preprocessor portscan: $HOME_NET 4 3 portscan.log
# I don't know what I can use this directive for
#preprocessor portscan-ignorehosts

# output plugins
output alert_syslog: LOG_AUTH LOG_ALERT
#output log_tcpdump: snort.log
output database: alert, mysql, user=myuser dbname=snort host=localhost password=mypass

# rule files
include classification.config
include bad-traffic.rules
include exploit.rules
include scan.rules
include finger.rules
include ftp.rules
include telnet.rules
include smtp.rules
include rpc.rules
include rservices.rules
include dos.rules
include ddos.rules
include dns.rules
include tftp.rules
include web-cgi.rules
include web-coldfusion.rules
include web-iis.rules
include web-frontpage.rules
include web-misc.rules
include web-attacks.rules
include sql.rules
include x11.rules
include icmp.rules
include netbios.rules
include misc.rules
include attack-responses.rules
include backdoor.rules
include shellcode.rules
include policy.rules
include porn.rules
include info.rules
include icmp-info.rules
include virus.rules
include local.rules

And in the snort init file:

#!/bin/sh
. /etc/rc.d/init.d/functions

INTERFACE=eth0

# See how we were called.
case "$1" in
  start)
        echo -n "Starting snort: "
        cd /var/log/snort
        #####################################################################
        ### This line, as it is, makes snort write to the log /var/log/snort/alert
        daemon /usr/sbin/snort -A full -b -l /var/log/snort -d -D \
                -i $INTERFACE -c /etc/snort/snort.conf
        #####################################################################
        ## If I delete -A full -b, it writes to the mysql database snort
        #####################################################################
        touch /var/lock/subsys/snort
        echo
        ;;
  stop)
        echo -n "Stopping snort: "
        killproc snort
        rm -f /var/lock/subsys/snort
        echo
        ;;
  restart)
        $0 stop
        $0 start
        ;;
  status)
        status snort
        ;;
  *)
        echo "Usage: $0 {start|stop|restart|status}"
        exit 1
esac

exit 0

Neither way works. The logs go either to the text file or to mysql. In neither case am I able to see port scans, and from another tool (portsentry) I am certain that I have them. I would like to write the log to alert and portscan too, because I would like to send it with extractor 4.0 to https://analyzer.securityfocus.com/, and everything to the mysql database to view with ACID. I have worked on this all afternoon. Thanks for your help. My English is bad.

--
Marco A. Mateos - Linux User: 209189
www.lomejordeinternet.net / specka.com
graficas.lomejordeinternet.net - Graphic Arts Portal
hosting.lomejordeinternet.net - Hosting, housing and consulting
specka () quitaesto specka com / ICQ: 172542875
Public key available at pgp.rediris.es
Attachment:
signature.asc
Description: This part of the message is digitally signed
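The "alert file or mysql, never both" behaviour in the post above has a mechanical cause in Snort 1.x/2.x: the -A and -s command-line switches override every alert-facility output plugin configured in snort.conf (Snort prints a startup message saying the command line overrides the rules-file plugin and skips it), and -b, -L and -N do the same for log-facility plugins. The init script's "-A full -b" therefore silences "output database: alert, mysql, ...". The check below is an added example written for this page; it is not code from the post, from the reply, or from Snort. It assumes the switches are passed as separate tokens (no bundled forms such as -bD) and uses a constructed snort.conf output section with a temporary file name of its own choosing.

```shell
#!/bin/sh
# Added example, not from the original post or from Snort. It reports which
# "output" lines of a snort.conf a given snort command line would silence:
#   -A <mode> / -s            override alert-facility plugins
#   -b / -L <file> / -N       override log-facility plugins
# Assumption: switches appear as separate tokens (no bundled -bD and the like).

TMPCONF=${TMPDIR:-/tmp}/snort-output-check.conf

# Constructed output section: every destination lives in snort.conf, so the
# daemon line only needs -l, -i and -c and none of -A/-s/-b/-L/-N.
cat > "$TMPCONF" <<'EOF'
output alert_full: alert
output log_tcpdump: snort.log
output database: alert, mysql, user=myuser dbname=snort host=localhost password=mypass
EOF

# list_overridden CMDLINE CONF
# Prints each "output" line of CONF that CMDLINE would silence.
list_overridden() {
    cmdline=$1
    conf=$2
    alert_override=0
    log_override=0
    for tok in $cmdline; do
        case $tok in
            -A*|-s)    alert_override=1 ;;   # alert facility taken over by the command line
            -b|-L*|-N) log_override=1 ;;     # log facility taken over by the command line
        esac
    done
    while IFS= read -r line; do
        case $line in
            "output alert_"*|"output database: alert"*)
                if [ "$alert_override" = 1 ]; then echo "$line"; fi ;;
            "output log_"*|"output database: log"*)
                if [ "$log_override" = 1 ]; then echo "$line"; fi ;;
        esac
    done < "$conf"
}

# count_overridden CMDLINE CONF -> number of silenced output lines (0 means consistent)
count_overridden() {
    list_overridden "$1" "$2" | wc -l | tr -d ' '
}

# The daemon line from the posted init script (without the daemon wrapper),
# and the same line with the overriding switches removed.
POSTED='-A full -b -l /var/log/snort -d -D -i eth0 -c /etc/snort/snort.conf'
FIXED='-l /var/log/snort -d -D -i eth0 -c /etc/snort/snort.conf'

echo "posted command line silences $(count_overridden "$POSTED" "$TMPCONF") output line(s):"
list_overridden "$POSTED" "$TMPCONF"
echo "corrected command line silences $(count_overridden "$FIXED" "$TMPCONF") output line(s)"
```

With the command line trimmed as in FIXED, the text alert file comes from "output alert_full: alert", the binary packet log from "output log_tcpdump: snort.log", and the ACID data from the database line, all at once and all relative to the -l directory. The portscan preprocessor's portscan.log argument is a preprocessor setting, not an output plugin, so it is not affected by these switches either way.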
Current thread:
- Mysql, log and portscan.. Marco A. mateos (Jan 11)
- <Possible follow-ups>
- RE: Mysql, log and portscan.. L. Christopher Luther (Jan 13)