Snort mailing list archives
Re: SnortCenter Configuration
From: "Roy S. Rapoport" <snort-users () ols inorganic org>
Date: Fri, 30 May 2003 00:35:58 -0700
On Thu, May 29, 2003 at 11:44:57PM -0700, Roy S. Rapoport wrote:
> Is this even the best place to ask SnortCenter questions? http://users.pandora.be/larc/index.html doesn't seem to mention any snortcenter-specific mailing lists. I actually had Snort working well in standalone mode, and I'm trying to integrate it into SnortCenter (so I'll initially have SnortCenter manage one agent). SnortCenter and Agent talk well with each other; I've uploaded the config file I was using originally, but I'm having a problem with the rules. Specifically, if I do admin->import/update rules->update from internet, I get "No update this time..." which is not necessarily all that descriptive. Nothing new? Couldn't find anything? Dunno. I obviously don't want to hand-enter a whole bunch of different rules. Any suggestions?
I figured out, at least preliminarily, what was going on. On my system, snortcenter was attempting to download the files by using:

$fp=popen($curl_path."curl -s $proxyline $snortrules_url 2>/dev/null | tar xzOf - rules/*.rules rules/*.conf rules/*.config", "r");

However, on Solaris tar cannot cope with compressed files. I needed to use gtar (the GNU tar) and fully qualify it. So this:

$fp=popen($curl_path."curl -s $proxyline $snortrules_url 2>/dev/null | /usr/local/bin/gtar xzOf - rules/*.rules rules/*.conf rules/*.config", "r");

worked. Kinda. After running this and having SnortCenter see all the rules, I attempted to do it again for no particularly good reason, and got:

Database ERROR:Database ERROR:Unknown column 'byte_jump' in 'field list'

Which I suppose makes sense: there are several DB queries that seem to rely on a byte_jump column in uricontent:

---
151 nag /usr/local/snortcenter # grep byte_jump * | grep "SELECT"
rules.php: $result_content = $db->acidExecute("SELECT content, off_set, depth, nocase, regex, rawbytes, distance, within, byte_jump, byte_test FROM content WHERE sid='$sid'");
rules.php: $result_uricontent = $db->acidExecute("SELECT uricontent, off_set, depth, nocase, regex, distance, within, byte_jump, byte_test FROM uricontent WHERE sid='$sid'");
sensor.inc.php: $result_content = $db->acidExecute("SELECT content, off_set, depth, nocase, regex, rawbytes, distance, within, byte_jump, byte_test FROM content WHERE sid='$sid'");
sensor.inc.php: $result_uricontent = $db->acidExecute("SELECT uricontent, off_set, depth, nocase, regex, distance, within, byte_jump, byte_test FROM uricontent WHERE sid='$sid'");
sensor_rules.php: $result_content = $db->acidExecute("SELECT content, off_set, depth, nocase, regex, rawbytes, distance, within, byte_jump, byte_test FROM content WHERE sid='$sid'");
sensor_rules.php: $result_uricontent = $db->acidExecute("SELECT uricontent, off_set, depth, nocase, regex, distance, within, byte_jump, byte_test FROM uricontent WHERE sid='$sid'");
---

But when uricontent is created, it's created thus:

CREATE TABLE uricontent (
  sid bigint(20) unsigned NOT NULL default '0',
  uricontent longtext,
  off_set varchar(4) default NULL,
  depth varchar(4) default NULL,
  nocase varchar(6) default NULL,
  regex varchar(5) default NULL,
  KEY sid (sid)
) TYPE=MyISAM;

So, obviously, you get database errors.

I'm hearing of a lot of people happily using SnortCenter. The problems I'm encountering are so darn basic, I'm wondering if there's something fundamentally different or broken about my setup (one possibility for the tar issue is that nobody considered that SnortCenter might be run on a non-BSD/non-Linux system, for example), or if, in fact, someone was just damn sloppy with this latest version of SnortCenter. Thoughts?

-roy
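A check for the schema/query mismatch described in the post above, added here as an example and not part of the thread or of SnortCenter: it parses the quoted CREATE TABLE and the uricontent SELECT and lists every column the query names that the table never defines, not only the byte_jump column named in the error message. The DDL and query text are taken from the post; the parsing code and its assumption of a plain `SELECT cols FROM table` shape are mine.

```python
import re

# Constructed from the post above: SnortCenter's uricontent schema and the
# SELECT that fails with "Unknown column 'byte_jump' in 'field list'".
CREATE_URICONTENT = """CREATE TABLE uricontent (
  sid bigint(20) unsigned NOT NULL default '0',
  uricontent longtext,
  off_set varchar(4) default NULL,
  depth varchar(4) default NULL,
  nocase varchar(6) default NULL,
  regex varchar(5) default NULL,
  KEY sid (sid)
) TYPE=MyISAM;"""

SELECT_URICONTENT = ("SELECT uricontent, off_set, depth, nocase, regex, distance, "
                     "within, byte_jump, byte_test FROM uricontent WHERE sid='$sid'")

# Clauses inside CREATE TABLE that do not define a column.
NON_COLUMN = ("KEY", "PRIMARY", "UNIQUE", "INDEX", "CONSTRAINT", "FULLTEXT")

def columns_from_create(ddl):
    """Return (table, set of column names) defined by one CREATE TABLE."""
    m = re.search(r"CREATE\s+TABLE\s+`?(\w+)`?\s*\((.*)\)", ddl, re.S | re.I)
    if not m:
        raise ValueError("not a CREATE TABLE statement")
    cols = set()
    # Split on commas that are not inside parentheses, e.g. KEY idx (a, b).
    for clause in filter(str.strip, re.split(r",(?![^()]*\))", m.group(2))):
        first = clause.split()[0].strip("`")
        if first.upper() not in NON_COLUMN:
            cols.add(first)
    return m.group(1), cols

def columns_from_select(sql):
    """Return (table, list of column names) named by a plain SELECT ... FROM."""
    m = re.search(r"SELECT\s+(.*?)\s+FROM\s+`?(\w+)`?", sql, re.S | re.I)
    if not m:
        raise ValueError("not a simple SELECT ... FROM statement")
    return m.group(2), [c.strip("` ") for c in m.group(1).split(",")]

def missing_columns(ddl, sql):
    """Columns the SELECT references that the CREATE TABLE never defines."""
    ddl_table, defined = columns_from_create(ddl)
    sql_table, wanted = columns_from_select(sql)
    if ddl_table.lower() != sql_table.lower():
        raise ValueError(f"table mismatch: {ddl_table} vs {sql_table}")
    return sorted(c for c in wanted if c not in defined)
```

Running `missing_columns(CREATE_URICONTENT, SELECT_URICONTENT)` against the post's own text reports `byte_jump`, `byte_test`, `distance` and `within` as undefined, which is why the second import run fails as soon as a rule with uricontent options is written back.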
Current thread:
- SnortCenter Configuration Roy S. Rapoport (May 30)
- Re: SnortCenter Configuration Roy S. Rapoport (May 30)
- Re: Re: SnortCenter Configuration Joerg Weber (May 30)
- Re: Re: SnortCenter Configuration Roy S. Rapoport (May 30)
- Re: Re: SnortCenter Configuration Joerg Weber (May 30)
- Re: SnortCenter Configuration Joerg Weber (May 30)
- Re: SnortCenter Configuration Roy S. Rapoport (May 30)