Snort mailing list archives
Problems with AICD seeing Sensors
From: "Allyn Baskerville" <allynb () adsne com>
Date: Wed, 18 Jun 2003 16:19:33 -0500
I sent in a question a few days ago, and I thought it was resolved. I had an older version of Snort with ACID running on RH7.2, which I upgraded to RH9.0. I followed Snort Enterprise Implementation by Steven Scott, with the exception of some newer files and running ACID and SNORT on a single system. After a few responses the first time I experienced this, ACID started seeing the sensor interfaces and logging began working, which I thought was due to a reboot. I repeated the installation for a client, and I'm having the same issue. After several hours, I can't seem to find what the problem is.

Here are the symptoms... I create a new instance of the sensor in SnortCenter, set the appropriate variables, set the output plug-in, push it onto the sensor and start it. The sensor turns green, but it never logs anything, nor does ACID show there is even an active sensor. When I run the commands from the command line, I still don't see any errors. Snort sees the events, though - it just doesn't log them. After manipulating the settings in SnortCenter and restarting various services (even rebooting), I still am unable to get any events to appear in ACID for some time. Then mysteriously, the events will start appearing, and the logs are being populated.

It sure seems as if communication is broken between Snort and ACID, but I've verified usernames and passwords, database settings, and that the server responds on the proper ports. I currently have all Sensors running, but they go down periodically and I have to manually restart them. I'd appreciate your thoughts on this. Thank you.
Allyn

The command line is:

    snort -i eth1 -U -o -c /etc/snort/snort.eth1.conf

and the snort.eth1.conf file is as follows:

    #-------------------------------------------------------------------------------
    # Snort Configuration file for < ADSSensor1 >
    # Created with SnortCenter v1.0 RC1 < http://users.pandora.be/larc/ >
    # $Id: snort.conf, Wednesday 18th of June 2003 10:41:17 PM
    #-------------------------------------------------------------------------------

    # Next variable automatic added by SnortCenter, used in some rule(s).
    var HOME_NET any
    # Next variable automatic added by SnortCenter, used in some rule(s).
    var EXTERNAL_NET any
    #
    #
    output database: log, mysql, user=snort password=xxxxxxxx dbname=snort host=ADS-IDS sensor_name=ADSSensor1
    #
    #
    #
    #
    #-------------------------------------------------------------------------------
    # $Id: classification.config, Wednesday 18th of June 2003 10:41:17 PM
    #-------------------------------------------------------------------------------
    # Next classification automatic added by SnortCenter, used in some rule(s).
    config classification: bad-unknown,Potentially Bad Traffic, 2
    #
    #
    #-------------------------------------------------------------------------------
    # $Id: attack-responses.rules, Wednesday 18th of June 2003 10:41:17 PM
    #-------------------------------------------------------------------------------
    alert tcp $HOME_NET any -> $EXTERNAL_NET any ( sid: 1292; rev: 7; msg: "ATTACK-RESPONSES directory listing"; flow: from_server,established; content: "Volume Serial Number"; classtype: bad-unknown;)
    ...

When I follow the command line with a -T, the following is returned:

    [root@ADS-IDS snort]# snort -i eth1 -U -o -c /etc/snort/snort.eth1.conf -T
    Running in IDS mode
    Log directory = /var/log/snort

    Initializing Network Interface eth1
    OpenPcap() device eth1 network lookup:
            eth1: no IPv4 address assigned

            --== Initializing Snort ==--
    Rule application order changed to Pass->Alert->Log
    Initializing Output Plugins!
    Decoding Ethernet on interface eth1
    Initializing Preprocessors!
    Initializing Plug-ins!
    Parsing Rules file /etc/snort/snort.eth1.conf

    +++++++++++++++++++++++++++++++++++++++++++++++++++
    Initializing rule chains...
    database: compiled support for ( mysql )
    database: configured to use mysql
    database: user = snort
    database: password is set
    database: database name = snort
    database: host = ADS-IDS
    database: sensor name = ADSSensor1
    database: sensor id = 8
    database: schema version = 106
    database: using the "log" facility
    1 Snort rules read...
    1 Option Chains linked into 1 Chain Headers
    0 Dynamic rules
    +++++++++++++++++++++++++++++++++++++++++++++++++++

    Rule application order: ->pass->activation->dynamic->alert->log

            --== Initialization Complete ==--

    -*> Snort! <*-
    Version 2.0.0 (Build 72)
    By Martin Roesch (roesch () sourcefire com, www.snort.org)

    Snort sucessfully loaded all rules and checked all rule chains!
    database: Closing connection to database "snort"
    Snort exiting
    [root@ADS-IDS snort]#
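When a sensor "goes green" in SnortCenter but ACID shows nothing, the useful first check is whether rows are actually reaching the snort database, independent of ACID. The script below is an added example, not code from the post above, from Snort or from ACID: it runs the three queries a practitioner would otherwise type into the mysql client, against an in-memory SQLite stand-in for the MySQL snort database. Only the sensor and event tables are modelled (column names as in the Snort schema-106 create script), and every row is constructed. Sensor id 8 and the -U flag (which makes Snort stamp events in UTC) come from the post; the timestamps, the second sensor, the time window and the console's UTC-5 clock are assumptions.

```python
"""Check the Snort event database directly, bypassing ACID.

Added example, not code from the original post, from Snort or from ACID.
An in-memory SQLite database stands in for the MySQL 'snort' database;
only the sensor and event tables are modelled (column names as in the
Snort schema-106 create script) and every row is constructed.  Sensor id
8 and the -U flag come from the post; the timestamps, the second sensor,
the console clock and the time window are assumptions."""
import sqlite3
from datetime import datetime, timedelta

SCHEMA = """
CREATE TABLE sensor (
    sid INTEGER PRIMARY KEY, hostname TEXT, interface TEXT, filter TEXT,
    detail INTEGER, encoding INTEGER, last_cid INTEGER NOT NULL
);
CREATE TABLE event (
    sid INTEGER NOT NULL, cid INTEGER NOT NULL, signature INTEGER NOT NULL,
    timestamp TEXT NOT NULL, PRIMARY KEY (sid, cid)
);
"""
TS = "%Y-%m-%d %H:%M:%S"  # the form Snort writes into event.timestamp
SAMPLE_NOW = datetime(2003, 6, 18, 16, 19, 33)  # assumed console local time (-0500)


def open_sample_db(now_local, utc_offset_hours):
    """Constructed data: sensor 8 with three events, sensor 9 with none.

    'snort -U' stamps events in UTC, so with the console at UTC-5 the
    stored timestamps run five hours ahead of the console's local clock.
    utc_offset_hours=0 models a sensor whose clock matches the console."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO sensor VALUES (8, 'ADSSensor1', 'eth1', NULL, 1, 0, 3)")
    conn.execute("INSERT INTO sensor VALUES (9, 'ADSSensor2', 'eth2', NULL, 1, 0, 0)")
    now_utc = now_local - timedelta(hours=utc_offset_hours)
    for cid, minutes_ago in ((1, 40), (2, 7), (3, 2)):
        stamp = (now_utc - timedelta(minutes=minutes_ago)).strftime(TS)
        conn.execute("INSERT INTO event VALUES (8, ?, 1292, ?)", (cid, stamp))
    conn.commit()
    return conn


def sensor_row(conn, sid):
    """Row the database plugin registers at startup (sid 8 in the -T run);
    no row means the plugin never completed its first INSERT."""
    return conn.execute(
        "SELECT sid, hostname, interface, last_cid FROM sensor WHERE sid = ?",
        (sid,)).fetchone()


def latest_event(conn, sid):
    """(cid, timestamp) of the newest event for the sensor, or None."""
    cid, stamp = conn.execute(
        "SELECT MAX(cid), MAX(timestamp) FROM event WHERE sid = ?",
        (sid,)).fetchone()
    return None if cid is None else (cid, stamp)


def recent_event_count(conn, sid, since):
    """Events stamped at or after 'since'; string compare is safe in TS format."""
    return conn.execute(
        "SELECT COUNT(*) FROM event WHERE sid = ? AND timestamp >= ?",
        (sid, since.strftime(TS))).fetchone()[0]


def diagnose(conn, sid, now_local, window_minutes=10):
    """Classify one sensor's state from the database alone."""
    if sensor_row(conn, sid) is None:
        return "no sensor row: the database output plugin never registered it"
    latest = latest_event(conn, sid)
    if latest is None:
        return "sensor registered but no events inserted"
    last_cid, last_stamp = latest
    skew = datetime.strptime(last_stamp, TS) - now_local
    if abs(skew) >= timedelta(hours=1):
        # Rows are arriving, but stamped in a different zone than the
        # console clock (what -U does).  They can sit outside a console
        # time window that is computed in local time.
        hours = round(skew.total_seconds() / 3600)
        return f"events inserted (last cid {last_cid}) but stamped {hours:+d}h from local time"
    since = now_local - timedelta(minutes=window_minutes)
    if recent_event_count(conn, sid, since) == 0:
        return f"events exist (last cid {last_cid}) but none in the last {window_minutes} min"
    return f"healthy: last cid {last_cid}"


if __name__ == "__main__":
    for offset in (-5, 0):
        conn = open_sample_db(SAMPLE_NOW, offset)
        for sid in (8, 9, 10):
            print(f"utc_offset={offset:+d} sid={sid}: {diagnose(conn, sid, SAMPLE_NOW)}")
```

Against the real database the three SELECTs are exactly what you would run in the mysql client as the snort user. Putting them in one function makes the answer separate a plugin that never connects (no sensor row), one that connects but inserts nothing (the symptom described above), and rows that are present but stamped in UTC by -U and so can fall outside a console time window computed in local time.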