Snort mailing list archives
Re: No output to ACID
From: Edin Dizdarevic <edin.dizdarevic () interActive-Systems de>
Date: Tue, 15 Apr 2003 14:25:53 +0200
That looks good to me. Now run Snort without the -T (test) switch, of course, but with -D (background daemon).

The configuration file is now important. It is easy to make some alerts with nmap if you use the stream4 preprocessor to detect scans (detect_scans) and the SYN-FIN-scan with nmap. Turn on the syslog plugin too, and watch your /var/log/messages. If you do the connect-scan with nmap and the portscan(2) preprocessor is turned off, no alerts will come up. Turn everything on for the beginning and tune your config down then. Sorry to tell you that, but now the hard part is coming: the configuration.

Have fun,
Edin

Jill Tovey wrote:
> okay, I have redone the privileges, and seem to be getting somewhere, the output I get from snort -v -c /etc/snort/snort.conf -T -i eth0 is now:
>
> Log directory = /var/log/snort
>
> Initializing Network Interface eth0
>
>         --== Initializing Snort ==--
> Decoding Ethernet on interface eth0
> Initializing Preprocessors!
> Initializing Plug-ins!
> Initializating Output Plugins!
> Parsing Rules file /etc/snort/snort.conf
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> No arguments to frag2 directive, setting defaults to:
>     Fragment timeout: 60 seconds
>     Fragment memory cap: 4194304 bytes
>     Fragment min_ttl: 0
>     Fragment ttl_limit: 5
>     Fragment Problems: 0
> Stream4 config:
>     Stateful inspection: ACTIVE
>     Session statistics: INACTIVE
>     Session timeout: 30 seconds
>     Session memory cap: 8388608 bytes
>     State alerts: INACTIVE
>     Evasion alerts: INACTIVE
>     Scan alerts: ACTIVE
>     Log Flushed Streams: INACTIVE
>     MinTTL: 1
>     TTL Limit: 5
> No arguments to stream4_reassemble, setting defaults:
>     Reassemble client: ACTIVE
>     Reassemble server: INACTIVE
>     Reassemble ports: 21 23 25 53 80 143 110 111 513
>     Reassembly alerts: ACTIVE
>     Reassembly method: FAVOR_OLD
> database: compiled support for ( mysql )
> database: configured to use mysql
> database: user = snort
> database: password is set
> database: database name = snort
> database: host = 192.168.0.2
> Node unique name is: 192.168.0.2
> database: sensor name = 192.168.0.2
> database: sensor id = 1
> database: schema version = 106
> database: using the "alert" facility
> 1604 Snort rules read...
> 1604 Option Chains linked into 176 Chain Headers
> 0 Dynamic rules
> +++++++++++++++++++++++++++++++++++++++++++++++++++
>
> Rule application order: ->activation->dynamic->alert->pass->log
>
>         --== Initialization Complete ==--
>
> -*> Snort! <*-
> Version 1.8.7 (Build 128)
> By Martin Roesch (roesch () sourcefire com, www.snort.org)
>
> Snort sucessfully loaded all rules and checked all rule chains!
> database: Closing mysql connection to database "snort"
>
> The acid interface still seems to be empty though, is that because I just don't have anything to report yet? I just did an nmap scan on 192.168.0.2 but nothing has shown up.
>
> On Tue, 2003-04-15 at 12:36, Edin Dizdarevic wrote:
> > Hi,
> >
> > log in to MySQL and grant your user access to the DB-tables. That is done with something like this:
> >
> > GRANT privileges on <DB>.<table> to 'user'@'host' identified by 'password';
> >
> > For ex.
> >
> > GRANT ALL on snort.* to 'snortlogger'@'192.168.0.2' identified by 'your_secret_and_long_pw';
> >
> > privileges may be = SELECT, UPDATE, ALTER, ...
> > MySQL-DB = snort
> > user = snortlogger
> > host = 192.168.0.2
> > password = your_secret_and_long_pw
> >
> > I would rather use IPs instead of hostnames, since they may change more often.
> >
> > Remember: That user is then able to delete the alerts too and that may not be what you want. Check the ACID docs in order to learn more about that.
> >
> > I will give you one more hint: This is how you revoke grants:
> >
> > REVOKE privileges on <DB>.<table> from 'user'@'host';
> >
> > Regards,
> > Edin
> >
> > Jill Tovey wrote:
> > > Hi Edin,
> > >
> > > Yes, I created the DB and tables with the latest create_mysql scripts.
> > > ...
> >
> > --
> > Edin Dizdarevic
--
Edin Dizdarevic
Networking Unit
Internet- & e-Security
iAS interActive Systems
Gesellschaft fuer interaktive Medien mbH
Dieffenbachstr. 33c
10967 Berlin
Germany
fon +49-(0)30 69 004-123
fax +49-(0)30 69 004-101
mail edin.dizdarevic () interActive-Systems de
URL http://www.interActive-Systems.de/security
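The quoted GRANT ALL in this thread gets Snort logging, but as Edin notes it also lets the sensor account delete alerts. The following is an added example (not from the thread, nor from the Snort or ACID projects) of splitting that into separate least-privilege accounts: one the sensor logs with, one the console reads with, and one that is allowed to archive or delete. Account names, the host and the passwords are constructed placeholders; the exact privilege set each component needs is an assumption that should be checked against the README.database shipped with your Snort version and the ACID documentation.

```sql
-- Added example, not from the thread: separate the account Snort writes with
-- from the account(s) ACID uses, so that the sensor itself cannot delete alerts.
-- Account names, host and passwords are constructed placeholders. The privilege
-- sets are assumptions; verify them against README.database and the ACID docs.

-- Sensor account: the database output plugin inserts events and reads the
-- sensor/schema tables. Bind it to the sensor's IP rather than to '%'.
GRANT INSERT, SELECT ON snort.*
  TO 'snortlogger'@'192.168.0.2' IDENTIFIED BY 'sensor_pw_change_me';

-- Read-only console account for day-to-day browsing in ACID.
GRANT SELECT ON snort.*
  TO 'acidviewer'@'192.168.0.2' IDENTIFIED BY 'viewer_pw_change_me';

-- Console maintenance account: the only one that may archive or delete alerts
-- and maintain ACID's own tables.
GRANT SELECT, INSERT, UPDATE, DELETE ON snort.*
  TO 'acidadmin'@'192.168.0.2' IDENTIFIED BY 'admin_pw_change_me';

-- If the sensor account was already created with GRANT ALL (as in the thread),
-- strip it back down instead of dropping and recreating it. The password is
-- kept because the second GRANT carries no IDENTIFIED BY clause.
REVOKE ALL PRIVILEGES ON snort.* FROM 'snortlogger'@'192.168.0.2';
GRANT INSERT, SELECT ON snort.* TO 'snortlogger'@'192.168.0.2';

-- Check what each account actually ended up with before restarting Snort.
SHOW GRANTS FOR 'snortlogger'@'192.168.0.2';
SHOW GRANTS FOR 'acidviewer'@'192.168.0.2';
SHOW GRANTS FOR 'acidadmin'@'192.168.0.2';
```

One caveat when the sensor and the database share a machine, as they do in this thread (both are 192.168.0.2): MySQL matches the account against the host the connection comes from, so a Snort that connects over the local Unix socket authenticates as 'user'@'localhost', not as 'user'@'192.168.0.2'. If the -T run shows the connection succeeding but nothing is inserted, compare the host in the output plugin line of snort.conf with the host part of the grant.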
Current thread:
- No output to ACID Jill Tovey (Apr 15)
- Re: No output to ACID Edin Dizdarevic (Apr 15)
- Re: No output to ACID Jill Tovey (Apr 15)
- Re: No output to ACID Edin Dizdarevic (Apr 15)
- Message not available
- Re: No output to ACID Edin Dizdarevic (Apr 15)
- Re: No output to ACID Jill Tovey (Apr 15)
- Re: No output to ACID Joerg Weber (Apr 15)
- Re: No output to ACID Edin Dizdarevic (Apr 15)
- Re: No output to ACID Jill Tovey (Apr 15)