Snort mailing list archives
Snort mysql with no ip interface
From: "snort" <snort () scottcarpenter net>
Date: Tue, 23 Dec 2003 13:13:10 -0500
I have Version 2.0.1-ODBC-MySQL-WIN32 (Build 88) under windows with
acid. Everything is working fine on interface 10.0.0.1. Logging to the
db works fine, etc. I put in a second NIC and set it up under XP with no
IP address. Ethereal can sniff packets on the interface just fine. I
have snort configured for the second interface, but it cannot log to the
mysql database. I added an output plugin for file and was able to see
alerts from it. What am I doing wrong?
Cable modem-----------dumb hub---------linksys fw---------10.0.0.1
interface 1
|_______________________0.0.0.0
interface 2
Snort output:
D:\EagleX\snort\bin>D:\EagleX\Snort\bin\snort.exe -c
"D:\EagleX\Snort\etc\snort.conf" -l "D:\EagleX\Snort\logs" -i 2 -h 192.1
0/24 -X -z
Running in IDS mode
Log directory = D:\EagleX\Snort\logs
Initializing Network Interface
\Device\NPF_{B7264AA4-8C2E-489E-951C-A32498F2FD36}
--== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface
\Device\NPF_{B7264AA4-8C2E-489E-951C-A32498F2FD36}
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file D:\EagleX\Snort\etc\snort.conf
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
Fragment timeout: 60 seconds
Fragment memory cap: 4194304 bytes
Fragment min_ttl: 0
Fragment ttl_limit: 5
Fragment Problems: 0
Self preservation threshold: 500
Self preservation period: 90
Suspend threshold: 1000
Suspend period: 30
Stream4 config:
Stateful inspection: ACTIVE
Session statistics: INACTIVE
Session timeout: 30 seconds
Session memory cap: 8388608 bytes
State alerts: INACTIVE
Evasion alerts: INACTIVE
Scan alerts: ACTIVE
Log Flushed Streams: INACTIVE
MinTTL: 1
TTL Limit: 5
Async Link: 0
State Protection: 0
Self preservation threshold: 50
Self preservation period: 90
Suspend threshold: 200
Suspend period: 30
Stream4_reassemble config:
Server reassembly: ACTIVE
Client reassembly: ACTIVE
Reassembler alerts: ACTIVE
Ports: 21 23 25 53 80 110 111 143 513 1433
Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
http_decode arguments:
Unicode decoding
IIS alternate Unicode decoding
IIS double encoding vuln
Flip backslash to slash
Include additional whitespace separators
Ports to decode http on: 80 8877 8888
rpc_decode arguments:
Ports to decode RPC on: 111 32771
alert_fragments: INACTIVE
alert_large_fragments: ACTIVE
alert_incomplete: ACTIVE
alert_multiple_requests: ACTIVE
telnet_decode arguments:
Ports to decode telnet on: 21 23 25 119
Using LOCAL time
Conversation Config:
KeepStats: 0
Conv Count: 65535
Timeout : 60
Alert Odd?: 1
Allowed IP Protocols: All
database: compiled support for ( mysql odbc )
database: configured to use Mysql
database: host = localhost
database: port = 7788
database: database name = snort
database: user = snort
database: password is set
database: sensor name = inet
database: detail level = full
database: sensor id = 3
database: schema version = 106
database: using the "alert" facility
1581 Snort rules read...
1581 Option Chains linked into 197 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
Rule application order: ->activation->dynamic->alert->pass->log
--== Initialization Complete ==--
-*> Snort! <*-
Version 2.0.1-ODBC-MySQL-WIN32 (Build 88)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
1.7-WIN32 Port By Michael Davis (mike () datanerds net,
www.datanerds.net/~mike)
1.8 - 2.0 WIN32 Port By Chris Reid (chris.reid () codecraftconsultants com)
Current thread:
- Snort mysql with no ip interface snort (Dec 23)
- <Possible follow-ups>
- Snort mysql with no ip interface Scott Carpenter (Dec 30)
- Snor logging to mysql with no ip on monitored interface snort (Dec 31)