Snort mailing list archives
Snort mysql with no ip interface
From: "snort" <snort () scottcarpenter net>
Date: Tue, 23 Dec 2003 13:13:10 -0500
I have Version 2.0.1-ODBC-MySQL-WIN32 (Build 88) under Windows with ACID. Everything is working fine on interface 10.0.0.1. Logging to the db works fine, etc. I put in a second NIC and set it up under XP with no IP address. Ethereal can sniff packets on the interface just fine. I have Snort configured for the second interface, but it cannot log to the MySQL database. I added an output plugin for file and was able to see alerts from it. What am I doing wrong?

Cable modem-----------dumb hub---------linksys fw---------10.0.0.1 interface 1
                         |_______________________0.0.0.0 interface 2

Snort output:

D:\EagleX\snort\bin>D:\EagleX\Snort\bin\snort.exe -c "D:\EagleX\Snort\etc\snort.conf" -l "D:\EagleX\Snort\logs" -i 2 -h 192.1 0/24 -X -z
Running in IDS mode
Log directory = D:\EagleX\Snort\logs

Initializing Network Interface \Device\NPF_{B7264AA4-8C2E-489E-951C-A32498F2FD36}

        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface \Device\NPF_{B7264AA4-8C2E-489E-951C-A32498F2FD36}
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file D:\EagleX\Snort\etc\snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl: 0
    Fragment ttl_limit: 5
    Fragment Problems: 0
    Self preservation threshold: 500
    Self preservation period: 90
    Suspend threshold: 1000
    Suspend period: 30
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
Stream4_reassemble config:
    Server reassembly: ACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Ports: 21 23 25 53 80 110 111 143 513 1433
    Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80 8877 8888
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
Using LOCAL time
Conversation Config:
    KeepStats: 0
    Conv Count: 65535
    Timeout : 60
    Alert Odd?: 1
    Allowed IP Protocols: All
database: compiled support for ( mysql odbc )
database: configured to use Mysql
database:          host = localhost
database:          port = 7788
database: database name = snort
database:          user = snort
database: password is set
database:   sensor name = inet
database:  detail level = full
database:     sensor id = 3
database: schema version = 106
database: using the "alert" facility
1581 Snort rules read...
1581 Option Chains linked into 197 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->activation->dynamic->alert->pass->log

        --== Initialization Complete ==--

-*> Snort! <*-
Version 2.0.1-ODBC-MySQL-WIN32 (Build 88)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
1.7-WIN32 Port By Michael Davis (mike () datanerds net, www.datanerds.net/~mike)
1.8 - 2.0 WIN32 Port By Chris Reid (chris.reid () codecraftconsultants com)