Snort mailing list archives
RE: Snor logging to mysql with no ip on monitored interface
From: CMartin () infosol com
Date: Wed, 31 Dec 2003 11:56:57 -0700
Howdy,

I think I found your problem. I'm running snort on linux, but I think the command line is the same. There are times when I would like to log to a directory and not log to a database. I still make a reference to the conf file that has all my database login information, but then in the command line I specify it to log to a directory using the -l (log) switch, as you do in your command line. In my experience, when you use the -l switch in the command line, it overwrites all logging options specified in your conf file. So try removing the -l switch and see if that helps. If you want to log to both the directory and the database, specify that in the conf file.

Chris

-----Original Message-----
From: Michael Steele [mailto:michaels () winsnort com]
Sent: Wednesday, December 31, 2003 10:38 AM
To: 'Snort Users List'
Subject: RE: [Snort-users] Snor logging to mysql with no ip on monitored interface

You can do a tcpdump on the database port and see any alerts that are being passed to it, while running a scan of the system using some vulnerability scanner.

Kindest regards,
The WINSNORT.com Management Team
--
Pick up your FREE Windows or UNIX Snort installation guides
mailto:support () winsnort com <mailto:support () winsnort com>
Website: http://www.winsnort.com <http://www.winsnort.com>
Snort: Open Source Network IDS - http://www.snort.org <http://www.snort.org>

_____

From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Shaffer, Paul D
Sent: Wednesday, December 31, 2003 8:07 AM
To: snort () scottcarpenter net; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snor logging to mysql with no ip on monitored interface

Uh, I think maybe you're heading the wrong way here. The lack of an IP address on your sensor interface has absolutely nothing to do with database output. I have an almost identical setup running (2.1, though), no probs.

Maybe an obvious question, but how do you know for sure Snort is not outputting to the database? Have you tested it by invoking some known alerts from an external source? Sorry, had to ask...

Paul

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of snort
Sent: Wednesday, December 31, 2003 8:51 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snor logging to mysql with no ip on monitored interface

1) I am making the assumption that logging to MySQL is not possible if the interface I am monitoring does not have an IP. Can someone confirm that?

2) Since I am able to log to a flat file, and I would like to use ACID, can someone point me to a flat file to MySQL script that I can use to populate MySQL with a cron job?

I have Version 2.0.1-ODBC-MySQL-WIN32 (Build 88) under windows with acid. Everything is working fine on interface 10.0.0.1. Logging to the db works fine, etc. I put in a second NIC and set it up under XP with no IP address. Ethereal can sniff packets on the interface just fine. I have snort configured for the second interface, but it cannot log to the mysql database. I added an output plugin for file and was able to see alerts from it. What am I doing wrong?

Cable modem-----------dumb hub---------linksys fw---------10.0.0.1 interface 1
                         |_______________________0.0.0.0 interface 2

Snort output:

D:\EagleX\snort\bin>D:\EagleX\Snort\bin\snort.exe -c "D:\EagleX\Snort\etc\snort.conf" -l "D:\EagleX\Snort\logs" -i 2 -h 192.1 0/24 -X -z
Running in IDS mode
Log directory = D:\EagleX\Snort\logs

Initializing Network Interface \Device\NPF_{B7264AA4-8C2E-489E-951C-A32498F2FD36}

        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface \Device\NPF_{B7264AA4-8C2E-489E-951C-A32498F2FD36}
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file D:\EagleX\Snort\etc\snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
    Self preservation threshold: 500
    Self preservation period: 90
    Suspend threshold: 1000
    Suspend period: 30
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
Stream4_reassemble config:
    Server reassembly: ACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Ports: 21 23 25 53 80 110 111 143 513 1433
    Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80 8877 8888
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
Using LOCAL time
Conversation Config:
   KeepStats: 0
   Conv Count: 65535
   Timeout   : 60
   Alert Odd?: 1
   Allowed IP Protocols:  All

database: compiled support for ( mysql odbc )
database: configured to use Mysql
database:          host = localhost
database:          port = 7788
database: database name = snort
database:          user = snort
database: password is set
database:   sensor name = inet
database:  detail level = full
database:     sensor id = 3
database: schema version = 106
database: using the "alert" facility
1581 Snort rules read...
1581 Option Chains linked into 197 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->activation->dynamic->alert->pass->log

        --== Initialization Complete ==--

-*> Snort! <*-
Version 2.0.1-ODBC-MySQL-WIN32 (Build 88)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
1.7-WIN32 Port By Michael Davis (mike () datanerds net, www.datanerds.net/~mike)
1.8 - 2.0 WIN32 Port By Chris Reid (chris.reid () codecraftconsultants com)
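The thread raises two practical checks: read back what output configuration Snort actually reported at startup (the `database:` lines and the `Log directory` line above), and, as Paul asks, confirm "for sure" whether rows are reaching the database by triggering a known alert and watching the event count for that sensor id move. The script below is an added example written for this page, not code from the thread or from the Snort project. It parses the startup output format shown in the quoted message, and it runs the event-count check against an in-memory SQLite stand-in built inline from the `sensor` and `event` tables of the Snort database schema; against a real sensor the same query would be run on the MySQL `snort` database instead. The sample rows (sensor 3 having written five events, sensor 1 none) are constructed for the demonstration.

```python
"""Two checks for a Snort sensor that appears not to log to its database:
1. parse_startup(): recover the effective output settings from Snort 2.0's
   startup output (the "database:" and "Log directory" lines).
2. new_event_count(): count event rows a sensor id has written above a
   remembered cid, so a deliberately triggered alert can be confirmed.
Added example; the SQLite database is a constructed stand-in for MySQL."""
import re
import sqlite3

# Constructed sample: the output lines from the message above, reduced to
# the ones this parser cares about.
SAMPLE_STARTUP = """\
Running in IDS mode
Log directory = D:\\EagleX\\Snort\\logs
database: compiled support for ( mysql odbc )
database: configured to use Mysql
database:          host = localhost
database:          port = 7788
database: database name = snort
database:          user = snort
database: password is set
database:   sensor name = inet
database:  detail level = full
database:     sensor id = 3
database: schema version = 106
database: using the "alert" facility
"""

_DB_KV = re.compile(r"^database:\s+(?P<key>[a-z ]+?)\s*=\s*(?P<value>.+?)\s*$")
_DB_FACILITY = re.compile(r'^database:\s+using the "(?P<facility>\w+)" facility$')
_LOGDIR = re.compile(r"^Log directory\s*=\s*(?P<dir>.+?)\s*$")


def parse_startup(text):
    """Return {'database': {...}, 'log_directory': str|None} from startup output."""
    settings = {"database": {}, "log_directory": None}
    for raw in text.splitlines():
        line = raw.strip()
        m = _LOGDIR.match(line)
        if m:
            settings["log_directory"] = m.group("dir")
            continue
        m = _DB_FACILITY.match(line)
        if m:
            settings["database"]["facility"] = m.group("facility")
            continue
        m = _DB_KV.match(line)
        if m:
            key = m.group("key").replace(" ", "_")   # "sensor id" -> "sensor_id"
            value = m.group("value")
            # port, sensor id and schema version are numeric; keep the rest as text
            settings["database"][key] = int(value) if value.isdigit() else value
    return settings


# Column layout of the two Snort schema tables the check touches.
SCHEMA = """
CREATE TABLE sensor (sid INTEGER PRIMARY KEY, hostname TEXT, interface TEXT,
                     filter TEXT, detail INTEGER, encoding INTEGER, last_cid INTEGER);
CREATE TABLE event  (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
                     PRIMARY KEY (sid, cid));
"""


def build_sample_db():
    """Constructed stand-in: sensor 3 has written events cid 1..5, sensor 1 none."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO sensor VALUES (1, 'inet', 'nic1', NULL, 1, 2, 0)")
    conn.execute("INSERT INTO sensor VALUES (3, 'inet', 'nic2', NULL, 1, 2, 5)")
    for cid in range(1, 6):
        conn.execute("INSERT INTO event VALUES (3, ?, 1000001, ?)",
                     (cid, f"2003-12-31 10:0{cid}:00"))
    conn.commit()
    return conn


def new_event_count(conn, sid, last_cid):
    """Events sensor `sid` wrote with cid > last_cid, plus the newest cid seen.
    Run once and note max_cid, trigger a known alert, run again: new_events
    must be > 0 if the database output plugin is really receiving events."""
    row = conn.execute(
        "SELECT COUNT(*), COALESCE(MAX(cid), ?) FROM event WHERE sid = ? AND cid > ?",
        (last_cid, sid, last_cid),
    ).fetchone()
    return {"new_events": row[0], "max_cid": row[1]}


if __name__ == "__main__":
    settings = parse_startup(SAMPLE_STARTUP)
    print(settings)
    conn = build_sample_db()
    # Use the sensor id Snort reported, rather than assuming it.
    print(new_event_count(conn, settings["database"]["sensor_id"], 0))
```

Both checks read what the sensor itself reports (its startup banner, its own rows) rather than inferring from the absence of ACID output, which is why they settle the question the thread is circling: whether the database plugin is configured and active at all, and whether anything is arriving once it is.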
Current thread:
- RE: Snor logging to mysql with no ip on monitored interface CMartin (Dec 31)
- RE: Snort logging to mysql with no ip on monitored interface snort (Dec 31)
- RE: Snort logging to mysql with no ip on monitored interface snort (Dec 31)
- RE: Snort logging to mysql with no ip on monitored interface snort (Dec 31)
- RE: Snort logging to mysql with no ip on monitored interface snort (Dec 31)
- RE: Snort logging to mysql with no ip on monitored interface snort (Dec 31)