Snort mailing list archives
RE: Snort logging to mysql with no ip on monitored interface
From: "snort" <snort () scottcarpenter net>
Date: Wed, 31 Dec 2003 17:34:37 -0500
I tried that, but if you leave off the -l switch it complains..

D:\EagleX>D:\EagleX\Snort\bin\snort.exe -c "D:\EagleX\Snort\etc\snort.conf" -i 2
Running in IDS mode
Log directory = log
ERROR: [!] ERROR: Can not get write access to logging directory "log".
(directory doesn't exist or permissions are set incorrectly or it is not a directory at all)
Fatal Error, Quitting..

This is really strange. If I just change the interface, alerts do not work with either file or db. I have a web page http://www.cheerleaders4free.com/ that will set off an alert. With ethereal, I can capture the packets just fine on interface 2:

01f0  65 72 73 2e 22 3e 0d 0a 3c 6d 65 74 61 20 6e 61   ers.">..<meta na
0200  6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f   me="keywords" co
0210  6e 74 65 6e 74 3d 22 63 68 65 65 72 6c 65 61 64   ntent="cheerlead
0220  65 72 20 73 65 78 2c 20 6e 75 64 65 20 63 68 65   er sex, nude che
0230  65 72 6c 65 61 64 65 72 73 2c 20 63 68 65 65 72   erleaders, cheer
0240  6c 65 61 64 65 72 20 66 75 63 6b 69 6e 67 2c 20   leader fucking,
0250  63 68 65 65 72 67 69 72 6c 2c 20 4c 69 67 68 74   cheergirl, Light

If I change to -i 1, I get the alert and the log just fine.

D:\EagleX\snort>D:\EagleX\Snort\bin\snort.exe -c "D:\EagleX\Snort\etc\snort.conf" -i 2
Running in IDS mode
Log directory = log
Initializing Network Interface \Device\NPF_{B7264AA4-8C2E-489E-951C-A32498F2FD36}

        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface \Device\NPF_{B7264AA4-8C2E-489E-951C-A32498F2FD36}
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file D:\EagleX\Snort\etc\snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
database: compiled support for ( mysql odbc )
database: configured to use Mysql
database:           host = localhost
database:           port = 7788
database:  database name = snort
database:           user = snort
database: password is set
database:    sensor name = inet
database:   detail level = full
database:      sensor id = 3
database: schema version = 106
database: using the "alert" facility
1581 Snort rules read...
1581 Option Chains linked into 197 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->activation->dynamic->alert->pass->log

        --== Initialization Complete ==--

-*> Snort! <*-
Version 2.0.1-ODBC-MySQL-WIN32 (Build 88)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
1.7-WIN32 Port By Michael Davis (mike () datanerds net, www.datanerds.net/~mike)
1.8 - 2.0 WIN32 Port By Chris Reid (chris.reid () codecraftconsultants com)

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of CMartin () infosol com
Sent: Wednesday, December 31, 2003 1:57 PM
To: michaels () winsnort com
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snor logging to mysql with no ip on monitored interface

Howdy,

I think I found your problem. I'm running snort on linux, but I think the command line is the same. There are times when I would like to log to a directory and not log to a database. I still make a reference to the conf file that has all my database login information, but then in the command line I specify it to log to a directory using the -l (log) switch, as you do in your command line. In my experience, when you use the -l switch in the command line, it overwrites all logging options specified in your conf file. So try removing the -l switch and see if that helps. If you want to log to both the directory and the database, specify that in the conf file.

Chris

-----Original Message-----
From: Michael Steele [mailto:michaels () winsnort com]
Sent: Wednesday, December 31, 2003 10:38 AM
To: 'Snort Users List'
Subject: RE: [Snort-users] Snor logging to mysql with no ip on monitored interface

You can do a tcpdump on the database port and see any alerts that are being passed to it, while running a scan of the system using some vulnerability scanner.

Kindest regards,
The WINSNORT.com Management Team
--
Pick up your FREE Windows or UNIX Snort installation guides
mailto:support () winsnort com
Website: http://www.winsnort.com
Snort: Open Source Network IDS - http://www.snort.org

_____

From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Shaffer, Paul D
Sent: Wednesday, December 31, 2003 8:07 AM
To: snort () scottcarpenter net; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snor logging to mysql with no ip on monitored interface

Uh, I think maybe you're heading the wrong way here. The lack of an IP address on your sensor interface has absolutely nothing to do with database output. I have an almost identical setup running (2.1, though), no probs.

Maybe an obvious question, but how do you know _for sure_ Snort is not outputting to the database? Have you tested it by invoking some known alerts from an external source? Sorry, had to ask...

Paul

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of snort
Sent: Wednesday, December 31, 2003 8:51 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snor logging to mysql with no ip on monitored interface

1) I am making the assumption that logging to MySQL is not possible if the interface I am monitoring does not have an IP. Can someone confirm that?

2) Since I am able to log to a flat file, and I would like to use ACID, can someone point me to a flat-file-to-MySQL script that I can use to populate MySQL with a cron job?

I have Version 2.0.1-ODBC-MySQL-WIN32 (Build 88) under Windows with ACID. Everything is working fine on interface 10.0.0.1. Logging to the db works fine, etc. I put in a second NIC and set it up under XP with no IP address. Ethereal can sniff packets on the interface just fine. I have snort configured for the second interface, but it cannot log to the MySQL database. I added an output plugin for file and was able to see alerts from it. What am I doing wrong?

Cable modem-----------dumb hub---------linksys fw---------10.0.0.1 interface 1
                         |_______________________0.0.0.0 interface 2

Snort output:

D:\EagleX\snort\bin>D:\EagleX\Snort\bin\snort.exe -c "D:\EagleX\Snort\etc\snort.conf" -l "D:\EagleX\Snort\logs" -i 2 -h 192.1 0/24 -X -z
Running in IDS mode
Log directory = D:\EagleX\Snort\logs
Initializing Network Interface \Device\NPF_{B7264AA4-8C2E-489E-951C-A32498F2FD36}

        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface \Device\NPF_{B7264AA4-8C2E-489E-951C-A32498F2FD36}
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file D:\EagleX\Snort\etc\snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
    Self preservation threshold: 500
    Self preservation period: 90
    Suspend threshold: 1000
    Suspend period: 30
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
Stream4_reassemble config:
    Server reassembly: ACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Ports: 21 23 25 53 80 110 111 143 513 1433
    Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80 8877 8888
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
Using LOCAL time
Conversation Config:
   KeepStats: 0
   Conv Count: 65535
   Timeout : 60
   Alert Odd?: 1
   Allowed IP Protocols: All
database: compiled support for ( mysql odbc )
database: configured to use Mysql
database:           host = localhost
database:           port = 7788
database:  database name = snort
database:           user = snort
database: password is set
database:    sensor name = inet
database:   detail level = full
database:      sensor id = 3
database: schema version = 106
database: using the "alert" facility
1581 Snort rules read...
1581 Option Chains linked into 197 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->activation->dynamic->alert->pass->log

        --== Initialization Complete ==--

-*> Snort! <*-
Version 2.0.1-ODBC-MySQL-WIN32 (Build 88)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
1.7-WIN32 Port By Michael Davis (mike () datanerds net, www.datanerds.net/~mike)
1.8 - 2.0 WIN32 Port By Chris Reid (chris.reid () codecraftconsultants com)
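As an added example, not taken from the thread or from the Snort distribution: the snort.conf output section that Chris's reply describes, logging the same alerts both to MySQL and to a file in the -l log directory. The host, port (7788), database name, user, sensor name and detail level are copied from the startup banner posted above; the password is a placeholder, and the output file names are arbitrary choices.

```conf
# Added example: snort.conf output section writing alerts to both MySQL and flat files.
# host/port/dbname/user/sensor_name/detail match the "database:" banner lines in this
# thread; the password is a placeholder (assumption), not the poster's real value.
output database: alert, mysql, user=snort password=CHANGEME dbname=snort host=localhost port=7788 sensor_name=inet detail=full

# One-line alerts written to <logdir>/alert.ids. <logdir> is the -l directory when
# given, otherwise "log" relative to the working directory, which must already exist
# (the "Can not get write access to logging directory" error in this thread).
output alert_fast: alert.ids

# Full packets for alerting traffic in tcpdump/Ethereal-readable form, <logdir>/snort.log
output log_tcpdump: snort.log
```

With both plugins configured, a test hit such as the page mentioned in the thread should appear in alert.ids and as new rows in the MySQL event table at the same time; if the file fills up but the database does not, sniffing the loopback or database port (7788 here) as Michael suggested shows whether Snort is opening a connection to MySQL at all.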