Snort mailing list archives
RE: Snort logging to mysql with no ip on monitored interface
From: "snort" <snort () scottcarpenter net>
Date: Wed, 31 Dec 2003 17:53:36 -0500
I am now getting db alerts, but only port scans from my cable modem ip interface.

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of snort
Sent: Wednesday, December 31, 2003 5:41 PM
To: snort () scottcarpenter net; CMartin () infosol com; michaels () winsnort com
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snort logging to mysql with no ip on monitored interface

It may be that the interface is overloaded. I used the -v switch and get:

D:\EagleX\snort>D:\EagleX\Snort\bin\snort.exe -c "D:\EagleX\Snort\etc\snort.conf" -l "D:\EagleX\Snort\logs" -i 2 -h 192.168.0.100/2 -v
Running in IDS mode
Log directory = D:\EagleX\Snort\logs

Initializing Network Interface \Device\NPF_{B7264AA4-8C2E-489E-951C-A32498F2FD36}

        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface \Device\NPF_{B7264AA4-8C2E-489E-951C-A32498F2FD36}
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file D:\EagleX\Snort\etc\snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
database: compiled support for ( mysql odbc )
database: configured to use Mysql
database:          host = localhost
database:          port = 7788
database: database name = snort
database:          user = snort
database: password is set
database:   sensor name = inet
database:  detail level = full
database:     sensor id = 3
database: schema version = 106
database: using the "alert" facility
1581 Snort rules read...
1581 Option Chains linked into 197 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->activation->dynamic->alert->pass->log

        --== Initialization Complete ==--

-*> Snort! <*-
Version 2.0.1-ODBC-MySQL-WIN32 (Build 88)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
1.7-WIN32 Port By Michael Davis (mike () datanerds net, www.datanerds.net/~mike)
1.8 - 2.0 WIN32 Port By Chris Reid (chris.reid () codecraftconsultants com)

12/31-17:37:46.404823 ARP who-has 68.100.137.3 tell 68.100.136.1
12/31-17:37:46.853076 ARP who-has 10.5.201.19 tell 10.5.192.1
12/31-17:37:46.853263 ARP who-has 68.100.141.190 tell 68.100.136.1
12/31-17:37:46.922747 ARP who-has 68.100.143.151 tell 68.100.136.1
12/31-17:37:47.441033 ARP who-has 68.100.145.0 tell 68.100.144.1
12/31-17:37:47.852663 ARP who-has 68.100.148.110 tell 68.100.144.1
12/31-17:37:47.852811 ARP who-has 68.100.139.37 tell 68.100.136.1
12/31-17:37:47.857267 ARP who-has 68.100.146.56 tell 68.100.144.1
12/31-17:37:48.521345 ARP who-has 68.100.136.12 tell 68.100.136.1
12/31-17:37:48.661274 ARP who-has 68.100.141.218 tell 68.100.136.1
12/31-17:37:48.739527 ARP who-has 68.105.187.184 tell 68.105.187.1
12/31-17:37:48.852797 ARP who-has 10.5.204.52 tell 10.5.192.1
12/31-17:37:49.853183 ARP who-has 10.5.200.192 tell 10.5.192.1
12/31-17:37:49.962343 ARP who-has 68.100.138.179 tell 68.100.136.1
12/31-17:37:49.987511 10.5.192.1:67 -> 255.255.255.255:68
UDP TTL:16 TOS:0x7 ID:0 IpLen:20 DgmLen:328
Len: 300
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/31-17:37:50.010668 10.5.192.1:67 -> 255.255.255.255:68
UDP TTL:16 TOS:0x7 ID:0 IpLen:20 DgmLen:328
Len: 300
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/31-17:37:50.652817 ARP who-has 68.100.150.223 tell 68.100.144.1
12/31-17:37:50.691730 ARP who-has 68.105.187.197 tell 68.105.187.1
12/31-17:37:50.852925 ARP who-has 10.5.190.106 tell 10.5.184.1
12/31-17:37:50.991994 ARP who-has 68.105.187.199 tell 68.105.187.1
12/31-17:37:50.998991 ARP who-has 10.5.207.29 tell 10.5.192.1
12/31-17:37:51.183033 ARP who-has 68.100.27.17 tell 68.100.26.1
12/31-17:37:51.258331 ARP who-has 68.100.150.89 tell 68.100.144.1
12/31-17:37:51.398474 216.55.16.67:3474 -> 68.100.137.18:25
TCP TTL:109 TOS:0x0 ID:54619 IpLen:20 DgmLen:48 DF
******S* Seq: 0x790B674A  Ack: 0x0  Win: 0xFAF0  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/31-17:37:51.399618 ARP who-has 68.100.136.1 tell 68.100.137.18
12/31-17:37:51.411000 ARP reply 68.100.136.1 is-at 0:50:57:0:87:6A
12/31-17:37:51.411521 68.100.137.18:25 -> 216.55.16.67:3474
TCP TTL:128 TOS:0x0 ID:39884 IpLen:20 DgmLen:48 DF
***A**S* Seq: 0x8F6C66F0  Ack: 0x790B674B  Win: 0xFFF0  TcpLen: 28
TCP Options (4) => MSS: 1260 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/31-17:37:51.442306 ARP who-has 68.105.187.202 tell 68.105.187.1
12/31-17:37:51.463001 216.55.16.67:3474 -> 68.100.137.18:25
TCP TTL:109 TOS:0x0 ID:54631 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x790B674B  Ack: 0x8F6C66F1  Win: 0xFB04  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/31-17:37:51.474576 68.100.137.18:25 -> 216.55.16.67:3474
TCP TTL:128 TOS:0x0 ID:39885 IpLen:20 DgmLen:88 DF
***AP*** Seq: 0x8F6C66F1  Ack: 0x790B674B  Win: 0xFFF0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/31-17:37:51.477225 68.100.137.18:25 -> 216.55.16.67:3474
TCP TTL:128 TOS:0x0 ID:39886 IpLen:20 DgmLen:40 DF
***A***F Seq: 0x8F6C6721  Ack: 0x790B674B  Win: 0xFFF0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/31-17:37:51.532155 216.55.16.67:3474 -> 68.100.137.18:25
TCP TTL:109 TOS:0x0 ID:54638 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x790B674B  Ack: 0x8F6C6722  Win: 0xFAD4  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/31-17:37:51.569131 216.55.16.67:3474 -> 68.100.137.18:25
TCP TTL:109 TOS:0x0 ID:54644 IpLen:20 DgmLen:46 DF
***AP*** Seq: 0x790B674B  Ack: 0x8F6C6722  Win: 0xFAD4  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/31-17:37:51.569199 216.55.16.67:3474 -> 68.100.137.18:25
TCP TTL:109 TOS:0x0 ID:54645 IpLen:20 DgmLen:40 DF
***A***F Seq: 0x790B6751  Ack: 0x8F6C6722  Win: 0xFAD4  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/31-17:37:51.570428 68.100.137.18:25 -> 216.55.16.67:3474
TCP TTL:128 TOS:0x0 ID:39887 IpLen:20 DgmLen:40 DF
*****R** Seq: 0x8F6C6722  Ack: 0x790B674B  Win: 0x0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/31-17:37:51.570752 68.100.137.18:25 -> 216.55.16.67:3474
TCP TTL:128 TOS:0x0 ID:39888 IpLen:20 DgmLen:40
*****R** Seq: 0x8F6C6722  Ack: 0x8F6C6722  Win: 0x0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of snort
Sent: Wednesday, December 31, 2003 5:35 PM
To: CMartin () infosol com; michaels () winsnort com
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snort logging to mysql with no ip on monitored interface

I tried that, but if you leave off the -l switch it complains..

D:\EagleX>D:\EagleX\Snort\bin\snort.exe -c "D:\EagleX\Snort\etc\snort.conf" -i 2
Running in IDS mode
Log directory = log
ERROR: [!] ERROR: Can not get write access to logging directory "log".
(directory doesn't exist or permissions are set incorrectly or it is not a directory at all)
Fatal Error, Quitting..

This is really strange. If I just change the interface, alerts do not work with either file or db. I have a web page http://www.cheerleaders4free.com/ that will set off an alert.

With ethereal, I can capture the packets just fine on interface 2:

01f0  65 72 73 2e 22 3e 0d 0a 3c 6d 65 74 61 20 6e 61   ers.">..<meta na
0200  6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f   me="keywords" co
0210  6e 74 65 6e 74 3d 22 63 68 65 65 72 6c 65 61 64   ntent="cheerlead
0220  65 72 20 73 65 78 2c 20 6e 75 64 65 20 63 68 65   er sex, nude che
0230  65 72 6c 65 61 64 65 72 73 2c 20 63 68 65 65 72   erleaders, cheer
0240  6c 65 61 64 65 72 20 66 75 63 6b 69 6e 67 2c 20   leader fucking,
0250  63 68 65 65 72 67 69 72 6c 2c 20 4c 69 67 68 74   cheergirl, Light

If I change to -i 1, I get the alert and the log just fine

D:\EagleX\snort>D:\EagleX\Snort\bin\snort.exe -c "D:\EagleX\Snort\etc\snort.conf" -i 2
Running in IDS mode
Log directory = log

Initializing Network Interface \Device\NPF_{B7264AA4-8C2E-489E-951C-A32498F2FD36}

        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface \Device\NPF_{B7264AA4-8C2E-489E-951C-A32498F2FD36}
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file D:\EagleX\Snort\etc\snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
database: compiled support for ( mysql odbc )
database: configured to use Mysql
database:          host = localhost
database:          port = 7788
database: database name = snort
database:          user = snort
database: password is set
database:   sensor name = inet
database:  detail level = full
database:     sensor id = 3
database: schema version = 106
database: using the "alert" facility
1581 Snort rules read...
1581 Option Chains linked into 197 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->activation->dynamic->alert->pass->log

        --== Initialization Complete ==--

-*> Snort! <*-
Version 2.0.1-ODBC-MySQL-WIN32 (Build 88)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
1.7-WIN32 Port By Michael Davis (mike () datanerds net, www.datanerds.net/~mike)
1.8 - 2.0 WIN32 Port By Chris Reid (chris.reid () codecraftconsultants com)

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of CMartin () infosol com
Sent: Wednesday, December 31, 2003 1:57 PM
To: michaels () winsnort com
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snor logging to mysql with no ip on monitored interface

Howdy,

I think I found your problem. I'm running snort on linux, but I think the command line is the same. There are times when I would like to log to a directory and not log to a database. I still make a reference to the conf file that has all my database login information, but then in the command line I specify it to log to a directory using the -l (log) switch, as you do in your command line. In my experience, when you use the -l switch in the command line, it overwrites all logging options specified in your conf file. So try removing the -l switch and see if that helps. If you want to log to both the directory and the database, specify that in the conf file.

Chris

-----Original Message-----
From: Michael Steele [mailto:michaels () winsnort com]
Sent: Wednesday, December 31, 2003 10:38 AM
To: 'Snort Users List'
Subject: RE: [Snort-users] Snor logging to mysql with no ip on monitored interface

You can do a tcpdump on the database port and see any alerts that are being passed to it, while running a scan of the system using some vulnerability scanner.

Kindest regards,
The WINSNORT.com Management Team
--
Pick up your FREE Windows or UNIX Snort installation guides
mailto:support () winsnort com
Website: http://www.winsnort.com
Snort: Open Source Network IDS - http://www.snort.org

_____
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Shaffer, Paul D
Sent: Wednesday, December 31, 2003 8:07 AM
To: snort () scottcarpenter net; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snor logging to mysql with no ip on monitored interface

Uh, I think maybe you're heading the wrong way here. The lack of an IP address on your sensor interface has absolutely nothing to do with database output. I have an almost identical setup running (2.1, though), no probs.

Maybe an obvious question, but how do you know _for sure_ Snort is not outputting to the database? Have you tested it by invoking some known alerts from an external source? Sorry, had to ask...

Paul

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of snort
Sent: Wednesday, December 31, 2003 8:51 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snor logging to mysql with no ip on monitored interface

1) I am making the assumption that logging to MySQL is not possible if the interface I am monitoring does not have an IP. Can someone confirm that?

2) Since I am able to log to a flat file, and I would like to use ACID, can someone point me to a flat file to MySQL script that I can use to populate MySQL with a cron job?

I have Version 2.0.1-ODBC-MySQL-WIN32 (Build 88) under windows with acid. Everything is working fine on interface 10.0.0.1. Logging to the db works fine, etc. I put in a second NIC and set it up under XP with no IP address. Ethereal can sniff packets on the interface just fine. I have snort configured for the second interface, but it cannot log to the mysql database. I added an output plugin for file and was able to see alerts from it. What am I doing wrong?

Cable modem-----------dumb hub---------linksys fw---------10.0.0.1 interface 1
                         |_______________________0.0.0.0 interface 2

Snort output:

D:\EagleX\snort\bin>D:\EagleX\Snort\bin\snort.exe -c "D:\EagleX\Snort\etc\snort.conf" -l "D:\EagleX\Snort\logs" -i 2 -h 192.1 0/24 -X -z
Running in IDS mode
Log directory = D:\EagleX\Snort\logs

Initializing Network Interface \Device\NPF_{B7264AA4-8C2E-489E-951C-A32498F2FD36}

        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface \Device\NPF_{B7264AA4-8C2E-489E-951C-A32498F2FD36}
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file D:\EagleX\Snort\etc\snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
    Self preservation threshold: 500
    Self preservation period: 90
    Suspend threshold: 1000
    Suspend period: 30
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
Stream4_reassemble config:
    Server reassembly: ACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Ports: 21 23 25 53 80 110 111 143 513 1433
    Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80 8877 8888
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
Using LOCAL time
Conversation Config:
    KeepStats: 0
    Conv Count: 65535
    Timeout  : 60
    Alert Odd?: 1
    Allowed IP Protocols:  All
database: compiled support for ( mysql odbc )
database: configured to use Mysql
database:          host = localhost
database:          port = 7788
database: database name = snort
database:          user = snort
database: password is set
database:   sensor name = inet
database:  detail level = full
database:     sensor id = 3
database: schema version = 106
database: using the "alert" facility
1581 Snort rules read...
1581 Option Chains linked into 197 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->activation->dynamic->alert->pass->log

        --== Initialization Complete ==--

-*> Snort! <*-
Version 2.0.1-ODBC-MySQL-WIN32 (Build 88)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
1.7-WIN32 Port By Michael Davis (mike () datanerds net, www.datanerds.net/~mike)
1.8 - 2.0 WIN32 Port By Chris Reid (chris.reid () codecraftconsultants com)
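The original poster's second question (a flat-file-to-MySQL script that could feed ACID from a cron job) and Paul's "how do you know for sure" check come down to the same two steps: parse what Snort actually wrote to its alert file, load it under the right sensor, then count what landed. The script below is an added example, not code from this thread or from the Snort project. It assumes Snort's full alert text format (the default alert mode, written to the `alert` file in the log directory); it uses sqlite3 in place of MySQL so it runs offline; its `sensor`/`signature`/`event` tables are a cut-down, assumed imitation of the Snort database schema rather than a copy of schema version 106; and the sample alerts and their signature ids are constructed.

```python
"""Load Snort full-format alerts into a database and count what arrived.

Added example, not from the thread or the Snort project. Assumptions:
- input is Snort's full alert text format (blank-line separated records);
- sqlite3 stands in for MySQL so the script runs offline;
- the table layout is a cut-down imitation of Snort's sensor/signature/event
  tables, not a copy of schema version 106.
"""
import re
import sqlite3

# Constructed sample alerts (hypothetical signature ids and messages).
SAMPLE_ALERTS = """\
[**] [1:1000001:1] Hypothetical WEB-CLIENT adult content keyword [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1]
12/31-17:37:51.398474 216.55.16.67:3474 -> 68.100.137.18:25
TCP TTL:109 TOS:0x0 ID:54619 IpLen:20 DgmLen:48 DF
******S* Seq: 0x790B674A  Ack: 0x0  Win: 0xFAF0  TcpLen: 28

[**] [1:1000002:1] Hypothetical SMTP probe [**]
[Classification: Attempted Information Leak] [Priority: 2]
12/31-17:37:51.569131 216.55.16.67:3474 -> 68.100.137.18:25
TCP TTL:109 TOS:0x0 ID:54644 IpLen:20 DgmLen:46 DF

[**] [1:1000001:1] Hypothetical WEB-CLIENT adult content keyword [**]
[Classification: Potential Corporate Privacy Violation] [Priority: 1]
12/31-17:38:02.000001 10.5.192.1:67 -> 255.255.255.255:68
UDP TTL:16 TOS:0x7 ID:0 IpLen:20 DgmLen:328
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: (.+?)\] \[Priority: (\d+)\]$")
PACKET_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+) -> (\S+)$")
PROTO_RE = re.compile(r"^(TCP|UDP|ICMP)\b")

SCHEMA = """
CREATE TABLE IF NOT EXISTS sensor (
    sid INTEGER PRIMARY KEY, hostname TEXT, interface TEXT,
    last_cid INTEGER NOT NULL DEFAULT 0);
CREATE TABLE IF NOT EXISTS signature (
    sig_id INTEGER PRIMARY KEY AUTOINCREMENT, sig_name TEXT UNIQUE,
    sig_priority INTEGER);
CREATE TABLE IF NOT EXISTS event (
    sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
    ip_src TEXT, ip_dst TEXT, ip_proto TEXT, sport INTEGER, dport INTEGER,
    PRIMARY KEY (sid, cid));
"""


def _split_endpoint(text):
    """'1.2.3.4:80' -> ('1.2.3.4', 80); a bare IPv4 address -> (addr, None)."""
    if ":" in text:
        addr, port = text.rsplit(":", 1)
        return addr, int(port)
    return text, None


def parse_alert_full(text):
    """Return one dict per record of Snort's full alert format."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.rstrip() for ln in block.splitlines() if ln.strip()]
        m = HEADER_RE.match(lines[0])
        if not m:
            raise ValueError("not a full-format alert record: %r" % lines[0])
        ev = {"gid": int(m.group(1)), "sid": int(m.group(2)),
              "rev": int(m.group(3)), "msg": m.group(4),
              "classification": None, "priority": None, "timestamp": None,
              "src": None, "sport": None, "dst": None, "dport": None,
              "proto": None}
        for ln in lines[1:]:
            c, p, pr = CLASS_RE.match(ln), PACKET_RE.match(ln), PROTO_RE.match(ln)
            if c:
                ev["classification"], ev["priority"] = c.group(1), int(c.group(2))
            elif p:
                ev["timestamp"] = p.group(1)
                ev["src"], ev["sport"] = _split_endpoint(p.group(2))
                ev["dst"], ev["dport"] = _split_endpoint(p.group(3))
            elif pr:
                ev["proto"] = pr.group(1)
        if ev["timestamp"] is None:   # a record with no packet line is corrupt
            raise ValueError("record without packet line: %r" % lines[0])
        events.append(ev)
    return events


def new_connection(path=":memory:"):
    """sqlite3 stands in for the MySQL connection a real deployment would use."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def load_alerts(conn, events, sensor_name, interface):
    """Insert events under one sensor, numbering them with a per-sensor
    counter (cid) that resumes from sensor.last_cid on each cron run."""
    cur = conn.cursor()
    row = cur.execute("SELECT sid, last_cid FROM sensor WHERE hostname=? AND interface=?",
                      (sensor_name, interface)).fetchone()
    if row is None:
        cur.execute("INSERT INTO sensor (hostname, interface) VALUES (?, ?)",
                    (sensor_name, interface))
        sid, cid = cur.lastrowid, 0
    else:
        sid, cid = row
    for ev in events:
        cur.execute("INSERT OR IGNORE INTO signature (sig_name, sig_priority) VALUES (?, ?)",
                    (ev["msg"], ev["priority"]))
        sig_id = cur.execute("SELECT sig_id FROM signature WHERE sig_name=?",
                             (ev["msg"],)).fetchone()[0]
        cid += 1
        cur.execute("INSERT INTO event VALUES (?,?,?,?,?,?,?,?,?)",
                    (sid, cid, sig_id, ev["timestamp"], ev["src"], ev["dst"],
                     ev["proto"], ev["sport"], ev["dport"]))
    cur.execute("UPDATE sensor SET last_cid=? WHERE sid=?", (cid, sid))
    conn.commit()
    return sid, cid


def events_per_sensor(conn):
    """Paul's check: how many events each sensor has actually written."""
    rows = conn.execute(
        "SELECT s.hostname, s.interface, COUNT(e.cid) FROM sensor s "
        "LEFT JOIN event e ON e.sid = s.sid GROUP BY s.sid ORDER BY s.sid").fetchall()
    return [tuple(r) for r in rows]


if __name__ == "__main__":
    conn = new_connection()
    load_alerts(conn, parse_alert_full(SAMPLE_ALERTS), "inet", "interface 2")
    print(events_per_sensor(conn))
```

Run it against the real `alert` file by reading that file into `parse_alert_full` and pointing `new_connection` at a persistent database; the `last_cid` bookkeeping is what keeps repeated cron runs from renumbering events, and the count per sensor is the quickest way to tell whether a sensor has written anything at all.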