Snort mailing list archives
RE: TCP and ACID
From: "Kromodimedjo, John" <kromodimedjoj () unaids org>
Date: Wed, 31 Mar 2004 23:47:56 +0200
Hi thanks for your reply.
1) Is Snort really running?
Yes.
2) snort -v (You should see traffic)
Yes, I do - lots of traffic
3) Are you on a switch?
Nope.
4) snort <full run line> -T (This should give you some useful information)
Everything looks OK - See attached snortrun.txt
5) TCPDump the port to see if traffic is really getting there
Yes....all is fine
6) Check the logs for errors
No errors
7) is Snort creating the alert.ids in the log folder?
Yes, it is being created and has data. I have included my snort.conf file. Do you think the 2 lines below can be together? Because I got a MSSQL error too...duplicate primary key, but if I take one of the lines out it does not.

output database: log, mssql, user=snort password=snort123 dbname=snort host=158.232.85.36 port=1433 sensor_name=GE-3E-06
output database: alert, mssql, user=snort password=snort123 dbname=snort host=158.232.85.36 port=1433 sensor_name=GE-3E-06

Million thanks for your help.

John Kromodimedjo
UNAIDS - Geneva

----------------------------------------------------
Kindest regards,
The WINSNORT.com Management Team
--
Pick up your FREE Windows or UNIX Snort installation guides
mailto:support () winsnort com
Website: http://www.winsnort.com
Snort: Open Source Network IDS - http://www.snort.org
-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Kromodimedjo, John
Sent: Wednesday, March 31, 2004 4:56 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] TCP and ACID

Hi all,

I have installed snort with ACID on MSSQL. So far so good. I have left it running for one night and I know it captured TCP packets but nothing comes up in ACID. Do you know what I am doing wrong?? Here is part of my snort.conf.

Thanks.

John
UNAIDS-Geneva

-----------------------------------
var HOME_NET any
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var RULE_PATH d:\snort\rules
preprocessor flow: stats_interval 0 hash 2
preprocessor frag2
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
preprocessor portscan:$HOME_NET 4 3 d:\snort\log\portscan.log
output alert_fast:alert.ids
output database: log, mssql, user=snort password=snort123 dbname=snort host=158.232.85.36 port=1433 sensor_name=GE-3E-06
output database: alert, mssql, user=snort password=snort123 dbname=snort host=158.232.85.36 port=1433 sensor_name=GE-3E-06
include d:\snort\etc\classification.config
include d:\snort\etc\reference.config

-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of GenToo technologies. Learn everything from fundamentals to system administration.
http://ads.osdn.com/?ad_id70&alloc_id638&op=ick
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=ort-users
Attachment:
snortrun.txt
Description: snortrun.txt
Attachment:
snort.conf
Description: snort.conf
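John's symptom above (a duplicate-primary-key error from MSSQL that disappears when one of the two "output database:" lines is removed) is the kind of thing a small config lint can catch before Snort is started. The script below is an added example written for this archive page, not code from Snort or from anyone in the thread: it parses the legacy "output database:" directives and reports when more than one facility (log and alert) is pointed at the same backend, host, port, database and sensor_name. The sample configuration is constructed, with the real host and password replaced by placeholders.

```python
import re

# Constructed sample: the two directives from the thread, with the real
# host replaced by a documentation address and the password redacted.
SAMPLE_CONF = """\
var HOME_NET any
output alert_fast:alert.ids
output database: log, mssql, user=snort password=REDACTED dbname=snort host=192.0.2.10 port=1433 sensor_name=GE-3E-06
output database: alert, mssql, user=snort password=REDACTED dbname=snort host=192.0.2.10 port=1433 sensor_name=GE-3E-06
"""

# "output database: <facility>, <backend>, key=value key=value ..."
DIRECTIVE = re.compile(r"^output\s+database:\s*(\w+)\s*,\s*(\w+)\s*,\s*(.*)$")


def parse_database_outputs(conf_text):
    """Return one dict per 'output database:' line with its facility,
    backend and key=value parameters; comments and other lines are skipped."""
    outputs = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE.match(line)
        if not m:
            continue
        facility, backend, rest = m.groups()
        params = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
        outputs.append({"facility": facility, "backend": backend, **params})
    return outputs


def find_shared_targets(outputs):
    """Group the parsed outputs by the database target they write to and
    return only the targets that more than one facility shares, mapped to
    the list of facilities. Two facilities feeding one sensor_name in one
    database is the configuration the thread reports as producing
    duplicate primary keys."""
    by_target = {}
    for o in outputs:
        key = (o["backend"], o.get("host"), o.get("port"),
               o.get("dbname"), o.get("sensor_name"))
        by_target.setdefault(key, []).append(o["facility"])
    return {k: v for k, v in by_target.items() if len(v) > 1}


if __name__ == "__main__":
    for target, facilities in find_shared_targets(parse_database_outputs(SAMPLE_CONF)).items():
        print("WARNING: facilities %s share database target %s" % (", ".join(facilities), target))
```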
Current thread:
- TCP and ACID Kromodimedjo, John (Mar 31)
- RE: TCP and ACID Michael Steele (Mar 31)
- <Possible follow-ups>
- RE: TCP and ACID Shawn Kottke (Mar 31)
- RE: TCP and ACID Kromodimedjo, John (Mar 31)
- RE: TCP and ACID Kromodimedjo, John (Mar 31)