Snort mailing list archives
Re: MySQL support for Snort 2.9.4
From: Kaya Saman <kayasaman () gmail com>
Date: Tue, 11 Dec 2012 19:06:04 +0000
On 12/11/2012 02:45 PM, JJC wrote:
> Damn, Joel beat me to it again.. When you traverse between versions it's always best to `make deinstall`, or manually rm the old files, or you may get errors like this.
Thanks guys! Sorry, I've just started with Snort and have only been using it for the last few weeks, mostly from the OpenBSD port of 2.8.6, which is why my understanding and knowledge of what's going on is highly limited.....

A strange thing though: Snort is stable, listening on the interface and able to collect information. For some reason, however, it doesn't seem to be either processing the information or logging it??

With the startup options set to:

/usr/local/bin/snort -i trunk0 -c /etc/snort/snort.conf --daq-dir=/usr/local/lib/daq -u _snort -g _snort --daq=pcap

I get this:

Rule application order: activation->dynamic->pass->drop->sdrop->reject->alert->log
Verifying Preprocessor Configurations!
ICMP tracking disabled, no ICMP sessions allocated
IP tracking disabled, no IP sessions allocated
WARNING: flowbits key 'file.mime' is set but not ever checked.
WARNING: flowbits key 'file.mppl' is set but not ever checked.
WARNING: flowbits key 'file.vwr' is set but not ever checked.
WARNING: flowbits key 'asteriskmi' is set but not ever checked.
WARNING: flowbits key 'file.jp2' is set but not ever checked.
WARNING: flowbits key 'file.wrf' is set but not ever checked.
WARNING: flowbits key 'file.crx' is set but not ever checked.
WARNING: flowbits key 'file.eml' is set but not ever checked.
WARNING: flowbits key 'backdoor.y3krat_15.client.response' is checked but not ever set.
WARNING: flowbits key 'file.ram' is set but not ever checked.
WARNING: flowbits key 'file.plf' is set but not ever checked.
WARNING: flowbits key 'file.hta' is set but not ever checked.
WARNING: flowbits key 'file.mid' is set but not ever checked.
WARNING: flowbits key 'file.amf' is set but not ever checked.
WARNING: flowbits key 'file.rdp' is set but not ever checked.
WARNING: flowbits key 'file.aom' is set but not ever checked.
WARNING: flowbits key 'file.rpt' is set but not ever checked.
WARNING: flowbits key 'file.m4r' is set but not ever checked.
WARNING: flowbits key 'file.nab' is set but not ever checked.
WARNING: flowbits key 'file.xm' is set but not ever checked.
WARNING: flowbits key 'file.bmp' is set but not ever checked.
WARNING: flowbits key 'file.bat' is set but not ever checked.
WARNING: flowbits key 'file.rtx' is set but not ever checked.
WARNING: flowbits key 'file.winampskin' is set but not ever checked.
WARNING: flowbits key 'file.3g2' is set but not ever checked.
WARNING: flowbits key 'file.skm' is set but not ever checked.
WARNING: flowbits key 'file.ht3' is set but not ever checked.
WARNING: flowbits key 'file.pptx' is set but not ever checked.
WARNING: flowbits key 'file.dbp' is set but not ever checked.
WARNING: flowbits key 'file.mkv' is set but not ever checked.
WARNING: flowbits key 'file.rmp' is set but not ever checked.
WARNING: flowbits key 'file.file.tar' is set but not ever checked.
WARNING: flowbits key 'mscomctl' is set but not ever checked.
WARNING: flowbits key 'file.dvr-ms' is set but not ever checked.
WARNING: flowbits key 'file.m4p' is set but not ever checked.
WARNING: flowbits key 'file.caff' is set but not ever checked.
WARNING: flowbits key 'file.rp' is set but not ever checked.
WARNING: flowbits key 'file.plp' is set but not ever checked.
WARNING: flowbits key 'file.aiff' is set but not ever checked.
WARNING: flowbits key 'file.daz_ds' is set but not ever checked.
WARNING: flowbits key 'file.wma' is set but not ever checked.
WARNING: flowbits key 'file.application' is set but not ever checked.
WARNING: flowbits key 'file.3gp' is set but not ever checked.
WARNING: flowbits key 'ABSystemSpy_Inforetrieve1' is set but not ever checked.
WARNING: flowbits key 'file.webm' is set but not ever checked.
WARNING: flowbits key 'file.jar.agent_helper' is set but not ever checked.
WARNING: flowbits key 'netsenum' is set but not ever checked.
WARNING: flowbits key 'file.arj' is set but not ever checked.
WARNING: flowbits key 'file.ogg' is set but not ever checked.
WARNING: flowbits key 'file.oless.v3' is set but not ever checked.
WARNING: flowbits key 'file.mov' is set but not ever checked.
WARNING: flowbits key 'ipp.application' is checked but not ever set.
WARNING: flowbits key 'file.pictmov' is set but not ever checked.
WARNING: flowbits key 'file.lzh' is set but not ever checked.
WARNING: flowbits key 'file.collada' is set but not ever checked.
WARNING: flowbits key 'file.s3m' is set but not ever checked.
WARNING: flowbits key 'file.tiff.big' is set but not ever checked.
WARNING: flowbits key 'file.k3g' is set but not ever checked.
WARNING: flowbits key 'file.wmp_playlist' is set but not ever checked.
WARNING: flowbits key 'file.cov' is set but not ever checked.
WARNING: flowbits key 'soliddb' is set but not ever checked.
WARNING: flowbits key 'file.rt' is set but not ever checked.
WARNING: flowbits key 'waprox.init' is set but not ever checked.
WARNING: flowbits key 'file.emf' is set but not ever checked.
WARNING: flowbits key 'file.cws' is set but not ever checked.
WARNING: flowbits key 'file.dat' is set but not ever checked.
WARNING: flowbits key 'AOLAdmin1.1.connection' is checked but not ever set.
WARNING: flowbits key 'file.ttf' is set but not ever checked.
WARNING: flowbits key 'file.cy3' is set but not ever checked.
WARNING: flowbits key 'file.wk4' is set but not ever checked.
WARNING: flowbits key 'file.rat' is set but not ever checked.
WARNING: flowbits key 'vnc.auth' is checked but not ever set.
WARNING: flowbits key 'file.docx' is set but not ever checked.
WARNING: flowbits key 'file.maki' is set but not ever checked.
WARNING: flowbits key 'file.qt' is set but not ever checked.
WARNING: flowbits key 'AM_Remote_Client' is set but not ever checked.
WARNING: flowbits key 'file.pkp' is set but not ever checked.
WARNING: flowbits key 'file.wps' is set but not ever checked.
WARNING: flowbits key 'file.pecompact' is set but not ever checked.
WARNING: flowbits key 'recordtype' is set but not ever checked.
WARNING: flowbits key 'smb.neoteris' is checked but not ever set.
WARNING: flowbits key 'file.rss' is set but not ever checked.
WARNING: flowbits key 'file.drm.f4v' is set but not ever checked.
WARNING: flowbits key 'backdoor.fearless.runtime' is checked but not ever set.
WARNING: flowbits key 'file.addin' is set but not ever checked.
WARNING: flowbits key 'file.cue' is set but not ever checked.
WARNING: flowbits key 'file.msproducer' is set but not ever checked.
WARNING: flowbits key 'file.job' is set but not ever checked.
WARNING: flowbits key 'file.cur' is set but not ever checked.
WARNING: flowbits key 'file.fli' is set but not ever checked.
WARNING: flowbits key 'file.mht' is set but not ever checked.
WARNING: flowbits key 'file.bak' is set but not ever checked.
WARNING: flowbits key 'file.m4v' is set but not ever checked.
WARNING: flowbits key 'oracle.connect' is checked but not ever set.
WARNING: flowbits key 'file.hlp' is set but not ever checked.
WARNING: flowbits key 'file.autodesk_ma' is set but not ever checked.
WARNING: flowbits key 'file.vqf' is set but not ever checked.
WARNING: flowbits key 'file.autodesk_max' is set but not ever checked.
WARNING: flowbits key 'file.sln' is set but not ever checked.
WARNING: flowbits key 'file.cyb' is set but not ever checked.
WARNING: flowbits key 'file.search-ms' is set but not ever checked.
WARNING: flowbits key 'file.m4b' is set but not ever checked.
WARNING: flowbits key 'file.flac' is set but not ever checked.
WARNING: flowbits key 'file.oless.v4' is set but not ever checked.
WARNING: flowbits key 'file.m4a' is set but not ever checked.
WARNING: flowbits key 'file.cnt' is set but not ever checked.
WARNING: flowbits key 'file.mpeg' is set but not ever checked.
WARNING: flowbits key 'ms.webdav.propfind' is set but not ever checked.
WARNING: flowbits key 'file.svg' is set but not ever checked.
WARNING: flowbits key 'file.esignal' is set but not ever checked.
WARNING: flowbits key 'smtp.contenttype.attachment' is checked but not ever set.
WARNING: flowbits key 'file.fon' is set but not ever checked.
WARNING: flowbits key 'backdoor.donalddick.1.5.b.3.conn' is checked but not ever set.
WARNING: flowbits key 'file.csv' is set but not ever checked.
200 out of 1024 flowbits in use.

OK, these are just warnings, and Snort does start and work; it also shows data with the --pcap-show option. The config file is the same as posted yesterday, so no change there. The stats also seem fine:

===============================================================================
Run time for packet processing was 38167.377763 seconds
Snort processed 18726026 packets.
Snort ran for 0 days 10 hours 36 minutes 7 seconds
   Pkts/hr:      1872602
   Pkts/min:       29443
   Pkts/sec:         490
===============================================================================
Packet I/O Totals:
   Received:     18727490
   Analyzed:     18726026 ( 99.992%)
    Dropped:         1124 (  0.006%)
   Filtered:            0 (  0.000%)
Outstanding:         1464 (  0.008%)
   Injected:            0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
         Eth:     18726026 (100.000%)
        VLAN:      9542633 ( 50.959%)
         IP4:     18469222 ( 98.629%)
        Frag:           96 (  0.001%)
        ICMP:        19686 (  0.105%)
         UDP:       209555 (  1.119%)
         TCP:     18094459 ( 96.627%)
         IP6:           49 (  0.000%)
     IP6 Ext:           56 (  0.000%)
    IP6 Opts:            7 (  0.000%)
       Frag6:            0 (  0.000%)
       ICMP6:           16 (  0.000%)
        UDP6:           33 (  0.000%)
        TCP6:            0 (  0.000%)
      Teredo:            0 (  0.000%)
     ICMP-IP:            0 (  0.000%)
       EAPOL:            0 (  0.000%)
     IP4/IP4:            0 (  0.000%)
     IP4/IP6:            0 (  0.000%)
     IP6/IP4:            0 (  0.000%)
     IP6/IP6:            0 (  0.000%)
         GRE:            0 (  0.000%)
     GRE Eth:            0 (  0.000%)
    GRE VLAN:            0 (  0.000%)
     GRE IP4:            0 (  0.000%)
     GRE IP6:            0 (  0.000%)
 GRE IP6 Ext:            0 (  0.000%)
    GRE PPTP:            0 (  0.000%)
     GRE ARP:            0 (  0.000%)
     GRE IPX:            0 (  0.000%)
    GRE Loop:            0 (  0.000%)
        MPLS:            0 (  0.000%)
         ARP:         7757 (  0.041%)
         IPX:            0 (  0.000%)
    Eth Loop:         7626 (  0.041%)
    Eth Disc:            0 (  0.000%)
    IP4 Disc:       115831 (  0.619%)
    IP6 Disc:            0 (  0.000%)
    TCP Disc:            0 (  0.000%)
    UDP Disc:            0 (  0.000%)
   ICMP Disc:            0 (  0.000%)
 All Discard:       115831 (  0.619%)
       Other:       270967 (  1.447%)
 Bad Chk Sum:      9421212 ( 50.311%)
     Bad TTL:            0 (  0.000%)
      S5 G 1:            0 (  0.000%)
      S5 G 2:            0 (  0.000%)
       Total:     18726026
===============================================================================
Action Stats:
     Alerts:            0 (  0.000%)
     Logged:            0 (  0.000%)
     Passed:            0 (  0.000%)
Limits:
      Match:            0
      Queue:            0
        Log:            0
      Event:            0
      Alert:            0
Verdicts:
      Allow:     18715211 ( 99.934%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:        10815 (  0.058%)
  Blacklist:            0 (  0.000%)
     Ignore:            0 (  0.000%)
===============================================================================
Frag3 statistics:
        Total Fragments: 0
      Frags Reassembled: 0
               Discards: 0
          Memory Faults: 0
               Timeouts: 0
               Overlaps: 0
              Anomalies: 0
                 Alerts: 0
                  Drops: 0
     FragTrackers Added: 0
    FragTrackers Dumped: 0
FragTrackers Auto Freed: 0
    Frag Nodes Inserted: 0
     Frag Nodes Deleted: 0
===============================================================================
Stream5 statistics:
            Total sessions: 79147
              TCP sessions: 20411
              UDP sessions: 58736
             ICMP sessions: 0
               IP sessions: 0
                TCP Prunes: 0
                UDP Prunes: 0
               ICMP Prunes: 0
                 IP Prunes: 0
TCP StreamTrackers Created: 20434
TCP StreamTrackers Deleted: 20434
              TCP Timeouts: 155
              TCP Overlaps: 0
       TCP Segments Queued: 3
     TCP Segments Released: 3
       TCP Rebuilt Packets: 0
         TCP Segments Used: 0
              TCP Discards: 5828513
                  TCP Gaps: 0
      UDP Sessions Created: 58736
      UDP Sessions Deleted: 58736
              UDP Timeouts: 0
              UDP Discards: 0
                    Events: 101793
           Internal Events: 0
           TCP Port Filter
                   Dropped: 0
                 Inspected: 0
                   Tracked: 8813272
           UDP Port Filter
                   Dropped: 0
                 Inspected: 0
                   Tracked: 58736
===============================================================================
HTTP Inspect - encodings (Note: stream-reassembled packets included):
    POST methods:                         0
    GET methods:                          0
    HTTP Request Headers extracted:       0
    HTTP Request Cookies extracted:       0
    Post parameters extracted:            0
    HTTP response Headers extracted:      22783
    HTTP Response Cookies extracted:      0
    Unicode:                              0
    Double unicode:                       0
    Non-ASCII representable:              0
    Directory traversals:                 0
    Extra slashes ("//"):                 0
    Self-referencing paths ("./"):        0
    HTTP Response Gzip packets extracted: 0
    Gzip Compressed Data Processed:       n/a
    Gzip Decompressed Data Processed:     n/a
    Total packets processed:              4714892
===============================================================================
SMTP Preprocessor Statistics
  Total sessions          : 0
  Max concurrent sessions : 0
===============================================================================
dcerpc2 Preprocessor Statistics
  Total sessions: 0
===============================================================================
SSL Preprocessor:
   SSL packets decoded: 14797
          Client Hello: 921
          Server Hello: 181
           Certificate: 178
           Server Done: 988
   Client Key Exchange: 734
   Server Key Exchange: 135
         Change Cipher: 1056
              Finished: 0
    Client Application: 11296
    Server Application: 196
                 Alert: 384
  Unrecognized records: 1069
  Completed handshakes: 0
        Bad handshakes: 0
      Sessions ignored: 196
    Detection disabled: 357
===============================================================================
SIP Preprocessor Statistics
  Total sessions: 28
  SIP anomalies : 5378
  Total dialogs: 5415
  Requests: 10885
     invite: 0
     cancel: 0
     ack: 0
     bye: 0
     register: 6415
     options: 4470
     refer: 0
     subscribe: 0
     update: 0
     join: 0
     info: 0
     message: 0
     notify: 0
     prack: 0
  Responses: 8329
     1xx: 0
     2xx: 5761
     3xx: 0
     4xx: 2568
     5xx: 0
     6xx: 0
     7xx: 0
     8xx: 0
     9xx: 0
  Ignore sessions: 0
  Ignore channels: 0
===============================================================================
Reputation Preprocessor Statistics
  Total Memory Allocated: 0
===============================================================================

When I check the log, however, it is zero?

# ls -lh /var/log/snort | grep u2
-rw-------  1 root    _snort  0B Dec 11 04:22 snort.u2.1355199721
-rw-------  1 root    _snort  0B Dec 11 04:40 snort.u2.1355200803
-rw-------  1 root    _snort  0B Dec 11 04:45 snort.u2.1355201144
-rw-------  1 root    _snort  0B Dec 11 04:57 snort.u2.1355201878
-rw-------  1 root    _snort  0B Dec 11 05:00 snort.u2.1355202000
-rw-------  1 _snort  _snort  0B Dec 11 05:10 snort.u2.1355202643
-rw-------  1 _snort  _snort  0B Dec 11 05:46 snort.u2.1355204787
-rw-------  1 _snort  _snort  0B Dec 11 05:49 snort.u2.1355204999
-rw-------  1 _snort  _snort  0B Dec 11 06:42 snort.u2.1355208140
-rw-------  1 _snort  _snort  0B Dec 11 06:48 snort.u2.1355208486
-rw-------  1 _snort  _snort  0B Dec 11 06:51 snort.u2.1355208715
-rw-------  1 _snort  _snort  0B Dec 11 07:06 snort.u2.1355209617
-rw-------  1 _snort  _snort  0B Dec 11 07:23 snort.u2.1355210584
-rw-------  1 _snort  _snort  0B Dec 11 07:26 snort.u2.1355210817
-rw-------  1 _snort  _snort  0B Dec 11 07:39 snort.u2.1355211572
-rw-------  1 _snort  _snort  0B Dec 11 07:41 snort.u2.1355211712
-rw-------  1 _snort  _snort  0B Dec 11 07:44 snort.u2.1355211850
-rw-------  1 _snort  _snort  0B Dec 11 07:54 snort.u2.1355212478
-rw-------  1 _snort  _snort  0B Dec 11 07:57 snort.u2.1355212654
-rw-------  1 _snort  _snort  0B Dec 11 08:01 snort.u2.1355212873
-rw-------  1 _snort  _snort  0B Dec 11 08:02 snort.u2.1355212968
-rw-------  1 _snort  _snort  0B Dec 11 08:08 snort.u2.1355213280

Of course this means that Barnyard2 won't be able to collect any information to pass through to MySQL for BASE to communicate to me.

I have also tried with the -v verbose flag on startup but didn't see much of a different output.... Why are my logs coming up as zero?

Regards,

Kaya
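Added example, not part of this thread and not Snort's or Barnyard2's own tooling: a small Python triage script for the symptom described in the message above, a sensor that analyzes traffic but produces empty unified2 spool files. It reads two things Kaya already has on hand, the end-of-run statistics dump and the `ls -lh` listing of the spool directory, and flags the combination visible in the post: packets analyzed, Alerts and Logged both 0, every spool file at 0 bytes, and a large share of packets counted under "Bad Chk Sum" (50.3% here, alongside 5.8M Stream5 "TCP Discards"). The sample inputs are constructed from the numbers in the post; the counter names are the ones Snort 2.9 prints; the 10% threshold and the finding text are my own choices.

```python
"""Triage helpers for the "Snort runs but logs nothing" symptom.

Two checks over constructed sample input:
  1. parse a Snort 2.9 end-of-run statistics dump and flag the tell-tale
     combination (packets analyzed, zero alerts/logged, high bad-checksum share);
  2. parse an `ls -l` listing of the unified2 spool and flag empty files and
     mixed ownership (each file is one Snort start or one size rollover).
"""
import re

# Constructed sample: an abridged Snort 2.9 stats dump using the post's figures.
SAMPLE_STATS = """\
Packet I/O Totals:
   Received:     18727490
   Analyzed:     18726026 ( 99.992%)
    Dropped:         1124 (  0.006%)
Breakdown by protocol (includes rebuilt packets):
         Eth:     18726026 (100.000%)
         TCP:     18094459 ( 96.627%)
 Bad Chk Sum:      9421212 ( 50.311%)
Action Stats:
     Alerts:            0 (  0.000%)
     Logged:            0 (  0.000%)
     Passed:            0 (  0.000%)
Stream5 statistics:
              TCP Discards: 5828513
"""

# Constructed sample: three of the spool files from the post's `ls -lh` output.
SAMPLE_LS = """\
-rw------- 1 root   _snort 0B Dec 11 04:22 snort.u2.1355199721
-rw------- 1 _snort _snort 0B Dec 11 05:10 snort.u2.1355202643
-rw------- 1 _snort _snort 0B Dec 11 08:08 snort.u2.1355213280
"""

# "Name:   12345 ( 12.345%)" with the percentage part optional.
COUNTER = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9 /\-]*?):\s+(\d+)(?:\s+\(\s*([\d.]+)%\))?\s*$")
# perms links owner group size[unit] <date...> name
LS_LINE = re.compile(r"^(\S+)\s+\d+\s+(\S+)\s+(\S+)\s+(\d+(?:\.\d+)?)([KMGTB]?)\s+.*?(\S+)$")


def parse_stats(text):
    """Return {counter name: (count, percent or None)} for every counter line."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER.match(line)
        if m:
            name, count, pct = m.groups()
            counters[name.strip()] = (int(count), float(pct) if pct else None)
    return counters


def diagnose_stats(counters, bad_cksum_pct=10.0):
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    analyzed = counters.get("Analyzed", (0, None))[0]
    alerts = counters.get("Alerts", (0, None))[0]
    logged = counters.get("Logged", (0, None))[0]
    if analyzed > 0 and alerts == 0 and logged == 0:
        findings.append("packets analyzed but Alerts and Logged are both 0: confirm rules "
                        "are really loaded and an output plugin is configured")
    bad = counters.get("Bad Chk Sum")
    if bad and bad[1] is not None and bad[1] >= bad_cksum_pct:
        findings.append(f"{bad[1]:.1f}% of packets fail checksum verification: Snort does not "
                        "run detection on those (see 'config checksum_mode' in snort.conf); "
                        "check for checksum offload on the capture path")
    return findings


def diagnose_u2(listing):
    """Summarise unified2 spool files from `ls -l` output."""
    files, empty, owners = 0, 0, set()
    for line in listing.splitlines():
        m = LS_LINE.match(line)
        if not m:
            continue
        _perms, owner, _group, size, unit, name = m.groups()
        if ".u2." not in name:
            continue
        files += 1
        owners.add(owner)
        if float(size) == 0 and unit in ("", "B"):
            empty += 1
    findings = []
    if files and empty == files:
        findings.append("every unified2 spool file is empty: Snort wrote no events, "
                        "so Barnyard2 has nothing to forward")
    if len(owners) > 1:
        findings.append("spool files owned by different users: Snort was started under "
                        "different accounts; check the -u/-g options of each invocation")
    return {"files": files, "empty": empty, "owners": sorted(owners), "findings": findings}


if __name__ == "__main__":
    for f in diagnose_stats(parse_stats(SAMPLE_STATS)) + diagnose_u2(SAMPLE_LS)["findings"]:
        print("-", f)
```

Point it at a real run by feeding `parse_stats` the text Snort prints on SIGINT/SIGTERM (or `-T` output) and `diagnose_u2` the listing of the directory named in the `output unified2:` line. Because unified2 opens a fresh `<name>.<timestamp>` file on every start, a directory full of 0-byte files dated minutes apart also records how many times the daemon was restarted while the problem was being chased.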