Snort mailing list archives
snort 1.7+mysql+acid == headaches. pass the aspirin? (long)
From: Jason Costomiris <jcostom () jasons org>
Date: Fri, 11 May 2001 09:24:52 -0400
Yesterday, I brought up a shiny new RH 7.1 box specifically for testing snort. It's got two NICs installed, eth0 sits on my private net, behind the firewall, eth1 is connected to the external network, is up, but has no IP configured on it - so-called stealth mode. The external net is @home's network in my home area. The whole deal looks like this:

    @home----cablemodem----hub-----....

Both my firewall and the eth1 i/f from the snort box are connected to that hub. Pretty normal configuration, based on my previous IDS experience, mostly deploying RealSecure.

I started by building my own RPMs for libpcap-0.6.2, so I could dump the RH 0.4 version. Then I built snort from the RPM provided on snort.org, with a few subtle changes (--enable-smbalerts --with-mysql --with-openssl). Everything installed just swimmingly and SEEMS to be in working order. Seems indeed.

I'm using the vision rules from whitehats, so this config is not exactly the "stock" configuration. However, I see no reason for it not to work:

    var INTERNAL 24.a.b.c/32
    var EXTERNAL !$INTERNAL
    preprocessor defrag
    preprocessor http_decode: 80
    preprocessor portscan: $INTERNAL 5 5 /var/log/snort/portscan.log
    preprocessor stream: timeout 23, ports 21 23 25 80 110 143, maxbytes 16384
    output database: alert, mysql, dbname=snort host=localhost user=snort
    output log_tcpdump: log.tcpdump
    include /etc/snort/vision.rules

Currently, my init scripts invoke snort as:

    /usr/sbin/snort -u snort -g snort -d -D -i eth1 -l /var/log/snort \
        -c /etc/snort/vision.conf

Having read elsewhere that -D suppresses errors, I invoked it myself without the -D and get the following:

    --== Initializing Snort ==--
    Initializing Network Interface eth1
    WARNING: OpenPcap() device eth1 network lookup: eth1: no IPv4 address assigned
    Decoding Ethernet on interface eth1
    Initializing Preprocessors!
    Initializing Plug-ins!
    Initializating Output Plugins!
    +++++++++++++++++++++++++++++++++++++++++++++++++++
    Initializing rule chains...
    database: compiled support for ( mysql postgresql )
    database: configured to use mysql
    database: database name = snort
    database:          host = localhost
    database:          user = snort
    database:   sensor name = <sensor-name-removed>
    database:     sensor id = 1
    database: using the "alert" facility
    533 Snort rules read...
    533 Option Chains linked into 199 Chain Headers
    0 Dynamic rules
    +++++++++++++++++++++++++++++++++++++++++++++++++++
    Rule application order: ->activation->dynamic->alert->log->pass
    --== Initialization Complete ==--

This seems to indicate that snort's cool with logging to the database. However, it never logs anything. I created the database using the create_mysql script that came as a part of snort-1.7.tar.gz, I also added the snortdb-extra stuff as well. Bottom line is that nothing gets logged to the database, nor do I get anything in the tcpdump logs either.

On another note, I also installed ACID 0.9.6b8, which seemed to go in without any trouble, but also confirms no alerts are in the db. ACID is also complaining about snort signatures not being in the database:

    Database ERROR:Table 'snort.signature' doesn't exist

Thoughts?

-- 
Jason Costomiris <>< | Technologist, geek, human.
jcostom {at} jasons {dot} org | http://www.jasons.org/
Quidquid latine dictum sit, altum viditur.
My account, My opinions.
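The post leaves two separate questions open: whether the sensor is writing any events at all, and whether the database has the tables the console (ACID) expects. The checks below, an added example that is not part of the original post or of Snort/ACID, answer each one with a query against the alert database. They run here against an in-memory SQLite stand-in holding a constructed subset of the Snort tables (sensor and event only, a sensor row registered at start-up with sensor id 1 as in the post, and no signature table); the column names, the table set in REQUIRED_TABLES and the demo rows are assumptions for the example, and on MySQL the table listing would come from SHOW TABLES through a DB-API driver instead of sqlite_master.

```python
"""Sanity checks for a Snort alert database (added example, not from the post).

1. missing_tables(): does the database have every table the console needs?
2. sensor_activity(): is any registered sensor writing events, and when
   did it last do so?  A sensor row with zero events is the "initialised
   fine, logs nothing" case described in the post.

The demo uses an in-memory SQLite database with a constructed subset of
the Snort schema; the SQL is plain enough to run unchanged on MySQL.
"""
import sqlite3
from typing import Dict, Iterable, List, Optional, Tuple

# Assumption for the example: the console needs these three tables.  The
# signature table is included because that is the one the post's ACID
# error names; extend the set to match the console version actually used.
REQUIRED_TABLES = {"sensor", "event", "signature"}


def list_tables(conn: sqlite3.Connection) -> List[str]:
    """Table names in the database.  SQLite keeps them in sqlite_master;
    on MySQL run 'SHOW TABLES' instead (same one-column result)."""
    cur = conn.cursor()
    cur.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
    return [row[0] for row in cur.fetchall()]


def missing_tables(present: Iterable[str],
                   required: Iterable[str] = REQUIRED_TABLES) -> List[str]:
    """Required tables that are absent, sorted for stable reporting."""
    return sorted(set(required) - set(present))


def sensor_activity(conn: sqlite3.Connection
                    ) -> Dict[int, Tuple[str, str, int, Optional[str]]]:
    """Per sensor id: (hostname, interface, event count, newest timestamp).

    LEFT JOIN keeps sensors that registered but never wrote an event, so a
    silent sensor shows up with count 0 and timestamp None instead of
    disappearing from the report."""
    cur = conn.cursor()
    cur.execute(
        "SELECT s.sid, s.hostname, s.interface, COUNT(e.cid), MAX(e.timestamp) "
        "FROM sensor s LEFT JOIN event e ON e.sid = s.sid "
        "GROUP BY s.sid, s.hostname, s.interface ORDER BY s.sid"
    )
    return {sid: (host, iface, count, last)
            for sid, host, iface, count, last in cur.fetchall()}


def diagnose(conn: sqlite3.Connection) -> Dict[str, object]:
    """Combine both checks into one report."""
    return {
        "missing_tables": missing_tables(list_tables(conn)),
        "sensors": sensor_activity(conn),
    }


def build_demo_db() -> sqlite3.Connection:
    """Constructed stand-in for the post's database: a sensor row (snort
    registered itself at start-up, sensor id = 1) but no event rows and no
    signature table.  Column names are assumed for the example."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE sensor (sid INTEGER PRIMARY KEY, hostname TEXT,
                             interface TEXT, filter TEXT, detail INTEGER,
                             encoding INTEGER, last_cid INTEGER);
        CREATE TABLE event  (sid INTEGER, cid INTEGER, signature INTEGER,
                             timestamp TEXT, PRIMARY KEY (sid, cid));
        INSERT INTO sensor VALUES (1, 'sensor.example.org:eth1', 'eth1',
                                   NULL, 1, 0, 0);
        """
    )
    return conn


if __name__ == "__main__":
    report = diagnose(build_demo_db())
    for name in report["missing_tables"]:
        print(f"console will fail: table '{name}' is missing")
    for sid, (host, iface, count, last) in report["sensors"].items():
        state = "never wrote an event" if count == 0 else f"last event {last}"
        print(f"sensor {sid} {host} ({iface}): {count} events, {state}")
```

Run against the real database, a zero count with a recent sensor row points at the capture side (the sensor registered, so the database connection works), while a non-empty missing-tables list points at a schema that is older than the console expects; the two symptoms in the post can be present at the same time, which is why the report keeps them separate.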
Current thread:
- snort 1.7+mysql+acid == headaches. pass the aspirin? (long) Jason Costomiris (May 11)
- <Possible follow-ups>
- Re: snort 1.7+mysql+acid == headaches. pass the aspirin? (long) roman (May 11)