Snort mailing list archives

snort 1.7+mysql+acid == headaches. pass the aspirin? (long)


From: Jason Costomiris <jcostom () jasons org>
Date: Fri, 11 May 2001 09:24:52 -0400

Yesterday, I brought up a shiny new RH 7.1 box specifically for testing
snort.  It's got two NICs installed, eth0 sits on my private net, behind
the firewall, eth1 is connected to the external network, is up, but has
no IP configured on it - so-called stealth mode.

The external net is @home's network in my home area.  The whole deal looks
like this:

@home----cablemodem----hub-----....

Both my firewall and the eth1 i/f from the snort box are connected to that
hub.  Pretty normal configuration, based on my previous IDS experience,
mostly deploying RealSecure.

I started by building my own RPMs for libpcap-0.6.2, so I could dump the RH
0.4 version.  Then I built snort from the RPM provided on snort.org, with 
a few subtle changes (--enable-smbalerts --with-mysql --with-openssl).

Everything installed just swimmingly and SEEMS to be in working order.  Seems
indeed.  I'm using the vision rules from whitehats, so this config is not
exactly the "stock" configuration.  However, I see no reason for it not to
work:

var INTERNAL 24.a.b.c/32
var EXTERNAL !$INTERNAL
preprocessor defrag
preprocessor http_decode: 80
preprocessor portscan: $INTERNAL 5 5 /var/log/snort/portscan.log
preprocessor stream: timeout 23, ports 21 23 25 80 110 143, maxbytes 16384
output database: alert, mysql, dbname=snort host=localhost user=snort
output log_tcpdump: log.tcpdump
include /etc/snort/vision.rules

Currently, my init scripts invoke snort as:

/usr/sbin/snort -u snort -g snort -d -D -i eth1 -l /var/log/snort \
        -c /etc/snort/vision.conf

Having read elsewhere that -D suppresses errors, I invoked it myself without
the -D and get the following:

        --== Initializing Snort ==--

Initializing Network Interface eth1
WARNING: OpenPcap() device eth1 network lookup: 
        eth1: no IPv4 address assigned
Decoding Ethernet on interface eth1
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
database: compiled support for ( mysql postgresql )
database: configured to use mysql
database: database name = snort
database:          host = localhost
database:          user = snort
database:   sensor name = <sensor-name-removed>
database:     sensor id = 1
database: using the "alert" facility
533 Snort rules read...
533 Option Chains linked into 199 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->activation->dynamic->alert->log->pass

        --== Initialization Complete ==--

This seems to indicate that snort's cool with logging to the database.
However, it never logs anything.  I created the database using the
create_mysql script that came as a part of snort-1.7.tar.gz, and I also added
the snortdb-extra stuff.  Bottom line is that nothing gets logged
to the database, nor do I get anything in the tcpdump logs either.

On another note, I also installed ACID 0.9.6b8, which seemed to go in without
any trouble, but also confirms no alerts are in the db.  ACID is also 
complaining about snort signatures not being in the database:

Database ERROR:Table 'snort.signature' doesn't exist

Thoughts?

-- 
Jason Costomiris <><           |  Technologist, geek, human.
jcostom {at} jasons {dot} org  |  http://www.jasons.org/ 
          Quidquid latine dictum sit, altum viditur.
                    My account, My opinions.
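As an added illustration (not code from the post or from the Snort project), the following script parses a Snort 1.x configuration fragment like the one quoted above, expands $VAR references in file order, and lists the output plugins and any variable used before it is defined. It assumes Snort resolves variables in the order the file is read; the SAMPLE_CONF text is a constructed copy of the fragment from the post.

```python
"""Parse a Snort 1.x conf fragment: expand $VAR references, list output
plugins and flag undefined variables. Added example, not from the post."""
import re

# Constructed copy of the config fragment quoted in the post above.
SAMPLE_CONF = """\
var INTERNAL 24.a.b.c/32
var EXTERNAL !$INTERNAL
preprocessor defrag
preprocessor http_decode: 80
preprocessor portscan: $INTERNAL 5 5 /var/log/snort/portscan.log
preprocessor stream: timeout 23, ports 21 23 25 80 110 143, maxbytes 16384
output database: alert, mysql, dbname=snort host=localhost user=snort
output log_tcpdump: log.tcpdump
include /etc/snort/vision.rules
"""

VAR_REF = re.compile(r"\$(\w+)")

def parse_conf(text):
    """Return (variables, directives, unresolved). Variables are expanded
    using only definitions seen earlier in the file (assumed Snort 1.x
    behaviour); names referenced before definition go into 'unresolved'."""
    variables, directives, unresolved = {}, [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        for name in VAR_REF.findall(line):
            if name not in variables:
                unresolved.append(name)
        line = VAR_REF.sub(lambda m: variables.get(m.group(1), m.group(0)), line)
        parts = line.split(None, 1)
        keyword, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        if keyword == "var":
            name, value = rest.split(None, 1)
            variables[name] = value.strip()
        else:
            directives.append((keyword, rest.strip()))
    return variables, directives, unresolved

def output_plugins(directives):
    """Map each 'output' plugin name to its argument string, so the facility
    the database plugin is bound to (alert vs. log) is visible at a glance."""
    plugins = {}
    for keyword, rest in directives:
        if keyword == "output":
            plugin, _, args = rest.partition(":")
            plugins[plugin.strip()] = args.strip()
    return plugins

if __name__ == "__main__":
    variables, directives, unresolved = parse_conf(SAMPLE_CONF)
    print("variables:", variables)
    print("outputs:", output_plugins(directives))
    print("unresolved:", unresolved)
```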
