Snort mailing list archives
From: Advanced Hosting UNIX Admin Daniel Fairchild <danielf@supportteam.net>
Date: Sun, 5 Aug 2001 13:31:39 -0500
I am setting up Snort 1.8 for the first time with MySQL database logging, and
Snort does not work.
Here is my config with IPs changed :)
---------- MY CONFIG FILE --------------
# Start snort with:
# /usr/local/bin/snort -c /etc/snort.d/snort.conf -l /tcplog/snort -D -i eth1 -q
#
# Network variables.
var HOME_NET x.x.128.0/17 x.x.0.0/17 x.x.0.0/17 x.x.160.0/19 x.x.64.0/18
var EXTERNAL_NET any
# Servers
var SMTP $HOME_NET
var HTTP_SERVERS $HOME_NET
# Dns servers.
var DNS_SERVERS x.x.x.203/32 x.x.128.204/32 x.x.160.10/32 x.x.162.106/32
# detect portscans, connect to 6 ports over 3 seconds
preprocessor portscan: $HOME_NET 6 3 portscan.log
# Preprocessors
preprocessor frag2
preprocessor stream4
preprocessor stream4_reassemble
preprocessor http_decode: 80 -unicode -cginull
preprocessor bo: -nobrute
preprocessor rpc_decode: 111
preprocessor telnet_decode
include classification.config
# Ignore DNS servers for false portscans
preprocessor portscan-ignorehosts: $DNS_SERVERS
# Configure output to database.
output database: alert, mysql, user=snort password=PASS dbname=snort host=localhost detail=full
output alert_full: alert
# #
# RULE SETS TO INCLUDE #
# #
#include local_rules
include DDoS_rules
include Sploits_rules
include BackDoor_rules
include Rservices_rules
#include Test_rules
--------------- END CONFIG --------------
Here is the output from the command:
/usr/local/bin/snort -c /etc/snort.d/snort.conf -l /tcplog/snort -i eth0
--------------- OUTPUT ------------------
Log directory = /tcplog/snort
--== Initializing Snort ==--
Checking PID path...
PATH_VARRUN is set to /var/run/ on this operating system
Initializing Network Interface eth0
User level filter, protocol ALL, raw packet socket
Decoding Ethernet on interface eth0
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!
Parsing Rules file /etc/snort.d/snort.conf
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
Fragment timeout: 60 seconds
Fragment memory cap: 4194304 bytes
No arguments to stream4 directive, setting defaults to:
Session timeout: 30 seconds
Session memory cap: 8388608 bytes
Stateful Inspection: ACTIVE
Stream Reassembly: INACTIVE
Stream Stats: INACTIVE
State Alerts: ACTIVE
No arguments to stream4_reassemble, setting defaults:
Reassemble client: ACTIVE
Reassemble server: INACTIVE
Reassemble ports: 21 23 25 53 80 143 110 111 513
Reassembly alerts: ACTIVE
Back Orifice detection brute force: DISABLED
Using LOCAL time
UnifiedAlertFilename = snort.alert
Opening /tcplog/snort/0805@1326-snort.log
909 Snort rules read...
909 Option Chains linked into 145 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
Rule application order: ->activation->dynamic->alert->pass->log
--== Initialization Complete ==--
-*> Snort! <*-
Version 1.8-RELEASE (Build 43)
By Martin Roesch (roesch@sourcefire.com, www.snort.org)
----------------- END OUTPUT -------------------
My MySQL works fine from the command line; the libs for it are in ld.so.conf
and ldconfig was run after making that change. Even if I remove the output
database: line I get nothing, even though I pound on the server with tools
that should be setting off alarms.
What else can I send you guys so you can hopefully help me here?
Thanks
--
Advanced Hosting UNIX Admin | Daniel Fairchild danielf@supportteam.net
Unix is like a wigwam -- no Gates, no Windows, and an Apache inside.
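A config that has passed through a mail client or an editor with hard wrapping is a common reason a Snort 1.x sensor starts cleanly yet never logs anything: a wrapped fragment is silently treated as a bad line, and a database output directive that lost its `host=` parameter cannot open a connection. The linter below is an added example, not code from the post or from the Snort project. It parses the classic `var` / `preprocessor` / `output` / `include` directive syntax and reports wrapped continuation lines, `output database:` directives missing required parameters, and `$VAR` references that appear before their definition. The embedded sample config is constructed to mimic the one above, with RFC 5737 placeholder addresses; the set of parameters it treats as required is an assumption about the database plugin.

```python
"""Sanity-check a Snort 1.x style snort.conf before starting the sensor.

Added example, not from the original post or the Snort project.  It finds
problems that are easy to miss when a config has been pasted through a
mail client: lines hard-wrapped at a fixed column, output plugins missing
required parameters, and variables used before they are defined.
"""
import re

# Top-level keywords the classic rules-file parser understands (assumed list).
DIRECTIVES = ("var", "preprocessor", "output", "include", "config",
              "alert", "log", "pass", "activate", "dynamic")

# Parameters the database output plugin needs to open a connection (assumption).
REQUIRED_DB_PARAMS = {"user", "dbname", "host"}

# Constructed sample mimicking the wrapped config in the post.
SAMPLE_CONF = """\
# Start snort with:
# /usr/local/bin/snort -c /etc/snort.d/snort.conf -l /tcplog/snort -D -i eth1
-q
var HOME_NET 192.0.2.0/24 198.51.100.0/24
var EXTERNAL_NET any
var DNS_SERVERS 192.0.2.53/32
preprocessor portscan: $HOME_NET 6 3 portscan.log
preprocessor portscan-ignorehosts: $DNS_SERVERS
output database: alert, mysql, user=snort password=PASS dbname=snorth
ost=localhost detail=full
output alert_full: alert
include DDoS_rules
"""


def check_database_output(lineno, rest):
    """Validate 'database: <facility>, <dbtype>, key=value ...'."""
    parts = [p.strip() for p in rest.split(":", 1)[1].split(",", 2)]
    if len(parts) < 3:
        return [f"line {lineno}: database output needs facility, db type and parameters"]
    params = dict(kv.split("=", 1) for kv in parts[2].split() if "=" in kv)
    missing = REQUIRED_DB_PARAMS - params.keys()
    if missing:
        return [f"line {lineno}: database output missing {sorted(missing)}"]
    return []


def parse_conf(text):
    """Return (directives, findings).

    directives: list of (lineno, keyword, rest) for recognised lines.
    findings:   human-readable problems, each tagged with its line number.
    """
    directives, findings = [], []
    defined_vars = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword = line.split(None, 1)[0].rstrip(":")
        if keyword not in DIRECTIVES:
            # Snort has no continuation syntax, so a line that does not start
            # with a directive is almost always a wrapped tail of the previous line.
            findings.append(f"line {lineno}: not a Snort directive, looks like a "
                            f"wrapped continuation of line {lineno - 1}: {line!r}")
            continue
        rest = line[len(keyword):].lstrip(": ").strip()
        if not rest:
            findings.append(f"line {lineno}: '{keyword}' has no arguments")
            continue
        directives.append((lineno, keyword, rest))

        if keyword == "var":
            defined_vars.add(rest.split(None, 1)[0])
        # The rules parser is single-pass: a $NAME must already be defined.
        for ref in re.findall(r"\$([A-Za-z_][A-Za-z0-9_]*)", rest):
            if ref not in defined_vars:
                findings.append(f"line {lineno}: variable ${ref} used before definition")

        if keyword == "output" and rest.startswith("database"):
            findings.extend(check_database_output(lineno, rest))
    return directives, findings


if __name__ == "__main__":
    _, problems = parse_conf(SAMPLE_CONF)
    for problem in problems:
        print(problem)
```

Run it against a real file with `parse_conf(open(path).read())`; joining the flagged fragments back onto the line before them and re-running until the findings list is empty is the quickest way to confirm the file Snort will actually read matches the file you meant to write.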
Snort-users mailing list