Snort mailing list archives

Re: snort woes


From: Phil Wood <cpw () lanl gov>
Date: Fri, 10 Aug 2001 23:15:49 -0600

Replace "log" with "alert" in the output database: conf specification

Also, I take it when you go to the ACID web interface, that all looks good
with the exception that all counters are zero?

On Fri, Aug 10, 2001 at 11:45:43PM -0400, Jim Starke wrote:
Yes, I have read the RTFM and have tried everything that I could think 
of. ;-) Line wrapping may make this look screwy.

I downloaded and compiled the most recent version of snort via cvs 
(Version 1.8.1-beta7 (Build 68)) just to make sure I had the latest 
version. I used the ./configure --with-mysql=/usr

The problem I am having is that it is not logging to mysql or to the 
alerts file. I am not sure if it is because of a command line error on 
my part or what it is.

Here are the rules that I am using for code red that I got off of 
incidents.org site:

alert tcp any any -> any 80 (msg: "CodeRed Worm Defacement Sent"; flags:PA+; content: "|FF8B8D64 FEFFFF0F BE1185D2 7402EBD3|"; depth:16;)

alert tcp any any <> any 80 (msg: "CodeRed IDA Overflow"; dsize: >239; flags: A+; content:"|2F646566 61756C74 2E696461 3F4E4E4E|";)

alert tcp any any <> any 80 (msg: "CodeRed IDA Overflow"; dsize: >239; flags: A+; content:"|2F646566 61756C74 2E696461 3F585858|";)

alert tcp any any -> any 80 (msg: "Eeye Scanner for CodeRed"; dsize: 239; flags: A+; content:"|2F782e69 64613f41 41414141|"; depth:64;)

snort.conf

Maybe I have read wrong on how to set it up for the home net? :-(

var HOME_NET [10.1.1.0/24,192.168.1.0/24]
var EXTERNAL_NET any
var SMTP $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var DNS_SERVERS [207.44.96.129,204.186.0.202]
preprocessor frag2
preprocessor stream4_reassemble
preprocessor http_decode: 80 -unicode -cginull
preprocessor rpc_decode: 111
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor portscan: $HOME_NET 4 3 portscan.log
output database: log, mysql, user=snort password=xxxxxxx dbname=snort host=localhost
#Should this be active instead? I tried but nada.
#ruletype redalert
# {
#   type alert
#   output alert_syslog: LOG_AUTH LOG_ALERT
#   output database: log, mysql, user=snort password=xxxxxxx dbname=snort host=localhost
# }
include /etc/rules/exploit.rules
include /etc/rules/scan.rules
include /etc/rules/finger.rules
include /etc/rules/ftp.rules
include /etc/rules/telnet.rules
include /etc/rules/smtp.rules
include /etc/rules/rpc.rules
include /etc/rules/rservices.rules
include /etc/rules/backdoor.rules
include /etc/rules/dos.rules
include /etc/rules/ddos.rules
include /etc/rules/dns.rules
include /etc/rules/netbios.rules
include /etc/rules/web-cgi.rules
include /etc/rules/web-coldfusion.rules
include /etc/rules/web-frontpage.rules
include /etc/rules/web-iis.rules
include /etc/rules/web-misc.rules
include /etc/rules/sql.rules
include /etc/rules/x11.rules
include /etc/rules/icmp.rules
include /etc/rules/shellcode.rules
include /etc/rules/misc.rules
include /etc/rules/policy.rules
include /etc/rules/info.rules
include /etc/rules/icmp-info.rules
include /etc/rules/virus.rules
include /etc/rules/local.rules

Command line that I am using to start snort with. Promiscuous mode 
doesn't appear to make any difference. I've tried it on and off.

/var/snort/bin/snort -t /var/snort -u snort -g snort -c /etc/snort.conf -z est -l /log -i eth1 -p

Snort responds with this and everything looks good so far.

Log directory = /log

         --== Initializing Snort ==--
Checking PID path...
PATH_VARRUN is set to /var/run/ on this operating system

Initializing Network Interface eth1
Kernel filter, protocol ALL, raw packet socket
Decoding Ethernet on interface eth1
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!
Parsing Rules file /etc/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
     Fragment timeout: 60 seconds
     Fragment memory cap: 4194304 bytes
Stream4 config:
     Stateful inspection: ACTIVE
     Session statistics: INACTIVE
     Session timeout: 30 seconds
     Session memory cap: 8388608 bytes
     State alerts: INACTIVE
     Scan alerts: ACTIVE
No arguments to stream4_reassemble, setting defaults:
      Reassemble client: ACTIVE
      Reassemble server: INACTIVE
      Reassemble ports: 21 23 25 53 80 143 110 111 513
      Reassembly alerts: ACTIVE
Back Orifice detection brute force: DISABLED
Using LOCAL time
database: compiled support for ( mysql postgresql )
database: configured to use mysql
database:          user = snort
database: password is set
database: database name = snort
database:          host = localhost
database:   sensor name = 10.1.1.1
database:     sensor id = 1
database: schema version = 103
database: using the "log" facility
1151 Snort rules read...
1151 Option Chains linked into 989 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->activation->dynamic->alert->pass->log

         --== Initialization Complete ==--

-*> Snort! <*-
Version 1.8.1-beta7 (Build 68)
By Martin Roesch (roesch () sourcefire com, www.snort.org)

And I let it run. I watch some scans and probes hit my machine and I 
check the mysql database, nothing has been entered into the event table. 
I check the alert file, nothing there either. I watched half a dozen 
code red probes hit my web server and nada in the snort alert file or in 
the mysql database...

Since I have very little hair left and what I do have has turned white, 
can someone point out where I have messed up?

fyi: I am running snort in a chroot jail.

Thanks in advance.

Jim

-- 
Quidquid latine dictum sit, altum viditur.
http://www.jcsmall.com/homepage


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Phil Wood, cpw () lanl gov
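An added check, not code from the thread or from the Snort project: given a snort.conf and the rule files it includes, it reports every output plugin bound to a facility ("log" or "alert") that no active rule ever feeds, which is the mismatch Phil points at (the database output on "log" while every rule in the set is an "alert" rule). The file paths and config text below are constructed from the thread's setup; the alert_/log_ plugin-name convention and the database plugin's first argument as its facility are assumptions about the Snort 1.8 output plugins.

```python
import re

# Constructed sample in the shape of the thread's setup: snort.conf feeds the
# "log" facility to MySQL, but the included rules file holds only alert rules.
FILES = {  # placeholder paths used as dict keys, not real files
    "/etc/snort.conf": (
        "output database: log, mysql, user=snort password=xxxxxxx dbname=snort host=localhost\n"
        "include /etc/rules/local.rules\n"),
    "/etc/rules/local.rules": (
        'alert tcp any any <> any 80 (msg: "CodeRed IDA Overflow"; dsize: >239; '
        'flags: A+; content:"|2F646566 61756C74 2E696461 3F4E4E4E|";)\n'),
}
INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)")
OUTPUT_RE = re.compile(r"^\s*output\s+(\w+)\s*:\s*(.*)$")
RULE_RE = re.compile(r"^\s*(alert|log|pass)\s+(tcp|udp|icmp|ip)\b", re.I)

def expand_includes(path, files, seen=None):
    # Flatten the conf, following include lines through the dict; 'seen' stops loops.
    seen = set() if seen is None else seen
    if path in seen or path not in files:
        return []
    seen.add(path)
    out = []
    for line in files[path].splitlines():
        m = INCLUDE_RE.match(line)
        out.extend(expand_includes(m.group(1), files, seen) if m else [line])
    return out

def output_facility(plugin, args):
    # alert_* plugins are fed by alerts, log_* by logs; database names it in arg 1.
    if plugin.startswith("alert_"):
        return "alert"
    if plugin.startswith("log_"):
        return "log"
    return args.split(",", 1)[0].strip().lower() if plugin == "database" else None

def audit_facilities(path, files):
    # Report output plugins bound to a facility that no active rule ever feeds.
    outputs, actions = [], set()
    for line in expand_includes(path, files):
        if line.lstrip().startswith("#"):
            continue  # commented-out lines (the thread's ruletype block) are inert
        if m := OUTPUT_RE.match(line):
            fac = output_facility(m.group(1), m.group(2))
            if fac:
                outputs.append((m.group(1), fac))
        elif m := RULE_RE.match(line):
            actions.add(m.group(1).lower())
    return [f"output {p}: '{f}' facility has no {f} rules feeding it"
            for p, f in outputs if f not in actions]
```

Run against the sample it flags the database output; switching that line to the "alert" facility, as Phil suggests, makes the finding go away.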

