Snort mailing list archives
Re: snort woes
From: Phil Wood <cpw () lanl gov>
Date: Fri, 10 Aug 2001 23:15:49 -0600
Replace "log" with "alert" in the output database: conf specification

Also, I take it when you go to the ACID web interface, that all looks good with the exception that all counters are zero?

On Fri, Aug 10, 2001 at 11:45:43PM -0400, Jim Starke wrote:
Yes, I have read the RTFM and have tried everything that I could think of. ;-) Line wrapping may make this look screwy.

I downloaded and compiled the most recent version of snort via cvs (Version 1.8.1-beta7 (Build 68)) just to make sure I had the latest version. I used the ./configure --with-mysql=/usr

The problem I am having is that it is not logging to mysql or to the alerts file. I am not sure if it is because of a command line error on my part or what it is.

Here are the rules that I am using for code red that I got off of incidents.org site:

alert tcp any any -> any 80 (msg: "CodeRed Worm Defacement Sent"; flags:PA+; content: "|FF8B8D64 FEFFFF0F BE1185D2 7402EBD3|"; depth:16;)
alert tcp any any <> any 80 (msg: "CodeRed IDA Overflow"; dsize: >239; flags: A+; content:"|2F646566 61756C74 2E696461 3F4E4E4E|";)
alert tcp any any <> any 80 (msg: "CodeRed IDA Overflow"; dsize: >239; flags: A+; content:"|2F646566 61756C74 2E696461 3F585858|";)
alert tcp any any -> any 80 (msg: "Eeye Scanner for CodeRed"; dsize: 239; flags: A+; content:"|2F782e69 64613f41 41414141|"; depth:64;)

snort.conf

Maybe I have read wrong on how to set it up for the home net? :-(

var HOME_NET [10.1.1.0/24,192.168.1.0/24]
var EXTERNAL_NET any
var SMTP $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var DNS_SERVERS [207.44.96.129,204.186.0.202]

preprocessor frag2
preprocessor stream4_reassemble
preprocessor http_decode: 80 -unicode -cginull
preprocessor rpc_decode: 111
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor portscan: $HOME_NET 4 3 portscan.log

output database: log, mysql, user=snort password=xxxxxxx dbname=snort host=localhost

#Should this be active instead? I tried but nada.
#ruletype redalert
#{
#  type alert
#  output alert_syslog: LOG_AUTH LOG_ALERT
#  output database: log, mysql, user=snort password=xxxxxxx dbname=snort host=localhost
#}

include /etc/rules/exploit.rules
include /etc/rules/scan.rules
include /etc/rules/finger.rules
include /etc/rules/ftp.rules
include /etc/rules/telnet.rules
include /etc/rules/smtp.rules
include /etc/rules/rpc.rules
include /etc/rules/rservices.rules
include /etc/rules/backdoor.rules
include /etc/rules/dos.rules
include /etc/rules/ddos.rules
include /etc/rules/dns.rules
include /etc/rules/netbios.rules
include /etc/rules/web-cgi.rules
include /etc/rules/web-coldfusion.rules
include /etc/rules/web-frontpage.rules
include /etc/rules/web-iis.rules
include /etc/rules/web-misc.rules
include /etc/rules/sql.rules
include /etc/rules/x11.rules
include /etc/rules/icmp.rules
include /etc/rules/shellcode.rules
include /etc/rules/misc.rules
include /etc/rules/policy.rules
include /etc/rules/info.rules
include /etc/rules/icmp-info.rules
include /etc/rules/virus.rules
include /etc/rules/local.rules

Command line that I am using to start snort with. Promiscuous mode doesn't appear to make any difference. I've tried it on and off.

/var/snort/bin/snort -t /var/snort -u snort -g snort -c /etc/snort.conf -z est -l /log -i eth1 -p

Snort responds with this and everything looks good so far.

Log directory = /log

        --== Initializing Snort ==--
Checking PID path...
PATH_VARRUN is set to /var/run/ on this operating system
Initializing Network Interface eth1
Kernel filter, protocol ALL, raw packet socket
Decoding Ethernet on interface eth1

Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!
Parsing Rules file /etc/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Scan alerts: ACTIVE
No arguments to stream4_reassemble, setting defaults:
    Reassemble client: ACTIVE
    Reassemble server: INACTIVE
    Reassemble ports: 21 23 25 53 80 143 110 111 513
    Reassembly alerts: ACTIVE
Back Orifice detection brute force: DISABLED
Using LOCAL time
database: compiled support for ( mysql postgresql )
database: configured to use mysql
database: user = snort
database: password is set
database: database name = snort
database: host = localhost
database: sensor name = 10.1.1.1
database: sensor id = 1
database: schema version = 103
database: using the "log" facility
1151 Snort rules read...
1151 Option Chains linked into 989 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->activation->dynamic->alert->pass->log

        --== Initialization Complete ==--

-*> Snort! <*-
Version 1.8.1-beta7 (Build 68)
By Martin Roesch (roesch () sourcefire com, www.snort.org)

And I let it run. I watch some scans and probes hit my machine and I check the mysql database, nothing has been entered into the event table. I check the alert file, nothing there either. I watched half a dozen code red probes hit my web server and nada in the snort alert file or in the mysql database...

Since I have very little hair left and what I do have has turned white, can someone point out where I have messed up?

fyi: I am running snort in a chroot jail.

Thanks in advance.

Jim

--
Quidquid latine dictum sit, altum viditur.
http://www.jcsmall.com/homepage

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Phil Wood, cpw () lanl gov
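The four Code Red rules quoted in the thread, run through an added example that is not part of the original post and is not Snort's own code: a small Python re-implementation of the content, depth and dsize checks those rules use, applied to constructed HTTP payloads so the reader can see which bytes each rule keys on (the pipe-delimited hex decodes to strings such as /default.ida?NNN and /x.ida?AAAAA). The payloads are constructed for this example, with the worm's %u-encoded tail abbreviated; the rules' flags: options and the established-session requirement that -z est adds are deliberately not modelled, so a match here only says the pattern bytes are present, not that a given Snort setup would alert.

```python
import re

# The payload options of the four Code Red rules quoted in the thread
# (rule headers dropped; this example checks only content/depth/dsize).
RULE_OPTIONS = [
    'msg: "CodeRed Worm Defacement Sent"; flags:PA+; '
    'content: "|FF8B8D64 FEFFFF0F BE1185D2 7402EBD3|"; depth:16;',
    'msg: "CodeRed IDA Overflow"; dsize: >239; flags: A+; '
    'content:"|2F646566 61756C74 2E696461 3F4E4E4E|";',
    'msg: "CodeRed IDA Overflow"; dsize: >239; flags: A+; '
    'content:"|2F646566 61756C74 2E696461 3F585858|";',
    'msg: "Eeye Scanner for CodeRed"; dsize: 239; flags: A+; '
    'content:"|2F782e69 64613f41 41414141|"; depth:64;',
]

# key: value;  where value is either a double-quoted string or bare text.
OPTION_RE = re.compile(r'(\w+)\s*:\s*("[^"]*"|[^;]*);')


def decode_content(spec):
    """Decode a Snort content string: literal text with |..| runs of hex bytes.

    Whitespace between the pipes is ignored and hex case does not matter,
    which is why the lowercase '2F782e69 ...' pattern decodes the same way.
    """
    out = bytearray()
    for i, segment in enumerate(spec.split('|')):
        if i % 2:                       # odd segments sit between two pipes
            out += bytes.fromhex(segment.replace(' ', ''))
        else:
            out += segment.encode('latin-1')
    return bytes(out)


def parse_rule(option_text):
    """Pull msg, content, depth and dsize out of one rule's option block.

    Simplification: one content per rule, which holds for the rules above.
    """
    rule = {}
    for key, raw in OPTION_RE.findall(option_text):
        value = raw.strip().strip('"')
        if key == 'msg':
            rule['msg'] = value
        elif key == 'content':
            rule['content'] = decode_content(value)
        elif key == 'depth':
            rule['depth'] = int(value)
        elif key == 'dsize':
            m = re.fullmatch(r'([<>]?)\s*(\d+)', value)
            rule['dsize'] = (m.group(1), int(m.group(2)))
    return rule


RULES = [parse_rule(opts) for opts in RULE_OPTIONS]


def dsize_matches(rule, payload):
    """dsize: N, >N or <N compares against the TCP payload length."""
    if 'dsize' not in rule:
        return True
    op, n = rule['dsize']
    size = len(payload)
    if op == '>':
        return size > n
    if op == '<':
        return size < n
    return size == n


def content_matches(rule, payload):
    """depth:N limits the search: the whole pattern must lie in the first N bytes."""
    window = payload[:rule['depth']] if 'depth' in rule else payload
    return rule['content'] in window


def firing_rules(payload):
    """Return the msg of every rule whose payload checks pass for this payload."""
    return [r['msg'] for r in RULES
            if dsize_matches(r, payload) and content_matches(r, payload)]


# Constructed payloads (not real captures); the %u-encoded tail is abbreviated.
CODE_RED_V1 = (b'GET /default.ida?' + b'N' * 224
               + b'%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801'
               + b'%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff'
               + b'%u0078%u0000%u00=a HTTP/1.0\r\n\r\n')
CODE_RED_V2 = CODE_RED_V1.replace(b'N' * 224, b'X' * 224)
# Scanner-style probe: exactly 239 bytes, "/x.ida?AAAAA" well inside depth 64.
EEYE_PROBE = b'GET /x.ida?' + b'A' * 215 + b' HTTP/1.0\r\n\r\n'
# Start of a defaced response: the 16 code bytes the first rule keys on, at offset 0.
DEFACEMENT = (decode_content('|FF8B8D64 FEFFFF0F BE1185D2 7402EBD3|')
              + b'<html>defaced page body</html>')
BENIGN_GET = b'GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n'

if __name__ == '__main__':
    samples = [('CODE_RED_V1', CODE_RED_V1), ('CODE_RED_V2', CODE_RED_V2),
               ('EEYE_PROBE', EEYE_PROBE), ('DEFACEMENT', DEFACEMENT),
               ('BENIGN_GET', BENIGN_GET)]
    for name, payload in samples:
        print(f'{name:12s} ({len(payload):4d} bytes): {firing_rules(payload) or "no match"}')
```

Two things the run makes visible that the rule text hides: the "Eeye Scanner" rule only fires on a payload of exactly 239 bytes, so any probe of a different length slips past it, and the defacement rule with depth:16 and a 16-byte pattern only matches when those bytes are the very first thing in the segment.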
Current thread:
- snort woes Jim Starke (Aug 10)
- Re: snort woes Phil Wood (Aug 10)
- Re: snort woes Jim Starke (Aug 11)
- Re: snort woes J. C. Woods (Aug 11)
- Re: snort woes Jed Pickel (Aug 11)
- Re: snort woes Jim Starke (Aug 11)
- Re: snort woes Jim Starke (Aug 11)
- Re: snort woes Phil Wood (Aug 10)
- Re: snort woes (update) Jim Starke (Aug 11)
- RE: snort woes (update) John Berkers (Aug 11)
- Re: snort woes (update) Jim Starke (Aug 11)
- RE: snort woes (update) John Berkers (Aug 11)
- RE: snort woes (update) John Berkers (Aug 11)