Snort mailing list archives
help
From: Lance Barisdale <lbarisdale () ntscorp com>
Date: Thu, 30 May 2002 09:39:58 -0700
-----Original Message-----
From: snort-users-request () lists sourceforge net [mailto:snort-users-request () lists sourceforge net]
Sent: Thursday, May 30, 2002 2:11 AM
To: snort-users () lists sourceforge net
Subject: Snort-users digest, Vol 1 #1922 - 6 msgs

Send Snort-users mailing list submissions to
snort-users () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
snort-users-request () lists sourceforge net

You can reach the person managing the list at
snort-users-admin () lists sourceforge net

When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-users digest..."

Today's Topics:

1. RE: Bandwidth Information (Kreimendahl, Chad J)
2. Re: sorry...upgrade question again (Hugo Ferr)
3. Snort > mysql > acid - timestamp troubles (Rose, Jerry L SAJ Contractor)
4. RE: sorry...upgrade question again (Adam Migus)
5. AW: [Snort-users] Snort > mysql > acid - timestamp troubles (Poppi, Sandro)
6. AW: [Snort-users] (no subject) (Poppi, Sandro)

--__--__--

Message: 1
From: "Kreimendahl, Chad J" <Chad.Kreimendahl () umb com>
To: "'Erek Adams'" <erek () theadamsfamily net>, Cooper Arthur B Contr WCOM <art.cooper () schriever af mil>
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Bandwidth Information
Date: Wed, 29 May 2002 14:07:43 -0500

Actually, along those lines, there is a very easy way to do it... (Erek not crack head). If you have more patience... Set up RRDTool to monitor the front and back sides... And use RRD's math to calculate the difference. I think it's possible to do this with MRTG, but have never tried. I KNOW it's possible with RRD, because we currently create those types of graphs. Of course, it doesn't actually tell us how much of that traffic was actual attacks that snort alerted on... But just knowing how much data our firewalls block is a better indicator of what you call 'wasted' bandwidth.

-----Original Message-----
From: Erek Adams [mailto:erek () theadamsfamily net]
Sent: Wednesday, May 29, 2002 1:22 PM
To: Cooper Arthur B Contr WCOM
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Bandwidth Information

On Wed, 29 May 2002, Cooper Arthur B Contr WCOM wrote:

> Does anyone know of an "add-on" or PERL script that can do some "ciphering"
> for me and tell me what percentage of my bandwidth is generating alerts with
> SNORT? I have a snort server set-up on a SPANNED 100 MBS/Full-Duplex port
> that feeds the internal LAN of a large US Military installation. I
> absolutely LOVE SNORT, but now that I see all of the crazy stuff being
> thrown at us via the Net, I was wondering if there was a way to show what
> percentage of our bandwidth is literally being wasted by the amount of
> cmd.exe, code red, SQL Worm 1433 stuff etc. etc. that is coming in here and
> "banging" my firewalls. THANKS!!

Well, the first thing that comes to mind is to use MRTG on your router and firewall. Using that, measure the amount of incoming traffic from the router. Then measure the amount of traffic that "leaves" your firewall--If it goes thru your firewall, it should be legitimate traffic, right? Subtract number one from number two, and you should have a rough idea of how much 'wasted' bandwidth you have.

But of course, I haven't had my coffee yet--So I could be entirely crackheaded. :)

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net

_______________________________________________________________
Don't miss the 2002 Sprint PCS Application Developer's Conference
August 25-28 in Las Vegas -- http://devcon.sprintpcs.com/adp/index.cfm

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

--__--__--

Message: 2
From: "Hugo Ferr" <snortgrp () hotmail com>
To: "Erek Adams" <erek () theadamsfamily net>
Cc: <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] sorry...upgrade question again
Date: Wed, 29 May 2002 16:03:47 -0400

I think it would be easier to do a fresh new install :-) Do you know if mysql db schema should be upgraded for 1.8.6?

----- Original Message -----
From: "Erek Adams" <erek () theadamsfamily net>
To: "Hugo Ferr" <snortgrp () hotmail com>
Cc: <snort-users () lists sourceforge net>
Sent: Tuesday, May 28, 2002 4:10 PM
Subject: Re: [Snort-users] sorry...upgrade question again
On Tue, 28 May 2002, Hugo Ferr wrote:

> I searched snort users manual, faq, install and readme files and couldn't
> find any normal documentation regarding how to upgrade snort 18.2 to 8.6.
> If anyone can point me to such documentation or can give me at least some
> hints (if i should upgrade mysql db schema, can I save my local.rules and
> copy them back to the new installation, etc).....

Well.... If you were to check the mailing list archives, you would have found this post from 05/15/02:

http://marc.theaimsgroup.com/?l=snort-users&m=102150676218555&w=2

Now the sad part is, I got _no_ feedback on that at all. None.... Anyways, have a look at that and see if it helps any. Those are the base steps that I follow. It doesn't cover everything (ACID and such), but it should hit all the bases.

P.S. Special Thanks to Adam Migus for giving the RTFM-STFW-attitude. He might have been trying to save you from having to take any penalty drinks[0]. ;-)

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net

[0] http://www.theadamsfamily.net/~erek/snort/drinking_game.txt
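Erek's router-minus-firewall subtraction in Message 1 (and Chad's RRDTool variant of it) comes down to the arithmetic below, with the one detail MRTG and RRDTool handle for you and a hand-rolled script usually gets wrong: ifInOctets and ifOutOctets are 32-bit SNMP counters that wrap, so a raw difference across the wrap is a huge negative number. This is an added example, not code from the thread, MRTG or RRDTool; the counter readings are constructed, and the 300-second polling interval and the interface choice (router outside interface in, firewall inside interface out) are assumptions. As Chad notes, the result measures what the firewall dropped, not what Snort alerted on.

```python
"""Estimate 'wasted' inbound bandwidth as octets seen on the border router's
inbound interface minus octets the firewall passes on to the LAN.
Added example with constructed counter readings; not code from the thread,
MRTG or RRDTool."""

COUNTER_MAX = 2 ** 32     # SNMP Counter32 (ifInOctets / ifOutOctets) wraps here
POLL_INTERVAL = 300       # seconds between polls (assumed five-minute cycle)

# Constructed sample readings for three consecutive polls. The router's inbound
# counter wraps between the second and third reading, which naive subtraction
# would turn into a large negative delta.
ROUTER_IN = [3_000_000_000, 4_200_000_000, 1_400_000_000]
FIREWALL_OUT = [500_000_000, 1_550_000_000, 2_750_000_000]


def counter_delta(prev, cur, counter_max=COUNTER_MAX):
    """Octets counted between two polls, allowing for one wrap of a Counter32."""
    if cur >= prev:
        return cur - prev
    return counter_max - prev + cur


def rates_mbps(samples, interval=POLL_INTERVAL):
    """Throughput in Mbit/s for each interval between consecutive readings."""
    return [counter_delta(p, c) * 8 / interval / 1e6
            for p, c in zip(samples, samples[1:])]


def wasted_bandwidth(router_in, firewall_out, interval=POLL_INTERVAL):
    """Per interval: (inbound Mbit/s, passed Mbit/s, wasted Mbit/s, wasted %).

    'Wasted' is inbound minus passed. A negative value means the model's
    assumption broke (counter reset, unsynchronised polls, or traffic leaving
    the firewall that never entered via the router); it is returned as-is
    rather than clamped so the bad interval is visible.
    """
    rows = []
    for r_in, fw_out in zip(rates_mbps(router_in, interval),
                            rates_mbps(firewall_out, interval)):
        wasted = r_in - fw_out
        pct = 100.0 * wasted / r_in if r_in else 0.0
        rows.append((r_in, fw_out, wasted, pct))
    return rows


if __name__ == "__main__":
    for i, (r_in, fw_out, wasted, pct) in enumerate(
            wasted_bandwidth(ROUTER_IN, FIREWALL_OUT), 1):
        print(f"interval {i}: in {r_in:.2f} Mbit/s, passed {fw_out:.2f} Mbit/s, "
              f"dropped {wasted:.2f} Mbit/s ({pct:.1f}%)")
```

With the constructed readings the first interval shows 32 Mbit/s arriving and 28 Mbit/s passed, so 4 Mbit/s (12.5%) was dropped; the second interval crosses the counter wrap and still yields a sane figure. On a real link, poll both counters in the same cycle, or the difference picks up the polling offset as well as the dropped traffic.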
--__--__--

Message: 3
From: "Rose, Jerry L SAJ Contractor" <Jerry.L.Rose () saj02 usace army mil>
To: "'snort-users () lists sourceforge net'" <snort-users () lists sourceforge net>
Date: Wed, 29 May 2002 14:01:00 -0500
Subject: [Snort-users] Snort > mysql > acid - timestamp troubles

Here's the problem. I've got alerts being logged with timestamps later than the current time (approx. 4 hours into the future). I'm running ntpd on all three servers. I've run the "date" command on all three servers to visually verify the proper date and time is set on all three servers. I've cranked up "#snort -v" then "ctrl-c" and the timestamps are correct on standard out.

Here's some server specific info...
+++++++++++++++++++++++++++++++++++++++++++++++
I'm running a.....
LINUX RH 7.2 NIDS sensor running
Snort Version 1.8.6 (Build 105)

that is writing alerts to a.....
LINUX RH 7.2 mysql server
VERSION 3.23.49a

that is serving data to a.....
LINUX RH 7.2 apache server
version 1.3.22
PHP 4.2.0
gd-1.8.4
adodb Library for PHP4
phplot-4.4.6
+++++++++++++++++++++++++++++++++++++++++++++++

Here's a couple of query results to illustrate my problem. Notice the timestamps...
======================================================
mysql> select * from event;
<<<<< many cut lines >>>>>
|   1 | 12263 |        11 | 2002-05-29 18:09:54 |
|   1 | 12264 |        11 | 2002-05-29 18:09:54 |
|   1 | 12265 |        11 | 2002-05-29 18:09:54 |
|   1 | 12266 |        38 | 2002-05-29 18:10:10 |
|   1 | 12267 |        11 | 2002-05-29 18:18:46 |
|   1 | 12268 |        11 | 2002-05-29 18:18:46 |
+-----+-------+-----------+---------------------+
11761 rows in set (0.05 sec)

mysql> SELECT VERSION(); SELECT NOW();
+-----------+
| VERSION() |
+-----------+
| 3.23.49a  |
+-----------+
1 row in set (0.00 sec)

+---------------------+
| NOW()               |
+---------------------+
| 2002-05-29 14:27:30 |
+---------------------+
1 row in set (0.00 sec)

mysql>
======================================================
The now time is "2002-05-29 14:27:30" but the last logged alert time is "2002-05-29 18:18:46".

Any ideas would be greatly appreciated.

Thanks,
Jerry Rose
--__--__--

Message: 4
From: "Adam Migus" <amigus () tislabs com>
To: "Hugo Ferr" <snortgrp () hotmail com>, "Erek Adams" <erek () theadamsfamily net>
Cc: <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] sorry...upgrade question again
Date: Wed, 29 May 2002 22:23:47 -0400

Hugo et al,

I would like to apologize for my previous post. I had a really bad day and took it out on you and this list. That was bad form indeed. So please accept my apologies. While I think that some users on this list may have partially agreed with my post, I don't think the way I worded it was warranted. Also you were right -- there are no references to upgrading in the documentation that I pointed you at (as far as I know). The point I was trying to make was that if you did sit down and read through those things as well as the list archives you might be able to put together a more meaningful post.

Again my apologies.
Adam

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Hugo Ferr
Sent: Wednesday, May 29, 2002 4:04 PM
To: Erek Adams
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] sorry...upgrade question again

I think it would be easier to do a fresh new install :-) Do you know if mysql db schema should be upgraded for 1.8.6?

----- Original Message -----
From: "Erek Adams" <erek () theadamsfamily net>
To: "Hugo Ferr" <snortgrp () hotmail com>
Cc: <snort-users () lists sourceforge net>
Sent: Tuesday, May 28, 2002 4:10 PM
Subject: Re: [Snort-users] sorry...upgrade question again
--__--__--

Message: 5
From: "Poppi, Sandro" <Sandro.Poppi () wacker com>
To: "'Rose, Jerry L SAJ Contractor'" <Jerry.L.Rose () saj02 usace army mil>, "'snort-users () lists sourceforge net'" <snort-users () lists sourceforge net>
Subject: AW: [Snort-users] Snort > mysql > acid - timestamp troubles
Date: Thu, 30 May 2002 11:00:05 +0200

Just a thought: Did you set the same timezone on all boxes? I ran into that some time ago. With RedHat timeconfig should help.

HTH,
Sandro

-----Original Message-----
From: Rose, Jerry L SAJ Contractor [mailto:Jerry.L.Rose () saj02 usace army mil]
Sent: Wednesday, 29 May 2002 21:01
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] Snort > mysql > acid - timestamp troubles
--__--__--

Message: 6
From: "Poppi, Sandro" <Sandro.Poppi () wacker com>
To: "'John Maestrale'" <jmaestrale () NBME org>, "Snort-Users (E-mail)" <snort-users () lists sourceforge net>
Subject: AW: [Snort-users] (no subject)
Date: Thu, 30 May 2002 11:09:47 +0200

Do you get any error messages from snort in syslog? I and of course a lot of others run more than 2 sensors logging into a single mysql database and ACID works very well. Please also post info about platform, program versions, configs etc. so we can help you out. One hint may be: Did you define the second sensor on the db?
This is what I often forget and get "Access denied" on the sensor's syslog.

So long,
Sandro
> Two sensors one acid database. Anyone done it? Can't connect 2nd sensor to
> remote database.
>
> Thanks,
> John Maestrale, SSCP
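Sandro's timezone hint in Message 5 fits Jerry's numbers in Message 3: the timestamp column carries no zone, so digits written by a sensor in one zone and read by a database or ACID host in another show up as a lead of a whole number of hours, while ntpd drift is measured in seconds. The check below is an added example, not code from the thread, Snort or ACID; the rows are constructed from Jerry's query output, and the zones (sensor stamping in UTC, database host on US Eastern daylight time, which was UTC-4 that week) are assumed for the demonstration.

```python
"""Check Snort alert timestamps stored without a zone against the database's
own clock, estimate the lead, and show why a sensor/db zone mismatch yields a
whole-hour offset. Added example with constructed data modelled on Jerry's
query output; not code from the thread, Snort or ACID."""
import math
from datetime import datetime, timedelta, timezone

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed rows shaped like Jerry's `select * from event` output:
# (sid, cid, signature, timestamp as stored, no zone information).
SAMPLE_EVENTS = [
    (1, 12266, 38, "2002-05-29 18:10:10"),
    (1, 12267, 11, "2002-05-29 18:18:46"),
    (1, 12268, 11, "2002-05-29 18:18:46"),
]
DB_NOW = "2002-05-29 14:27:30"   # what SELECT NOW() returned on the database host

# Assumed zones for the demonstration: the sensor stamps in UTC, the database
# and ACID host run US Eastern daylight time (UTC-4 at the end of May 2002).
UTC = timezone.utc
EDT = timezone(timedelta(hours=-4))


def future_events(rows, now_str):
    """Rows whose stored timestamp lies after the database's own clock."""
    now = datetime.strptime(now_str, FMT)
    return [r for r in rows if datetime.strptime(r[3], FMT) > now]


def estimate_skew(rows, now_str):
    """(lower bound on the lead in seconds, likely whole-hour offset).

    The newest alert was logged at or before 'now', so the real lead is at
    least this large; zone mismatches are whole hours, so round up.
    """
    now = datetime.strptime(now_str, FMT)
    newest = max(datetime.strptime(r[3], FMT) for r in rows)
    lead = int((newest - now).total_seconds())
    if lead <= 0:
        return 0, 0
    return lead, math.ceil(lead / 3600)


def reinterpret(ts_str, stored_zone, display_zone):
    """Attach the zone the digits were written in, then convert for display."""
    return (datetime.strptime(ts_str, FMT)
            .replace(tzinfo=stored_zone)
            .astimezone(display_zone)
            .strftime(FMT))


def mismatch_hours(ts_str, real_zone, assumed_zone):
    """Hours a viewer is off when it reads digits written in real_zone as assumed_zone."""
    written = datetime.strptime(ts_str, FMT).replace(tzinfo=real_zone)
    misread = written.replace(tzinfo=assumed_zone)   # same digits, wrong zone
    return int((misread - written).total_seconds()) // 3600


if __name__ == "__main__":
    print("rows in the future:", len(future_events(SAMPLE_EVENTS, DB_NOW)))
    print("lead (seconds, hours):", estimate_skew(SAMPLE_EVENTS, DB_NOW))
    print("UTC digits read as EDT are off by",
          mismatch_hours("2002-05-29 18:18:46", UTC, EDT), "h")
    fixed = [(s, c, g, reinterpret(t, UTC, EDT)) for s, c, g, t in SAMPLE_EVENTS]
    print("rows in the future after converting:", len(future_events(fixed, DB_NOW)))
```

On Jerry's figures the newest alert leads NOW() by 3h51m16s, which rounds up to the 4-hour offset he reported; reinterpreting the same digits as UTC and converting to UTC-4 puts the last alert nine minutes before NOW(), where it belongs. Running the check against a live database needs nothing beyond the stored strings and a SELECT NOW() from the same server, so it is cheap to run after any sensor or database host is rebuilt.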
--__--__--

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users

End of Snort-users Digest