Snort mailing list archives
Re: PureSecure is crazy
From: François Jan <fjan () wanadoo fr>
Date: 18 Jun 2002 23:54:02 +0200
Thanks a lot for answering. Unfortunately, the answer doesn't seem to match my situation. I just went through the links pointed out by Robin (thanks to him) but I don't seem to match this situation either because I seem to be in the situation of solution 1. I will try to be more explicit this time so that maybe details that don't seem relevant to me will give a clue to somebody.

I fire psd on the sensor by just calling /usr/local/puresecure/sensor/bin/psd and my conf is below. My MySQL schema is 105. The server hosting the sensor and the database is hanoi.

psd.conf:
-------------------------------------------
sid = "1"
this_is_the_main_sensor = "yes"
db_user = "puresecure"
db_password = "<PASSWORD>"
db_host = "hanoi"
db_name = "snort"
db_port = "3306"
...
run_snort_locally = "yes"
snort_binary_path = "/usr/sbin/snort"
snort_interface = "ppp0"
snort_options = ""
auto_update_snort_rules = "yes"
...
base_path = "/usr/local/puresecure/sensor"
...
--------------------------------------------

snortppp0.conf
--------------------------------------------
var HOME_NET $ppp0_ADDRESS
var EXTERNAL_NET !$HOME_NET
...
output database: alert, mysql, user=puresecure dbname=snort sensor_name=hanoi sid=1 password=<PASSWORD> host=hanoi
...
...
---------------------------------------------

and here is my snort_output.log:
---------------------------------------------
Log directory = /usr/local/puresecure/sensor/log/
Initializing Network Interface ppp0

        --== Initializing Snort ==--
Rule application order changed to Pass->Alert->Log
Decoding raw data on interface ppp0
Parsing Rules file /usr/local/puresecure/sensor/conf/snortppp0.conf

Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
Stream4_reassemble config:
    Server reassembly: INACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Ports: 21 23 25 53 80 110 111 143 513
Using LOCAL time
database: compiled support for ( mysql )
database: configured to use mysql
database: user = puresecure
database: database name = snort
database: sensor name = hanoi
database: password is set
database: host = hanoi
database: sensor id = 13
database: schema version = 105
database: using the "alert" facility
--== Initialization Complete ==--
-*> Snort! <*-
Version 1.8.6 (Build 105)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
-------------------------------------------

and last psd.log:
-------------------------------------------
....
Tue Jun 18 23:27:20 2002 Appears to be an invalid ruleset / snort.conf
Tue Jun 18 23:27:20 2002 Finishing iteration # 41 , that took 0 seconds.
Tue Jun 18 23:32:21 2002 Starting iteration # 42 (5 min 1 sec since the last run)
Tue Jun 18 23:32:21 2002 Appears to be an invalid ruleset / snort.conf
Tue Jun 18 23:32:22 2002 Finishing iteration # 42 , that took 1 seconds.
....
-------------------------------------------

Of course, I can give more information to anybody willing to help me.

François

On Tue 18/06/2002 at 16:17, Ian Macdonald wrote:
They introduced a couple extra arguments in the mysql output module to help solve this problem. In the snort.conf file make sure you have on the output line sensor_name=YOURSENSOR and sid=YOURSENSORID. Mine looks like:

output database: alert, mysql, user=snort dbname=snort sensor_name=SENSOR-NIC2 sid=1 password=SNORTPASSWORD host=localhost

hope this helps

Ian

----- Original Message -----
From: "François Jan" <fjan () wanadoo fr>
To: <snort-users () lists sourceforge net>
Sent: Monday, June 17, 2002 5:48 PM
Subject: [Snort-users] PureSecure is crazy

Hi,

I tried to find the answer on this mailing-list but nobody seems to have run into the same problem as me so I'm gonna explain it in hope somebody has a solution. I upgraded from demarc 1.05 to PureSecure 1.6 on a redhat 7.3. I run snort on ppp0 on one server and the console on another computer. When I first started, I noticed a sensor I didn't know of. I deleted it through the console but it keeps coming back with increasing sensor id. I looked into MySQL but couldn't understand where this sensor comes from. Since my psd.conf indicates sensorid = 1, I began to think about psd not using psd.conf. Another point: if I change snort options in this same file and I restart psd, it doesn't care about my options and uses the "-o -N" default. My psd.conf file is in the place it should be (/usr/local/puresecure/sensor/conf) and I really don't have a clue where to start from. Thanks.
-- 
François Jan <fjan () wanadoo fr>
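A consistency check across the three files quoted in this thread (psd.conf, the snort "output database:" line, and the snort startup log), written as an added example for this archive page; it is not part of PureSecure or of the thread, and its sample inputs are constructed from the values quoted above. It flags an output line that lacks the sensor_name= and sid= arguments Ian describes, parameters that disagree between psd.conf and the output line, and a sensor id registered by snort that differs from the sid the output line requests.

```python
import re

# Constructed samples modelled on the values quoted in the thread (not the poster's real files).
PSD_CONF = '''sid = "1"
db_user = "puresecure"
db_host = "hanoi"
db_name = "snort"
'''
SNORT_CONF = '''var HOME_NET $ppp0_ADDRESS
output database: alert, mysql, user=puresecure dbname=snort sensor_name=hanoi sid=1 password=<PASSWORD> host=hanoi
'''
SNORT_LOG = '''database:   sensor name = hanoi
database:     sensor id = 13
'''

def parse_psd_conf(text):
    """Collect key = "value" pairs from psd.conf (the format shown in the thread)."""
    pairs = re.findall(r'^\s*(\w+)\s*=\s*"([^"]*)"', text, re.MULTILINE)
    return dict(pairs)

def parse_output_database(text):
    """Return the k=v parameters of the first 'output database:' line, or {} if absent."""
    for line in text.splitlines():
        if line.startswith("output database:"):
            # layout: 'output database: <facility>, <dbtype>, k=v k=v ...'
            params = line.split(":", 1)[1].split(",", 2)[2]
            return dict(p.split("=", 1) for p in params.split() if "=" in p)
    return {}

def reported_sensor_id(log_text):
    """Sensor id the database plugin actually registered, per snort's startup log."""
    m = re.search(r"database:\s+sensor id = (\d+)", log_text)
    return int(m.group(1)) if m else None

def check_sensor_config(psd_text, snort_text, log_text):
    """List every mismatch between psd.conf, the output line and the startup log."""
    psd, out = parse_psd_conf(psd_text), parse_output_database(snort_text)
    problems = [f"output database line lacks {k}=" for k in ("sensor_name", "sid") if k not in out]
    for psd_key, out_key in (("sid", "sid"), ("db_user", "user"),
                             ("db_name", "dbname"), ("db_host", "host")):
        if psd.get(psd_key) != out.get(out_key):
            problems.append(f"{psd_key}={psd.get(psd_key)!r} in psd.conf but "
                            f"{out_key}={out.get(out_key)!r} on the output line")
    rid = reported_sensor_id(log_text)
    if rid is not None and out.get("sid", "").isdigit() and rid != int(out["sid"]):
        problems.append(f"snort registered sensor id {rid} but the output line asks for sid={out['sid']}")
    return problems
```

Run against the quoted files it reports only the registered-id mismatch (13 versus the requested sid=1), which is the discrepancy to chase in the sensor table rather than in psd.conf.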
Current thread:
- PureSecure is crazy François Jan (Jun 17)
- Re: PureSecure is crazy Ian Macdonald (Jun 18)
- Re: PureSecure is crazy François Jan (Jun 18)
- <Possible follow-ups>
- RE: PureSecure is crazy Robin Brown (Jun 18)
- Re: PureSecure is crazy Ian Macdonald (Jun 18)