Snort mailing list archives

Re: PureSecure is crazy


From: François Jan <fjan () wanadoo fr>
Date: 18 Jun 2002 23:54:02 +0200

Thanks a lot for answering.

Unfortunately, the answer doesn't seem to match my situation.
I just went through the links pointed out by Robin (thanks to him), but
they don't seem to match my situation either, because I seem to be in
the situation of solution 1.

I will try to be more explicit this time, so that maybe details that
don't seem relevant to me will give a clue to somebody. I fire psd on
the sensor by just calling /usr/local/puresecure/sensor/bin/psd, and my
conf is as follows.

My MySQL schema is 105. The server hosting the sensor and the database
is hanoi.

psd.conf:
-------------------------------------------
sid = "1"
this_is_the_main_sensor = "yes"
db_user  = "puresecure"
db_password = "<PASSWORD>"
db_host  = "hanoi"
db_name  = "snort"
db_port  = "3306"
...
run_snort_locally = "yes"
snort_binary_path = "/usr/sbin/snort"
snort_interface = "ppp0"
snort_options = ""
auto_update_snort_rules = "yes"
...
base_path = "/usr/local/puresecure/sensor"
...
--------------------------------------------

snortppp0.conf
--------------------------------------------
var HOME_NET $ppp0_ADDRESS
var EXTERNAL_NET !$HOME_NET
...
output database: alert, mysql, user=puresecure dbname=snort
sensor_name=hanoi sid=1 password=<PASSWORD> host=hanoi
...
...
---------------------------------------------

and here is my snort_output.log:
---------------------------------------------
 Log directory = /usr/local/puresecure/sensor/log/

Initializing Network Interface ppp0

        --== Initializing Snort ==--
Rule application order changed to Pass->Alert->Log
Decoding raw data on interface ppp0
Parsing Rules file /usr/local/puresecure/sensor/conf/snortppp0.conf
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
Stream4_reassemble config:
    Server reassembly: INACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Ports:
21 23 25 53 80 110 111 143 513
Using LOCAL time
database: compiled support for ( mysql )
database: configured to use mysql
database:          user = puresecure
database: database name = snort
database:   sensor name = hanoi
database: password is set
database:          host = hanoi
database:     sensor id = 13
database: schema version = 105
database: using the "alert" facility

        --== Initialization Complete ==--

-*> Snort! <*-
Version 1.8.6 (Build 105)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
-------------------------------------------

and last psd.log:
-------------------------------------------
....
Tue Jun 18 23:27:20 2002   Appears to be an invalid ruleset / snort.conf
Tue Jun 18 23:27:20 2002   Finishing iteration # 41 , that took 0
seconds.
Tue Jun 18 23:32:21 2002   Starting iteration # 42 (5 min 1 sec since
the last run)
Tue Jun 18 23:32:21 2002   Appears to be an invalid ruleset / snort.conf
Tue Jun 18 23:32:22 2002   Finishing iteration # 42 , that took 1
seconds.
....
-------------------------------------------

Of course, I can give more information to anybody willing to help me.

François

On Tue 18/06/2002 at 16:17, Ian Macdonald wrote:
They introduced a couple of extra arguments in the mysql output module to help
solve this problem. In the snort.conf file make sure you have, on the output
line, sensor_name=YOURSENSOR and sid=YOURSENSORID. Mine looks like:

output database: alert, mysql, user=snort dbname=snort
sensor_name=SENSOR-NIC2 sid=1 password=SNORTPASSWORD host=localhost


hope this helps

Ian
----- Original Message -----
From: "François Jan" <fjan () wanadoo fr>
To: <snort-users () lists sourceforge net>
Sent: Monday, June 17, 2002 5:48 PM
Subject: [Snort-users] PureSecure is crazy


Hi,

I tried to find the answer on this mailing list, but nobody seems to have
run into the same problem as me, so I'm gonna explain it in the hope somebody
has a solution.

I upgraded from Demarc 1.05 to PureSecure 1.6 on a Red Hat 7.3.
I run snort on ppp0 on one server and the console on another computer.

When I first started, I noticed a sensor I didn't know of. I deleted it
through the console but it keeps coming back with increasing sensor id.
I looked into MySQL but couldn't understand where this sensor comes
from.

Since my psd.conf indicates sensorid = 1, I began to think that psd is not
using psd.conf. Another point: if I change snort options in this same
file and restart psd, it doesn't care about my options and uses the
"-o -N" default.

My psd.conf file is in the place it should be
(/usr/local/puresecure/sensor/conf), and I really don't have a clue where
to start from.

Thanks.


--
François Jan <fjan () wanadoo fr>


----------------------------------------------------------------------------
                   Sponsor's Message
----------------------------------------------------------------------------
                   Bringing you mounds of caffeinated joy
                   >>>     http://thinkgeek.com/sf    <<<

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list

-- 
François Jan <fjan () wanadoo fr>
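The thread above boils down to three artefacts that should agree on one sensor identity: the psd.conf sid, the sid=/sensor_name= arguments on Snort's "output database:" line, and the "sensor id" Snort actually reports in snort_output.log (sid=1 requested, sensor id = 13 registered). The following consistency check is an added example written for this archive page; it is not code from the thread, from Snort or from PureSecure. The sample inputs are constructed from the excerpts quoted above, the <PASSWORD> value is the thread's own placeholder, and the function names are my own.

```python
import re

# Constructed sample inputs modelled on the excerpts quoted in this thread;
# they are not the poster's real files. <PASSWORD> is a placeholder.
PSD_CONF = '''
sid = "1"
this_is_the_main_sensor = "yes"
db_user  = "puresecure"
db_password = "<PASSWORD>"
db_host  = "hanoi"
db_name  = "snort"
snort_interface = "ppp0"
'''

SNORT_CONF = '''
var HOME_NET $ppp0_ADDRESS
var EXTERNAL_NET !$HOME_NET
output database: alert, mysql, user=puresecure dbname=snort sensor_name=hanoi sid=1 password=<PASSWORD> host=hanoi
'''

SNORT_OUTPUT_LOG = '''
database: compiled support for ( mysql )
database: configured to use mysql
database:          user = puresecure
database: database name = snort
database:   sensor name = hanoi
database: password is set
database:          host = hanoi
database:     sensor id = 13
database: schema version = 105
database: using the "alert" facility
'''


def parse_psd_conf(text):
    """Parse psd.conf lines of the form  key = "value"  into a dict."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r'\s*(\w+)\s*=\s*"([^"]*)"', line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def parse_output_database(text):
    """Return (facility, backend, params) for the first 'output database:' line.

    Snort's syntax is:  output database: <facility>, <backend>, key=value key=value ...
    Returns None when the line is absent.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("output database:"):
            continue
        body = line[len("output database:"):]
        parts = [p.strip() for p in body.split(",", 2)]
        if len(parts) != 3:
            raise ValueError(f"malformed output database line: {line!r}")
        facility, backend, rest = parts
        params = dict(tok.split("=", 1) for tok in rest.split() if "=" in tok)
        return facility, backend, params
    return None


def parse_db_log(text):
    """Collect the 'database: <key> = <value>' lines Snort prints at start-up."""
    info = {}
    for line in text.splitlines():
        m = re.match(r'\s*database:\s*(.+?)\s*=\s*(.+?)\s*$', line)
        if m:
            info[m.group(1)] = m.group(2)
    return info


def find_mismatches(psd_text, snort_text, log_text):
    """Cross-check the three artefacts; return a list of human-readable findings."""
    findings = []
    psd = parse_psd_conf(psd_text)
    parsed = parse_output_database(snort_text)
    if parsed is None:
        return ["snort.conf has no 'output database:' line"]
    _facility, _backend, params = parsed
    log = parse_db_log(log_text)

    # psd.conf and snort.conf must point at the same database and sensor id.
    pairs = (("sid", "sid"), ("db_name", "dbname"), ("db_host", "host"), ("db_user", "user"))
    for psd_key, snort_key in pairs:
        if psd.get(psd_key) != params.get(snort_key):
            findings.append(f"psd.conf {psd_key}={psd.get(psd_key)!r} but "
                            f"snort.conf {snort_key}={params.get(snort_key)!r}")

    # What Snort logged at start-up must match what the config asked for.
    if params.get("sensor_name") != log.get("sensor name"):
        findings.append(f"snort.conf sensor_name={params.get('sensor_name')!r} but Snort "
                        f"logged sensor name {log.get('sensor name')!r}")
    if "sid" in params and log.get("sensor id") != params["sid"]:
        findings.append(f"snort.conf requested sid={params['sid']} but Snort registered as "
                        f"sensor id {log.get('sensor id')}: a new sensor row was created "
                        "instead of reusing the configured one")
    return findings


if __name__ == "__main__":
    for finding in find_mismatches(PSD_CONF, SNORT_CONF, SNORT_OUTPUT_LOG):
        print("MISMATCH:", finding)
```

On the thread's own values the check reports exactly one mismatch, the sid=1 versus sensor id = 13 divergence, which is the symptom the original post describes (a sensor that keeps coming back with an increasing id). Run it against the real psd.conf, snortppp0.conf and snort_output.log on the sensor to confirm whether the configured sid ever survives a restart.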

