Snort mailing list archives

Re: Snort, php, MySQL and acid showing no activity


From: "Joshua Rogers" <josh () ipws com>
Date: Fri, 23 Aug 2002 14:52:19 -0600

Hi All,
Erek Adams, answers to your questions are below. Rafeeq Ur Rehman, I have
not yet tested your idea. Demetri Mouratis, I will get to your questions
next. Thanks everyone so far!

From / To Gammon McClure:
Not to be asking stupid questions, but are you in a switched environment?
Yes, we are in a switched environment. We are running an HP 4000M which
allows me to mirror all traffic (on a given vlan) to a specific port, which
I have done. Not a stupid question, but I caught that issue in the docs.

Can you get alerts to the console (other than broadcast) running just
snort -dv?
Yes, here is the output. Similar output on 'snort -vade' but I did not copy
it here.

Snort analyzed 69 out of 69 packets, The kernel dropped 0(0.000%) packets
Breakdown by protocol:                Action Stats:
    TCP: 69         (100.000%)         ALERTS: 0
    UDP: 0          (0.000%)          LOGGED: 0
   ICMP: 0          (0.000%)          PASSED: 0
    ARP: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 0          (0.000%)
DISCARD: 0          (0.000%)
===============================================================================
Fragmentation Stats:
Fragmented IP Packets: 0          (0.000%)
    Fragment Trackers: 0
   Rebuilt IP Packets: 0
   Frag elements used: 0
Discarded(incomplete): 0
   Discarded(timeout): 0
  Frag2 memory faults: 0
===============================================================================
TCP Stream Reassembly Stats:
        TCP Packets Used: 0          (0.000%)
         Stream Trackers: 0
          Stream flushes: 0
           Segments used: 0
   Stream4 Memory Faults: 0
===============================================================================
***AP*** Seq: 0xF73F77E3  Ack: 0x2831E46D  Win: 0xAB20  TcpLen: 20
Snort received signal 2, exiting

From / To Erek Adams:
Try this:

*  Verify that snort is working.  'snort -vade' should show traffic on your
network.
It works and shows traffic on the network. I copied some output above.

*  Check your snort.conf.  Check HOME_NET and EXTERNAL_NET, to be sure
they are set for the correct ranges.
I have the HOME_NET set for each class c;
var HOME_NET [63.229.251.0/24,65.101.195.0/24,65.103.101.0/24,65.125.152.0/23]
but my EXTERNAL_NET is set like this:
var EXTERNAL_NET $HOME_NET
Should external net say 'any'?

*  If the MySQL host and snort host are different, make sure you can
connect from one to the other.
The MySQL host and snort are on the same machine.

Thanks,
Joshua Rogers
Webmaster
InterPlanetary Web Services
303-940-2597
IBO# 60092
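An added, runnable illustration of the HOME_NET / EXTERNAL_NET point discussed above (example code written for this archive page, not from the original thread and not Snort's own code). It models only the address/port part of a Snort rule header: 'any', '$VAR', '!$VAR', bracketed CIDR lists and single ports. It then runs the stock header `alert tcp $EXTERNAL_NET any -> $HOME_NET any` over two constructed packets, an nmap-style SYN from an outside address and an ordinary internal-to-internal connection, under three settings of EXTERNAL_NET. The HOME_NET value is the one quoted in the thread; the packet addresses, ports and the rule are assumptions. Real Snort does far more (port ranges and lists, preprocessors, rule options), but these header semantics are what decide whether a scan from outside can match an $EXTERNAL_NET -> $HOME_NET rule at all.

```python
"""Snort-style rule-header matching against HOME_NET / EXTERNAL_NET.

Added illustration for this page; not from the thread and not Snort code.
"""
import ipaddress

# HOME_NET copied from the snort.conf fragment quoted in the thread.
HOME_NET = "[63.229.251.0/24,65.101.195.0/24,65.103.101.0/24,65.125.152.0/23]"

# Constructed packets (not real captures): an nmap-style SYN probe from an
# outside host, and a normal connection between two hosts inside HOME_NET.
PACKETS = {
    "external_scan": dict(proto="tcp", src="198.51.100.7", sport=40321,
                          dst="63.229.251.10", dport=80),
    "internal_to_internal": dict(proto="tcp", src="65.101.195.20", sport=51000,
                                 dst="63.229.251.10", dport=80),
}

# The header shape used by most stock rules (assumed here as the test rule).
RULE = "alert tcp $EXTERNAL_NET any -> $HOME_NET any"


def resolve_ip_spec(spec, variables):
    """Return (negated, networks) for 'any', '$VAR', '!$VAR' or '[cidr,...]'.

    networks is None for 'any'.  Variables may refer to other variables, and
    a '!' outside a variable combines with one inside it (double negation).
    """
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    if spec == "any":
        return negated, None
    if spec.startswith("$"):
        inner_negated, nets = resolve_ip_spec(variables[spec[1:]], variables)
        return negated ^ inner_negated, nets
    nets = [ipaddress.ip_network(s.strip(), strict=False)
            for s in spec.strip("[]").split(",")]
    return negated, nets


def ip_matches(addr, spec, variables):
    negated, nets = resolve_ip_spec(spec, variables)
    if nets is None:            # 'any' matches everything, '!any' nothing
        return not negated
    hit = any(ipaddress.ip_address(addr) in n for n in nets)
    return hit != negated


def port_matches(port, spec):
    """Single port or 'any', optionally negated with '!'."""
    spec = spec.strip()
    if spec == "any":
        return True
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    return (int(spec) == port) != negated


def header_matches(rule, pkt, variables):
    """Evaluate 'action proto src sport dir dst dport' against one packet."""
    _action, proto, src, sport, direction, dst, dport = rule.split()
    if proto != "any" and proto != pkt["proto"]:
        return False
    forward = (ip_matches(pkt["src"], src, variables) and port_matches(pkt["sport"], sport)
               and ip_matches(pkt["dst"], dst, variables) and port_matches(pkt["dport"], dport))
    if direction == "->":
        return forward
    if direction == "<>":       # bidirectional: also try the reverse mapping
        backward = (ip_matches(pkt["dst"], src, variables) and port_matches(pkt["dport"], sport)
                    and ip_matches(pkt["src"], dst, variables) and port_matches(pkt["sport"], dport))
        return forward or backward
    raise ValueError("unknown direction operator %r" % direction)


def alerting_packets(external_net_spec, rule=RULE, packets=PACKETS):
    """Names of the constructed packets that would fire `rule` when
    snort.conf contains 'var EXTERNAL_NET <external_net_spec>'."""
    variables = {"HOME_NET": HOME_NET, "EXTERNAL_NET": external_net_spec}
    return sorted(name for name, pkt in packets.items()
                  if header_matches(rule, pkt, variables))


if __name__ == "__main__":
    for spec in ("$HOME_NET", "!$HOME_NET", "any"):
        print("var EXTERNAL_NET %-11s -> rule fires on %s"
              % (spec, alerting_packets(spec)))
```

With `var EXTERNAL_NET $HOME_NET` the rule header can only match traffic whose source and destination are both inside HOME_NET, so the probe from 198.51.100.7 never reaches the rule body; `!$HOME_NET` inverts that and `any` matches both. A quick sanity rule such as `alert tcp any any -> any any` sidesteps the variables entirely, which is useful when first checking that the output plugin writes to the database.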

----- Original Message -----
From: "McClure Gammon" <gammon.mcclure () volvo com>
To: "'Joshua Rogers'" <josh () ipws com>; <Snort-users () lists sourceforge net>
Sent: Friday, August 23, 2002 1:59 PM
Subject: RE: [Snort-users] Snort, php, MySQL and acid showing no activity


Joshua,
Not to be asking stupid questions, but are you in a switched environment?
(Keep in mind some "hubs" are really switches.)  If so, you'll need to span
or mirror ports of interest to the port where snort is plugged in.  Easiest
way to debug this is to start simple: can you get alerts to the console
(other than broadcast) running just snort -dv? If all you see are broadcasts,
you're switched.  If you see other stuff, we can get more complicated.

Gammon

-----Original Message-----
From: Joshua Rogers [mailto:josh () ipws com]
Sent: Friday, August 23, 2002 2:50 PM
To: Snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort, php, MySQL and acid showing no activity


Ok, I ran 'nmap -v -sS -O <server ip>' on the snort machine and on another
server. Both tests did not show up in the acid console and nothing in the
MySQL db. There is also nothing showing up in the portscan log file. I am
guessing I missed something in the setup.

Thanks,
Joshua Rogers
Webmaster
InterPlanetary Web Services
303-940-2597
IBO# 60092

----- Original Message -----
From: "Demetri Mouratis" <dmourati () cm math uiuc edu>
To: "Randy Bey" <Randy.Bey () rivernorthsys com>
Cc: <Snort-users () lists sourceforge net>
Sent: Friday, August 23, 2002 11:33 AM
Subject: RE: [Snort-users] Snort, php, MySQL and acid showing no activity


Nmap is easier and faster in that it doesn't require client/server setup:

http://www.insecure.org

HTH
On Fri, 23 Aug 2002, Randy Bey wrote:

Oh yes, you need to do something to trigger a rule. I usually just run a
quick Nessus(tm) scan; that does it for me.

If there are faster, easier ways to trip a rule, please someone let me
know.

Randy Bey
RiverNorth Systems
7300 W 147th St Suite 300
Apple Valley, MN 55124
http://www.rivernorthsys.com


-----Original Message-----
From: Joshua Rogers [mailto:josh () ipws com]
Sent: Friday, August 23, 2002 10:24 AM
To: Snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort, php, MySQL and acid showing no activity

I just tried: /usr/local/bin/snort -c /etc/snort/snort.conf -D from the
command line. It created an additional sensor, but still no activity in the
db. Do I need to create any alerts? It seems that I can not create a useful
alert until I have a traffic pattern to base it on. Am I correct in this
assumption?

Thanks,
Joshua Rogers
Webmaster
InterPlanetary Web Services
303-940-2597
IBO# 60092
----- Original Message -----
From: "Randy Bey" <Randy.Bey () rivernorthsys com>
To: "Joshua Rogers" <josh () ipws com>; <Snort-users () lists sourceforge net>
Sent: Friday, August 23, 2002 9:31 AM
Subject: RE: [Snort-users] Snort, php, MySQL and acid showing no activity


Have you made sure you aren't using any -A switches on your snort
command line? It should be as simple as:
/usr/local/bin/snort -c /etc/snort/snort.conf -D


Randy Bey
RiverNorth Systems
7300 W 147th St Suite 300
Apple Valley, MN 55124
http://www.rivernorthsys.com


-----Original Message-----
From: Joshua Rogers [mailto:josh () ipws com]
Sent: Thursday, August 22, 2002 4:28 PM
To: Snort-users () lists sourceforge net
Subject: [Snort-users] Snort, php, MySQL and acid showing no activity

Hi,
I do not know what information will be helpful in showing me how to track
down a problem on my system, but here goes. I am running:
Red Hat Linux 7.3 with the latest updates
PHP 4.2.1, register globals=on
Apache 1.3.26
MySQL 3.23.39
GD 1.6.2
The latest acid
BCMath

I followed the great doc on setting up snort-rh7-mysql, from the snort
website. I had to make a few changes since I am running 7.3 and did not have
all of the drive space shown in the doc. Somewhere along the line I think I
missed something. Snort and MySQL seem to be running, the acid interface
comes up fine with no errors but there is no data that shows up in the
database or in the acid interface.
What information would you need to help point me in the right direction to
get snort recording data?

Thanks,
Joshua Rogers
Webmaster
InterPlanetary Web Services
303-940-2597
IBO# 60092



-------------------------------------------------------
This sf.net email is sponsored by: OSDN - Tired of that same old
cell phone?  Get a new here for FREE!
https://www.inphonic.com/r.asp?r=sourceforge1&refcode1=vs3390
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
---------------------------------------------------------------------
Demetri Mouratis
dmourati () linfactory com