Snort mailing list archives

Snort not logging to MySQL


From: Adam Shephard <sfnative33 () yahoo com>
Date: Mon, 10 Feb 2003 15:11:48 -0800 (PST)

I'm using ACID and after not having any alerts show up
for a while, I decided to look into things. Turns out,
nothing is going into MySQL at all. I do have alerts
showing up in Snort both in /var/log/snort/alerts and
/var/log/snort/xxx.xxx.xxx.xxx 

I am getting this in /var/log/daemon.log:

Feb  9 14:02:48 ******* snort: PID stat checked out ok, PID set to /var/run/
Feb  9 14:02:48 ******* snort: Writing PID file to "/var/run/"
Feb  9 14:02:48 ******* snort: Initializing daemon mode
Feb  9 14:02:48 ******* snort: PID stat checked out ok, PID set to /var/run/
Feb  9 14:02:48 ******* snort: Writing PID file to "/var/run/"
Feb  9 14:02:49 ******* snort: database: must enter database name in configuration file
Feb  9 14:02:49 ******* snort: FATAL ERROR:

I do have the database name listed in the common.inc
file, per instructions. This is happening on two
separate machines. On one, I copied the config files
from an article from SecurityFocus, on the other I
re-typed the files by hand. That leads me to believe
it's not a typo but it's certainly possible.

The boxes are running Debian Woody, mysql 3.23.49.8-2,
snort-mysql 1.8.4beta-13 and acidlab 0.9.6b20-2. All
of the packages were installed using apt-get from
STABLE.

Any help would be greatly appreciated.

Adam

Here are the config files:

-----------------
/etc/init.d/snort
-----------------

#!/bin/sh
#
# Script to control SNORT execution under Debian
# Written by Vladislav V. Myasnyankin .

PATH=/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin
DAEMON=/usr/sbin/snort
PIDFILES=`ls /var/run | grep snort`
INTERFACES=`cat /etc/snort/common/interfaces`

# Arguments passed to SNORT
#
# To watch only our system
ARGS="-o -p -X -u snort -g snort -D"

#
# Check if we need to watch all packets in the segment
if [ -e /etc/snort/common/promisc ]
then
    ARGS="-o -X -u snort -g snort -D"
fi

test -x $DAEMON || exit 0

case "$1" in
  start)
    echo -n "Starting Network Intrusion Detection System: snort"
    for IFACE in $INTERFACES;
    do
        PIDFILE=/var/run/snort_$IFACE.pid
        CONFIG=/etc/snort/snort.conf.$IFACE
        echo $IFACE
        echo $CONFIG
        echo $PIDFILE
        /sbin/ifconfig | grep $IFACE > /dev/null
        if [ $? -ne 0 ]
        then
            /sbin/ifconfig $IFACE up
        fi

        /sbin/start-stop-daemon --start --pidfile $PIDFILE --exec $DAEMON -- -i $IFACE $

        case "$?" in
          0) echo "." ;;
          1) echo "...already running." ;;
          2) echo "..failed.";;
        esac
    done
    ;;
  stop)
    echo -n "Stopping Network Intrusion Detection System: snort"
    for PIDFILE in $PIDFILES;
    do
        echo
        echo $PIDFILE
        echo
        /sbin/start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/$PIDFI$
        echo "."
        rm -f /var/run/$PIDFILE
    done
    ps cax | grep '/usr/sbin/snort' | awk '{ print $1 }' | xargs --no-run-$
    ;;
  restart|force-restart|reload|force-reload)
    /etc/init.d/snort stop
    # stop will take care that the thing is really dead
    /etc/init.d/snort start
    ;;
  *)
    echo "Usage: /etc/init.d/snort {start|stop|restart|force-reload|reload}"
    exit 1
    ;;
esac

exit 0


--------------------------
/etc/snort/snort.conf.eth0
--------------------------

var HOME_NET xxx.xxx.xxx.xxx/24
var EXTERNAL_NET !$HOME_NET
var SMTP $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var DNS_SERVERS [xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx]
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521

include /etc/snort/common/common.inc

#
# Include classification & priority settings
#

include classification.config


#
# Customize the rule set
#

include bad-traffic.rules
include exploit.rules
include scan.rules
include finger.rules
include ftp.rules
include telnet.rules
include smtp.rules
include rpc.rules
include rservices.rules
include dos.rules
include ddos.rules
include dns.rules
include tftp.rules
include web-cgi.rules
include web-coldfusion.rules
include web-frontpage.rules
include web-iis.rules
include web-misc.rules
include web-attacks.rules
include sql.rules
include x11.rules
include icmp.rules
include netbios.rules
include misc.rules
include attack-responses.rules
# include backdoor.rules
# include shellcode.rules
# include policy.rules
# include porn.rules
# include info.rules
# include icmp-info.rules
# include virus.rules
include local.rules

----------------------------
/etc/snort/common/common.inc
----------------------------

# common variables

pass ICMP $HOME_NET any -> $HOME_NET any
pass TCP $HOME_NET any -> $HOME_NET any
pass UDP $HOME_NET any -> $HOME_NET any

# preprocessors
preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor unidecode: 80 -unicode -cginull
preprocessor rpc_decode: 111
preprocessor bo: -nobrute
preprocessor telnet_decode

# output plugins
output database: log, mysql, user=snort password= dbname=snort_log host=localhost

=====
Adam Shephard
-- Nothing exceeds like excess --
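An added example, not from the post or from Snort itself: a small Python lint that reads a snort.conf fragment and checks its `output database:` line the way the database output plugin's argument string is modelled here (facility, database type, then whitespace-separated key=value pairs), reporting the same condition behind "must enter database name in configuration file". It also flags a directive that has been wrapped onto a second line, since Snort treats each line (unless continued with a trailing backslash) as a separate directive. The set of accepted keys and the parsing model are assumptions about the plugin, not taken from its source.

```python
"""Lint the 'output database:' directive of a Snort config (added example, not Snort's code).
The tokenizing is a simplified model of how Snort's database output plugin reads its
arguments: facility, database type, then whitespace-separated key=value pairs."""
import re

# Keys the database plugin documents; treat this set as an assumption for your version.
KNOWN_KEYS = {"host", "port", "user", "password", "dbname", "sensor_name", "encoding", "detail"}
DB_TYPES = {"mysql", "postgresql", "unixodbc", "mssql", "oracle"}
KV_LINE = re.compile(r"^\w+=\S*(\s+\w+=\S*)*$")  # a line consisting only of key=value pairs

def lint_output_database(conf_text):
    """Return a list of problems found on every 'output database:' line."""
    problems = []
    lines = [ln.strip() for ln in conf_text.splitlines()]
    for idx, line in enumerate(lines):
        if not line.startswith("output database:"):
            continue
        where = f"line {idx + 1}"
        parts = [p.strip() for p in line[len("output database:"):].split(",", 2)]
        if len(parts) < 3:
            problems.append(f"{where}: expected 'output database: <log|alert>, <dbtype>, <key=value ...>'")
            continue
        facility, dbtype, rest = parts
        if facility not in ("log", "alert") or dbtype not in DB_TYPES:
            problems.append(f"{where}: unexpected facility/database type {facility!r}, {dbtype!r}")
        seen = set()
        for token in rest.split():
            key, sep, value = token.partition("=")
            if not sep or key not in KNOWN_KEYS:
                problems.append(f"{where}: unrecognised argument {token!r}")
                continue
            if value == "":
                problems.append(f"{where}: '{key}=' has an empty value; check that is intended")
            seen.add(key)
        if "dbname" not in seen:
            problems.append(f"{where}: no dbname= given (Snort: 'must enter database name in configuration file')")
        # Snort reads one directive per line: a directive wrapped onto the next line
        # loses its tail, and the tail is then parsed as an unknown directive.
        nxt = lines[idx + 1] if idx + 1 < len(lines) else ""
        if KV_LINE.match(nxt):
            problems.append(f"line {idx + 2}: looks like the tail of the directive above; join them onto one line")
    return problems
# Constructed samples: the directive as it appears wrapped in the post, and the same on one line.
WRAPPED = "output database: log, mysql, user=snort password=\ndbname=snort_log host=localhost\n"
JOINED = "output database: log, mysql, user=snort password= dbname=snort_log host=localhost\n"

if __name__ == "__main__":
    for name, text in (("wrapped", WRAPPED), ("joined", JOINED)):
        print(name, lint_output_database(text) or ["ok"])
```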

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users