Snort mailing list archives

Re: SnortCenter Configuration


From: "Roy S. Rapoport" <snort-users () ols inorganic org>
Date: Fri, 30 May 2003 00:35:58 -0700

On Thu, May 29, 2003 at 11:44:57PM -0700, Roy S. Rapoport wrote:
> Is this even the best place to ask Snort Center questions?
> http://users.pandora.be/larc/index.html doesn't seem to mention any
> snortcenter-specific mailing lists.
>
> I actually had Snort working well in standalone mode, and I'm trying to
> integrate it into SnortCenter (so I'll initially have SnortCenter manage
> one agent).  SnortCenter and Agent talk well with each other; I've
> uploaded the config file I was using originally, but I'm having a
> problem with the rules.  Specifically, if I do admin->import/update
> rules->update from internet, I get "No update this time..." which is not
> necessarily all that descriptive.  Nothing new?  Couldn't find anything?
> Dunno.
>
> I obviously don't want to hand-enter a whole bunch of different rules.
> Any suggestions?

I figured out, at least preliminarily, what was going on.

On my system, snortcenter was attempting to download the files by using:
$fp=popen($curl_path."curl -s $proxyline $snortrules_url 2>/dev/null | tar xzOf - rules/*.rules rules/*.conf rules/*.config", "r");

However, on Solaris tar cannot cope with compressed files.  I needed to
use gtar (the gnu tar) and fully qualify it.  So this:
$fp=popen($curl_path."curl -s $proxyline $snortrules_url 2>/dev/null | /usr/local/bin/gtar xzOf - rules/*.rules rules/*.conf rules/*.config", "r");

Worked.  Kinda.  After running this and having SnortCenter see all the
rules, I attempted to do it again for no particularly good reason, and
got:
Database ERROR:Database ERROR:Unknown column 'byte_jump' in 'field list'

Which I suppose makes sense:  There are several DB queries that seem to
rely on a byte_jump column in uricontent:
---
151 nag /usr/local/snortcenter # grep byte_jump * | grep "SELECT"
rules.php:        $result_content = $db->acidExecute("SELECT content, off_set, depth, nocase, regex, rawbytes, distance, within, byte_jump, byte_test  FROM content WHERE sid='$sid'");
rules.php:        $result_uricontent = $db->acidExecute("SELECT uricontent, off_set, depth, nocase, regex, distance, within, byte_jump, byte_test FROM uricontent WHERE sid='$sid'");
sensor.inc.php:                    $result_content = $db->acidExecute("SELECT content, off_set, depth, nocase, regex, rawbytes, distance, within, byte_jump, byte_test FROM content WHERE sid='$sid'");
sensor.inc.php:                    $result_uricontent = $db->acidExecute("SELECT uricontent, off_set, depth, nocase, regex, distance, within, byte_jump, byte_test FROM uricontent WHERE sid='$sid'");
sensor_rules.php:        $result_content = $db->acidExecute("SELECT content, off_set, depth, nocase, regex, rawbytes, distance, within, byte_jump, byte_test FROM content WHERE sid='$sid'");
sensor_rules.php:        $result_uricontent = $db->acidExecute("SELECT uricontent, off_set, depth, nocase, regex, distance, within, byte_jump, byte_test FROM uricontent WHERE sid='$sid'");
---

But when uricontent is created, it's created thus:
CREATE TABLE uricontent (
  sid bigint(20) unsigned NOT NULL default '0',
  uricontent longtext,
  off_set varchar(4) default NULL,
  depth varchar(4) default NULL,
  nocase varchar(6) default NULL,
  regex varchar(5) default NULL,
  KEY sid (sid)
) TYPE=MyISAM;

So, obviously, you get database errors.

I'm hearing of a lot of people happily using SnortCenter.  The problems
I'm encountering are so darn basic, I'm wondering if there's something
fundamentally different or broken about my setup (one possibility for
the tar issue is that nobody considered that SnortCenter might be run on
a non-BSD/non-Linux system, for example), or if, in fact, someone was
just damn sloppy with this latest version of SnortCenter.

Thoughts?

-roy
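A schema-consistency check for the mismatch described in the post, added here as an example; it is not SnortCenter code. It pulls the column names out of the SELECT statements and the CREATE TABLE and reports columns the queries reference that the table never defines, which is exactly what produces the "Unknown column 'byte_jump' in 'field list'" error. The sample input is constructed from the post's own grep output and CREATE TABLE.

```python
import re

# Constructed sample: the uricontent queries from the grep output and the
# CREATE TABLE statement from the post, trimmed to what the check needs.
PHP_QUERIES = """
rules.php: $r = $db->acidExecute("SELECT uricontent, off_set, depth, nocase, regex, distance, within, byte_jump, byte_test FROM uricontent WHERE sid='$sid'");
sensor.inc.php: $r = $db->acidExecute("SELECT uricontent, off_set, depth, nocase, regex, distance, within, byte_jump, byte_test FROM uricontent WHERE sid='$sid'");
"""

SCHEMA_SQL = """
CREATE TABLE uricontent (
  sid bigint(20) unsigned NOT NULL default '0',
  uricontent longtext,
  off_set varchar(4) default NULL,
  depth varchar(4) default NULL,
  nocase varchar(6) default NULL,
  regex varchar(5) default NULL,
  KEY sid (sid)
) TYPE=MyISAM;
"""

SELECT_RE = re.compile(r"SELECT\s+(.+?)\s+FROM\s+(\w+)", re.IGNORECASE | re.DOTALL)
NON_COLUMN_KEYWORDS = {"KEY", "PRIMARY", "UNIQUE", "INDEX", "CONSTRAINT", "FOREIGN"}


def referenced_columns(php):
    """Map table name -> set of columns that the SELECTs in the PHP source read."""
    refs = {}
    for cols, table in SELECT_RE.findall(php):
        refs.setdefault(table, set()).update(c.strip() for c in cols.split(","))
    return refs


def schema_columns(sql):
    """Map table name -> set of columns defined in CREATE TABLE statements (line-based)."""
    tables, current = {}, None
    for raw in sql.splitlines():
        line = raw.strip()
        started = re.match(r"CREATE TABLE\s+`?(\w+)`?\s*\(", line, re.IGNORECASE)
        if started:
            current = started.group(1)
            tables[current] = set()
            continue
        if current is None or not line:
            continue
        if line.startswith(")"):          # end of the column list
            current = None
            continue
        first = line.split()[0].strip("`,")
        if first.upper() not in NON_COLUMN_KEYWORDS:   # skip KEY/index lines
            tables[current].add(first)
    return tables


def missing_columns(php=PHP_QUERIES, sql=SCHEMA_SQL):
    """Return {table: sorted list of columns queried but absent from the schema}."""
    schema = schema_columns(sql)
    report = {}
    for table, cols in referenced_columns(php).items():
        gap = cols - schema.get(table, set())
        if gap:
            report[table] = sorted(gap)
    return report


if __name__ == "__main__":
    for table, cols in missing_columns().items():
        print(f"{table}: queried but not defined: {', '.join(cols)}")
```

Running it against a full SnortCenter checkout and its schema file (paths are yours to supply) flags every table where the PHP and the CREATE TABLE have drifted apart, not just uricontent.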


