Snort mailing list archives
RE: snort warnings
From: "Everist, Benjamin S. (NASWI)" <EveristB () naswi navy mil>
Date: Wed, 6 Aug 2003 11:48:08 -0700
So here is my guess of what is going on: snort logs unique signatures it sees to the signature table. When logging an alert, it checks the signature table to see if the signature has been alerted previously by means of the query

SELECT sig_id FROM signature WHERE sig_name = '(signame)' AND sig_rev = (sig_rev) AND sig_sid = (sig_sid)

The variables of which can be gotten from the rules files triggering an alert. If it's already there snort can use the existing record, if not snort writes a new one. This could explain the errors knox3 is writing to stdout; first it finds more than 0 or 1 records for the query and gives 'returned more than one result', then it tries to write a new signature to the table and gets 'Problem inserting a new signature'. (In mysql it appears that sig_name and sig_class_id form a multi-column index. In postgres (which I am not using nor familiar with) there appears to be an index on both sig_name and sig_class_id. Perhaps the problem being referred to is a duplicate value for that/those indexes.)

If that is true, then what has happened such that so many entries exist in the signature table for each signature? Would it be possible to try to fix this problem (symptom?) by dumping the duplicate entries from the signature table?

I think we need input from more experienced snorters (but in the absence of that, I suppose I would create a new test snort db on your database machine and have knox3 log to it, and go from there).

Benjamin Everist

-----Original Message-----
From: Bryan Irvine [mailto:bryan.irvine () kingcountyjournal com]
Sent: Wednesday, August 06, 2003 10:31 AM
To: Everist, Benjamin S. (NASWI)
Cc: 'snort-users () lists sourceforge net'
Subject: RE: [Snort-users] snort warnings

It is getting started in Daemon mode, I just see the data go by. It might be unrelated to my current problem, and I only bring it up because it might be related.

But when I run

###paste good command###
snort -o -b -l /var/www/htdocs/snort/xl1 -d -D -i xl1 -c /usr/local/share/snort/xl1.conf not host '(10.0.0.2)'
########################

I don't get any output, it just drops me down a line, but when I run

###paste bad command###
snort -o -b -l /var/www/htdocs/snort/fxp0 -d -D -i fxp0 -c /usr/local/share/snort/fxp0.conf not host '(192.233.100.78)'
#######################

I get this:

###Paste output from bad command###
#
Aug 6 10:05:33 knox3 snort: Initializing daemon mode
Aug 6 10:05:33 knox3 snort: PID path stat checked out ok, PID path set to /var/run/
Aug 6 10:05:33 knox3 snort: Writing PID "25358" to file "/var/run//snort_fxp1.pid"
Aug 6 10:05:33 knox3 snort: http_decode arguments:
Aug 6 10:05:33 knox3 snort: Unicode decoding
Aug 6 10:05:33 knox3 snort: IIS alternate Unicode decoding
Aug 6 10:05:33 knox3 snort: IIS double encoding vuln
Aug 6 10:05:33 knox3 snort: Flip backslash to slash
Aug 6 10:05:33 knox3 snort: Include additional whitespace separators
Aug 6 10:05:33 knox3 snort: Ports to decode http on: 80
Aug 6 10:05:33 knox3 snort: rpc_decode arguments:
Aug 6 10:05:33 knox3 snort: Ports to decode RPC on: 111 32771
Aug 6 10:05:33 knox3 snort: alert_fragments: INACTIVE
Aug 6 10:05:33 knox3 snort: alert_large_fragments: ACTIVE
Aug 6 10:05:33 knox3 snort: alert_incomplete: ACTIVE
Aug 6 10:05:33 knox3 snort: alert_multiple_requests: ACTIVE
Aug 6 10:05:33 knox3 snort: telnet_decode arguments:
Aug 6 10:05:33 knox3 snort: Ports to decode telnet on: 21 23 25 119
Aug 6 10:05:35 knox3 snort: Snort initialization completed successfully
#################################

It does fire up in Daemon mode, just not quietly like the other one does. I'm thinking it might be related to the fact that you only get 1 instance when you run the select and I get 141.

I tried just doing a "select * from signature;" just to satisfy my own curiosity and got tired of watching the output at around record 10,000-ish and canceled out; there was lots of output for the records that aren't getting inserted.

--Bryan

On Wed, 2003-08-06 at 10:09, Everist, Benjamin S. (NASWI) wrote:

Be my guest. Another question - you wrote in another post: "the 2.0.0 box starts quietly and I don't see any output when I run the script, the 2.0.1 box scrolls the regular startup output when started." Snort scrolling the startup output to stdout sounds like it -isn't- starting in Daemon mode. What's up with that?

-----Original Message-----
From: Bryan Irvine [mailto:bryan.irvine () kingcountyjournal com]
Sent: Wednesday, August 06, 2003 9:58 AM
To: Everist, Benjamin S. (NASWI)
Subject: RE: [Snort-users] snort warnings

I uhm... get 141 rows.... odd... mind if I repost your message to the list?

--Bryan

On Wed, 2003-08-06 at 09:47, Everist, Benjamin S. (NASWI) wrote:

Just out of curiosity, if you log into postgres and issue the following query:

select * from signature where sig_name = 'WEB-CGI adcycle access' and sig_rev = 3 and sig_sid = 1721;

what do you get? In mysql, I get:
+--------+------------------------+--------------+--------------+---------+---------+
| sig_id | sig_name               | sig_class_id | sig_priority | sig_rev | sig_sid |
+--------+------------------------+--------------+--------------+---------+---------+
|     39 | WEB-CGI adcycle access |            5 |            2 |       3 |    1721 |
+--------+------------------------+--------------+--------------+---------+---------+
1 row in set (0.00 sec)

It looks as if snort is expecting one record and getting >1. Snort is then writing the error to stdout.

-----Original Message-----
From: Bryan Irvine [mailto:bryan.irvine () kingcountyjournal com]
Sent: Tuesday, August 05, 2003 3:06 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] snort warnings

I get tons of these errors

Aug 5 14:48:10 knox3 snort: database: warning (SELECT sig_id FROM signature WHERE sig_name = 'WEB-CGI adcycle access' AND sig_rev = 3 AND sig_sid = 1721 ) returned more than one result
Aug 5 14:48:10 knox3 snort: database: warning (SELECT sig_id FROM signature WHERE sig_name = 'WEB-CGI adcycle access' AND sig_rev = 3 AND sig_sid = 1721 ) returned more than one result
Aug 5 14:48:10 knox3 snort: database: Problem inserting a new signature 'WEB-CGI adcycle access'
Aug 5 14:48:10 knox3 snort: database: Problem inserting a new signature 'WEB-CGI adcycle access'

The odd thing is, this is set to run in daemon mode and log to postgres so I'm not sure why I'm even getting the errors to stdout. This is the script I'm using to start snort.

snort -o -b -l /var/www/htdocs/snort/fxp0 -d -D -i fxp0 -c /usr/local/share/snort/fxp0.conf not host '(192.233.100.178)'
snort -o -b -l /var/www/htdocs/snort/fxp1 -d -D -i fxp1 -c /usr/local/share/snort/fxp1.conf not host '(192.233.100.178)'

any ideas?

--Bryan
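Benjamin's suggestion of dumping the duplicate signature entries, worked out as an added PostgreSQL example that is not part of the thread. It assumes the standard Snort database schema in which event.signature references signature.sig_id; the index name is made up, and the sensors logging to this database should be stopped while it runs.

```sql
BEGIN;

-- 1. Report the (sig_name, sig_rev, sig_sid) groups that make Snort's
--    lookup return more than one row, and which sig_id will survive.
SELECT sig_name, sig_rev, sig_sid, COUNT(*) AS copies, MIN(sig_id) AS keep_id
FROM signature
GROUP BY sig_name, sig_rev, sig_sid
HAVING COUNT(*) > 1
ORDER BY copies DESC;

-- 2. Re-point events at the lowest sig_id of their group, so no event is
--    orphaned when the extra rows go.
--    Assumption: event.signature references signature.sig_id (standard schema).
UPDATE event
SET signature = (
    SELECT MIN(s2.sig_id)
    FROM signature s1 JOIN signature s2
      ON s2.sig_name = s1.sig_name AND s2.sig_rev = s1.sig_rev AND s2.sig_sid = s1.sig_sid
    WHERE s1.sig_id = event.signature
)
WHERE EXISTS (
    SELECT 1
    FROM signature s1 JOIN signature s2
      ON s2.sig_name = s1.sig_name AND s2.sig_rev = s1.sig_rev AND s2.sig_sid = s1.sig_sid
    WHERE s1.sig_id = event.signature AND s2.sig_id < s1.sig_id
);

-- 3. Delete every signature row that is not the surviving sig_id of its group.
DELETE FROM signature
WHERE sig_id <> (
    SELECT MIN(d.sig_id) FROM signature d
    WHERE d.sig_name = signature.sig_name
      AND d.sig_rev  = signature.sig_rev
      AND d.sig_sid  = signature.sig_sid
);

-- 4. Make the lookup key unique so the table cannot drift back into this
--    state; a second sensor racing to insert the same signature now fails
--    loudly instead of creating a duplicate. (Index name is made up.)
CREATE UNIQUE INDEX signature_name_rev_sid_uniq
    ON signature (sig_name, sig_rev, sig_sid);

COMMIT;
```

Run step 1 on its own first and compare the row count with the 141 copies seen above; if the numbers do not match what you expect, ROLLBACK rather than COMMIT.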
Current thread:
- snort warnings Bryan Irvine (Aug 05)
- <Possible follow-ups>
- RE: snort warnings Everist, Benjamin S. (NASWI) (Aug 06)
- RE: snort warnings Bryan Irvine (Aug 06)
- RE: snort warnings Erek Adams (Aug 06)
- RE: snort warnings Bryan Irvine (Aug 06)
- RE: snort warnings Bryan Irvine (Aug 06)
- RE: snort warnings Bryan Irvine (Aug 06)
- RE: snort warnings Everist, Benjamin S. (NASWI) (Aug 06)
- RE: snort warnings Bryan Irvine (Aug 06)
- RE: snort warnings Everist, Benjamin S. (NASWI) (Aug 06)
- RE: snort warnings Bryan Irvine (Aug 06)
- RE: snort warnings Bryan Irvine (Aug 06)
- RE: snort warnings Michael J. McCasland (Aug 07)