Snort mailing list archives

RE: Snort logging to mysql with no ip on monitored interface


From: "Shaffer, Paul D" <paul.d.shaffer () lmco com>
Date: Wed, 31 Dec 2003 09:06:37 -0700

Uh, I think maybe you're heading the wrong way here.  The lack of an IP address on your sensor interface has absolutely 
nothing to do with database output.  I have an almost identical setup running (2.1, though), no probs.  Maybe an 
obvious question, but how do you know for sure Snort is not outputting to the database?  Have you tested it by invoking 
some known alerts from an external source?  Sorry, had to ask...
 
Paul

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net]On Behalf Of snort
Sent: Wednesday, December 31, 2003 8:51 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort logging to mysql with no ip on monitored interface


1)       I am making the assumption that logging to MySQL is not possible if the interface I am monitoring does not 
have an IP. Can someone confirm that?
2)       Since I am able to log to a flat file, and I would like to use ACID, can someone point me to a flat file to 
MySQL script that I can use to populate MySQL with a cron job?
 
 
I have Version 2.0.1-ODBC-MySQL-WIN32 (Build 88) under windows with acid. Everything is working fine on interface 
10.0.0.1. Logging to the db works fine, etc. I put in a second NIC and set it up under XP with no IP address. Ethereal 
can sniff packets on the interface just fine. I have snort configured for the second interface, but it cannot log to 
the mysql database. I added an output plugin for file and was able to see alerts from it. What am I doing wrong?
 
 
Cable modem-----------dumb hub---------linksys fw---------10.0.0.1 interface 1
                                     |_______________________0.0.0.0  interface 2
 
 
Snort output:
 
D:\EagleX\snort\bin>D:\EagleX\Snort\bin\snort.exe -c "D:\EagleX\Snort\etc\snort.conf" -l "D:\EagleX\Snort\logs" -i 2 -h 
192.1
0/24 -X -z
Running in IDS mode
Log directory = D:\EagleX\Snort\logs
 
Initializing Network Interface \Device\NPF_{B7264AA4-8C2E-489E-951C-A32498F2FD36}
 
        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface \Device\NPF_{B7264AA4-8C2E-489E-951C-A32498F2FD36}
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file D:\EagleX\Snort\etc\snort.conf
 
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
    Self preservation threshold: 500
    Self preservation period: 90
    Suspend threshold: 1000
    Suspend period: 30
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
Stream4_reassemble config:
    Server reassembly: ACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Ports: 21 23 25 53 80 110 111 143 513 1433
    Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80 8877 8888
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
Using LOCAL time
Conversation Config:
   KeepStats: 0
   Conv Count: 65535
   Timeout   : 60
   Alert Odd?: 1
   Allowed IP Protocols:  All
 
database: compiled support for ( mysql odbc )
database: configured to use Mysql
database:          host = localhost
database:          port = 7788
database: database name = snort
database:          user = snort
database: password is set
database:   sensor name = inet
database: detail level  = full
database:     sensor id = 3
database: schema version = 106
database: using the "alert" facility
1581 Snort rules read...
1581 Option Chains linked into 197 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
 
Rule application order: ->activation->dynamic->alert->pass->log
 
        --== Initialization Complete ==--
 
-*> Snort! <*-
Version 2.0.1-ODBC-MySQL-WIN32 (Build 88)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
1.7-WIN32 Port By Michael Davis (mike () datanerds net, www.datanerds.net/~mike)
1.8 - 2.0 WIN32 Port By Chris Reid (chris.reid () codecraftconsultants com)
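Added example (not from the thread): the startup output above shows the database plugin connected and registered "sensor id = 3", so the first check is whether events for that sensor are actually arriving. These queries assume the standard Snort MySQL schema (version 106, as printed) with its sensor, event, signature and iphdr tables.

```sql
-- Confirm the sensor row Snort announced at startup ("sensor id = 3") exists;
-- Snort creates or finds this row on connect, so its presence shows the DB link works
SELECT sid, hostname, interface, filter, detail, encoding, last_cid
FROM sensor
WHERE sid = 3;

-- Event counts per sensor, so the IP-less interface can be compared with the 10.0.0.1 one
SELECT s.sid, s.hostname, s.interface,
       COUNT(e.cid)     AS events,
       MAX(e.timestamp) AS last_event
FROM sensor s
LEFT JOIN event e ON e.sid = s.sid
GROUP BY s.sid, s.hostname, s.interface;

-- Most recent alerts from sensor 3 with signature name and endpoints
-- (ip_src/ip_dst are stored as unsigned integers, hence INET_NTOA)
SELECT e.cid, e.timestamp, sig.sig_name,
       INET_NTOA(ip.ip_src) AS src,
       INET_NTOA(ip.ip_dst) AS dst
FROM event e
JOIN signature sig ON sig.sig_id = e.signature
LEFT JOIN iphdr ip  ON ip.sid = e.sid AND ip.cid = e.cid
WHERE e.sid = 3
ORDER BY e.timestamp DESC
LIMIT 20;
```

If the sensor row exists but the event count stays at zero while the file output plugin keeps writing alerts, the problem is on the output side (for instance the non-default port 7788 shown in the startup banner), not the missing interface address.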
