Snort mailing list archives

RE: Snort logging to mysql with no ip on monitored interface


From: "snort" <snort () scottcarpenter net>
Date: Wed, 31 Dec 2003 17:53:36 -0500

I am now getting db alerts, but only port scans from my cable modem ip
interface. 
 
-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of snort
Sent: Wednesday, December 31, 2003 5:41 PM
To: snort () scottcarpenter net; CMartin () infosol com; michaels () winsnort com
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snort logging to mysql with no ip on monitored interface
 
It may be that the interface is overloaded. I used the -v switch and
get:
 
D:\EagleX\snort>D:\EagleX\Snort\bin\snort.exe -c "D:\EagleX\Snort\etc\snort.conf" -l "D:\EagleX\Snort\logs" -i 2 -h 192.168.0.100/2 -v
Running in IDS mode
Log directory = D:\EagleX\Snort\logs
 
Initializing Network Interface
\Device\NPF_{B7264AA4-8C2E-489E-951C-A32498F2FD36}
 
        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface
\Device\NPF_{B7264AA4-8C2E-489E-951C-A32498F2FD36}
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file D:\EagleX\Snort\etc\snort.conf
 
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
database: compiled support for ( mysql odbc )
database: configured to use Mysql
database:          host = localhost
database:          port = 7788
database: database name = snort
database:          user = snort
database: password is set
database:   sensor name = inet
database: detail level  = full
database:     sensor id = 3
database: schema version = 106
database: using the "alert" facility
1581 Snort rules read...
1581 Option Chains linked into 197 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
 
Rule application order: ->activation->dynamic->alert->pass->log
 
        --== Initialization Complete ==--
 
-*> Snort! <*-
Version 2.0.1-ODBC-MySQL-WIN32 (Build 88)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
1.7-WIN32 Port By Michael Davis (mike () datanerds net, www.datanerds.net/~mike)
1.8 - 2.0 WIN32 Port By Chris Reid (chris.reid () codecraftconsultants com)
12/31-17:37:46.404823 ARP who-has 68.100.137.3 tell 68.100.136.1
 
12/31-17:37:46.853076 ARP who-has 10.5.201.19 tell 10.5.192.1
 
12/31-17:37:46.853263 ARP who-has 68.100.141.190 tell 68.100.136.1
 
12/31-17:37:46.922747 ARP who-has 68.100.143.151 tell 68.100.136.1
 
12/31-17:37:47.441033 ARP who-has 68.100.145.0 tell 68.100.144.1
 
12/31-17:37:47.852663 ARP who-has 68.100.148.110 tell 68.100.144.1
 
12/31-17:37:47.852811 ARP who-has 68.100.139.37 tell 68.100.136.1
 
12/31-17:37:47.857267 ARP who-has 68.100.146.56 tell 68.100.144.1
 
12/31-17:37:48.521345 ARP who-has 68.100.136.12 tell 68.100.136.1
 
12/31-17:37:48.661274 ARP who-has 68.100.141.218 tell 68.100.136.1
 
12/31-17:37:48.739527 ARP who-has 68.105.187.184 tell 68.105.187.1
 
12/31-17:37:48.852797 ARP who-has 10.5.204.52 tell 10.5.192.1
 
12/31-17:37:49.853183 ARP who-has 10.5.200.192 tell 10.5.192.1
 
12/31-17:37:49.962343 ARP who-has 68.100.138.179 tell 68.100.136.1
 
12/31-17:37:49.987511 10.5.192.1:67 -> 255.255.255.255:68
UDP TTL:16 TOS:0x7 ID:0 IpLen:20 DgmLen:328
Len: 300
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
 
12/31-17:37:50.010668 10.5.192.1:67 -> 255.255.255.255:68
UDP TTL:16 TOS:0x7 ID:0 IpLen:20 DgmLen:328
Len: 300
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
 
12/31-17:37:50.652817 ARP who-has 68.100.150.223 tell 68.100.144.1
 
12/31-17:37:50.691730 ARP who-has 68.105.187.197 tell 68.105.187.1
 
12/31-17:37:50.852925 ARP who-has 10.5.190.106 tell 10.5.184.1
 
12/31-17:37:50.991994 ARP who-has 68.105.187.199 tell 68.105.187.1
 
12/31-17:37:50.998991 ARP who-has 10.5.207.29 tell 10.5.192.1
 
12/31-17:37:51.183033 ARP who-has 68.100.27.17 tell 68.100.26.1
 
12/31-17:37:51.258331 ARP who-has 68.100.150.89 tell 68.100.144.1
 
12/31-17:37:51.398474 216.55.16.67:3474 -> 68.100.137.18:25
TCP TTL:109 TOS:0x0 ID:54619 IpLen:20 DgmLen:48 DF
******S* Seq: 0x790B674A  Ack: 0x0  Win: 0xFAF0  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
 
12/31-17:37:51.399618 ARP who-has 68.100.136.1 tell 68.100.137.18
 
12/31-17:37:51.411000 ARP reply 68.100.136.1 is-at 0:50:57:0:87:6A
 
12/31-17:37:51.411521 68.100.137.18:25 -> 216.55.16.67:3474
TCP TTL:128 TOS:0x0 ID:39884 IpLen:20 DgmLen:48 DF
***A**S* Seq: 0x8F6C66F0  Ack: 0x790B674B  Win: 0xFFF0  TcpLen: 28
TCP Options (4) => MSS: 1260 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
 
12/31-17:37:51.442306 ARP who-has 68.105.187.202 tell 68.105.187.1
 
12/31-17:37:51.463001 216.55.16.67:3474 -> 68.100.137.18:25
TCP TTL:109 TOS:0x0 ID:54631 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x790B674B  Ack: 0x8F6C66F1  Win: 0xFB04  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
 
12/31-17:37:51.474576 68.100.137.18:25 -> 216.55.16.67:3474
TCP TTL:128 TOS:0x0 ID:39885 IpLen:20 DgmLen:88 DF
***AP*** Seq: 0x8F6C66F1  Ack: 0x790B674B  Win: 0xFFF0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
 
12/31-17:37:51.477225 68.100.137.18:25 -> 216.55.16.67:3474
TCP TTL:128 TOS:0x0 ID:39886 IpLen:20 DgmLen:40 DF
***A***F Seq: 0x8F6C6721  Ack: 0x790B674B  Win: 0xFFF0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
 
12/31-17:37:51.532155 216.55.16.67:3474 -> 68.100.137.18:25
TCP TTL:109 TOS:0x0 ID:54638 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x790B674B  Ack: 0x8F6C6722  Win: 0xFAD4  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
 
12/31-17:37:51.569131 216.55.16.67:3474 -> 68.100.137.18:25
TCP TTL:109 TOS:0x0 ID:54644 IpLen:20 DgmLen:46 DF
***AP*** Seq: 0x790B674B  Ack: 0x8F6C6722  Win: 0xFAD4  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
 
12/31-17:37:51.569199 216.55.16.67:3474 -> 68.100.137.18:25
TCP TTL:109 TOS:0x0 ID:54645 IpLen:20 DgmLen:40 DF
***A***F Seq: 0x790B6751  Ack: 0x8F6C6722  Win: 0xFAD4  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
 
12/31-17:37:51.570428 68.100.137.18:25 -> 216.55.16.67:3474
TCP TTL:128 TOS:0x0 ID:39887 IpLen:20 DgmLen:40 DF
*****R** Seq: 0x8F6C6722  Ack: 0x790B674B  Win: 0x0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
 
12/31-17:37:51.570752 68.100.137.18:25 -> 216.55.16.67:3474
TCP TTL:128 TOS:0x0 ID:39888 IpLen:20 DgmLen:40
*****R** Seq: 0x8F6C6722  Ack: 0x8F6C6722  Win: 0x0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
 
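As an added check (example code, not from the thread or from Snort itself), a small Python parser for the -v console format shown above: it counts ARP/TCP/UDP frames and reports how many IP packets have an address inside the HOME_NET passed with -h, normalising the mask so a CIDR such as a /2 shows what it actually covers. The sample output and the addresses in it are constructed, not taken from the thread.

```python
import ipaddress
import re
from collections import Counter

# IP packet header in Snort 2.x -v output: "12/31-17:37:51.398474 A:port -> B:port"
IP_HDR = re.compile(
    r"^\d\d/\d\d-\d\d:\d\d:\d\d\.\d+\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::\d+)?$")
# ARP frames: "... ARP who-has A tell B" or "... ARP reply A is-at MAC"
ARP_HDR = re.compile(r"^\d\d/\d\d-\d\d:\d\d:\d\d\.\d+\s+ARP\s+(who-has|reply)\b")
# The second line of an IP packet names the transport protocol: "TCP TTL:109 ..."
PROTO = re.compile(r"^(TCP|UDP|ICMP)\s+TTL:")

# Constructed sample in the same format (documentation addresses, not the thread's).
SAMPLE = """\
12/31-17:37:46.404823 ARP who-has 198.51.100.3 tell 198.51.100.1

12/31-17:37:49.987511 192.0.2.1:67 -> 255.255.255.255:68
UDP TTL:16 TOS:0x7 ID:0 IpLen:20 DgmLen:328

12/31-17:37:51.398474 203.0.113.9:3474 -> 198.51.100.18:25
TCP TTL:109 TOS:0x0 ID:54619 IpLen:20 DgmLen:48 DF
TCP Options (4) => MSS: 1460 NOP NOP SackOK

12/31-17:37:51.411000 ARP reply 198.51.100.1 is-at 0:50:57:0:87:6A
"""


def summarise(output, home_net):
    """Count frames per protocol and how many IP packets touch HOME_NET (-h).
    strict=False accepts a mask with host bits set (e.g. /2); the normalised net is returned."""
    net = ipaddress.ip_network(home_net, strict=False)
    counts, inside, outside = Counter(), 0, 0
    pending = None  # (src, dst) of an IP header still waiting for its protocol line
    for line in output.splitlines():
        line = line.strip()
        if ARP_HDR.match(line):
            counts["ARP"] += 1
        elif (m := IP_HDR.match(line)):
            pending = (ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"]))
        elif (p := PROTO.match(line)) and pending:
            counts[p.group(1)] += 1
            if pending[0] in net or pending[1] in net:
                inside += 1
            else:
                outside += 1
            pending = None
    return {"home_net": str(net), "counts": dict(counts),
            "ip_in_home_net": inside, "ip_outside_home_net": outside}
```

Feed it a saved -v capture and the same -h value used on the command line; if every IP packet lands in the "outside" count, the rules that depend on HOME_NET cannot match that traffic.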
-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of snort
Sent: Wednesday, December 31, 2003 5:35 PM
To: CMartin () infosol com; michaels () winsnort com
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snort logging to mysql with no ip on monitored interface
 
I tried that, but if you leave off the -l switch it complains:
 
D:\EagleX>D:\EagleX\Snort\bin\snort.exe -c "D:\EagleX\Snort\etc\snort.conf"  -i 2
Running in IDS mode
Log directory = log
ERROR:
[!] ERROR: Can not get write access to logging directory "log".
(directory doesn't exist or permissions are set incorrectly
or it is not a directory at all)
 
Fatal Error, Quitting..
 
 
This is really strange. If I just change the interface, alerts do not
work with either file or db.
I have a web page http://www.cheerleaders4free.com/ that will set off an
alert. With ethereal, I can capture the packets just fine on interface
2:
 
01f0  65 72 73 2e 22 3e 0d 0a 3c 6d 65 74 61 20 6e 61   ers.">..<meta na
0200  6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f   me="keywords" co
0210  6e 74 65 6e 74 3d 22 63 68 65 65 72 6c 65 61 64   ntent="cheerlead
0220  65 72 20 73 65 78 2c 20 6e 75 64 65 20 63 68 65   er sex, nude che
0230  65 72 6c 65 61 64 65 72 73 2c 20 63 68 65 65 72   erleaders, cheer
0240  6c 65 61 64 65 72 20 66 75 63 6b 69 6e 67 2c 20   leader fucking, 
0250  63 68 65 65 72 67 69 72 6c 2c 20 4c 69 67 68 74   cheergirl, Light
 
If I change to -i 1, I get the alert and the log just fine.
 
D:\EagleX\snort>D:\EagleX\Snort\bin\snort.exe -c "D:\EagleX\Snort\etc\snort.conf"  -i 2
Running in IDS mode
Log directory = log
 
Initializing Network Interface
\Device\NPF_{B7264AA4-8C2E-489E-951C-A32498F2FD36}
 
        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface
\Device\NPF_{B7264AA4-8C2E-489E-951C-A32498F2FD36}
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file D:\EagleX\Snort\etc\snort.conf
 
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
database: compiled support for ( mysql odbc )
database: configured to use Mysql
database:          host = localhost
database:          port = 7788
database: database name = snort
database:          user = snort
database: password is set
database:   sensor name = inet
database: detail level  = full
database:     sensor id = 3
database: schema version = 106
database: using the "alert" facility
1581 Snort rules read...
1581 Option Chains linked into 197 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
 
Rule application order: ->activation->dynamic->alert->pass->log
 
        --== Initialization Complete ==--
 
-*> Snort! <*-
Version 2.0.1-ODBC-MySQL-WIN32 (Build 88)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
1.7-WIN32 Port By Michael Davis (mike () datanerds net, www.datanerds.net/~mike)
1.8 - 2.0 WIN32 Port By Chris Reid (chris.reid () codecraftconsultants com)
 
-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of CMartin () infosol com
Sent: Wednesday, December 31, 2003 1:57 PM
To: michaels () winsnort com
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snort logging to mysql with no ip on monitored interface
 
Howdy,
 
I think I found your problem.  I'm running snort on linux, but I think
the command line is the same.  There are times when I would like to log
to a directory and not log to a database.  I still make a reference to
the conf file that has all my database login information but then in the
command line I specify it to log to a directory using the -l (log)
switch, as you do in your command line.  In my experience when you use
the -l switch in the command line, it overwrites all logging options
specified in your conf file.  So try removing the -l switch and see if
that helps.  If you want to log to both the directory and the database,
specify that in the conf file.
 
Chris
 
 
 
 
-----Original Message-----
From: Michael Steele [mailto:michaels () winsnort com] 
Sent: Wednesday, December 31, 2003 10:38 AM
To: 'Snort Users List'
Subject: RE: [Snort-users] Snort logging to mysql with no ip on monitored interface
 
You can do a tcpdump on the database port and see any alerts that are
being passed to it, while running a scan of the system using some
vulnerability scanner.
Kindest regards,

The WINSNORT.com Management Team
--
Pick up your FREE Windows or UNIX Snort installation guides      
mailto:support () winsnort com
Website: http://www.winsnort.com
Snort: Open Source Network IDS - http://www.snort.org

From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Shaffer, Paul D
Sent: Wednesday, December 31, 2003 8:07 AM
To: snort () scottcarpenter net; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snort logging to mysql with no ip on monitored interface
 
Uh, I think maybe you're heading the wrong way here.  The lack of an IP
address on your sensor interface has absolutely nothing to do with
database output.  I have an almost identical setup running (2.1,
though), no probs.  Maybe an obvious question, but how do you
know for sure Snort is not outputting to the database?  Have you tested
it by invoking some known alerts from an external source?  Sorry, had to
ask...
 
Paul
 
-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of snort
Sent: Wednesday, December 31, 2003 8:51 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort logging to mysql with no ip on monitored interface
 
1) I am making the assumption that logging to MySQL is not possible if
   the interface I am monitoring does not have an IP. Can someone
   confirm that?
2) Since I am able to log to a flat file, and I would like to use ACID,
   can someone point me to a flat file to MySQL script that I can use
   to populate MySQL with a cron job?
 
 
I have Version 2.0.1-ODBC-MySQL-WIN32 (Build 88) under windows with
acid. Everything is working fine on interface 10.0.0.1. Logging to the
db works fine, etc. I put in a second NIC and set it up under XP with no
IP address. Ethereal can sniff packets on the interface just fine. I
have snort configured for the second interface, but it cannot log to the
mysql database. I added an output plugin for file and was able to see
alerts from it. What am I doing wrong?
 
 
Cable modem-----------dumb hub---------linksys fw---------10.0.0.1 interface 1
                                     |_______________________0.0.0.0 interface 2
 
 
Snort output:
 
D:\EagleX\snort\bin>D:\EagleX\Snort\bin\snort.exe -c
"D:\EagleX\Snort\etc\snort.conf" -l "D:\EagleX\Snort\logs" -i 2 -h 192.1
0/24 -X -z
Running in IDS mode
Log directory = D:\EagleX\Snort\logs
 
Initializing Network Interface
\Device\NPF_{B7264AA4-8C2E-489E-951C-A32498F2FD36}
 
        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface
\Device\NPF_{B7264AA4-8C2E-489E-951C-A32498F2FD36}
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file D:\EagleX\Snort\etc\snort.conf
 
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
    Self preservation threshold: 500
    Self preservation period: 90
    Suspend threshold: 1000
    Suspend period: 30
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
Stream4_reassemble config:
    Server reassembly: ACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Ports: 21 23 25 53 80 110 111 143 513 1433
    Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80 8877 8888
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
Using LOCAL time
Conversation Config:
   KeepStats: 0
   Conv Count: 65535
   Timeout   : 60
   Alert Odd?: 1
   Allowed IP Protocols:  All
 
database: compiled support for ( mysql odbc )
database: configured to use Mysql
database:          host = localhost
database:          port = 7788
database: database name = snort
database:          user = snort
database: password is set
database:   sensor name = inet
database: detail level  = full
database:     sensor id = 3
database: schema version = 106
database: using the "alert" facility
1581 Snort rules read...
1581 Option Chains linked into 197 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
 
Rule application order: ->activation->dynamic->alert->pass->log
 
        --== Initialization Complete ==--
 
-*> Snort! <*-
Version 2.0.1-ODBC-MySQL-WIN32 (Build 88)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
1.7-WIN32 Port By Michael Davis (mike () datanerds net, www.datanerds.net/~mike)
1.8 - 2.0 WIN32 Port By Chris Reid (chris.reid () codecraftconsultants com)
