snort doesn't write to mysql

["Ochs, Pam" <POchs () HPTI com>]

Hello.

I'm a newbie, but have checked the FAQs, done lots of searching, asked other linux-knowledgeable people, and I still 
can't figure this out. I've likely done something stupid - can anyone help me find it?

I'm running snort 2.1.0-2 on RedHat 9, with mysql, apache, php and acid. I have configured the output database line in 
snort.conf to point to the mysql database, but I see no sign that snort is even attempting to connect to the database. 
snort and snort-mysql are installed from the binary rpms available from snort.org; 

[root@fsf052 snort]# rpm -qa |grep snort 

snort-mysql-2.1.0-2 

snort-2.1.0-2

snort appears to be using snort.conf;

ps -ef |grep snort

snort 3849 1 0 16:15 ? 00:00:00 /usr/sbin/snort -A fast -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l 
/var/log/snort

However, I added "output log_tcpdump: tcpdump.log" to the snort.conf and found no tcpdump.log when I restarted the 
service and ran the scanner against it. Just to be sure, I created the empty file, gave the snort user pemissions on 
it, restarted the service, and ran the scanner again - the file remained empty. Does this mean the output settings in 
snort.conf are being overridden or ignored?

It is running snort-mysql;

ls -l /usr/sbin |grep snort

lrwxrwxrwx 1 root root 21 Feb 20 10:37 snort -> /usr/sbin/snort-mysql

-rwxr-xr-x 1 root root 478797 Dec 20 05:22 snort-mysql

-rwxr-xr-x 1 root root 478268 Dec 20 05:28 snort-plain

Does anyone know how this version was compiled? Do I have to have the database in a specific location?

Thanks in advance for any help,

Pam

I'm including my scripts and config files, basically all default, sorry for the length of the e-mail, I've removed a 
lot of the commented stuff and examples to make it shorter. Note, my e-mail client is causing stuff to wrap - there are 
no carriage returns: _________________________________________________________________________

/etc/init.d/snortd

#!/bin/sh

# $Id: snortd,v 1.17 2003/12/20 09:25:37 dwittenb Exp $

#

# snortd Start/Stop the snort IDS daemon.

#

# chkconfig: 2345 40 60

# description: snort is a lightweight network intrusion detection tool that \

# currently detects more than 1100 host and network \

# vulnerabilities, portscans, backdoors, and more.

#

# Source function library.

. /etc/rc.d/init.d/functions

# Source the local configuration file

. /etc/sysconfig/snort

# Convert the /etc/sysconfig/snort settings to something snort can # use on the startup line. if [ "$ALERTMODE"X = "X" 
]; then

ALERTMODE=""

else

ALERTMODE="-A $ALERTMODE"

fi

if [ "$USER"X = "X" ]; then

USER="snort"

fi

if [ "$GROUP"X = "X" ]; then

GROUP="snort"

fi

if [ "$BINARY_LOG"X = "1X" ]; then

BINARY_LOG="-b"

else

BINARY_LOG=""

fi

if [ "$CONF"X = "X" ]; then

CONF="-c /etc/snort/snort.conf"

else

CONF="-c $CONF"

fi

if [ "$INTERFACE"X = "X" ]; then

INTERFACE="-i eth0"

else 

INTERFACE="-i $INTERFACE"

fi

if [ "$DUMP_APP"X = "1X" ]; then

DUMP_APP="-d"

else

DUMP_APP=""

fi 

if [ "$NO_PACKET_LOG"X = "1X" ]; then

NO_PACKET_LOG="-N"

else

NO_PACKET_LOG=""

fi 

if [ "$PRINT_INTERFACE"X = "1X" ]; then

PRINT_INTERFACE="-I"

else

PRINT_INTERFACE=""

fi

if [ "$PASS_FIRST"X = "1X" ]; then

PASS_FIRST="-o"

else

PASS_FIRST=""

fi

if [ "$LOGDIR"X = "X" ]; then

LOGDIR=/var/log/snort

fi

 

######################################

# Now to the real heart of the matter:

# See how we were called.

case "$1" in

start)

echo -n "Starting snort: "

cd $LOGDIR

if [ "$INTERFACE" = "-i ALL" ]; then

for i in `cd /proc/sys/net/ipv4/conf; ls -d eth* |sed s/"\/"//g`

do

mkdir -p "$LOGDIR/$i"

chown -R snort:snort $LOGDIR

daemon /usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE -i $i -u $USER -g $GROUP 
$CONF -l $LOGDIR/$i $PASS_FIRST

done

else

daemon /usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE $INTERFACE -u $USER -g 
$GROUP $CONF -l $LOGDIR $PASS_FIRST

fi

touch /var/lock/subsys/snort

echo

;;

stop)

echo -n "Stopping snort: "

killproc snort

rm -f /var/lock/subsys/snort

echo 

;;

reload)

echo "Sorry, not implemented yet"

;;

restart)

$0 stop

$0 start

;;

condrestart)

[ -e /var/lock/subsys/snort ] && /etc/init.d/snortd restart

;;

status)

status snort

;;

*)

echo "Usage: $0 {start|stop|reload|restart|condrestart|status}"

exit 2

esac

exit 0

 

___________________________________________________________________________

/etc/sysconfig/snort

# /etc/sysconfig/snort

# $Id: snort.sysconfig,v 1.8 2003/09/19 05:18:12 dwittenb Exp $

 

#### General Configuration

INTERFACE=eth0

CONF=/etc/snort/snort.conf

USER=snort

GROUP=snort

PASS_FIRST=0

#### Logging & Alerting

LOGDIR=/var/log/snort

ALERTMODE=fast

DUMP_APP=1

BINARY_LOG=1

NO_PACKET_LOG=0

PRINT_INTERFACE=0

 

________________________________________________________________

/etc/snort/snort.conf (password/IP obscured)

#--------------------------------------------------

# http://www.snort.org <http://www.snort.org/>  Snort 2.1.0 Ruleset

# Contact: snort-sigs () lists sourceforge net

#--------------------------------------------------

# $Id: snort.conf,v 1.133 2003/12/18 17:05:07 cazz Exp $

#

var HOME_NET x.x.x.0/xx

# Set up the external network addresses as well. A good start may be "any" var EXTERNAL_NET any

# List of DNS servers on your network 

var DNS_SERVERS $HOME_NET

# List of SMTP servers on your network

var SMTP_SERVERS $HOME_NET

# List of web servers on your network

var HTTP_SERVERS $HOME_NET

# List of sql servers on your network 

var SQL_SERVERS $HOME_NET

# List of telnet servers on your network

var TELNET_SERVERS $HOME_NET

# List of snmp servers on your network

var SNMP_SERVERS $HOME_NET

var HTTP_PORTS 80

# Ports you want to look for SHELLCODE on.

var SHELLCODE_PORTS !80

# Ports you do oracle attacks on

var ORACLE_PORTS 1521

# other variables

var AIM_SERVERS 
[64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]

# Path to your rules files (this can be a relative path)

var RULE_PATH /etc/snort/rules

preprocessor frag2

# stream4: stateful inspection/stream reassembly for Snort

#----------------------------------------------------------------------

preprocessor stream4: disable_evasion_alerts

preprocessor stream4_reassemble

preprocessor http_inspect: global \

iis_unicode_map unicode.map 1252

preprocessor http_inspect_server: server default \

profile all \

ports { 80 8080 }

# rpc_decode: normalize RPC traffic

# ---------------------------------

preprocessor rpc_decode: 111 32771

# bo: Back Orifice detector

preprocessor bo

# telnet_decode: Telnet negotiation string normalizer

preprocessor telnet_decode

####################################################################

# Step #3: Configure output plugins

#

output database: log, mysql, user=snort password=******** dbname=snort host=localhost

include classification.config

include reference.config

####################################################################

# Step #4: Customize your rule set

include $RULE_PATH/local.rules

include $RULE_PATH/bad-traffic.rules

include $RULE_PATH/exploit.rules

include $RULE_PATH/scan.rules

include $RULE_PATH/finger.rules

include $RULE_PATH/ftp.rules

include $RULE_PATH/telnet.rules

include $RULE_PATH/rpc.rules

include $RULE_PATH/rservices.rules

include $RULE_PATH/dos.rules

include $RULE_PATH/ddos.rules

include $RULE_PATH/dns.rules

include $RULE_PATH/tftp.rules

include $RULE_PATH/web-cgi.rules

include $RULE_PATH/web-coldfusion.rules

include $RULE_PATH/web-iis.rules

include $RULE_PATH/web-frontpage.rules

include $RULE_PATH/web-misc.rules

include $RULE_PATH/web-client.rules

include $RULE_PATH/web-php.rules

include $RULE_PATH/sql.rules

include $RULE_PATH/x11.rules

include $RULE_PATH/icmp.rules

include $RULE_PATH/netbios.rules

include $RULE_PATH/misc.rules

include $RULE_PATH/attack-responses.rules

include $RULE_PATH/oracle.rules

include $RULE_PATH/mysql.rules

include $RULE_PATH/snmp.rules

include $RULE_PATH/smtp.rules

include $RULE_PATH/imap.rules

include $RULE_PATH/pop2.rules

include $RULE_PATH/pop3.rules

include $RULE_PATH/nntp.rules

include $RULE_PATH/other-ids.rules

include $RULE_PATH/experimental.rules

# Include any thresholding or suppression commands

include threshold.conf