Snort mailing list archives
snort doesn't write to mysql
From: "Ochs, Pamela T [Contr (HPTI)]" <pamela.t.ochs () us army mil>
Date: Fri, 27 Feb 2004 09:52:49 -0500
Hello.
I'm a newbie, but have checked the FAQs, done lots of searching, asked other
linux-knowledgeable people, and I still can't figure this out. I've likely
done something stupid - can anyone help me find it?
I'm running snort 2.1.0-2 on RedHat 9, with mysql, apache, php and acid. I
have configured the output database line in snort.conf to point to the mysql
database, but I see no sign that snort is even attempting to connect to the
database.
snort and snort-mysql are installed from the binary rpms available from
snort.org;
[root@fsf052 snort]# rpm -qa |grep snort
snort-mysql-2.1.0-2
snort-2.1.0-2
snort appears to be using snort.conf;
ps -ef |grep snort
snort 3849 1 0 16:15 ? 00:00:00 /usr/sbin/snort -A fast -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort
However, I added "output log_tcpdump: tcpdump.log" to the snort.conf and
found no tcpdump.log when I restarted the service and ran the scanner
against it. Just to be sure, I created the empty file, gave the snort user
permissions on it, restarted the service, and ran the scanner again - the
file remained empty. Does this mean the output settings in snort.conf are
being overridden or ignored?
It is running snort-mysql;
ls -l /usr/sbin |grep snort
lrwxrwxrwx 1 root root 21 Feb 20 10:37 snort -> /usr/sbin/snort-mysql
-rwxr-xr-x 1 root root 478797 Dec 20 05:22 snort-mysql
-rwxr-xr-x 1 root root 478268 Dec 20 05:28 snort-plain
Does anyone know how this version was compiled? Do I have to have the
database in a specific location?
Thanks in advance for any help,
Pam
I'm including my scripts and config files, basically all default, sorry for
the length of the e-mail, I've removed a lot of the commented stuff and
examples to make it shorter. Note, my e-mail client is causing stuff to
wrap - there are no carriage returns:
_________________________________________________________________________
/etc/init.d/snortd
#!/bin/sh
# $Id: snortd,v 1.17 2003/12/20 09:25:37 dwittenb Exp $
#
# snortd         Start/Stop the snort IDS daemon.
#
# chkconfig: 2345 40 60
# description: snort is a lightweight network intrusion detection tool that \
#              currently detects more than 1100 host and network \
#              vulnerabilities, portscans, backdoors, and more.
#

# Source function library.
. /etc/rc.d/init.d/functions

# Source the local configuration file
. /etc/sysconfig/snort

# Convert the /etc/sysconfig/snort settings to something snort can
# use on the startup line.
if [ "$ALERTMODE"X = "X" ]; then
    ALERTMODE=""
else
    ALERTMODE="-A $ALERTMODE"
fi

if [ "$USER"X = "X" ]; then
    USER="snort"
fi

if [ "$GROUP"X = "X" ]; then
    GROUP="snort"
fi

if [ "$BINARY_LOG"X = "1X" ]; then
    BINARY_LOG="-b"
else
    BINARY_LOG=""
fi

if [ "$CONF"X = "X" ]; then
    CONF="-c /etc/snort/snort.conf"
else
    CONF="-c $CONF"
fi

if [ "$INTERFACE"X = "X" ]; then
    INTERFACE="-i eth0"
else
    INTERFACE="-i $INTERFACE"
fi

if [ "$DUMP_APP"X = "1X" ]; then
    DUMP_APP="-d"
else
    DUMP_APP=""
fi

if [ "$NO_PACKET_LOG"X = "1X" ]; then
    NO_PACKET_LOG="-N"
else
    NO_PACKET_LOG=""
fi

if [ "$PRINT_INTERFACE"X = "1X" ]; then
    PRINT_INTERFACE="-I"
else
    PRINT_INTERFACE=""
fi

if [ "$PASS_FIRST"X = "1X" ]; then
    PASS_FIRST="-o"
else
    PASS_FIRST=""
fi

if [ "$LOGDIR"X = "X" ]; then
    LOGDIR=/var/log/snort
fi

######################################
# Now to the real heart of the matter:
# See how we were called.
case "$1" in
  start)
    echo -n "Starting snort: "
    cd $LOGDIR
    if [ "$INTERFACE" = "-i ALL" ]; then
        for i in `cd /proc/sys/net/ipv4/conf; ls -d eth* |sed s/"\/"//g`
        do
            mkdir -p "$LOGDIR/$i"
            chown -R snort:snort $LOGDIR
            daemon /usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE -i $i -u $USER -g $GROUP $CONF -l $LOGDIR/$i $PASS_FIRST
        done
    else
        daemon /usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE $INTERFACE -u $USER -g $GROUP $CONF -l $LOGDIR $PASS_FIRST
    fi
    touch /var/lock/subsys/snort
    echo
    ;;
  stop)
    echo -n "Stopping snort: "
    killproc snort
    rm -f /var/lock/subsys/snort
    echo
    ;;
  reload)
    echo "Sorry, not implemented yet"
    ;;
  restart)
    $0 stop
    $0 start
    ;;
  condrestart)
    [ -e /var/lock/subsys/snort ] && /etc/init.d/snortd restart
    ;;
  status)
    status snort
    ;;
  *)
    echo "Usage: $0 {start|stop|reload|restart|condrestart|status}"
    exit 2
esac

exit 0
___________________________________________________________________________
/etc/sysconfig/snort
# /etc/sysconfig/snort
# $Id: snort.sysconfig,v 1.8 2003/09/19 05:18:12 dwittenb Exp $
#### General Configuration
INTERFACE=eth0
CONF=/etc/snort/snort.conf
USER=snort
GROUP=snort
PASS_FIRST=0
#### Logging & Alerting
LOGDIR=/var/log/snort
ALERTMODE=fast
DUMP_APP=1
BINARY_LOG=1
NO_PACKET_LOG=0
PRINT_INTERFACE=0
________________________________________________________________
/etc/snort/snort.conf (password/IP obscured)
#--------------------------------------------------
# http://www.snort.org Snort 2.1.0 Ruleset
# Contact: snort-sigs () lists sourceforge net
#--------------------------------------------------
# $Id: snort.conf,v 1.133 2003/12/18 17:05:07 cazz Exp $
#
var HOME_NET x.x.x.0/xx
# Set up the external network addresses as well. A good start may be "any"
var EXTERNAL_NET any
# List of DNS servers on your network
var DNS_SERVERS $HOME_NET
# List of SMTP servers on your network
var SMTP_SERVERS $HOME_NET
# List of web servers on your network
var HTTP_SERVERS $HOME_NET
# List of sql servers on your network
var SQL_SERVERS $HOME_NET
# List of telnet servers on your network
var TELNET_SERVERS $HOME_NET
# List of snmp servers on your network
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80
# Ports you want to look for SHELLCODE on.
var SHELLCODE_PORTS !80
# Ports you do oracle attacks on
var ORACLE_PORTS 1521
# other variables
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
# Path to your rules files (this can be a relative path)
var RULE_PATH /etc/snort/rules
preprocessor frag2
# stream4: stateful inspection/stream reassembly for Snort
#----------------------------------------------------------------------
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_inspect: global \
iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
profile all \
ports { 80 8080 }
# rpc_decode: normalize RPC traffic
# ---------------------------------
preprocessor rpc_decode: 111 32771
# bo: Back Orifice detector
preprocessor bo
# telnet_decode: Telnet negotiation string normalizer
preprocessor telnet_decode
####################################################################
# Step #3: Configure output plugins
#
output database: log, mysql, user=snort password=******** dbname=snort host=localhost
include classification.config
include reference.config
####################################################################
# Step #4: Customize your rule set
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/experimental.rules
# Include any thresholding or suppression commands
include threshold.conf
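The ps output in the post shows -A fast and -b on the snort command line (they come from ALERTMODE=fast and BINARY_LOG=1 in /etc/sysconfig/snort) alongside an output database directive in snort.conf. The Snort 2.x manual notes that command-line logging and alerting options override the output options given in the configuration file, so this is worth ruling out before suspecting the database plugin itself. The check below is an added example written for this archive page; it is not code from the original post or from the Snort project. It takes a command line as printed by ps and a snort.conf, and reports which command-line switches would override the file's output plugins. The configuration fragment it writes is constructed (the password is a placeholder), and the switch set it recognises (-A, -b, -N, -s) is the assumption stated in the comments.

```shell
#!/bin/sh
# Added diagnostic, not from the original thread. It compares the switches on
# a running snort command line (as shown by ps) with the "output" directives in
# snort.conf. Assumption it rests on: the Snort 2.x manual states that
# command-line output options such as -A, -b, -N and -s override any output
# plugins configured in the configuration file.

# Print the command-line output switches present in the given command line,
# one per line, in the order they appear. Only stand-alone switches are
# recognised (e.g. "-A fast -b"), not combined ones such as "-bd".
snort_cli_output_switches() {
    for arg in $1; do
        case "$arg" in
            -A|-b|-N|-s) printf '%s\n' "$arg" ;;
        esac
    done
}

# Print the plugin name of every active "output" directive in a snort.conf
# (commented-out lines are skipped).
conf_output_plugins() {
    sed -n 's/^[[:space:]]*output[[:space:]]\{1,\}\([A-Za-z_]*\).*/\1/p' "$1"
}

# Print, space-separated, the command-line switches that would override the
# config-file output plugins; print nothing when there is no conflict.
snort_output_conflicts() {
    switches=$(snort_cli_output_switches "$1" | tr '\n' ' ' | sed 's/ $//')
    plugins=$(conf_output_plugins "$2")
    if [ -n "$switches" ] && [ -n "$plugins" ]; then
        printf '%s\n' "$switches"
    fi
}

# Write a constructed snort.conf fragment (mirroring the poster's output
# section, credentials replaced by a placeholder) to the given path.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not a real configuration
output database: log, mysql, user=snort password=PLACEHOLDER dbname=snort host=localhost
output log_tcpdump: tcpdump.log
#output alert_syslog: LOG_AUTH LOG_ALERT
EOF
}

# Command line from the poster's ps output, and the same line without -A/-b
# (what the init script produces with ALERTMODE="" and BINARY_LOG=0).
POSTER_CMDLINE="/usr/sbin/snort -A fast -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort"
FIXED_CMDLINE="/usr/sbin/snort -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort"

sample=$(mktemp)
write_sample_conf "$sample"
for cmdline in "$POSTER_CMDLINE" "$FIXED_CMDLINE"; do
    conflict=$(snort_output_conflicts "$cmdline" "$sample")
    if [ -n "$conflict" ]; then
        echo "WARNING: '$conflict' on the command line override conf outputs: $(conf_output_plugins "$sample" | tr '\n' ' ')"
    else
        echo "OK: no command-line output switches; conf outputs are used"
    fi
done
rm -f "$sample"
```

On a live sensor, the first argument would be taken from `ps -o args= -C snort` and the second from the path following -c on that same command line; the warning for the poster's command line disappears once ALERTMODE and BINARY_LOG are cleared in /etc/sysconfig/snort and the service is restarted.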