Snort mailing list archives

Re: snort doesn't write to mysql


From: "Josh Berry" <josh.berry () netschematics com>
Date: Mon, 1 Mar 2004 14:04:48 -0600 (CST)

Snort is not logging to the database because you are using the -A fast command-line argument; this overrides your configuration file setup.

Hello.

I'm a newbie, but have checked the FAQs, done lots of searching, asked other linux-knowledgeable people, and I still can't figure this out.  I've likely done something stupid - can anyone help me find it?

I'm running snort 2.1.0-2 on RedHat 9, with mysql, apache, php and acid.  I have configured the output database line in snort.conf to point to the mysql database, but I see no sign that snort is even attempting to connect to the database.
snort and snort-mysql are installed from the binary rpms available from snort.org;
[root@fsf052 snort]# rpm -qa |grep snort
snort-mysql-2.1.0-2
snort-2.1.0-2

snort appears to be using snort.conf;
ps -ef |grep snort
snort     3849     1  0 16:15 ?        00:00:00 /usr/sbin/snort -A fast -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort

However, I added "output log_tcpdump: tcpdump.log" to the snort.conf and found no tcpdump.log when I restarted the service and ran the scanner against it.  Just to be sure, I created the empty file, gave the snort user permissions on it, restarted the service, and ran the scanner again - the file remained empty.  Does this mean the output settings in snort.conf are being overridden or ignored?

It is running snort-mysql;
ls -l /usr/sbin |grep snort
lrwxrwxrwx    1 root     root           21 Feb 20 10:37 snort -> /usr/sbin/snort-mysql
-rwxr-xr-x    1 root     root       478797 Dec 20 05:22 snort-mysql
-rwxr-xr-x    1 root     root       478268 Dec 20 05:28 snort-plain

Does anyone know how this version was compiled?  Do I have to have the
database in a specific location?

Thanks in advance for any help,
Pam

I'm including my scripts and config files, basically all default, sorry for the length of the e-mail, I've removed a lot of the commented stuff and examples to make it shorter.  Note, my e-mail client is causing stuff to wrap - there are no carriage returns:
_________________________________________________________________________
/etc/init.d/snortd

#!/bin/sh
# $Id: snortd,v 1.17 2003/12/20 09:25:37 dwittenb Exp $
#
# snortd         Start/Stop the snort IDS daemon.
#
# chkconfig: 2345 40 60
# description:  snort is a lightweight network intrusion detection tool that \
#             currently detects more than 1100 host and network \
#             vulnerabilities, portscans, backdoors, and more.
#

# Source function library.
. /etc/rc.d/init.d/functions

# Source the local configuration file
. /etc/sysconfig/snort

# Convert the /etc/sysconfig/snort settings to something snort can
# use on the startup line.
if [ "$ALERTMODE"X = "X" ]; then
   ALERTMODE=""
else
   ALERTMODE="-A $ALERTMODE"
fi

if [ "$USER"X = "X" ]; then
   USER="snort"
fi

if [ "$GROUP"X = "X" ]; then
   GROUP="snort"
fi

if [ "$BINARY_LOG"X = "1X" ]; then
   BINARY_LOG="-b"
else
   BINARY_LOG=""
fi

if [ "$CONF"X = "X" ]; then
   CONF="-c /etc/snort/snort.conf"
else
   CONF="-c $CONF"
fi

if [ "$INTERFACE"X = "X" ]; then
   INTERFACE="-i eth0"
else
   INTERFACE="-i $INTERFACE"
fi

if [ "$DUMP_APP"X = "1X" ]; then
   DUMP_APP="-d"
else
   DUMP_APP=""
fi

if [ "$NO_PACKET_LOG"X = "1X" ]; then
   NO_PACKET_LOG="-N"
else
   NO_PACKET_LOG=""
fi

if [ "$PRINT_INTERFACE"X = "1X" ]; then
   PRINT_INTERFACE="-I"
else
   PRINT_INTERFACE=""
fi

if [ "$PASS_FIRST"X = "1X" ]; then
   PASS_FIRST="-o"
else
   PASS_FIRST=""
fi

if [ "$LOGDIR"X = "X" ]; then
   LOGDIR=/var/log/snort
fi


######################################
# Now to the real heart of the matter:

# See how we were called.
case "$1" in
  start)
      echo -n "Starting snort: "
        cd $LOGDIR
      if [ "$INTERFACE" = "-i ALL" ]; then
           for i in `cd /proc/sys/net/ipv4/conf; ls -d eth* |sed s/"\/"//g`
           do
                mkdir -p "$LOGDIR/$i"
                chown -R snort:snort $LOGDIR
                daemon /usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE -i $i -u $USER -g $GROUP $CONF -l $LOGDIR/$i $PASS_FIRST
           done
      else
         daemon /usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE $INTERFACE -u $USER -g $GROUP $CONF -l $LOGDIR $PASS_FIRST
      fi
      touch /var/lock/subsys/snort
      echo
      ;;
  stop)
      echo -n "Stopping snort: "
      killproc snort
      rm -f /var/lock/subsys/snort
      echo
      ;;
  reload)
      echo "Sorry, not implemented yet"
      ;;
  restart)
      $0 stop
      $0 start
      ;;
  condrestart)
        [ -e /var/lock/subsys/snort ] && /etc/init.d/snortd restart
        ;;
  status)
      status snort
      ;;
  *)
      echo "Usage: $0 {start|stop|reload|restart|condrestart|status}"
      exit 2
esac

exit 0


___________________________________________________________________________
/etc/sysconfig/snort

# /etc/sysconfig/snort
# $Id: snort.sysconfig,v 1.8 2003/09/19 05:18:12 dwittenb Exp $


#### General Configuration

INTERFACE=eth0
CONF=/etc/snort/snort.conf
USER=snort
GROUP=snort
PASS_FIRST=0

#### Logging & Alerting

LOGDIR=/var/log/snort
ALERTMODE=fast
DUMP_APP=1
BINARY_LOG=1
NO_PACKET_LOG=0
PRINT_INTERFACE=0


________________________________________________________________
/etc/snort/snort.conf (password/IP obscured)

#--------------------------------------------------
#   http://www.snort.org     Snort 2.1.0 Ruleset
#     Contact: snort-sigs () lists sourceforge net
#--------------------------------------------------
# $Id: snort.conf,v 1.133 2003/12/18 17:05:07 cazz Exp $
#

var HOME_NET x.x.x.0/xx

# Set up the external network addresses as well.  A good start may be "any"
var EXTERNAL_NET any

# List of DNS servers on your network
var DNS_SERVERS $HOME_NET

# List of SMTP servers on your network
var SMTP_SERVERS $HOME_NET

# List of web servers on your network
var HTTP_SERVERS $HOME_NET

# List of sql servers on your network
var SQL_SERVERS $HOME_NET

# List of telnet servers on your network
var TELNET_SERVERS $HOME_NET

# List of snmp servers on your network
var SNMP_SERVERS $HOME_NET

var HTTP_PORTS 80

# Ports you want to look for SHELLCODE on.
var SHELLCODE_PORTS !80

# Ports you do oracle attacks on
var ORACLE_PORTS 1521

# other variables
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]

# Path to your rules files (this can be a relative path)
var RULE_PATH /etc/snort/rules

preprocessor frag2

# stream4: stateful inspection/stream reassembly for Snort
#----------------------------------------------------------------------

preprocessor stream4: disable_evasion_alerts

preprocessor stream4_reassemble

preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252

preprocessor http_inspect_server: server default \
    profile all \
    ports { 80 8080 }

# rpc_decode: normalize RPC traffic
# ---------------------------------

preprocessor rpc_decode: 111 32771

# bo: Back Orifice detector

preprocessor bo

# telnet_decode: Telnet negotiation string normalizer

preprocessor telnet_decode

####################################################################
# Step #3: Configure output plugins
#
output database: log, mysql, user=snort password=******** dbname=snort host=localhost

include classification.config

include reference.config

####################################################################
# Step #4: Customize your rule set

include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules

include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules

include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules

include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules

include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/experimental.rules

# Include any thresholding or suppression commands
include threshold.conf


-------------------------------------------------------
SF.Net is sponsored by: Speed Start Your Linux Apps Now.
Build and deploy apps & Web services for Linux with
a free DVD software kit from IBM. Click Now!
http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



Thanks,
Josh Berry, CISSP
CTO, VP of Product Development
LinkNet-Solutions
469-831-8543
josh.berry () linknet-solutions com
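The practical consequence of the reply above is that the fix lives in /etc/sysconfig/snort, not in snort.conf: the snortd init script quoted in the thread turns ALERTMODE=fast into "-A fast" and BINARY_LOG=1 into "-b" on the snort command line, and a command-line -A takes precedence over the alert output plugins in snort.conf. The script below is an added example (not code from the thread, from Snort, or from the RedHat package) that reports which of those sysconfig settings a given file would turn into command-line output flags and rewrites them so snort.conf is in charge. It assumes only the KEY=value layout and the ALERTMODE/BINARY_LOG mapping visible in the posted snortd script; the sysconfig content it runs against is a constructed copy of Pam's, written to a temp file so nothing under /etc is touched. It reports -b as well because Pam's database plugin is declared with the log facility and -b is the command-line counterpart on the logging side; whether you also want binary packet logging is a separate decision, but removing both is the clean way to test whether snort.conf's output plugins load.

```shell
#!/bin/sh
# Added example, not from the thread: find the /etc/sysconfig/snort settings
# that the RedHat snortd script turns into -A / -b on the snort command line,
# and rewrite them so the output plugins in snort.conf take effect.
#
# Assumption: KEY=value lines as in the posted sysconfig file, mapped by the
# posted snortd script as ALERTMODE -> "-A $ALERTMODE" and BINARY_LOG=1 -> "-b".

# sysconfig_get FILE KEY: print KEY's value (empty if unset). The file is parsed
# with sed instead of being sourced, so this script never executes it.
sysconfig_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# snort_cli_overrides FILE: print the output-related flags snortd would pass
# on the command line for this sysconfig file ("" when there are none).
snort_cli_overrides() {
    alertmode=$(sysconfig_get "$1" ALERTMODE)
    binlog=$(sysconfig_get "$1" BINARY_LOG)
    flags=""
    [ -n "$alertmode" ] && flags="-A $alertmode"
    [ "$binlog" = "1" ] && flags="${flags:+$flags }-b"
    printf '%s\n' "$flags"
}

# snort_clear_overrides FILE: blank ALERTMODE and set BINARY_LOG=0 in place
# (via a temp file and rename, which works with both GNU and BSD sed).
snort_clear_overrides() {
    tmp="$1.tmp.$$"
    sed -e 's/^[[:space:]]*ALERTMODE=.*/ALERTMODE=/' \
        -e 's/^[[:space:]]*BINARY_LOG=.*/BINARY_LOG=0/' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Demo on a constructed copy of the sysconfig file from the thread (values
# taken from Pam's post), written to a temp file rather than /etc.
DEMO=$(mktemp) || exit 1
cat > "$DEMO" <<'EOF'
INTERFACE=eth0
CONF=/etc/snort/snort.conf
USER=snort
GROUP=snort
PASS_FIRST=0
LOGDIR=/var/log/snort
ALERTMODE=fast
DUMP_APP=1
BINARY_LOG=1
NO_PACKET_LOG=0
PRINT_INTERFACE=0
EOF

echo "command-line output flags before: $(snort_cli_overrides "$DEMO")"   # -A fast -b
snort_clear_overrides "$DEMO"
echo "command-line output flags after:  '$(snort_cli_overrides "$DEMO")'" # ''
rm -f "$DEMO"
```

Run it against the real file as root (`snort_clear_overrides /etc/sysconfig/snort`), then `service snortd restart` and confirm with `ps -ef | grep snort` that the process line no longer carries -A or -b. If the database plugin is now loading, snort fails loudly at startup when it cannot reach MySQL, so a clean start followed by a growing row count in the schema's event table (`mysql -u snort -p snort -e 'SELECT COUNT(*) FROM event'`) is the end-to-end check.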

