
FW: No logs in MYSQL Database but logs on localhost logfiles?


From: "Shannon M. Anderson" <sanderson () ecalton com>
Date: Mon, 1 Mar 2004 16:38:35 -0500

 
 
I'm sure you all love these posts...
 
I found my problem...   I was passing "-A full" as part of the command line built by the init.d script.  This 
in turn was causing an issue with snort. So I removed the entry and edited the config file, adding "detail=full" to the 
mysql output plugin.
 
I hope this helps the next person who falls into this little snare.
 
Thanks
 
-----Original Message-----
From: Shannon M. Anderson 
Sent: Monday, March 01, 2004 3:47 PM
To: 'snort-users () lists sourceforge net'
Subject: No logs in MYSQL Database but logs on localhost logfiles?


I am working on a Router/Firewall/IDS box.  In the default configuration, only watching a single interface, I am able to generate 
logs to the MySQL database. But my need was to watch all interfaces for matched traffic, so after a bit of digging I was 
able to find and configure the scripts to watch all interfaces. The local logging seems to be working, but I am now not 
able to get logs to SQL. Has anyone come across this type of design/configuration? I want to populate SQL with all 
matched traffic in detail, including packet payload, and only log FAST "alerts" to local logging.
 
any thoughts would be welcome
 
 
below is my config and init.d script.
 
 
 
 
#########################
# CONFIG files start here!!!!!!!!
#
#
 
 
 
## variable file###########
# Snort variable file; the init script sources it as $CONFDIR/snort/snort
# and turns each setting into a snort command line option.
# ALERTMODE is passed as "-A <mode>". The follow-up message in this thread
# reports that "-A full" here was the cause of the missing MySQL logs; the
# fix was to leave ALERTMODE empty and add detail=full to the "output
# database" line in snort.conf instead.
ALERTMODE=full
# ALL makes the init script start one snort process per eth*/ipsec*
# interface listed under /proc/sys/net/ipv4/conf.
INTERFACE=ALL
# 1 adds -I (include the interface name in alert output).
PRINT_INTERFACE=1
 
###rc.d/init.d/snort##############################
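#!/bin/bash
#
# rc.d/init.d/snort -- start, stop and query the snort sensor(s).
#
# Settings are read from the system rc config (/etc/config/rc, $rc_functions,
# $ssl_conf) and from the snort variable file $CONFDIR/snort/snort; the
# variable-file settings are mapped onto snort command line options below.
# With INTERFACE=ALL one snort process is started per eth*/ipsec* entry under
# /proc/sys/net/ipv4/conf, each logging to its own $LOGDIR/<iface> directory.
#
# Usage: snort {start|stop|reload|restart|condrestart|status}
#
# killproc and status are not defined here; presumably they come from the
# sourced rc functions -- verify against $rc_functions.
source /etc/config/rc
source "$rc_functions"
source "$ssl_conf"
export CONFDIR=$confdir
export ROOT=$root
source "$CONFDIR/snort/snort"

readonly SNORT_PATH=/usr/local/bin
readonly LOCKFILE=/var/lock/snort

die() { printf '%s\n' "$*" >&2; exit 1; }

# Defaults for settings the variable file left unset or empty.
# NOTE(review): USER is normally exported by login shells (e.g. "root"), so
# the snortman default only applies when it is empty -- set USER explicitly in
# the variable file if snort is meant to drop to a dedicated account.
: "${USER:=snortman}"
: "${GROUP:=snortman}"
: "${LOGDIR:=/var/log/snort}"
: "${INTERFACE:=eth0}"

# Configuration file: a non-empty CONF is taken relative to $CONFDIR,
# otherwise the stock $CONFDIR/snort/snort.conf is used.
if [ -n "$CONF" ]; then
  conf_file=$CONFDIR/$CONF
else
  conf_file=$CONFDIR/snort/snort.conf
fi

# Translate variable-file settings into snort option words. Arrays keep each
# option and its argument as separate words, so paths with spaces survive and
# an empty setting contributes nothing instead of an empty argument.
# The follow-up message in this thread reports that "-A full" from ALERTMODE
# was the cause of the missing MySQL logs; leaving ALERTMODE empty and using
# detail=full on the output database plugin was the fix.
snort_opts=()
[ -n "$ALERTMODE" ] && snort_opts+=(-A "$ALERTMODE")
[ "$BINARY_LOG" = 1 ] && snort_opts+=(-b)        # tcpdump-format packet logs
[ "$NO_PACKET_LOG" = 1 ] && snort_opts+=(-N)     # no packet logging
[ "$DUMP_APP" = 1 ] && snort_opts+=(-d)          # dump application-layer data
snort_opts+=(-D)                                 # always run as a daemon
[ "$PRINT_INTERFACE" = 1 ] && snort_opts+=(-I)   # interface name in alerts
snort_opts+=(-u "$USER" -g "$GROUP" -c "$conf_file")
pass_first=()
[ "$PASS_FIRST" = 1 ] && pass_first=(-o)         # evaluate pass rules first

#######################################
# Start one snort process.
# Globals:   SNORT_PATH, snort_opts, pass_first (read)
# Arguments: $1 - interface name
#            $2 - log directory for that sensor
#######################################
start_sensor() {
  "$SNORT_PATH/snort" "${snort_opts[@]}" -i "$1" -l "$2" "${pass_first[@]}"
}

######################################
# Now to the real heart of the matter:
# See how we were called.
case "$1" in
  start)
    printf '%s' "Starting snort: "
    mkdir -p "$LOGDIR" && cd "$LOGDIR" || die "cannot use log directory $LOGDIR"
    if [ "$INTERFACE" = "ALL" ]; then
      # One sensor per interface, found by globbing the kernel's per-device
      # directories rather than parsing ls output.
      ifaces=()
      for dev in /proc/sys/net/ipv4/conf/eth* /proc/sys/net/ipv4/conf/ipsec*; do
        [ -e "$dev" ] && ifaces+=("${dev##*/}")   # an unmatched glob stays literal
      done
      for iface in "${ifaces[@]}"; do
        mkdir -p "$LOGDIR/$iface"
      done
      # The log tree must be writable by the account snort drops to (-u/-g),
      # so it is chowned to $USER:$GROUP rather than a fixed name, and once
      # rather than once per interface.
      chown -R "$USER:$GROUP" "$LOGDIR"
      for iface in "${ifaces[@]}"; do
        start_sensor "$iface" "$LOGDIR/$iface"
      done
    else
      start_sensor "$INTERFACE" "$LOGDIR"
    fi
    touch "$LOCKFILE"
    echo
    ;;
  stop)
    printf '%s' "Stopping snort: "
    killproc snort
    rm -f "$LOCKFILE"
    echo
    ;;
  reload)
    echo "Sorry, not implemented yet"
    ;;
  restart)
    "$0" stop
    "$0" start
    ;;
  condrestart)
    # Only restart a sensor this script started; "$0" keeps the call pointed
    # at this script instead of a hard-coded /etc/init.d/snortd.
    [ -e "$LOCKFILE" ] && "$0" restart
    ;;
  status)
    status snort
    ;;
  *)
    echo "Usage: $0 {start|stop|reload|restart|condrestart|status}" >&2
    exit 2
    ;;
esac

exit 0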

 
##############################
 
 
 
#################################
#Snort Config####
#################################
# Network and port definitions referenced by the preprocessors and rules.
var DNS_SERVERS 192.168.3.0/24
var HTTP_PORTS 80
var SQL_SERVERS 192.168.3.0/24
var HTTP_SERVERS 192.168.3.0/24
var SHELLCODE_PORTS !80
# Address the portscan preprocessor watches (see "preprocessor portscan").
var PORT_SCAN_NET 65.35.64.161
var ORACLE_PORTS 1521
var HOME_NET 192.168.3.0/24
# NOTE(review): the AIM_SERVERS value sits on the line after the var name
# here; snort expects it on the same line, so this is probably mail wrapping
# rather than the file's real layout -- confirm against the on-disk file.
var AIM_SERVERS 
[64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var SMTP_SERVERS 192.168.3.0/24
var TELNET_SERVERS 192.168.3.0/24
# "any" also covers HOME_NET hosts; !$HOME_NET is commonly used instead when
# rules written as $EXTERNAL_NET -> $HOME_NET should only see outside traffic.
var EXTERNAL_NET any
 

# Preprocessors: ARP spoof detection, TCP stream tracking with scan and
# state-problem detection, IP defragmentation, telnet and HTTP normalisation,
# portscan detection on $PORT_SCAN_NET (in the classic syntax "4 3" is the
# port count and time window in seconds), Back Orifice detection, stream
# reassembly in both directions and RPC decoding with fragment alerting.
preprocessor arpspoof
preprocessor stream4: detect_scans detect_state_problems
preprocessor frag2
preprocessor telnet_decode
preprocessor http_decode: unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
preprocessor portscan: $PORT_SCAN_NET 4 3
preprocessor bo
preprocessor stream4_reassemble: both
preprocessor rpc_decode: alert_fragments
 
# Alerts go to syslog (LOG_AUTH facility, LOG_ALERT priority); both the log
# and the alert facility also go to the ids_db MySQL database on 192.168.1.222.
# The follow-up message in this thread reports adding detail=full to the
# database output plugin as the fix for the missing MySQL logs.
# Each "output database:" directive must be a single line in the real file;
# the sensor_name= part appears wrapped onto the next line here.
# The database credentials live in this file, so keep its read permissions
# limited to the account that starts snort.
output alert_syslog: LOG_AUTH LOG_ALERT
output database: log, mysql, user=sql-access password=********** dbname=ids_db host=192.168.1.222 
sensor_name=development
output database: alert, mysql, user=sql-access password=*********** dbname=ids_db host=192.168.1.222 
sensor_name=development
 
# Classification priorities and reference-URL prefixes used by the rules.
include /etc/classification.config
include /etc/reference.config
 
# Rule sets, by absolute path (so they do not depend on CONFDIR).
include /etc/snort/rules/attack-responses.rules
include /etc/snort/rules/backdoor.rules
include /etc/snort/rules/bad-traffic.rules
include /etc/snort/rules/chat.rules
include /etc/snort/rules/ddos.rules
include /etc/snort/rules/deleted.rules
include /etc/snort/rules/dns.rules
include /etc/snort/rules/dos.rules
include /etc/snort/rules/exploit.rules
include /etc/snort/rules/finger.rules
include /etc/snort/rules/ftp.rules
include /etc/snort/rules/imap.rules
include /etc/snort/rules/info.rules
include /etc/snort/rules/misc.rules
include /etc/snort/rules/multimedia.rules
include /etc/snort/rules/mysql.rules
include /etc/snort/rules/netbios.rules
include /etc/snort/rules/nntp.rules
include /etc/snort/rules/oracle.rules
include /etc/snort/rules/other-ids.rules
include /etc/snort/rules/p2p.rules
include /etc/snort/rules/policy.rules
include /etc/snort/rules/pop3.rules
include /etc/snort/rules/porn.rules
include /etc/snort/rules/rpc.rules
include /etc/snort/rules/rservices.rules
include /etc/snort/rules/scan.rules
include /etc/snort/rules/shellcode.rules
include /etc/snort/rules/smtp.rules
include /etc/snort/rules/snmp.rules
include /etc/snort/rules/sql.rules
include /etc/snort/rules/telnet.rules
include /etc/snort/rules/tftp.rules
include /etc/snort/rules/virus.rules
include /etc/snort/rules/web-attacks.rules
include /etc/snort/rules/web-cgi.rules
include /etc/snort/rules/web-client.rules
include /etc/snort/rules/web-coldfusion.rules
include /etc/snort/rules/web-frontpage.rules
include /etc/snort/rules/web-iis.rules
include /etc/snort/rules/web-misc.rules
include /etc/snort/rules/web-php.rules

 
 
 
 
 
############################
Shannon M Anderson
Sr. Systems Engineer
eCalton.com
sanderson () ecalton com
(772)569-4500 ext 226
____________________________________________________
"For every action, there is an equal and opposite malfunction."
 
