Snort mailing list archives
FW: No logs in MYSQL Database but logs on localhost logfiles?
From: "Shannon M. Anderson" <sanderson () ecalton com>
Date: Mon, 1 Mar 2004 16:38:35 -0500
I'm sure you all love these posts... I found my problem... I was spitting out a "-A full" as part of the cmd line structure in the init.d script. This in turn was causing some issue with snort. Thus I removed the entry and edited the config file for the output plugin for mysql, adding in "detail=full". I hope this helps the next person that falls into this little snare.

Thanks

-----Original Message-----
From: Shannon M. Anderson
Sent: Monday, March 01, 2004 3:47 PM
To: 'snort-users () lists sourceforge net'
Subject: No logs in MYSQL Database but logs on localhost logfiles?

I am working on a Router/Firewall/IDS box. In a default config only watching a single interface I am able to generate logs to the MYSQL database. But my need was to watch all interfaces for matched traffic, so after a bit of digging I was able to find and configure the scripts to watch all interfaces. The local logging seems to be working but I am now not able to get logs to SQL. Has anyone come across this type of design/configuration? I want to populate the SQL with all matched traffic in detail including packet payload and only log FAST "alerts" to local logging. Any thoughts would be welcome. Below is my config and init.d script.

#########################
# CONFIG files start here!!!!!!!!
#
# ## variable file ###########
ALERTMODE=full
INTERFACE=ALL
PRINT_INTERFACE=1

###rc.d/init.d/snort##############################
#!/bin/bash
source /etc/config/rc
source $rc_functions
source $ssl_conf
export CONFDIR=$confdir
export ROOT=$root
source $CONFDIR/snort/snort

# Turn each variable from the variable file into its snort switch;
# an unset variable means the switch is omitted.
if [ "$ALERTMODE"X = "X" ]; then
    ALERTMODE=""
else
    ALERTMODE="-A $ALERTMODE"
fi
if [ "$USER"X = "X" ]; then
    USER="snortman"
fi
if [ "$GROUP"X = "X" ]; then
    GROUP="snortman"
fi
if [ "$BINARY_LOG"X = "1X" ]; then
    BINARY_LOG="-b"
else
    BINARY_LOG=""
fi
if [ "$CONF"X = "X" ]; then
    CONF="-c $CONFDIR/snort/snort.conf"
else
    CONF="-c $CONFDIR/$CONF"
fi
if [ "$INTERFACE"X = "X" ]; then
    INTERFACE="-i eth0"
else
    INTERFACE="-i $INTERFACE"
fi
if [ "$DUMP_APP"X = "1X" ]; then
    DUMP_APP="-d"
else
    DUMP_APP=""
fi
if [ "$NO_PACKET_LOG"X = "1X" ]; then
    NO_PACKET_LOG="-N"
else
    NO_PACKET_LOG=""
fi
if [ "$PRINT_INTERFACE"X = "1X" ]; then
    PRINT_INTERFACE="-I"
else
    PRINT_INTERFACE=""
fi
if [ "$PASS_FIRST"X = "1X" ]; then
    PASS_FIRST="-o"
else
    PASS_FIRST=""
fi
if [ "$LOGDIR"X = "X" ]; then
    LOGDIR=/var/log/snort
fi
SNORT_PATH=/usr/local/bin

######################################
# Now to the real heart of the matter:
# See how we were called.
case "$1" in
    start)
        echo -n "Starting snort: "
        cd $LOGDIR
        if [ "$INTERFACE" = "-i ALL" ]; then
            # One snort process per eth*/ipsec* interface, each with its own log directory.
            for i in `cd /proc/sys/net/ipv4/conf; ls -d eth* | sed s/"\/"//g`
            do
                mkdir -p "$LOGDIR/$i"
                chown -R snortman:snortman $LOGDIR
                $SNORT_PATH/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE -i $i -u $USER -g $GROUP $CONF -l $LOGDIR/$i $PASS_FIRST
            done
            for i in `cd /proc/sys/net/ipv4/conf; ls -d ipsec* | sed s/"\/"//g`
            do
                mkdir -p "$LOGDIR/$i"
                chown -R snortman:snortman $LOGDIR
                $SNORT_PATH/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE -i $i -u $USER -g $GROUP $CONF -l $LOGDIR/$i $PASS_FIRST
            done
        else
            $SNORT_PATH/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE $INTERFACE -u $USER -g $GROUP $CONF -l $LOGDIR $PASS_FIRST
        fi
        touch /var/lock/snort
        echo
        ;;
    stop)
        echo -n "Stopping snort: "
        killproc snort
        rm -f /var/lock/snort
        echo
        ;;
    reload)
        echo "Sorry, not implemented yet"
        ;;
    restart)
        $0 stop
        $0 start
        ;;
    condrestart)
        [ -e /var/lock/snort ] && /etc/init.d/snortd restart
        ;;
    status)
        status snort
        ;;
    *)
        echo "Usage: $0 {start|stop|reload|restart|condrestart|status}"
        exit 2
        ;;
esac
exit 0
##############################

#################################
#Snort Config####
#################################
var DNS_SERVERS 192.168.3.0/24
var HTTP_PORTS 80
var SQL_SERVERS 192.168.3.0/24
var HTTP_SERVERS 192.168.3.0/24
var SHELLCODE_PORTS !80
var PORT_SCAN_NET 65.35.64.161
var ORACLE_PORTS 1521
var HOME_NET 192.168.3.0/24
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var SMTP_SERVERS 192.168.3.0/24
var TELNET_SERVERS 192.168.3.0/24
var EXTERNAL_NET any
preprocessor arpspoof
preprocessor stream4: detect_scans detect_state_problems
preprocessor frag2
preprocessor telnet_decode
preprocessor http_decode: unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
preprocessor portscan: $PORT_SCAN_NET 4 3
preprocessor bo
preprocessor stream4_reassemble: both
preprocessor rpc_decode: alert_fragments
output alert_syslog: LOG_AUTH LOG_ALERT
output database: log, mysql, user=sql-access password=********** dbname=ids_db host=192.168.1.222 sensor_name=development
output database: alert, mysql, user=sql-access password=*********** dbname=ids_db host=192.168.1.222 sensor_name=development
include /etc/classification.config
include /etc/reference.config
include /etc/snort/rules/attack-responses.rules
include /etc/snort/rules/backdoor.rules
include /etc/snort/rules/bad-traffic.rules
include /etc/snort/rules/chat.rules
include /etc/snort/rules/ddos.rules
include /etc/snort/rules/deleted.rules
include /etc/snort/rules/dns.rules
include /etc/snort/rules/dos.rules
include /etc/snort/rules/exploit.rules
include /etc/snort/rules/finger.rules
include /etc/snort/rules/ftp.rules
include /etc/snort/rules/imap.rules
include /etc/snort/rules/info.rules
include /etc/snort/rules/misc.rules
include /etc/snort/rules/multimedia.rules
include /etc/snort/rules/mysql.rules
include /etc/snort/rules/netbios.rules
include /etc/snort/rules/nntp.rules
include /etc/snort/rules/oracle.rules
include /etc/snort/rules/other-ids.rules
include /etc/snort/rules/p2p.rules
include /etc/snort/rules/policy.rules
include /etc/snort/rules/pop3.rules
include /etc/snort/rules/porn.rules
include /etc/snort/rules/rpc.rules
include /etc/snort/rules/rservices.rules
include /etc/snort/rules/scan.rules
include /etc/snort/rules/shellcode.rules
include /etc/snort/rules/smtp.rules
include /etc/snort/rules/snmp.rules
include /etc/snort/rules/sql.rules
include /etc/snort/rules/telnet.rules
include /etc/snort/rules/tftp.rules
include /etc/snort/rules/virus.rules
include /etc/snort/rules/web-attacks.rules
include /etc/snort/rules/web-cgi.rules
include /etc/snort/rules/web-client.rules
include /etc/snort/rules/web-coldfusion.rules
include /etc/snort/rules/web-frontpage.rules
include /etc/snort/rules/web-iis.rules
include /etc/snort/rules/web-misc.rules
include /etc/snort/rules/web-php.rules
############################

Shannon M Anderson
Sr. Systems Engineer
eCalton.com
sanderson () ecalton com
(772)569-4500 ext 226
____________________________________________________
"For every action, there is an equal and opposite malfunction."
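An added check, not part of the original post: this Python lint reads the init.d variable file and the `output database:` lines from snort.conf and reports the combination the post identifies as the cause (an ALERTMODE that puts `-A` on the command line while database output plugins are configured in snort.conf). It goes one step beyond the post by also flagging `NO_PACKET_LOG=1` (`-N`, which turns off logging, including the database `log` plugin) and `detail=fast`. The variable and config samples are constructed to match the post; the password is a placeholder.

```python
import re

# Constructed samples modelled on the post (the password is a placeholder).
VARS_BEFORE = "ALERTMODE=full\nINTERFACE=ALL\nPRINT_INTERFACE=1\n"
VARS_AFTER = "INTERFACE=ALL\nPRINT_INTERFACE=1\n"
DB_LINE = ("output database: {kind}, mysql, user=sql-access password=PLACEHOLDER "
           "dbname=ids_db host=192.168.1.222 sensor_name=development{extra}\n")
CONF_BEFORE = DB_LINE.format(kind="log", extra="") + DB_LINE.format(kind="alert", extra="")
CONF_AFTER = (DB_LINE.format(kind="log", extra=" detail=full")
              + DB_LINE.format(kind="alert", extra=" detail=full"))

DB_RE = re.compile(r"^output database:\s*(\w+)\s*,\s*(\w+)\s*,\s*(.*)$", re.M)


def parse_vars(text):
    """Shell-style KEY=VALUE lines from the init.d variable file -> dict."""
    result = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if "=" in line:
            key, val = line.split("=", 1)
            result[key.strip()] = val.strip().strip('"')
    return result


def parse_db_outputs(text):
    """'output database: <log|alert>, <dbms>, k=v ...' -> list of dicts."""
    outputs = []
    for kind, dbms, rest in DB_RE.findall(text):
        params = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
        outputs.append({"kind": kind, "dbms": dbms, **params})
    return outputs


def check(vars_text, conf_text):
    """Findings for switch/plugin combinations that silence SQL logging."""
    v, outs = parse_vars(vars_text), parse_db_outputs(conf_text)
    found = []
    if outs and v.get("ALERTMODE"):
        # The post's root cause: a command-line alert mode (-A) alongside
        # output plugins configured in snort.conf.
        found.append(f"ALERTMODE={v['ALERTMODE']} puts -A on the command line; "
                     "drop it and configure output plugins in snort.conf only")
    if v.get("NO_PACKET_LOG") == "1" and any(o["kind"] == "log" for o in outs):
        # -N turns off logging, which includes the 'output database: log' plugin.
        found.append("NO_PACKET_LOG=1 (-N) disables the output database: log plugin")
    for o in outs:
        if o.get("detail", "full") != "full":
            found.append(f"output database: {o['kind']} has detail={o['detail']}; "
                         "packet payload is stored only with detail=full")
    return found
```

Running `check(VARS_BEFORE, CONF_BEFORE)` reproduces the post's situation with one finding, while `check(VARS_AFTER, CONF_AFTER)` (no ALERTMODE, detail=full) returns nothing.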