Snort mailing list archives
Re: Snort Mysql Acid Combo
From: "Josh Berry" <josh.berry () netschematics com>
Date: Wed, 4 Feb 2004 12:44:49 -0600 (CST)
How is your init script starting Snort? If it is using the -A (full/fast/etc) switch then it will override your mysql configuration in the snort.conf file.
Martin,

Well I've corrected that, and now hope yet.

Thanks
Sam

----- Original Message -----
From: "Martin Olsson" <elof () sentor se>
To: "Sam Osuala" <sam.osuala () logiciel-inc com>
Cc: "snort-users mailinglist" <snort-users () lists sourceforge net>
Sent: Wednesday, February 04, 2004 12:50 PM
Subject: Re: [Snort-users] Snort Mysql Acid Combo

Seems like you've missed an equal sign (=) in your port statement.

output database: log, mysql, dbname=snort user=root password=root host=localhost port 3306 detail=full

port=3306

Might be the problem.

/Martin

On Wed, 4 Feb 2004, Sam Osuala wrote:

Martin,

Here's the output from snort -T -c /etc/snort/snort.conf. I've also included my snort.conf at the bottom.

==================================================================================
Initializing Preprocessors!
Initializing Plug-ins!
database: compiled support for ( mysql )
database: configured to use mysql
database: database name = snort
database: user = root
database: password is set
database: host = localhost
database: port = full
database: sensor name = 10.0.0.248
database: sensor id = 1
database: schema version = 106
database: using the "log" facility
->activation->dynamic->alert->pass->log
database: Closing connection to database "snort"
==================================================================================

My snort.conf file is.........................

======================================================================
var HOME_NET 10.0.0.0/24

# Set up the external network addresses as well.
# A good start may be "any"
var EXTERNAL_NET any

# List of DNS servers on your network
var DNS_SERVERS $HOME_NET

# List of SMTP servers on your network
var SMTP_SERVERS $HOME_NET

# List of web servers on your network
var HTTP_SERVERS $HOME_NET

# List of sql servers on your network
var SQL_SERVERS $HOME_NET

# List of telnet servers on your network
var TELNET_SERVERS $HOME_NET

# Ports you run web servers on
var HTTP_PORTS 80

# Ports you want to look for SHELLCODE on.
var SHELLCODE_PORTS !80

# Ports you do oracle attacks on
var ORACLE_PORTS 1521

var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]

# Path to your rules files (this can be a relative path)
var RULE_PATH /etc/snort

preprocessor frag2
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode

output database: log, mysql, dbname=snort user=root password=root host=localhost port 3306 detail=full

include classification.config
include reference.config

include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/experimental.rules
include $RULE_PATH/local.rules
=======================================================================

Thanks in advance
Sam

----- Original Message -----
From: "Martin Olsson" <elof () sentor se>
To: "Sam Osuala" <sam.osuala () logiciel-inc com>
Cc: <snort-users () lists sourceforge net>
Sent: Wednesday, February 04, 2004 11:24 AM
Subject: Re: [Snort-users] Snort Mysql Acid Combo

On Wed, 4 Feb 2004, Sam Osuala wrote:

1] Redhat Linux 9.2
2] Snort 2.0.6
3] Mysql 4.0.17
4] Acid 0.9.6
5] php 4.3.4
6] zlib-1.1.4
7] libpcap-0.7.2
8] Apache 2.0.48 (not the one that came with the Linux)
9] jgraph 1.14
10] adodb 405

These are all installed in the Linux box above. The issue is that the mysql is not getting any logs in the database. If I start my snort with "snort -dvC" I get the alerts on the screen. What could be the problem? Do I have to keep the components in different machines?

First run snort in selftest mode (-T) to see if you get any clues there.
You should see a section like this:

database: compiled support for ( mysql )
database: configured to use mysql
database: user = foo
database: password is set
database: database name = gazonk
database: host = 10.20.30.40
database: sensor name = bar
database: sensor id = 1
database: schema version = 106
database: using the "log" facility

/Martin

-------------------------------------------------------
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Thanks,
Josh Berry, CISSP
CTO, VP of Product Development
LinkNet-Solutions
469-831-8543
josh.berry () linknet-solutions com
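The two faults discussed in this thread (a parameter in the output database: line written as "port 3306" instead of "port=3306", and an init script passing -A, which overrides the output plugin in snort.conf) are both cheap to catch before restarting the sensor. The following Python check is an added example written for this archive page; it is not code from the thread or from the Snort project. The two sample config lines are constructed to match the conf quoted above, and the set of accepted parameter names is an assumption: it contains the names the -T output reports plus sensor_name and encoding, which I assume the Snort 2.0 database plugin accepts; adjust it to your version.

```python
import re
import shlex

# Constructed sample lines modelled on the snort.conf quoted in this thread
# (written for this example; not taken from any Snort distribution).
BROKEN_LINE = ("output database: log, mysql, dbname=snort user=root "
               "password=root host=localhost port 3306 detail=full")
FIXED_LINE = ("output database: log, mysql, dbname=snort user=root "
              "password=root host=localhost port=3306 detail=full")

# Parameter names: those the thread's -T output reports, plus sensor_name and
# encoding, which I assume the Snort 2.0 database plugin also accepts.
KNOWN_KEYS = {"dbname", "user", "password", "host", "port", "detail",
              "sensor_name", "encoding"}


def parse_output_database(line):
    """Parse one `output database:` line from snort.conf.

    Returns (facility, backend, params, problems), or None if the line is not
    an output database: directive. After the two comma-separated leading
    fields every whitespace-separated token must be key=value; a token without
    '=' is reported, which is exactly the "port 3306" mistake in the thread.
    """
    m = re.match(r"\s*output\s+database:\s*(\w+)\s*,\s*(\w+)\s*,\s*(.*)$", line)
    if m is None:
        return None
    facility, backend, rest = m.groups()
    params = {}
    problems = []
    for tok in rest.split():
        key, sep, value = tok.partition("=")
        if not sep:
            problems.append("token %r is not key=value" % tok)
            continue
        if key not in KNOWN_KEYS:
            problems.append("unknown parameter %r" % key)
        if key in params:
            problems.append("duplicate parameter %r" % key)
        params[key] = value
    if "port" in params and not params["port"].isdigit():
        problems.append("port=%r is not numeric" % params["port"])
    return facility, backend, params, problems


def cmdline_overrides_output(cmdline):
    """True if a snort command line (e.g. the one in an init script) carries
    -A, which, as Josh notes above, overrides the output plugin configured in
    snort.conf. Both '-A fast' and '-Afast' are caught; a combined short flag
    such as '-dA' is not, so grep the script as well if it uses that style."""
    return any(arg.startswith("-A") for arg in shlex.split(cmdline))


if __name__ == "__main__":
    for line in (BROKEN_LINE, FIXED_LINE):
        _, backend, params, problems = parse_output_database(line)
        print(backend, params.get("port"), problems)
    print(cmdline_overrides_output("snort -D -A fast -c /etc/snort/snort.conf"))
```

Run it against the real conf and init script before restarting Snort; an empty problems list and False from the command-line check mean neither of the thread's two faults is present. Separately from parsing, note that the conf above logs in as the MySQL root user with the password in cleartext: a dedicated database account with only the privileges the snort database needs, and a snort.conf readable only by the user Snort runs as, is the usual practice.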
Current thread:
- Snort Mysql Acid Combo Sam Osuala (Feb 04)
- Re: Snort Mysql Acid Combo Martin Olsson (Feb 04)
- Re: Snort Mysql Acid Combo Sam Osuala (Feb 04)
- Re: Snort Mysql Acid Combo Martin Olsson (Feb 04)
- Re: Snort Mysql Acid Combo Sam Osuala (Feb 04)
- Re: Snort Mysql Acid Combo Josh Berry (Feb 04)
- Re: Snort Mysql Acid Combo Sam Osuala (Feb 04)
- Re: Snort Mysql Acid Combo Martin Olsson (Feb 04)
- Re: Snort Mysql Acid Combo Sam Osuala (Feb 04)
- <Possible follow-ups>
- Re: Snort Mysql Acid Combo M. Morgan (Feb 04)