Snort mailing list archives

Re: Snort Mysql Acid Combo


From: "Josh Berry" <josh.berry () netschematics com>
Date: Wed, 4 Feb 2004 12:44:49 -0600 (CST)

How is your init script starting Snort?  If it is using the -A
(full/fast/etc) switch then it will override your mysql configuration in
the snort.conf file.

Martin,

Well I've corrected that, and now hope yet. Thanks

Sam


----- Original Message -----
From: "Martin Olsson" <elof () sentor se>
To: "Sam Osuala" <sam.osuala () logiciel-inc com>
Cc: "snort-users mailinglist" <snort-users () lists sourceforge net>
Sent: Wednesday, February 04, 2004 12:50 PM
Subject: Re: [Snort-users] Snort Mysql Acid Combo



Seems like you've missed an equal sign (=) in your port statement.

output database:  log, mysql, dbname=snort user=root password=root host=localhost port 3306 detail=full

port=3306


Might be the problem.

/Martin

On Wed, 4 Feb 2004, Sam Osuala wrote:

Martin,

Here's the output from snort -T -c /etc/snort/snort.conf. I've also
included my snort.conf at the bottom.


==================================================================================
Initializing Preprocessors!
Initializing Plug-ins!
database: compiled support for ( mysql )
database: configured to use mysql
database: database name = snort
database:          user = root
database: password is set
database:          host = localhost
database:          port = full
database:   sensor name = 10.0.0.248
database:     sensor id = 1
database: schema version = 106
database: using the "log" facility
->activation->dynamic->alert->pass->log
database: Closing connection to database "snort"


==================================================================================

My snort.conf file is.........................

======================================================================
var HOME_NET 10.0.0.0/24
# Set up the external network addresses as well.
# A good start may be "any"
var EXTERNAL_NET any
# List of DNS servers on your network
var DNS_SERVERS $HOME_NET
# List of SMTP servers on your network
var SMTP_SERVERS $HOME_NET
# List of web servers on your network
var HTTP_SERVERS $HOME_NET
# List of sql servers on your network
var SQL_SERVERS $HOME_NET
# List of telnet servers on your network
var TELNET_SERVERS $HOME_NET
# Ports you run web servers on
var HTTP_PORTS 80
# Ports you want to look for SHELLCODE on.
var SHELLCODE_PORTS !80

# Ports you do oracle attacks on
var ORACLE_PORTS 1521

var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]

# Path to your rules files (this can be a relative path)
var RULE_PATH /etc/snort

preprocessor frag2

preprocessor stream4: detect_scans, disable_evasion_alerts

preprocessor stream4_reassemble

preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace

preprocessor rpc_decode: 111 32771

preprocessor bo

preprocessor telnet_decode

output database:  log, mysql, dbname=snort user=root password=root host=localhost port 3306 detail=full

include classification.config

include reference.config

include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules

include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules

include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules

include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules

include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/experimental.rules
include $RULE_PATH/local.rules
=======================================================================


Thanks in advance

Sam

----- Original Message -----
From: "Martin Olsson" <elof () sentor se>
To: "Sam Osuala" <sam.osuala () logiciel-inc com>
Cc: <snort-users () lists sourceforge net>
Sent: Wednesday, February 04, 2004 11:24 AM
Subject: Re: [Snort-users] Snort Mysql Acid Combo



On Wed, 4 Feb 2004, Sam Osuala wrote:
1] Redhat Linux 9.2
2] Snort 2.0.6
3] Mysql 4.0.17
4] Acid 0.9.6
5] php 4.3.4
6] zlib-1.1.4
7] libpcap-0.7.2
8] Apache 2.0.48 (not the one that came with the Linux )
9] jgraph 1.14
10] adodb 405
These are all installed in the Linux box above. The issue is that the
mysql is not getting any logs in the database. If I start my snort with
"snort -dvC" I get the alerts on the screen. What could be the problem?
Do I have to keep the components in different machines?

First run snort in selftest mode (-T) to see if you get any clues there.
You should see a section like this:
database: compiled support for ( mysql )
database: configured to use mysql
database:          user = foo
database: password is set
database: database name = gazonk
database:          host = 10.20.30.40
database:   sensor name = bar
database:     sensor id = 1
database: schema version = 106
database: using the "log" facility

/Martin

-------------------------------------------------------
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



Thanks,
Josh Berry, CISSP
CTO, VP of Product Development
LinkNet-Solutions
469-831-8543
josh.berry () linknet-solutions com
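The two things this thread tells you to check, written up as an added example (this is not Snort's code and not anything posted by the people in the thread): a strict parse of the `output database:` line that reports `port 3306` as a key missing its `=` instead of guessing, a small lookup that models the `port = full` symptom visible in the -T self-test output above (the value is read from the next `=` in the line; that model is an assumption made here to explain the output, not a description of Snort's parser), and a scan of a start-up command line for the `-A` switch Josh mentions, since that overrides the output plugin configured in snort.conf. The sample lines are constructed from the thread.

```python
"""Checks for the two problems raised in this thread (added example; not
Snort's code).  Sample lines are constructed from the thread."""
import re
import shlex

# Keys the output database plugin accepts in the form used in this thread.
KNOWN_KEYS = {"dbname", "user", "password", "host", "port", "detail",
              "sensor_name", "encoding"}


def split_directive(line):
    """Split `output database: <facility>, <dbtype>, <args>` into its parts.
    Returns None if the line is not an output database directive."""
    m = re.match(r"^\s*output\s+database\s*:\s*(.*)$", line)
    if not m:
        return None
    parts = [p.strip() for p in m.group(1).split(",", 2)]
    if len(parts) != 3:
        return None
    return tuple(parts)


def parse_output_database(line):
    """Strict key=value parse.  Returns (config, problems); a bare keyword
    followed by a bare value (the `port 3306` mistake) is reported and the
    key is left unset rather than guessed."""
    parts = split_directive(line)
    if parts is None:
        return {}, ["not a well-formed 'output database:' directive"]
    facility, dbtype, args = parts
    config = {"facility": facility, "dbtype": dbtype}
    problems = []
    tokens = args.split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if "=" in tok:
            key, value = tok.split("=", 1)
            if key not in KNOWN_KEYS:
                problems.append(f"unknown key '{key}'")
            elif not value:
                problems.append(f"empty value for '{key}'")
            else:
                config[key] = value
            i += 1
        elif tok in KNOWN_KEYS and i + 1 < len(tokens) and "=" not in tokens[i + 1]:
            problems.append(
                f"'{tok} {tokens[i + 1]}' is missing '=': write {tok}={tokens[i + 1]}")
            i += 2
        else:
            problems.append(f"unexpected token '{tok}'")
            i += 1
    if "port" in config and not config["port"].isdigit():
        problems.append(f"port must be numeric, got '{config['port']}'")
    return config, problems


def lenient_value(args, key):
    """Model of the symptom in the -T output: find `key` in the argument
    string and take whatever follows the next '=' up to the next blank.
    With `port 3306 detail=full` that yields 'full'.  This is an assumption
    made here to explain the output, not a description of Snort's source."""
    pos = args.find(key)
    if pos < 0:
        return None
    eq = args.find("=", pos)
    if eq < 0:
        return None
    end = args.find(" ", eq)
    return args[eq + 1:] if end < 0 else args[eq + 1:end]


def alert_mode_override(cmdline):
    """Return the mode given to -A on a Snort command line, or None.
    An -A switch in the init script overrides the output configured in
    snort.conf, so it is the first thing to rule out."""
    argv = shlex.split(cmdline)
    for i, arg in enumerate(argv):
        if arg == "-A" and i + 1 < len(argv):
            return argv[i + 1]
        if arg.startswith("-A") and len(arg) > 2:
            return arg[2:]
    return None


# Constructed from the thread: the posted line and its corrected form.
BROKEN = ("output database: log, mysql, dbname=snort user=root password=root "
          "host=localhost port 3306 detail=full")
FIXED = BROKEN.replace("port 3306", "port=3306")

if __name__ == "__main__":
    for line in (BROKEN, FIXED):
        cfg, probs = parse_output_database(line)
        args = split_directive(line)[2]
        print(f"port (strict) = {cfg.get('port')}  port (lenient) = "
              f"{lenient_value(args, 'port')}  problems = {probs}")
    print("init script -A mode:",
          alert_mode_override("snort -D -A fast -c /etc/snort/snort.conf"))
```

Running it on the posted line reports the missing `=` and shows the lenient lookup landing on `full`, which is exactly what the self-test printed; on the corrected line both parsers agree on `3306`. The `-A` scan is meant to be pointed at whatever command your init script actually runs, not at the snort.conf.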


