Snort mailing list archives

RE: TCP and ACID


From: "Michael Steele" <michaels () winsnort com>
Date: Wed, 31 Mar 2004 14:55:18 -0800

Do a TCPDump on port 1433 and make SURE you are getting alerts.

Telnet <IP_Address> 1433 and you should get a response back from the MSSQL
database.

Make sure your HOME_NET is correct. Try "HOME_NET any"

Is there a way to compile this without using FLEXResp?

Do you have libnetNT.dll installed?

Kindest regards, 
Michael...

WINSNORT.com Management Team Member
-- 
Pick up your FREE Windows or UNIX Snort installation guides       
mailto:support () winsnort com
Website: http://www.winsnort.com
Snort: Open Source Network IDS - http://www.snort.org



-----Original Message-----
From: Kromodimedjo, John [mailto:kromodimedjoj () unaids org]
Sent: Wednesday, March 31, 2004 1:48 PM
To: Michael Steele; snort-users () lists sourceforge net
Subject: RE: [Snort-users] TCP and ACID

Hi thanks for your reply.


1) Is Snort really running?
Yes.

2) snort -v (You should see traffic)
Yes, I do - lots of traffic

3) Are you on a switch?
Nope.

4) snort <full run line> -T (This should give you some useful information)
Everything looks OK - See attached snortrun.txt


5) TCPDump the port to see if traffic is really getting there
Yes....all is fine

6) Check the logs for errors
No errors

7) is Snort creating the alert.ids in the log folder?
Yes, it is being created and has data.

I have included my snort.conf file. Do you think the 2 lines below can
be together? I got an MSSQL error too (duplicate primary key), but if I
take one of the lines out it does not.

output database: log, mssql, user=snort password=snort123 dbname=snort
host=158.232.85.36 port=1433 sensor_name=GE-3E-06

output database: alert, mssql, user=snort password=snort123 dbname=snort
host=158.232.85.36 port=1433 sensor_name=GE-3E-06


Million thanks for your help.


John Kromodimedjo
UNAIDS - Geneva
----------------------------------------------------



Kindest regards,

The WINSNORT.com Management Team
--
Pick up your FREE Windows or UNIX Snort installation guides
mailto:support () winsnort com
Website: http://www.winsnort.com
Snort: Open Source Network IDS - http://www.snort.org


-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Kromodimedjo, John
Sent: Wednesday, March 31, 2004 4:56 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] TCP and ACID

Hi all,

I have installed snort with ACID on MSSQL. So far, so good. I have left
it running for one night and I know it captured TCP packets but nothing
comes up in ACID.

Do you know what I am doing wrong??

Here is part of my snort.conf.

Thanks.

John
UNAIDS-Geneva


-----------------------------------


var HOME_NET any
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521

var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]

var RULE_PATH d:\snort\rules
preprocessor flow: stats_interval 0 hash 2
preprocessor frag2
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252

preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500


preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode

preprocessor portscan:$HOME_NET 4 3 d:\snort\log\portscan.log

output alert_fast:alert.ids

output database: log, mssql, user=snort password=snort123 dbname=snort
host=158.232.85.36 port=1433 sensor_name=GE-3E-06
output database: alert, mssql, user=snort password=snort123 dbname=snort
host=158.232.85.36 port=1433 sensor_name=GE-3E-06


include d:\snort\etc\classification.config
include d:\snort\etc\reference.config




-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id70&alloc_id638&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
