Snort mailing list archives
OpenBSD 3.4 snort--X-->mysql not working and I don't see any errors on startup
From: "Jacob, Raymond A Jr" <raymond.jacob () navy mil>
Date: Thu, 22 Apr 2004 12:33:17 -0400
Question: Why are no alerts being generated? (I apologize in advance for the long message.)

References:
(1) http://openbsddiary.org/index.php?page=snort#ConfigMySQL (not used)
(2) http://www.andrew.cmu.edu/~rdanyliw/snort/snortdb/snortdb_faq.html#faq_b1
(3) http://archives.neohapsis.com/archives/snort/2000-06/0181.html (used)

Lab equipment:
1. Windows laptop w/NMAP
2. OpenBSD 3.4 on intel w/snort, mysql, acid (and associated software to make acid run)
3. One cross-connected twisted pair cable between 1. (laptop) and 2. (one port: ethernet1 on OpenBSD bridge)

Procedure:
1. (OpenBSD) configure bridging on OpenBSD to monitor two (2) networks running one instance of snort.
2. start snort in sniffer mode:
   /usr/local/bin/snort -dev -i bridge0
   [block nonip, block outbound traffic to lans connected to bridge, allow ip traffic in]
3. (laptop) start nmap up, run syn scan.
   Results: snort dumps traffic to screen.
4. start snort:
   /usr/local/bin/snort -c /etc/snort/snort.conf -i bridge0 -D > /dev/null & echo -n ' snort'
5. (laptop) start nmap up, run syn scan.
   Results: database does not grow in size and alerts file is empty.
6. kill snort and run from the command line.
   /usr/local/bin/snort -c /etc/snort/snort.conf -i bridge0 -o -N
   [See: Script started on Wed Apr 21 18:24:42 2004 for screen dump]
   Results: database does not grow in size and alerts file is empty.
   Notice a lot of arps. Probably because laptop is the only system on this net with an ip address.
7. logged in as snort administrator (not root)
   mysql> insert into sensor (hostname, interface, filter) VALUES
       -> ('test1', 'test2', 'test3');
   Query OK, 1 row affected (0.03 sec)
   # try selecting again
   mysql> select * from sensor;
   +-----+----------+-----------+--------+
   | sid | hostname | interface | filter |
   +-----+----------+-----------+--------+
   |   1 | unknown  | bridge0   | NULL   | 1
   |   2 | test1    | test2     | test3  | 1
   +-----+----------+-----------+--------+

Question: Why are no alerts being generated?
Data:

Script started on Wed Apr 21 18:24:42 2004
machine1# grep snort /etc/snort/snort/snortstart
#/etc/snort/snortstart
if [ -x /usr/local/bin/snort ]; then
#/usr/local/bin/snort -c /etc/snort/snort.conf -i bridge0 -u snort -g snort -D > /dev/null & echo -n ' snort'
/usr/local/bin/snort -c /etc/snort/snort.conf -i bridge0 -D > /dev/null & echo -n ' snort'
#/usr/bin/killall snort > /dev/null 2>&1 && echo - n ' snort'
...
machine1# /usr/local/bin/snort -c /etc/snort/snort.conf -i bridge0 -o -N
Running in IDS mode
Log directory = /var/log/snort

Initializing Network Interface bridge0
OpenPcap() device bridge0 network lookup:
        bridge0: no IPv4 address assigned

        --== Initializing Snort ==--
Rule application order changed to Pass->Alert->Log
Initializing Output Plugins!
Decoding Ethernet on interface bridge0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
,-----------[Flow Config]----------------------
| Stats Interval:  0
| Hash Method:     2
| Memcap:          10485760
| Rows  :          4099
| Overhead Bytes:  16400(%0.16)
`----------------------------------------------
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
    Self preservation threshold: 500
    Self preservation period: 90
    Suspend threshold: 1000
    Suspend period: 30
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: INACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
Stream4_reassemble config:
    Server reassembly: INACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Zero out flushed packets: INACTIVE
    flush_data_diff_size: 500
    Ports: 21 23 25 53 80 110 111 143 513 1433
    Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
HttpInspect Config:
    GLOBAL CONFIG
      Max Pipeline Requests:    0
      Inspection Type:          STATELESS
      Detect Proxy Usage:       NO
      IIS Unicode Map Filename: /etc/snort/unicode.map
      IIS Unicode Map Codepage: 1252
    DEFAULT SERVER CONFIG:
      Ports: 80 8080 8180
      Flow Depth: 300
      Max Chunk Length: 500000
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Disable Alerting: NO
      Oversize Dir Length: 500
      Only inspect URI: NO
      Ascii: YES alert: NO
      Double Decoding: YES alert: YES
      %U Encoding: YES alert: YES
      Bare Byte: YES alert: YES
      Base36: OFF
      UTF 8: OFF
      IIS Unicode: YES alert: YES
      Multiple Slash: YES alert: NO
      IIS Backslash: YES alert: NO
      Directory: YES alert: NO
      Apache WhiteSpace: YES alert: YES
      IIS Delimiter: YES alert: YES
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
      Non-RFC Compliant Characters: NONE
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
database: compiled support for ( mysql )
database: configured to use mysql
database:          user = xxxx
database: password is set
database: database name = snort
database:          host = localhost
database:   sensor name = unknown:bridge0
database:     sensor id = 2
database: schema version = 106
database: using the "alert" facility
1679 Snort rules read...
1679 Option Chains linked into 156 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| gen-id=1      sig-id=2275     type=Threshold tracking=dst count=5   seconds=60
+-----------------------[suppression]------------------------------------------
-------------------------------------------------------------------------------
Rule application order: ->pass->activation->dynamic->alert->log

        --== Initialization Complete ==--

-*> Snort! <*-
Version 2.1.2 (Build 25)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
^C
===============================================================================
Snort analyzed 264 out of 264 packets, dropping 0(0.000%) packets

Breakdown by protocol:                Action Stats:
    TCP: 0          (0.000%)          ALERTS: 0
    UDP: 9          (3.409%)          LOGGED: 0
   ICMP: 0          (0.000%)          PASSED: 0
    ARP: 255        (96.591%)
  EAPOL: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 0          (0.000%)
DISCARD: 0          (0.000%)
===============================================================================
Wireless Stats:
Breakdown by type:
    Management Packets: 0          (0.000%)
    Control Packets:    0          (0.000%)
    Data Packets:       0          (0.000%)
===============================================================================
Fragmentation Stats:
Fragmented IP Packets: 0          (0.000%)
    Fragment Trackers: 0
   Rebuilt IP Packets: 0
   Frag elements used: 0
Discarded(incomplete): 0
   Discarded(timeout): 0
  Frag2 memory faults: 0
===============================================================================
TCP Stream Reassembly Stats:
        TCP Packets Used: 0          (0.000%)
         Stream Trackers: 0
          Stream flushes: 0
           Segments used: 0
   Stream4 Memory Faults: 0
===============================================================================
Final Flow Statistics
,----[ FLOWCACHE STATS ]----------
Memcap: 10485760 Overhead Bytes 16400 used(%0.159130)/blocks (16686/3) Overhead blocks: 1 Could Hold: (73326)
IPV4 count: 2 frees: 0 low_time: 1082587587, high_time: 1082587588, diff: 0h:00:01s
    finds: 9 reversed: 0(%0.000000)
    find_sucess: 7 find_fail: 2 percent_success: (%77.777778) new_flows: 2
  Protocol: 17 (%100.000000)
    finds: 9 reversed: 0(%0.000000)
    find_sucess: 7 find_fail: 2 percent_success: (%77.777778) new_flows: 2
database: Closing connection to database ""
Snort exiting
machine1# exit
machine1# exit

Script done on Wed Apr 21 18:47:28 2004

Script started on Wed Apr 21 18:54:52 2004
machine1# mysql -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 17 to server version: 3.23.57-log

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> use snort
Database changed
mysql> show tables;
+------------------+
| Tables_in_snort  |
+------------------+
| acid_ag          |
| acid_ag_alert    |
| acid_event       |
| acid_ip_cache    |
| data             |
| detail           |
| encoding         |
| event            |
| flags            |
| icmphdr          |
| iphdr            |
| opt              |
| protocols        |
| reference        |
| reference_system |
| schema           |
| sensor           |
| services         |
| sig_class        |
| sig_reference    |
| signature        |
| tcphdr           |
| udphdr           |
+------------------+
23 rows in set (0.00 sec)

mysql> quit
Bye
machine1# exit
machine1# exit

Script done on Wed Apr 21 18:55:33 2004

/etc/snort/snort.conf (default from install with comments removed)
==========================
var HOME_NET any
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var RULE_PATH /etc/snort/rules
preprocessor flow: stats_interval 0 hash 2
preprocessor frag2
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
output database: alert, mysql, user=fooman password=chu dbname=snort host=localhost
include classification.config
include reference.config
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/experimental.rules
--------------------------------------------

/var/log/messages
==================================
Apr 21 14:00:01 machine1 newsyslog[2947]: logfile turned over
Apr 21 14:00:01 machine1 syslogd: restart
Apr 21 14:04:19 machine1 snort: Final Flow Statistics
Apr 21 14:04:19 machine1 snort: Snort exiting
Apr 21 14:05:14 machine1 snort: OpenPcap() device bridge0 network lookup: bridge0: no IPv4 address assigned
Apr 21 14:05:14 machine1 snort: Initializing daemon mode
Apr 21 14:05:14 machine1 snort: PID path stat checked out ok, PID path set to /var/run/
Apr 21 14:05:14 machine1 snort: Writing PID "11540" to file "/var/run//snort_bridge0.pid"
Apr 21 14:05:14 machine1 snort: ,-----------[Flow Config]----------------------
Apr 21 14:05:14 machine1 snort: | Stats Interval: 0
Apr 21 14:05:14 machine1 snort: | Hash Method: 2
Apr 21 14:05:14 machine1 snort: | Memcap: 10485760
Apr 21 14:05:14 machine1 snort: | Rows : 4099
Apr 21 14:05:14 machine1 snort: | Overhead Bytes: 16400(%0.16)
Apr 21 14:05:14 machine1 snort: `----------------------------------------------
Apr 21 14:05:14 machine1 snort: HttpInspect Config:
Apr 21 14:05:14 machine1 snort: GLOBAL CONFIG
Apr 21 14:05:14 machine1 snort: Max Pipeline Requests: 0
Apr 21 14:05:14 machine1 snort: Inspection Type: STATELESS
Apr 21 14:05:14 machine1 snort: Detect Proxy Usage: NO
Apr 21 14:05:14 machine1 snort: IIS Unicode Map Filename: ./unicode.map
Apr 21 14:05:14 machine1 snort: IIS Unicode Map Codepage: 1252
Apr 21 14:05:14 machine1 snort: DEFAULT SERVER CONFIG:
Apr 21 14:05:14 machine1 snort: Ports:
Apr 21 14:05:14 machine1 snort: 80
Apr 21 14:05:14 machine1 snort: 8080
Apr 21 14:05:14 machine1 snort: 8180
Apr 21 14:05:14 machine1 snort:
Apr 21 14:05:14 machine1 snort: Flow Depth: 300
Apr 21 14:05:14 machine1 snort: Max Chunk Length: 500000
Apr 21 14:05:14 machine1 snort: Inspect Pipeline Requests: YES
Apr 21 14:05:14 machine1 snort: URI Discovery Strict Mode: NO
Apr 21 14:05:14 machine1 snort: Allow Proxy Usage: NO
Apr 21 14:05:14 machine1 snort: Disable Alerting: NO
Apr 21 14:05:14 machine1 snort: Oversize Dir Length: 500
Apr 21 14:05:14 machine1 snort: Only inspect URI: NO
Apr 21 14:05:14 machine1 snort: Ascii: YES alert: NO
Apr 21 14:05:14 machine1 snort: Double Decoding: YES alert: YES
Apr 21 14:05:14 machine1 snort: %U Encoding: YES alert: YES
Apr 21 14:05:14 machine1 snort: Bare Byte: YES alert: YES
Apr 21 14:05:14 machine1 snort: Base36: OFF
Apr 21 14:05:14 machine1 snort: UTF 8: OFF
Apr 21 14:05:14 machine1 snort: IIS Unicode: YES alert: YES
Apr 21 14:05:14 machine1 snort: Multiple Slash: YES alert: NO
Apr 21 14:05:14 machine1 snort: IIS Backslash: YES alert: NO
Apr 21 14:05:14 machine1 snort: Directory: YES alert: NO
Apr 21 14:05:14 machine1 snort: Apache WhiteSpace: YES alert: YES
Apr 21 14:05:14 machine1 snort: IIS Delimiter: YES alert: YES
Apr 21 14:05:14 machine1 snort: IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
Apr 21 14:05:14 machine1 snort: Non-RFC Compliant Characters:
Apr 21 14:05:14 machine1 snort: NONE
Apr 21 14:05:14 machine1 snort:
Apr 21 14:05:14 machine1 snort: rpc_decode arguments:
Apr 21 14:05:14 machine1 snort: Ports to decode RPC on: 111 32771
Apr 21 14:05:14 machine1 snort: alert_fragments: INACTIVE
Apr 21 14:05:14 machine1 snort: alert_large_fragments: ACTIVE
Apr 21 14:05:14 machine1 snort: alert_incomplete: ACTIVE
Apr 21 14:05:14 machine1 snort: alert_multiple_requests: ACTIVE
Apr 21 14:05:14 machine1 snort: telnet_decode arguments:
Apr 21 14:05:14 machine1 snort: Ports to decode telnet on: 21 23 25 119
Apr 21 14:05:14 machine1 snort: Snort sucessfully loaded all rules and checked all rule chains!
Apr 21 14:05:14 machine1 snort: Final Flow Statistics
Apr 21 14:05:14 machine1 snort: Snort exiting
Apr 21 15:00:01 machine1 syslogd: restart
Apr 21 15:01:32 machine1 snort: OpenPcap() device bridge0 network lookup: bridge0: no IPv4 address assigned
Apr 21 15:01:32 machine1 snort: Initializing daemon mode
Apr 21 15:01:32 machine1 snort: PID path stat checked out ok, PID path set to /var/run/
Apr 21 15:01:32 machine1 snort: Writing PID "14219" to file "/var/run//snort_bridge0.pid"
Apr 21 15:01:32 machine1 snort: ,-----------[Flow Config]----------------------
Apr 21 15:01:32 machine1 snort: | Stats Interval: 0
Apr 21 15:01:32 machine1 snort: | Hash Method: 2
Apr 21 15:01:32 machine1 snort: | Memcap: 10485760
Apr 21 15:01:32 machine1 snort: | Rows : 4099
Apr 21 15:01:32 machine1 snort: | Overhead Bytes: 16400(%0.16)
Apr 21 15:01:32 machine1 snort: `----------------------------------------------
Apr 21 15:01:32 machine1 snort: HttpInspect Config:
Apr 21 15:01:32 machine1 snort: GLOBAL CONFIG
Apr 21 15:01:32 machine1 snort: Max Pipeline Requests: 0
Apr 21 15:01:32 machine1 snort: Inspection Type: STATELESS
Apr 21 15:01:32 machine1 snort: Detect Proxy Usage: NO
Apr 21 15:01:32 machine1 snort: IIS Unicode Map Filename: /etc/snort/unicode.map
Apr 21 15:01:32 machine1 snort: IIS Unicode Map Codepage: 1252
Apr 21 15:01:32 machine1 snort: DEFAULT SERVER CONFIG:
Apr 21 15:01:32 machine1 snort: Ports:
Apr 21 15:01:32 machine1 snort: 80
Apr 21 15:01:32 machine1 snort: 8080
Apr 21 15:01:32 machine1 snort: 8180
Apr 21 15:01:32 machine1 snort:
Apr 21 15:01:32 machine1 snort: Flow Depth: 300
Apr 21 15:01:32 machine1 snort: Max Chunk Length: 500000
Apr 21 15:01:32 machine1 snort: Inspect Pipeline Requests: YES
Apr 21 15:01:32 machine1 snort: URI Discovery Strict Mode: NO
Apr 21 15:01:32 machine1 snort: Allow Proxy Usage: NO
Apr 21 15:01:32 machine1 snort: Disable Alerting: NO
Apr 21 15:01:32 machine1 snort: Oversize Dir Length: 500
Apr 21 15:01:32 machine1 snort: Only inspect URI: NO
Apr 21 15:01:32 machine1 snort: Ascii: YES alert: NO
Apr 21 15:01:32 machine1 snort: Double Decoding: YES alert: YES
Apr 21 15:01:32 machine1 snort: %U Encoding: YES alert: YES
Apr 21 15:01:32 machine1 snort: Bare Byte: YES alert: YES
Apr 21 15:01:32 machine1 snort: Base36: OFF
Apr 21 15:01:32 machine1 snort: UTF 8: OFF
Apr 21 15:01:32 machine1 snort: IIS Unicode: YES alert: YES
Apr 21 15:01:32 machine1 snort: Multiple Slash: YES alert: NO
Apr 21 15:01:32 machine1 snort: IIS Backslash: YES alert: NO
Apr 21 15:01:32 machine1 snort: Directory: YES alert: NO
Apr 21 15:01:32 machine1 snort: Apache WhiteSpace: YES alert: YES
Apr 21 15:01:32 machine1 snort: IIS Delimiter: YES alert: YES
Apr 21 15:01:32 machine1 snort: IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
Apr 21 15:01:32 machine1 snort: Non-RFC Compliant Characters:
Apr 21 15:01:32 machine1 snort: NONE
Apr 21 15:01:32 machine1 snort:
Apr 21 15:01:32 machine1 snort: rpc_decode arguments:
Apr 21 15:01:32 machine1 snort: Ports to decode RPC on: 111 32771
Apr 21 15:01:32 machine1 snort: alert_fragments: INACTIVE
Apr 21 15:01:32 machine1 snort: alert_large_fragments: ACTIVE
Apr 21 15:01:32 machine1 snort: alert_incomplete: ACTIVE
Apr 21 15:01:32 machine1 snort: alert_multiple_requests: ACTIVE
Apr 21 15:01:32 machine1 snort: telnet_decode arguments:
Apr 21 15:01:32 machine1 snort: Ports to decode telnet on: 21 23 25 119
Apr 21 15:01:32 machine1 snort: Snort initialization completed successfully
Apr 21 18:20:43 machine1 snort: Final Flow Statistics
Apr 21 18:20:43 machine1 snort: Snort exiting
Apr 21 19:11:07 machine1 login: 1 LOGIN FAILURE ON ttyC0
Apr 21 19:13:24 machine1 login: 1 LOGIN FAILURE ON ttyC0
Apr 21 20:00:01 machine1 syslogd: restart
Apr 21 20:47:40 machine1 login: 1 LOGIN FAILURE ON ttyC0
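Added example, not part of the original post and not Snort project code: a small Python triage script for exactly the kind of "no alerts" report above. The exit summary the post includes is the most informative piece of data in it: Snort decoded 264 packets, 255 of them ARP and 0 TCP, so no TCP SYN-scan traffic reached the detection engine during that run and no TCP rule could fire, whatever the state of the database output plugin. The script parses Snort 2.x's "Snort analyzed ... / Breakdown by protocol / Action Stats" block and the syslog lines, and orders the checks so that traffic visibility is ruled out before rules and output plugins are suspected. The sample summary and log lines are constructed from the post's own data; the finding strings and thresholds (such as the 90% ARP ratio) are my own choices.

```python
import re

# Constructed sample: the exit summary from the post, reproduced as test input.
SAMPLE_SUMMARY = """\
===============================================================================
Snort analyzed 264 out of 264 packets, dropping 0(0.000%) packets

Breakdown by protocol:                Action Stats:
    TCP: 0          (0.000%)          ALERTS: 0
    UDP: 9          (3.409%)          LOGGED: 0
   ICMP: 0          (0.000%)          PASSED: 0
    ARP: 255        (96.591%)
  EAPOL: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 0          (0.000%)
DISCARD: 0          (0.000%)
===============================================================================
"""

# Constructed sample syslog lines, taken from the post's /var/log/messages excerpt.
SAMPLE_LOG = [
    "Apr 21 15:01:32 machine1 snort: OpenPcap() device bridge0 network lookup: "
    "bridge0: no IPv4 address assigned",
    "Apr 21 15:01:32 machine1 snort: Snort initialization completed successfully",
]

ANALYZED_RE = re.compile(r"Snort analyzed (\d+) out of (\d+) packets, dropping (\d+)")
# Protocol rows look like "    ARP: 255        (96.591%)"; the name may contain
# lowercase letters (IPv6), so the class is not restricted to uppercase.
PROTO_RE = re.compile(r"^\s*([A-Za-z0-9]+):\s+(\d+)\s+\([\d.]+%\)")
# Action counters share lines with the first three protocol rows.
ACTION_RE = re.compile(r"(ALERTS|LOGGED|PASSED):\s+(\d+)")


def parse_snort_summary(text):
    """Parse Snort 2.x exit statistics into packet counts per protocol and per action."""
    stats = {"analyzed": 0, "received": 0, "dropped": 0, "protocols": {}, "actions": {}}
    for line in text.splitlines():
        m = ANALYZED_RE.search(line)
        if m:
            stats["analyzed"], stats["received"], stats["dropped"] = map(int, m.groups())
            continue
        m = PROTO_RE.match(line)
        if m:
            stats["protocols"][m.group(1)] = int(m.group(2))
        m = ACTION_RE.search(line)
        if m:
            stats["actions"][m.group(1)] = int(m.group(2))
    return stats


def assess_visibility(stats, log_lines, arp_ratio=0.9):
    """Return findings, ordered from 'sensor saw nothing' to 'sensor saw traffic but no alerts'."""
    findings = []
    protos = stats["protocols"]
    total = stats["analyzed"]
    if any("no IPv4 address assigned" in line for line in log_lines):
        findings.append("sniffing interface has no IPv4 address; pcap network lookup "
                        "failed but capture itself still ran (see packet count)")
    if total == 0:
        findings.append("no packets decoded at all: check the interface and any BPF filter")
    elif protos.get("TCP", 0) == 0:
        findings.append("no TCP packets decoded: a TCP SYN scan cannot trigger any rule")
    arp = protos.get("ARP", 0)
    if total and arp / total > arp_ratio:
        findings.append("capture is %.0f%% ARP: the sensor saw almost no IP traffic"
                        % (100.0 * arp / total))
    if stats["dropped"]:
        findings.append("%d packets dropped by pcap" % stats["dropped"])
    if not findings and stats["actions"].get("ALERTS", 0) == 0:
        findings.append("IP traffic was seen but produced 0 alerts: now check the rule "
                        "set and the output plugins")
    return findings


if __name__ == "__main__":
    parsed = parse_snort_summary(SAMPLE_SUMMARY)
    for finding in assess_visibility(parsed, SAMPLE_LOG):
        print("-", finding)
```

Run against the post's own summary, the script reports the missing IPv4 address, the absence of decoded TCP, and the 97% ARP share; only when none of those fire does it point at rules and the database plugin, which is the order in which a sensor problem like this one is cheapest to work through.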