Snort mailing list archives
RE: My BASE did not have any alerts
From: "Adam Kliarsky" <360air () comcast net>
Date: Mon, 18 Apr 2005 21:01:17 -0700
Yes, when you log in to mysql, use the user specified in the snort config file, grab the snort db (if snort is the db listed in snort.conf/base_conf.php) and display the tables to verify everything is set up:

    [user@localhost ~]$ mysql -u snort -p    # prompts for the password
    mysql> use snort;
    mysql> show tables;

Any luck after running snort (anything showing up on the main console?)

Also, Patrick Harper has posted some good papers w/ Snort/MySQL/BASE etc - you may find these useful; you can find the latest here - http://www.internetsecurityguru.com

-----Original Message-----
From: mr leokenzie [mailto:tenminustwo () hotmail com]
Sent: Monday, April 18, 2005 8:13 PM
To: 360air () comcast net
Subject: RE: [Snort-users] My BASE did not have any alerts

I can run Snort but what do you mean by "did you verify that you can login to MySQL with the user supplied in snort.conf?" I will just do a mysql -p and enter my password to go to the mysql> prompt. Is that correct? After all that is done will nessus's scan show some alert stats?

Thanks a lot

From: "Adam Kliarsky" <360air () comcast net>
Reply-To: <360air () comcast net>
To: "'mr leokenzie'" <tenminustwo () hotmail com>,<snort-users () lists sourceforge net>
Subject: RE: [Snort-users] My BASE did not have any alerts
Date: Sun, 17 Apr 2005 09:19:36 -0700

Yeah, Nessus should produce all sorts of red on your base console

Ok, assuming you're on a *nix system, do the following

1. check for the running snort process ("ps -aux | grep snort")
   You should see two entries if snort is running (one for the process, and one for your ps query)
   If snort is not running, start it up ("snort -c <path to snort.conf> -i <interface>")
2. packet dump on the same interface to make sure libpcap is working and capturing packets - "snort -dv -i <interface>" - this will display the packets to the screen so you can check
3. check the logs to see if you are getting mysql login errors or other similar - (/var/log/messages)
4. did you verify that you can log in to MySQL with the user supplied in snort.conf?
5. check base_conf.php:
   - $Dbtype = "mysql";
   - $alert_dbname = "snort";
   - $alert_host = "localhost";
   - $alert_user = "snort";
   - $alert_password = "your own password";

Let me know if that produces anything

- Adam

-----Original Message-----
From: mr leokenzie [mailto:tenminustwo () hotmail com]
Sent: Sunday, April 17, 2005 8:38 AM
To: 360air () comcast net
Subject: RE: [Snort-users] My BASE did not have any alerts

1. I'm not sure whether I started running snort, but I did run the database
2. I have not checked whether there's an error
3. output plugin is configured as follows (output database: log, mysql, user=snort password=myown password dbname=snort host=localhost)
4. what do you mean by dump on the interface to ensure it receives the packet

When I scan nessus, does base actually show the results and stats?

Thanks

From: "Adam Kliarsky" <360air () comcast net>
Reply-To: <360air () comcast net>
To: "'mr leokenzie'" <tenminustwo () hotmail com>,<snort-users () lists sourceforge net>
Subject: RE: [Snort-users] My BASE did not have any alerts
Date: Sat, 16 Apr 2005 18:37:26 -0700

This could be related to several things

- can you describe your system (platform, db, etc)?
- did you verify snort & database processes are running? Did you restart them?
- do you see any errors (/var/log/messages)
- is the output plugin in snort.conf configured properly (output database: log, mysql, user=??? password=??? dbname=??? host=localhost)
- did you dump on the interface to ensure you're receiving packets?

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of mr leokenzie
Sent: Friday, April 15, 2005 12:33 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] My BASE did not have any alerts

What have I done wrong? I did a scan with nessus but when I go to my BASE website it did not display anything. Why is that? I make it focus on port 80 and target it at my own ip address. Please kindly help.

Thanks
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
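The cross-check behind steps 4 and 5 of the quoted checklist, as an added example that is not part of the original thread: it compares the `output database:` line Snort writes with against the `$alert_*` settings BASE reads with, since a disagreement between the two leaves the console empty. The sample file contents, the password values and the function names are constructed for illustration.

```python
import re

# Constructed samples modelled on the settings quoted in the thread;
# the password values are made up and deliberately disagree.
SNORT_CONF = """\
# output database: alert, mysql, user=old dbname=old host=localhost
output database: log, mysql, user=snort password=s3cret dbname=snort host=localhost
"""
BASE_CONF = """\
<?php
$Dbtype = "mysql";
$alert_dbname = "snort";
$alert_host = "localhost";
$alert_user = "snort";
$alert_password = "changeme";
"""

# snort.conf keyword -> base_conf.php variable (lower-cased when parsed)
FIELDS = {"dbtype": "dbtype", "dbname": "alert_dbname", "host": "alert_host",
          "user": "alert_user", "password": "alert_password"}

def parse_snort_output(text):
    """Settings of the first uncommented 'output database:' line, else None."""
    for line in map(str.strip, text.splitlines()):
        if not line.startswith("output database:"):
            continue  # also skips commented-out lines
        parts = [p.strip() for p in line.split(":", 1)[1].split(",", 2)]
        if len(parts) != 3:
            continue  # malformed: needs <facility>, <dbtype>, <parameters>
        settings = dict(kv.split("=", 1) for kv in parts[2].split() if "=" in kv)
        settings["dbtype"] = parts[1]
        return settings
    return None

def parse_base_conf(text):
    """Simple  $name = "value";  assignments, names lower-cased."""
    pat = re.compile(r"""^\s*\$(\w+)\s*=\s*(["'])(.*?)\2\s*;""", re.M)
    return {m.group(1).lower(): m.group(3) for m in pat.finditer(text)}

def find_mismatches(snort_text, base_text):
    """Describe every setting on which Snort and BASE disagree."""
    snort = parse_snort_output(snort_text)
    if snort is None:
        return ["no active 'output database:' line in snort.conf"]
    base = parse_base_conf(base_text)
    # Report field names only, never the password values themselves.
    return [f"{s} in snort.conf differs from {b} in base_conf.php"
            for s, b in FIELDS.items() if snort.get(s) != base.get(b)]

if __name__ == "__main__":
    print(find_mismatches(SNORT_CONF, BASE_CONF) or "settings agree")
```

An empty result only shows that the two files agree with each other; the MySQL login test from the top message is still what confirms the account works.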
Current thread:
- My BASE did not have any alerts mr leokenzie (Apr 15)
- Re: My BASE did not have any alerts Kevin Johnson (Apr 16)
- RE: My BASE did not have any alerts Adam Kliarsky (Apr 16)
- <Possible follow-ups>
- RE: My BASE did not have any alerts Adam Kliarsky (Apr 17)
- RE: My BASE did not have any alerts Adam Kliarsky (Apr 17)
- management console hans (Apr 18)
- Message not available
- Re: management console hans (Apr 20)
- restarting snort and archive move failed on base hans (Apr 20)
- Re: restarting snort and archive move failed on base hans (Apr 27)
- management console hans (Apr 18)