Snort mailing list archives

Re: output module bug in 2.4.3-RC3


From: Michael W Cocke <cocke () catherders com>
Date: Mon, 23 Jan 2006 18:18:39 -0500

To be honest, I have more faith in my ability to just forward
everything to the queue than to just try to separate one thing out, but
you just gave me an interesting idea.  You mean snort -Q might be
interfering with the mysql packets, which snort without -Q isn't?

Lemme go add an accept rule for that port.

Mike-



On Mon, 23 Jan 2006 18:12:03 -0500, you wrote:

What if you were to start with something simple in the iptables rules
that sent packets to queue, like icmp only, or some unneeded service,
like ftp or telnet.  This will ensure that the queuing will not
interfere with writing to mysql and will give you a limited testbed in
order to work to get the queueing working properly.

Axton Grams


On 1/23/06, Michael W Cocke <cocke () catherders com> wrote:

<sigh>  What I forgot to write was that I'm currently running
snort_inline _AND_ snort, exactly like this -

snort_inline -c /etc/snort/snort.conf -Q
snort -c /etc/snort/snort.conf

If I drop the -Q from the snort command line (or the snort_inline
command line), database writes work fine.  What I have no confidence
in and no way to test is if anything is actually being done with the
packets in the queue.

Database connectivity is working fine - as long as I don't try to use
the QUEUE facility in either snort or snort_inline.

Mike-
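The open question in the message above is whether anything is actually consuming the packets that iptables hands to QUEUE. On the 2.4/2.6 kernels of that era the QUEUE target is served by the ip_queue module, which accepts exactly one userspace peer and exports its state in /proc/net/ip_queue (peer PID, queue length, drop counters). The following script is an added example, not code from the thread or from the Snort project: it parses that status file and reports the two conditions a sensor operator wants to catch, a queue with no peer attached (packets sit in the kernel until they are dropped) and a queue whose drop counters are climbing. The status file path, the label text and the sample contents are assumptions written to match the ip_queue proc output as I know it; the two sample blocks are constructed.

```python
"""Diagnose whether packets sent to iptables QUEUE are being consumed via ip_queue.

Added example; the field labels follow /proc/net/ip_queue as exported by the
ip_queue module (assumption: adjust the labels if your kernel prints them differently).
"""
from pathlib import Path
from typing import Dict, List, Optional

IPQ_PROC = Path("/proc/net/ip_queue")  # status file exported by the ip_queue module

# Constructed sample: iptables is sending packets to QUEUE, but no userspace
# process (e.g. snort -Q) is attached, so the kernel has started dropping them.
SAMPLE_NO_PEER = """\
Peer PID          : 0
Copy mode         : 2
Copy range        : 1500
Queue length      : 0
Queue max. length : 1024
Queue dropped     : 812
Netlink dropped   : 0
"""

# Constructed sample of a healthy queue with a consumer attached (pid 4711).
SAMPLE_HEALTHY = """\
Peer PID          : 4711
Copy mode         : 2
Copy range        : 1500
Queue length      : 3
Queue max. length : 1024
Queue dropped     : 0
Netlink dropped   : 0
"""


def parse_ipq_status(text: str) -> Dict[str, int]:
    """Turn 'Label : value' lines into a dict keyed by the lowercased label."""
    status: Dict[str, int] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        label, _, value = line.partition(":")
        key = label.strip().lower().replace(".", "")  # "Queue max. length" -> "queue max length"
        try:
            status[key] = int(value.strip())
        except ValueError:
            continue  # ignore anything that is not a plain integer field
    return status


def diagnose(status: Dict[str, int], snort_pids: Optional[List[int]] = None) -> List[str]:
    """Return human-readable findings; an empty list means the queue looks healthy."""
    findings: List[str] = []
    peer = status.get("peer pid", 0)
    if peer == 0:
        findings.append("no userspace peer attached: QUEUE'd packets are not being verdicted")
    elif snort_pids is not None and peer not in snort_pids:
        findings.append(f"peer pid {peer} is not one of the expected snort pids {snort_pids}")
    dropped = status.get("queue dropped", 0)
    if dropped > 0:
        findings.append(f"{dropped} packets dropped by the kernel queue (nobody read them in time)")
    nl_dropped = status.get("netlink dropped", 0)
    if nl_dropped > 0:
        findings.append(f"{nl_dropped} packets lost on the netlink socket to the peer")
    if status.get("queue length", 0) >= status.get("queue max length", 1):
        findings.append("queue backlog is full: the consumer is not keeping up")
    return findings


def read_live_status() -> Optional[Dict[str, int]]:
    """Parse the live status file, or return None when ip_queue is not loaded."""
    if not IPQ_PROC.exists():
        return None
    return parse_ipq_status(IPQ_PROC.read_text())


if __name__ == "__main__":
    live = read_live_status()
    status = live if live is not None else parse_ipq_status(SAMPLE_NO_PEER)
    print("source:", "live" if live is not None else "constructed sample")
    for finding in diagnose(status) or ["queue looks healthy"]:
        print(" -", finding)
```

Run it on the sensor while the iptables QUEUE rule is active: a "Peer PID" of 0 together with a rising "Queue dropped" counter is the signature of a queue nobody is reading, which also explains why packets never reach a detection engine that could log them to the database. Because ip_queue only has room for one peer, pass the PID of the one process you expect to own the queue via `snort_pids` so a stray second listener shows up as a finding.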


On Mon, 23 Jan 2006 17:14:14 -0500, you wrote:

First, verify connectivity to the db host using the mysql client on
the sensor.  It should be something along the lines of:

# mysql -p
Enter password: xxx
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 28 to server version: x.x.x


Did you configure the db for logging use in snort.conf?  The line
should look something like:

output database: log, mysql, user=<user> password=<password>
dbname=<db name> host=<host>

If so, did you create the tables in the db for snort to use to log the
alerts using ./snort-2.4.3/schemas/create_mysql?

If so, did you give the proper grants to the tables for
insert/update/delete, where appropriate, to the user defined in the
snort.conf file?

Axton Grams


On 1/23/06, Michael W Cocke <cocke () catherders com> wrote:
I was absolutely certain that it was something that I did wrong, so I
went back to the beginning, reinstalled all the requires, compiled
snort from scratch, turned on every log file I could find, and built a
rule to log every occurrence of GET on port 80.

I've tried both snort and snort-inline compiled with --enable-inline
and --with-mysql, running with this command line: snort -Q -c
/etc/snort/snort.conf -v (replace snort with snort_inline as you
wish).  I get lots of screen activity from the -v, but snort doesn't
write anything to a mysql database. Neither does snort_inline
2.4.3-RC3, compiled with the same options.

If anyone has a suggestion or would like me to try something, email
me.


Mike-
--
If you're not confused, you're not trying hard enough.
--
Please note - Due to the intense volume of spam, we have installed
site-wide spam filters at catherders.com.  If email from you bounces,
try non-HTML, non-encoded, non-attachments,


-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

