Snort mailing list archives
Re: Why can't I see tcp flags for a triggered alert (snort+base)
From: Joel Esler <eslerj () gmail com>
Date: Thu, 22 Jan 2009 10:51:26 -0500
John,

Don't think you screwed anything up. I'd like you to try something: if Snort can log directly to the db, does it log the tcp flags?

Joel

On Jan 22, 2009, at 10:48 AM, John Huss allegedly wrote:
> I see nothing in any of your pastings that indicates that something wouldn't be operating correctly. You are using barnyard I am assuming?
>
> Joel

Hello again Joel,

Wow, thank you for continuing to help me - it is very appreciated - I'm completely stuck now and don't know what to try next.

Yes, I use barnyard and that is adding the alerts to MySQL for me. The config file and runtime args are copied below should that help:

----- /etc/snort/barnyard.conf -----
config hostname: 1.2.3.4
config interface: eth1
output alert_acid_db: mysql, sensor_id 1, database snort, server 127.0.0.1, user snort, password snort
output log_acid_db: mysql, sensor_id 1, database snort, server 127.0.0.1, user snort, password snort

----- cli-args -----
/usr/bin/barnyard -D -c /etc/snort/barnyard.conf -d /var/log/snort -g /etc/snort/gen-msg.map -s /etc/snort/sid-msg.map -w /var/log/snort/barnyard.waldo -L /var/log/snort -a /var/log/snort/archive -f snort.log -X /var/run/barnyard.pid

I recall having problems when I set up barnyard in that in MySQL I had no entry in the sensor table. Once I added an entry, barnyard was then able to process the snort logs and store alert data. Could I have screwed up something by doing that? *digs out my notes* Here's what I added:

insert into sensor set hostname='0.0.0.0', interface='eth1', filter='NULL', detail='1', encoding='0', last_cid='1';

This PC has no IP address configured on interface eth1.

Sorry if I'm being stupid and/or have screwed things up!

Kind Regards,
Johnny
--
Joel Esler
http://www.joelesler.net
http://www.twitter.com/joelesler
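Joel's suggestion is a differential test: if Snort's own database output plugin writes the flags but the barnyard path does not, the problem is on the barnyard side rather than in BASE. The other half of that test is looking at the database directly, because BASE renders the TCP flags from the tcphdr table, so an alert whose tcphdr row is absent shows no flags regardless of which writer produced it. The script below is an added example and is not code from the thread, from Snort, barnyard or BASE. It builds a subset of the ACID/BASE schema in SQLite (the table and column names follow Snort's create_mysql script; assumption: they match the schema in use here), loads constructed sample rows, lists TCP events that have no tcphdr row, and decodes tcp_flags into Snort's "12UAPRSF" alert-style string. The meaning of sensor.detail (1 = full, 0 = fast) is taken from Snort's database output plugin documentation and is an assumption about this version. Against a real MySQL instance the same three queries can be pasted into the mysql client as-is.

```python
import sqlite3

# Subset of the Snort ACID/BASE schema. Table and column names follow Snort's
# create_mysql script (assumption: they match your barnyard/BASE version).
# SQLite stands in for MySQL so the example runs offline.
SCHEMA = """
CREATE TABLE sensor (sid INTEGER PRIMARY KEY, hostname TEXT, interface TEXT,
                     filter TEXT, detail INTEGER, encoding INTEGER, last_cid INTEGER);
CREATE TABLE event  (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
                     PRIMARY KEY (sid, cid));
CREATE TABLE iphdr  (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER,
                     ip_proto INTEGER, PRIMARY KEY (sid, cid));
CREATE TABLE tcphdr (sid INTEGER, cid INTEGER, tcp_sport INTEGER, tcp_dport INTEGER,
                     tcp_flags INTEGER, PRIMARY KEY (sid, cid));
"""

# Constructed sample rows, not data from the thread. Sensor 1 mirrors the row
# John inserted by hand. cid 3 is a TCP event with no tcphdr row (the symptom
# in the thread); cid 4 is UDP and is not expected to have one.
SAMPLE_ROWS = """
INSERT INTO sensor VALUES (1, '0.0.0.0', 'eth1', NULL, 1, 0, 4);
INSERT INTO event  VALUES (1, 1, 1000001, '2009-01-22 10:00:01');
INSERT INTO event  VALUES (1, 2, 1000001, '2009-01-22 10:00:02');
INSERT INTO event  VALUES (1, 3, 1000002, '2009-01-22 10:00:03');
INSERT INTO event  VALUES (1, 4, 1000003, '2009-01-22 10:00:04');
INSERT INTO iphdr  VALUES (1, 1, 3232235777, 3232235778, 6);   -- 192.168.1.1 -> .2, TCP
INSERT INTO iphdr  VALUES (1, 2, 3232235778, 3232235777, 6);
INSERT INTO iphdr  VALUES (1, 3, 3232235777, 3232235778, 6);
INSERT INTO iphdr  VALUES (1, 4, 3232235777, 3232235778, 17);  -- UDP
INSERT INTO tcphdr VALUES (1, 1, 40000, 22, 2);    -- 0x02: SYN
INSERT INTO tcphdr VALUES (1, 2, 22, 40000, 18);   -- 0x12: SYN/ACK
"""

# Bit layout of tcphdr.tcp_flags (the raw 8-bit TCP flags byte), rendered in
# Snort's "12UAPRSF" alert style: a SYN/ACK (0x12) prints as ***A**S*.
FLAG_BITS = [(0x80, "1"), (0x40, "2"), (0x20, "U"), (0x10, "A"),
             (0x08, "P"), (0x04, "R"), (0x02, "S"), (0x01, "F")]


def flags_to_str(value):
    return "".join(ch if value & bit else "*" for bit, ch in FLAG_BITS)


def ip_to_str(n):
    """ACID/BASE store IPv4 addresses as unsigned 32-bit integers."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE_ROWS)
    return conn


def find_missing_tcphdr(conn):
    """(sid, cid) of TCP events (ip_proto 6) with no tcphdr row; BASE shows no flags for these."""
    rows = conn.execute("""
        SELECT e.sid, e.cid
        FROM event e
        JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
        LEFT JOIN tcphdr t ON t.sid = e.sid AND t.cid = e.cid
        WHERE i.ip_proto = 6 AND t.cid IS NULL
        ORDER BY e.sid, e.cid""").fetchall()
    return [tuple(r) for r in rows]


def event_flags(conn):
    """Decoded flag string for every event that does have a tcphdr row."""
    rows = conn.execute("""
        SELECT t.sid, t.cid, t.tcp_flags
        FROM tcphdr t
        ORDER BY t.sid, t.cid""").fetchall()
    return {(sid, cid): flags_to_str(flags) for sid, cid, flags in rows}


def fast_detail_sensors(conn):
    """Sensors whose detail column is not 1 (full); assumption: 0 means fast, i.e. header tables not populated."""
    rows = conn.execute("SELECT sid FROM sensor WHERE detail IS NOT 1").fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = open_sample_db()
    for (sid, cid), flags in sorted(event_flags(db).items()):
        print(f"sid {sid} cid {cid}: flags {flags}")
    for sid, cid in find_missing_tcphdr(db):
        print(f"sid {sid} cid {cid}: TCP event but no tcphdr row")
    for sid in fast_detail_sensors(db):
        print(f"sensor {sid}: detail is not 1 (full)")
```

On the sample data the script reports flags for cid 1 and 2 and flags cid 3 as a TCP event with no tcphdr row. Run the same LEFT JOIN on the live snort database after each of Joel's two runs (barnyard, then Snort logging directly): if the direct run populates tcphdr and the barnyard run does not, the missing flags are a barnyard problem, not a BASE one.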
Current thread:
- Why can't I see tcp flags for a triggered alert (snort+base) John Huss (Jan 21)
- Re: Why can't I see tcp flags for a triggered alert (snort+base) Joel Esler (Jan 21)
- Re: Why can't I see tcp flags for a triggered alert (snort+base) John Huss (Jan 21)
- Re: Why can't I see tcp flags for a triggered alert (snort+base) John Huss (Jan 22)
- Re: Why can't I see tcp flags for a triggered alert (snort+base) Joel Esler (Jan 22)
- Re: Why can't I see tcp flags for a triggered alert (snort+base) John Huss (Jan 22)
- Re: Why can't I see tcp flags for a triggered alert (snort+base) Joel Esler (Jan 22)
- Re: Why can't I see tcp flags for a triggered alert (snort+base) John Huss (Jan 23)
- Re: Why can't I see tcp flags for a triggered alert (snort+base) pieter claassen (Jan 23)
- Re: Why can't I see tcp flags for a triggered alert (snort+base) John Huss (Jan 23)
- Re: Why can't I see tcp flags for a triggered alert (snort+base) Joel Esler (Jan 23)
- Re: Why can't I see tcp flags for a triggered alert (snort+base) John Huss (Jan 21)
- Re: Why can't I see tcp flags for a triggered alert (snort+base) Joel Esler (Jan 21)
- Re: Why can't I see tcp flags for a triggered alert (snort+base) Shirk Dog (Jan 22)