Snort mailing list archives

Re: MySQL support for Snort 2.9.4

From: Kaya Saman <kayasaman () gmail com>
Date: Wed, 12 Dec 2012 02:25:39 +0000
Well, as suggested I upgraded to Snort 2.9.4.

I cleared out the old config and libraries completely then did a 'fresh' 
install.

Now with the new version I am still at the same place I was last time.

I modified the old version of Snort to include any .rule file that was 
in the /etc/snort/rules directory and basically it hung and wouldn't start?

Same issue for 2.9.4 with clean install, I added the 2.9.3.1 .rules 
files into the rules/ dir then added them to snort.conf.

The output now is:

| gen-id=1      sig-id=2406743    type=Limit     tracking=src count=1   
seconds=60
| gen-id=1      sig-id=2404009    type=Limit     tracking=src count=1   
seconds=3600
| gen-id=1      sig-id=2406742    type=Limit     tracking=src count=1   
seconds=60
| gen-id=1      sig-id=2404012    type=Limit     tracking=src count=1   
seconds=3600
| gen-id=1      sig-id=2406745    type=Limit     tracking=src count=1   
seconds=60
| gen-id=1      sig-id=2404011    type=Limit     tracking=src count=1   
seconds=3600
| gen-id=1      sig-id=2406744    type=Limit     tracking=src count=1   
seconds=60
| gen-id=1      sig-id=2404014    type=Limit     tracking=src count=1   
seconds=3600
| gen-id=1      sig-id=2404013    type=Limit     tracking=src count=1   
seconds=3600
| gen-id=1      sig-id=2013385    type=Limit     tracking=src count=1   
seconds=360
| gen-id=1      sig-id=2000031    type=Limit     tracking=dst count=1   
seconds=60
| gen-id=1      sig-id=2500005    type=Limit     tracking=src count=1   
seconds=60
| gen-id=1      sig-id=2500004    type=Limit     tracking=src count=1   
seconds=60
| gen-id=1      sig-id=2500007    type=Limit     tracking=src count=1   
seconds=60
| gen-id=1      sig-id=2500006    type=Limit     tracking=src count=1   
seconds=60
| gen-id=1      sig-id=2500009    type=Limit     tracking=src count=1   
seconds=60
| gen-id=1      sig-id=2500008    type=Limit     tracking=src count=1   
seconds=60
| gen-id=1      sig-id=2500011    type=Limit     tracking=src count=1   
seconds=60
| gen-id=1      sig-id=2500010    type=Limit     tracking=src count=1   
seconds=60
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: 
activation->dynamic->pass->drop->sdrop->reject->alert->log
Verifying Preprocessor Configurations!
WARNING: 'ignore_any_rules' option for Stream5 UDP disabled because of 
UDP rule with flow or flowbits option.
ICMP tracking disabled, no ICMP sessions allocated
IP tracking disabled, no IP sessions allocated
WARNING: flowbits key 'file.mppl' is set but not ever checked.
WARNING: flowbits key 'ET.RBN.Malvertiser' is set but not ever checked.
WARNING: flowbits key 'file.autodesk_max' is set but not ever checked.
WARNING: flowbits key 'file.cy3' is set but not ever checked.
WARNING: flowbits key 'file.file.tar' is set but not ever checked.
WARNING: flowbits key 'file.cws' is set but not ever checked.
WARNING: flowbits key 'file.amf' is set but not ever checked.
WARNING: flowbits key 'file.rdp' is set but not ever checked.
WARNING: flowbits key 'ET.DROPIP' is set but not ever checked.
WARNING: flowbits key 'file.m4v' is set but not ever checked.
WARNING: flowbits key 'ET.HTTP.at.SSL' is set but not ever checked.
WARNING: flowbits key 'file.oless.v4' is set but not ever checked.
WARNING: flowbits key 'file.maki' is set but not ever checked.
WARNING: flowbits key 'file.ram' is set but not ever checked.
WARNING: flowbits key 'ET.iTunes.vuln' is set but not ever checked.
WARNING: flowbits key 'vnc.handshake.client' is set but not ever checked.
WARNING: flowbits key 'file.pkp' is set but not ever checked.
WARNING: flowbits key 'file.dat' is set but not ever checked.
WARNING: flowbits key 'file.plf' is set but not ever checked.
WARNING: flowbits key 'file.search-ms' is set but not ever checked.
WARNING: flowbits key 'file.ht3' is set but not ever checked.
WARNING: flowbits key 'file.3gp' is set but not ever checked.
WARNING: flowbits key 'ET.BotccIP' is set but not ever checked.
WARNING: flowbits key 'file.mht' is set but not ever checked.
WARNING: flowbits key 'file.plp' is set but not ever checked.
WARNING: flowbits key 'file.nab' is set but not ever checked.
WARNING: flowbits key 'file.rpt' is set but not ever checked.
WARNING: flowbits key 'file.cyb' is set but not ever checked.
WARNING: flowbits key 'file.bak' is set but not ever checked.
WARNING: flowbits key 'file.rmp' is set but not ever checked.
WARNING: flowbits key 'ET.Evil' is set but not ever checked.
WARNING: flowbits key 'file.addin' is set but not ever checked.
WARNING: flowbits key 'waprox.init' is set but not ever checked.
WARNING: flowbits key 'file.m4p' is set but not ever checked.
WARNING: flowbits key 'file.wma' is set but not ever checked.
WARNING: flowbits key 'ET.http.rtf.download' is set but not ever checked.
WARNING: flowbits key 'file.application' is set but not ever checked.
WARNING: flowbits key 'file.skm' is set but not ever checked.
WARNING: flowbits key 'file.csv' is set but not ever checked.
WARNING: flowbits key 'file.k3g' is set but not ever checked.
WARNING: flowbits key 'file.aiff' is set but not ever checked.
WARNING: flowbits key 'file.m4a' is set but not ever checked.
WARNING: flowbits key 'file.dvr-ms' is set but not ever checked.
WARNING: flowbits key 'file.wps' is set but not ever checked.
WARNING: flowbits key 'recordtype' is set but not ever checked.
WARNING: flowbits key 'ET.TorIP' is set but not ever checked.
WARNING: flowbits key 'file.wmp_playlist' is set but not ever checked.
WARNING: flowbits key 'file.cov' is set but not ever checked.
WARNING: flowbits key 'ET.CompIP' is set but not ever checked.
WARNING: flowbits key 'file.rp' is set but not ever checked.
WARNING: flowbits key 'file.qt' is set but not ever checked.
WARNING: flowbits key 'file.docx' is set but not ever checked.
WARNING: flowbits key 'ET.DshieldIP' is set but not ever checked.
WARNING: flowbits key 'ET.RBN' is set but not ever checked.
WARNING: flowbits key 'file.rt' is set but not ever checked.
WARNING: flowbits key 'file.vqf' is set but not ever checked.
WARNING: flowbits key 'file.mkv' is set but not ever checked.
WARNING: flowbits key 'file.mime' is set but not ever checked.
WARNING: flowbits key 'file.mov' is set but not ever checked.
WARNING: flowbits key 'file.winampskin' is set but not ever checked.
WARNING: flowbits key 'file.3g2' is set but not ever checked.
WARNING: flowbits key 'file.oless.v3' is set but not ever checked.
WARNING: flowbits key 'file.dbp' is set but not ever checked.
WARNING: flowbits key 'file.msproducer' is set but not ever checked.
WARNING: flowbits key 'file.caff' is set but not ever checked.
WARNING: flowbits key 'file.m4r' is set but not ever checked.
WARNING: flowbits key 'file.rtx' is set but not ever checked.
WARNING: flowbits key 'file.ogg' is set but not ever checked.
WARNING: flowbits key 'file.pecompact' is set but not ever checked.
WARNING: flowbits key 'file.m4b' is set but not ever checked.
WARNING: flowbits key 'file.wk4' is set but not ever checked.
WARNING: flowbits key 'file.job' is set but not ever checked.
WARNING: flowbits key 'file.autodesk_ma' is set but not ever checked.
WARNING: flowbits key 'file.daz_ds' is set but not ever checked.
WARNING: flowbits key 'file.sln' is set but not ever checked.
WARNING: flowbits key 'file.cur' is set but not ever checked.
WARNING: flowbits key 'file.jar.agent_helper' is set but not ever checked.
520 out of 1024 flowbits in use.


There is 100% cpu usage on one of the sockets but it's not progressing 
any further?

The rules directory has these files in it:


# ls /etc/snort/rules
ET-emerging-activex.rules VRT-dos.rules 
VRT-web-frontpage.rules              phishing-spam.rules
ET-emerging-attack_response.rules VRT-exploit-kit.rules 
VRT-x11.rules                        policy-multimedia.rules
ET-emerging-botcc.rules VRT-exploit.rules 
app-detect.rules                     policy-other.rules
ET-emerging-chat.rules VRT-file-executable.rules 
attack-responses.rules               policy-social.rules
ET-emerging-ciarmy.rules VRT-file-flash.rules 
backdoor.rules                       policy-spam.rules
ET-emerging-compromised.rules VRT-file-identify.rules 
bad-traffic.rules                    policy.rules
ET-emerging-current_events.rules VRT-file-image.rules 
black_list.rules                     pop2.rules
ET-emerging-deleted.rules VRT-file-multimedia.rules 
blacklist.rules                      pop3.rules
ET-emerging-dns.rules VRT-file-office.rules 
botnet-cnc.rules                     protocol-finger.rules
ET-emerging-dos.rules VRT-file-other.rules 
browser-chrome.rules                 protocol-ftp.rules
ET-emerging-drop.rules VRT-file-pdf.rules 
browser-firefox.rules                protocol-icmp.rules
ET-emerging-dshield.rules VRT-indicator-compromise.rules 
browser-ie.rules                     protocol-imap.rules
ET-emerging-exploit.rules VRT-indicator-obfuscation.rules 
browser-other.rules                  protocol-pop.rules
ET-emerging-ftp.rules VRT-indicator-shellcode.rules 
browser-plugins.rules                protocol-services.rules
ET-emerging-games.rules VRT-malware-backdoor.rules 
browser-webkit.rules                 protocol-voip.rules
ET-emerging-icmp.rules VRT-malware-cnc.rules 
chat.rules                           pua-adware.rules
ET-emerging-icmp_info.rules VRT-malware-other.rules 
content-replace.rules                pua-other.rules
ET-emerging-imap.rules VRT-malware-tools.rules 
ddos.rules                           pua-p2p.rules
ET-emerging-inappropriate.rules VRT-netbios.rules 
deleted.rules                        pua-toolbars.rules
ET-emerging-info.rules VRT-nntp.rules 
dns.rules                            rpc.rules
ET-emerging-malware.rules VRT-os-linux.rules 
dos.rules                            rservices.rules
ET-emerging-misc.rules VRT-os-other.rules 
experimental.rules                   rule.set
ET-emerging-mobile_malware.rules VRT-os-solaris.rules 
exploit-kit.rules                    scada.rules
ET-emerging-netbios.rules VRT-os-windows.rules 
exploit.rules                        scan.rules
ET-emerging-p2p.rules VRT-policy-multimedia.rules 
file-executable.rules                server-apache.rules
ET-emerging-policy.rules VRT-policy-other.rules 
file-flash.rules                     server-iis.rules
ET-emerging-pop3.rules VRT-policy-social.rules 
file-identify.rules                  server-mail.rules
ET-emerging-rbn-malvertisers.rules VRT-policy-spam.rules 
file-image.rules                     server-mssql.rules
ET-emerging-rbn.rules VRT-preprocessor.rules 
file-multimedia.rules                server-mysql.rules
ET-emerging-rpc.rules VRT-protocol-finger.rules 
file-office.rules                    server-oracle.rules
ET-emerging-scada.rules VRT-protocol-ftp.rules 
file-other.rules                     server-other.rules
ET-emerging-scan.rules VRT-protocol-icmp.rules 
file-pdf.rules                       server-webapp.rules
ET-emerging-shellcode.rules VRT-protocol-imap.rules 
finger.rules                         shellcode.rules
ET-emerging-smtp.rules VRT-protocol-pop.rules 
ftp.rules                            smtp.rules
ET-emerging-snmp.rules VRT-protocol-services.rules 
icmp-info.rules                      snmp.rules
ET-emerging-sql.rules VRT-protocol-voip.rules 
icmp.rules                           snort.rules
ET-emerging-telnet.rules VRT-pua-adware.rules 
imap.rules                           so_rules.rules
ET-emerging-tftp.rules VRT-pua-other.rules 
indicator-compromise.rules           specific-threats.rules
ET-emerging-tor.rules VRT-pua-p2p.rules 
indicator-obfuscation.rules          spyware-put.rules
ET-emerging-trojan.rules VRT-pua-toolbars.rules 
indicator-shellcode.rules            sql.rules
ET-emerging-user_agents.rules VRT-rpc.rules 
info.rules                           telnet.rules
ET-emerging-voip.rules VRT-scada.rules 
local.rules                          tftp.rules
ET-emerging-web_client.rules VRT-scan.rules 
malware-backdoor.rules               virus.rules
ET-emerging-web_server.rules VRT-sensitive-data.rules 
malware-cnc.rules                    voip.rules
ET-emerging-web_specific_apps.rules VRT-server-apache.rules 
malware-other.rules                  web-activex.rules
ET-emerging-worm.rules VRT-server-iis.rules 
malware-tools.rules                  web-attacks.rules
VRT-app-detect.rules VRT-server-mail.rules 
misc.rules                           web-cgi.rules
VRT-blacklist.rules VRT-server-mssql.rules 
multimedia.rules                     web-client.rules
VRT-botnet-cnc.rules VRT-server-mysql.rules 
mysql.rules                          web-coldfusion.rules
VRT-browser-chrome.rules VRT-server-oracle.rules 
netbios.rules                        web-frontpage.rules
VRT-browser-firefox.rules VRT-server-other.rules 
nntp.rules                           web-iis.rules
VRT-browser-ie.rules VRT-server-webapp.rules 
oracle.rules                         web-misc.rules
VRT-browser-other.rules VRT-snmp.rules 
os-linux.rules                       web-php.rules
VRT-browser-plugins.rules VRT-specific-threats.rules 
os-other.rules                       white_list.rules
VRT-browser-webkit.rules VRT-sql.rules 
os-solaris.rules                     x11.rules
VRT-content-replace.rules VRT-telnet.rules                     
os-windows.rules
VRT-decoder.rules VRT-tftp.rules                       other-ids.rules
VRT-dns.rules VRT-web-client.rules                 p2p.rules


Even before all the extra rules were included a few tests didn't come up 
with any logging either so I'm still in the same place and totally lost???


Regards,


Kaya

------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:

Re: MySQL support for Snort 2.9.4, (continued)
- - - Re: MySQL support for Snort 2.9.4 Joel Esler (Dec 11)
    - Re: MySQL support for Snort 2.9.4 Kaya Saman (Dec 11)
    - Re: MySQL support for Snort 2.9.4 Joel Esler (Dec 11)
    - Re: MySQL support for Snort 2.9.4 Kaya Saman (Dec 11)
    - Re: MySQL support for Snort 2.9.4 Joel Esler (Dec 11)
    - Re: MySQL support for Snort 2.9.4 Kaya Saman (Dec 11)
    - Re: MySQL support for Snort 2.9.4 waldo kitty (Dec 12)
    - Re: MySQL support for Snort 2.9.4 Russ Combs (Dec 12)
    - Re: MySQL support for Snort 2.9.4 waldo kitty (Dec 12)
    - Re: MySQL support for Snort 2.9.4 Kaya Saman (Dec 12)
    - Re: MySQL support for Snort 2.9.4 Kaya Saman (Dec 11)
    - Re: MySQL support for Snort 2.9.4 Kaya Saman (Dec 11)
    - Re: MySQL support for Snort 2.9.4 Jeremy Hoel (Dec 11)
    - Re: MySQL support for Snort 2.9.4 Kaya Saman (Dec 11)
    - Re: MySQL support for Snort 2.9.4 Joel Esler (Dec 11)
    - Re: MySQL support for Snort 2.9.4 Jeremy Hoel (Dec 11)
    - Re: MySQL support for Snort 2.9.4 Kaya Saman (Dec 11)
    - Re: MySQL support for Snort 2.9.4 Jeremy Hoel (Dec 11)
    - Re: MySQL support for Snort 2.9.4 Kaya Saman (Dec 11)
    - Re: MySQL support for Snort 2.9.4 Jeremy Hoel (Dec 11)
    - Re: MySQL support for Snort 2.9.4 waldo kitty (Dec 12)
(Thread continues...)