[Snort-users] snort won't log anything in mysql

alexus ml at ...1718...
Tue Apr 10 17:41:24 EDT 2001


i got my rules set from http://www.snort.org/files/snortrules.tar.gz

I haven't changed 'em a bit.. so i assume they're all right..

if you want i can send you a copy..


----- Original Message -----
From: "Mark Buchanan" <markbuchanan at ...530...>
To: "alexus" <ml at ...1718...>
Cc: <shawn at ...1184...>; "Roman Danyliw" <roman at ...438...>;
<joey at ...47...>; <snort-users at lists.sourceforge.net>
Sent: Tuesday, April 10, 2001 1:37 PM
Subject: Re: [Snort-users] snort won't log anything in mysql


>   Ok, I'm gonna just take a stab at this, cause we had something like
> this happen just a couple weeks ago...
>   Have you checked all your rules to make sure that your variables are
> all defined...  We had one variable that had two characters reversed,
> and for some reason, we seemed to keep looking at the DB stuff...  Only
> until someone did a sanity check on the rules file did we find it...
> (for some reason snort didn't report those errors verbosely)...
>   Just my 2 cents...
> Mark
>
> alexus wrote:
> >
> > this is ldd output for you
> >
> > bash-2.04$ ldd /usr/local/bin/snort
> > /usr/local/bin/snort:
> >         libpcap.so.2 => /usr/lib/libpcap.so.2 (0x28102000)
> >         libm.so.2 => /usr/lib/libm.so.2 (0x2811b000)
> >         libmysqlclient.so.10 => /usr/local/mysql/lib/mysql/libmysqlclient.so.10 (0x28136000)
> >         libc.so.4 => /usr/lib/libc.so.4 (0x28151000)
> >         libz.so.2 => /usr/lib/libz.so.2 (0x281e6000)
> >         libcrypt.so.2 => /usr/lib/libcrypt.so.2 (0x281f3000)
> > bash-2.04$
> >
> > heh ok
> >
> > i'm goin try snort-daily.tar.gz now..
> > ----- Original Message -----
> > From: "shawn . moyer" <shawn at ...1184...>
> > To: "alexus" <ml at ...1718...>
> > Cc: "Roman Danyliw" <roman at ...438...>; <joey at ...47...>;
> > <snort-users at lists.sourceforge.net>
> > Sent: Tuesday, April 10, 2001 1:21 AM
> > Subject: Re: [Snort-users] snort won't log anything in mysql
> >
> > >
> > > Prolly on snort.org as well, but I usually get it from the Sourceforge
> > > page:
> > >
> > > http://snort.sourceforge.net/snort-daily.tar.gz
> > >
> > > Okay, one more: can you paste the output of "ldd /your/path/to/snort"?
> > > Just curious.
> > >
> > > Man, when you *do* get this working, please post to the list. This has
> > > got to be the longest installation-type support thread I've seen.
> > >
> > >
> > >
> > > --shawn
> > >
> > >
> > > alexus wrote:
> > > >
> > > > i'm wondering how exactly you detect that my version of spo_database.c is old..
> > > >
> > > > and another question how can i update my spo_database.c ?
> > > >
> > > > although i got snort 1.7
> > > >
> > > > i don't see any newer snort version on their website
> > > >
> > > > ----- Original Message -----
> > > > From: "Roman Danyliw" <roman at ...438...>
> > > > To: "alexus" <ml at ...1718...>; "shawn . moyer"
> > <shawn at ...1184...>;
> > > > <joey at ...47...>
> > > > Cc: <snort-users at lists.sourceforge.net>
> > > > Sent: Monday, April 09, 2001 11:43 PM
> > > > Subject: RE: [Snort-users] snort won't log anything in mysql
> > > >
> > > > > The database plug-in (spo_database.c) in the latest version of Snort from CVS
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: alexus [mailto:ml at ...1718...]
> > > > > > Sent: Monday, April 09, 2001 10:19 PM
> > > > > > To: Roman Danyliw; shawn . moyer; joey at ...47...
> > > > > > Cc: snort-users at lists.sourceforge.net
> > > > > > Subject: Re: [Snort-users] snort won't log anything in mysql
> > > > > >
> > > > > >
> > > > > > i run snort 1.7
> > > > > > i run acid 0.9.6b7
> > > > > > i run adodb 095
> > > > > > i run mysql 3.23.36
> > > > > >
> > > > > > all latest software...
> > > > > >
> > > > > > which DB plug-in are we talking about?
> > > > > >
> > > > > > ----- Original Message -----
> > > > > > From: "Roman Danyliw" <roman at ...438...>
> > > > > > To: "alexus" <ml at ...1718...>; "shawn . moyer"
> > > > <shawn at ...1184...>;
> > > > > > <joey at ...47...>
> > > > > > Cc: <snort-users at lists.sourceforge.net>
> > > > > > Sent: Monday, April 09, 2001 8:27 PM
> > > > > > Subject: RE: [Snort-users] snort won't log anything in mysql
> > > > > >
> > > > > >
> > > > > > > From your snort output, it looks like you are not running the latest code in
> > > > > > > CVS (i.e.: not the latest DB plug-in code).  Check the latest copy and then
> > > > > > > try Joe's test case.
> > > > > > >
> > > > > > > Roman
> > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: alexus [mailto:ml at ...1718...]
> > > > > > > > Sent: Monday, April 09, 2001 4:57 PM
> > > > > > > > To: shawn . moyer
> > > > > > > > Cc: snort-users at lists.sourceforge.net; roman at ...438...
> > > > > > > > Subject: Re: [Snort-users] snort won't log anything in mysql
> > > > > > > >
> > > > > > > >
> > > > > > > > yes, I went to that website and did all those steps..
> > > > > > > >
> > > > > > > > mysql> select * from user where user='alexus';
> > > > > > > > +-----------+--------+------------------+-------------+-------------+-------------+-------------+
> > > > > > > > | Host      | User   | Password         | Select_priv | Insert_priv | Update_priv | Delete_priv |
> > > > > > > > +-----------+--------+------------------+-------------+-------------+-------------+-------------+
> > > > > > > > | localhost | alexus | 34484ed463a66850 | Y           | Y           | N           | Y           |
> > > > > > > > +-----------+--------+------------------+-------------+-------------+-------------+-------------+
> > > > > > > > +-------------+-----------+-------------+---------------+--------------+-----------+------------+
> > > > > > > > | Create_priv | Drop_priv | Reload_priv | Shutdown_priv | Process_priv | File_priv | Grant_priv |
> > > > > > > > +-------------+-----------+-------------+---------------+--------------+-----------+------------+
> > > > > > > > | N           | N         | N           | N             | N            | N         | N          |
> > > > > > > > +-------------+-----------+-------------+---------------+--------------+-----------+------------+
> > > > > > > > +-----------------+------------+------------+
> > > > > > > > | References_priv | Index_priv | Alter_priv |
> > > > > > > > +-----------------+------------+------------+
> > > > > > > > | N               | N          | N          |
> > > > > > > > +-----------------+------------+------------+
> > > > > > > > 1 row in set (0.00 sec)
> > > > > > > >
> > > > > > > > mysql>
> > > > > > > >
> > > > > > > > here is snort without -D
> > > > > > > >
> > > > > > > > su-2.04# snort -c snort.conf
> > > > > > > >
> > > > > > > >         --== Initializing Snort ==--
> > > > > > > >
> > > > > > > > Initializing Network Interface fxp0
> > > > > > > > Decoding Ethernet on interface fxp0
> > > > > > > > Initializing Preprocessors!
> > > > > > > > Initializing Plug-ins!
> > > > > > > > Initializating Output Plugins!
> > > > > > > >
> > > > > > > > +++++++++++++++++++++++++++++++++++++++++++++++++++
> > > > > > > > Initializing rule chains...
> > > > > > > > database: compiled support for ( mysql )
> > > > > > > > database: configured to use mysql
> > > > > > > > database:          user = xxx
> > > > > > > > database: database name = xxx
> > > > > > > > database:          host = xxx
> > > > > > > > database: password is set
> > > > > > > > database:   sensor name = xxx.xx.xxx.xx
> > > > > > > > database:     sensor id = 1
> > > > > > > > database: using the "log" facility
> > > > > > > > 845 Snort rules read...
> > > > > > > > 845 Option Chains linked into 130 Chain Headers
> > > > > > > > 0 Dynamic rules
> > > > > > > > +++++++++++++++++++++++++++++++++++++++++++++++++++
> > > > > > > >
> > > > > > > > Rule application order: ->activation->dynamic->alert->log->pass->redalert
> > > > > > > >
> > > > > > > >         --== Initialization Complete ==--
> > > > > > > >
> > > > > > > > -*> Snort! <*-
> > > > > > > > Version 1.7
> > > > > > > > By Martin Roesch (roesch at ...66..., www.snort.org)
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > ----- Original Message -----
> > > > > > > > From: "shawn . moyer" <shawn at ...1184...>
> > > > > > > > To: "alexus" <ml at ...1718...>
> > > > > > > > Cc: <snort-users at lists.sourceforge.net>; <roman at ...438...>
> > > > > > > > Sent: Monday, April 09, 2001 3:33 PM
> > > > > > > > Subject: Re: [Snort-users] snort won't log anything in mysql
> > > > > > > >
> > > > > > > >
> > > > > > > > > Have you followed all the docs to set the database up from
> > > > > > > > >
> > > > > > > > > http://www.incident.org/snortdb ?
> > > > > > > > >
> > > > > > > > > i.e. do you have a user in mysql that has create, insert, and select
> > > > > > > > > privileges, and have you run the create_mysql script from the contrib
> > > > > > > > > directory?
> > > > > > > > >
> > > > > > > > > Also, you might try running snort in the foreground (without the -D) and
> > > > > > > > > see what messages you see.
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > --shawn
> > > > > > > > >
> > > > > > > > > alexus wrote:
> > > > > > > > > >
> > > > > > > > > > mysql> select * from event;
> > > > > > > > > > Empty set (0.00 sec)
> > > > > > > > > >
> > > > > > > > > > mysql>
> > > > > > > > > >
> > > > > > > > > > when I used to use -s i saw snort messages there... but now no more since i removed -s
> > > > > > > > > >
> > > > > > > > > > ----- Original Message -----
> > > > > > > > > > From: <roman at ...438...>
> > > > > > > > > > To: "alexus" <ml at ...1718...>; "shawn . moyer"
> > > > > > > > <shawn at ...1184...>;
> > > > > > > > > > <snort-users at lists.sourceforge.net>
> > > > > > > > > > Sent: Monday, April 09, 2001 8:32 AM
> > > > > > > > > > Subject: Re: [Snort-users] SNORT WON'T LOG ANYTHING IN MYSQL
> > > > > > > > > >
> > > > > > > > > > > There is indeed a verbose mode in ACID.  Set $debug_mode=1
> > > > > > > > > > > in acid_conf.php.  However, I doubt this will help you much if
> > > > > > > > > > > Snort is not logging to the database correctly.  Try the following
> > > > > > > > > > > SQL from the mysql client:
> > > > > > > > > > >
> > > > > > > > > > > mysql> SELECT count(*) FROM event;
> > > > > > > > > > >
> > > > > > > > > > > If the count is 0, it is a safe bet that Snort is misconfigured.  As
> > > > > > > > > > > a side note, are you seeing these alerts in syslog or a flat file?
> > > > > > > > > > >
> > > > > > > > > > > Roman
> > > > > > > > > > >
> > > > > > > > > > > > i've tried -Dc..
> > > > > > > > > > > >
> > > > > > > > > > > > I still don't think it logs anything...
> > > > > > > > > > > >
> > > > > > > > > > > > is there any verbose mode for acid? i can see what's goin on?
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > ----- Original Message -----
> > > > > > > > > > > > From: "shawn . moyer" <shawn at ...1184...>
> > > > > > > > > > > > To: "alexus" <ml at ...1718...>
> > > > > > > > > > > > Cc: <snort-users at lists.sourceforge.net>
> > > > > > > > > > > > Sent: Monday, April 09, 2001 10:45 AM
> > > > > > > > > > > > Subject: Re: [Snort-users] SNORT WON'T LOG ANYTHING IN MYSQL
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > > alexus wrote:
> > > > > > > > > > > > >
> > > > > > > > > > > > > > snort -Dsc snort.conf
> > > > > > > > > > > > >
> > > > > > > > > > > > > < snort -Dsc snort.conf
> > > > > > > > > > > > > > snort -Dc snort.conf
> > > > > > > > > > > > >
> > > > > > > > > > > > > The -s tells it to log to syslog instead of what you specify in
> > > > > > > > > > > > > snort.conf.
> > > > > > > > > > > > >
> > > > > > > > > > > > > You know when you start it and you get the message that says "Command
> > > > > > > > > > > > > line options override plugin(s)!"? That's why.
> > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > > p.s. CAPS = SHOUTING
> > > > > > > > > > > > >
> > > > > > > > > > > > > --shawn
> > > > > > > > > > > > >
> > > > > > > > > > > > > --
> > > > > > > > > > > > >
> > > > > > > > > > > > > s h a w n   m o y e r
> > > > > > > > > > > > > shawn at ...1184...
> > > > > > > > > > > > >
> > > > > > > > > > > > > "Nuclear war would really set back cable."
> > > > > > > > > > > > >                      -- Ted Turner
> > > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > _______________________________________________
> > > > > > > > > > > > Snort-users mailing list
> > > > > > > > > > > > Snort-users at lists.sourceforge.net
> > > > > > > > > > > > Go to this URL to change user options or unsubscribe:
> > > > > > > > > > > > http://lists.sourceforge.net/lists/listinfo/snort-users
> > > > > > > > > > > > Snort-users list archive:
> > > > > > > > > > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > >
>
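An added sanity check of the kind Mark suggests above, written for this page and not code from the thread or from Snort itself: it reads a Snort 1.x style rules file, collects every `var NAME value` definition and reports each `$NAME` reference that no var line declares, so a variable with two characters transposed is caught before you go digging in the database output plug-in. The snort.conf fragment inside it is constructed for the demonstration.

```python
import re

# Constructed snort.conf fragment for the demonstration (not from the thread):
# the second var line has two characters transposed (EXTRENAL instead of
# EXTERNAL), so the rule that references $EXTERNAL_NET points at nothing.
SAMPLE_CONF = """\
var HOME_NET 10.1.1.0/24
var EXTRENAL_NET any
var DNS_SERVERS $HOME_NET
output database: log, mysql, user=snort dbname=snort host=localhost
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC test"; flags:S;)
alert udp any any -> $DNS_SERVERS 53 (msg:"DNS test";)
"""

VAR_DEF = re.compile(r"^\s*var\s+(\w+)\s+(\S.*)$")   # var NAME value
VAR_REF = re.compile(r"\$(\w+)")                     # $NAME anywhere on a line

def check_rule_variables(conf_text):
    """Return (defined, undefined) for a Snort 1.x style rules file.

    defined   -> dict mapping variable name to the value it was given
    undefined -> list of (line_number, name) for each $NAME reference
                 that no var line declares; blank and comment lines are skipped
    """
    lines = conf_text.splitlines()
    defined = {}
    for line in lines:                      # collect all definitions first
        m = VAR_DEF.match(line)
        if m:
            defined[m.group(1)] = m.group(2).strip()
    undefined = []
    for lineno, line in enumerate(lines, start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        for name in VAR_REF.findall(line):
            if name not in defined:
                undefined.append((lineno, name))
    return defined, undefined

def report(conf_text):
    """One message per undefined reference, or a single all-clear line."""
    defined, undefined = check_rule_variables(conf_text)
    if not undefined:
        return ["all %d variables defined" % len(defined)]
    return ["line %d: $%s is not defined by any var line" % (n, v)
            for n, v in undefined]

if __name__ == "__main__":
    for msg in report(SAMPLE_CONF):
        print(msg)
```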