[Snort-users] Snort, php, MySQL and acid showing no activity

Demetri Mouratis dmourati at ...3877...
Fri Aug 23 12:57:40 EDT 2002


Hmm, that's not good.  Nmap should set off all kinds of red flags.
Sounds to me like snort is not running.  Some things to check:

1.	Verify snort is running and has the correct command line options.
	Here's mine:
	/usr/local/bin/snort -b -l /var/log/snort -d -D -i eth0 -c \
	/etc/snort/snort.conf
2.	Verify that MySQL is up and running.  I use postgreSQL but I'm
	sure you can give some init script a status option to check MySQL.
3.	Verify that all the user/password info is correct for the DB.  The
	contrib directory has scripts to do this for you.
4.	I've noticed that snort bombs on me if the database wasn't started
	before snort starts.  Double check your init scripts so you won't
	run into this gotcha later.

HTH
On Fri, 23 Aug 2002, Joshua Rogers wrote:

> Ok, I ran 'nmap -v -sS -O <server ip>' on the snort machine and on another
> server. Both tests did not show up in the acid console and nothing in the
> MySQL db. There is also nothing showing up in the portscan log file. I am
> guessing I missed something in the setup.
>
> Thanks,
> Joshua Rogers
> Webmaster
> InterPlanetary Web Services
> 303-940-2597
> IBO# 60092
>
> ----- Original Message -----
> From: "Demetri Mouratis" <dmourati at ...3877...>
> To: "Randy Bey" <Randy.Bey at ...6683...>
> Cc: <Snort-users at lists.sourceforge.net>
> Sent: Friday, August 23, 2002 11:33 AM
> Subject: RE: [Snort-users] Snort, php, MySQL and acid showing no activity
>
>
> > Nmap is easier and faster in that it doesn't require client/server
> > setup:
> >
> > http://www.insecure.org
> >
> > HTH
> > On Fri, 23 Aug 2002, Randy Bey wrote:
> >
> > > Oh yes, you need to do something to trigger a rule. I usually just run a
> > > quick Nessus(tm) scan; that does it for me.
> > >
> > > If there are faster, easier ways to trip a rule, please someone let me
> > > know.
> > >
> > > Randy Bey
> > > RiverNorth Systems
> > > 7300 W 147th St Suite 300
> > > Apple Valley, MN 55124
> > > http://www.rivernorthsys.com
> > >
> > >
> > > -----Original Message-----
> > > From: Joshua Rogers [mailto:josh at ...6676...]
> > > Sent: Friday, August 23, 2002 10:24 AM
> > > To: Snort-users at lists.sourceforge.net
> > > Subject: Re: [Snort-users] Snort, php, MySQL and acid showing no activity
> > >
> > > I just tried: /usr/local/bin/snort -c /etc/snort/snort.conf -D from the
> > > command line. It created an additional sensor, but still no activity in the
> > > db. Do I need to create any alerts? It seems that I cannot create a useful
> > > alert until I have a traffic pattern to base it on. Am I correct in this
> > > assumption?
> > >
> > > Thanks,
> > > Joshua Rogers
> > > Webmaster
> > > InterPlanetary Web Services
> > > 303-940-2597
> > > IBO# 60092
> > > ----- Original Message -----
> > > From: "Randy Bey" <Randy.Bey at ...6683...>
> > > To: "Joshua Rogers" <josh at ...6676...>; <Snort-users at lists.sourceforge.net>
> > > Sent: Friday, August 23, 2002 9:31 AM
> > > Subject: RE: [Snort-users] Snort, php, MySQL and acid showing no activity
> > >
> > >
> > > Have you made sure you aren't using any -A switches on your snort
> > > command line? It should be as simple as:
> > > /usr/local/bin/snort -c /etc/snort/snort.conf -D
> > >
> > >
> > > Randy Bey
> > > RiverNorth Systems
> > > 7300 W 147th St Suite 300
> > > Apple Valley, MN 55124
> > > http://www.rivernorthsys.com
> > >
> > >
> > > -----Original Message-----
> > > From: Joshua Rogers [mailto:josh at ...6676...]
> > > Sent: Thursday, August 22, 2002 4:28 PM
> > > To: Snort-users at lists.sourceforge.net
> > > Subject: [Snort-users] Snort, php, MySQL and acid showing no activity
> > >
> > > Hi,
> > > I do not know what information will be helpful in showing me how to track
> > > down a problem on my system, but here goes. I am running:
> > > Red Hat Linux 7.3 with the latest updates
> > > PHP 4.2.1, register globals=on
> > > Apache 1.3.26
> > > MySQL 3.23.39
> > > GD 1.6.2
> > > The latest acid
> > > BCMath
> > >
> > > I followed the great doc on setting up snort-rh7-mysql, from the snort
> > > website. I had to make a few changes since I am running 7.3 and did not have
> > > all of the drive space shown in the doc. Somewhere along the line I think I
> > > missed something. Snort and MySQL seem to be running, the acid interface
> > > comes up fine with no errors, but there is no data that shows up in the
> > > database or in the acid interface.
> > > What information would you need to help point me in the right direction to
> > > get snort recording data?
> > >
> > > Thanks,
> > > Joshua Rogers
> > > Webmaster
> > > InterPlanetary Web Services
> > > 303-940-2597
> > > IBO# 60092
> > >
> > >
> > >
> > > -------------------------------------------------------
> > > This sf.net email is sponsored by: OSDN - Tired of that same old
> > > cell phone?  Get a new here for FREE!
> > > https://www.inphonic.com/r.asp?r=sourceforge1&refcode1=vs3390
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users at lists.sourceforge.net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> > ---------------------------------------------------------------------
> > Demetri Mouratis
> > dmourati at ...3878...

---------------------------------------------------------------------
Demetri Mouratis
dmourati at ...3878...
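An added example, not code from this thread or from the Snort project, that scripts the first three items of the checklist at the top of the reply: it inspects the snort command line for -c and for the -A switch Randy warns about, parses the output database line out of snort.conf, and pings MySQL where mysqladmin is installed. The process line and snort.conf excerpt inside it are constructed sample input.

```shell
#!/bin/sh
# Added example, not code from the thread or from Snort: offline checks for
# checklist items 1-3 (snort command line, MySQL reachable, DB plugin config).

# Item 1: the command line must load a config with -c and, as Randy points
# out in the thread, must not carry an -A switch, which overrides the output
# plugins declared in snort.conf so nothing reaches the database.
check_snort_cmdline() {
  case " $1 " in
    *" -c "*) ;;
    *) echo "snort started without -c <snort.conf>"; return 1 ;;
  esac
  case " $1 " in
    *" -A "*) echo "-A on the command line overrides snort.conf output plugins"; return 1 ;;
  esac
  return 0
}

# Item 3: snort.conf must carry an 'output database: ..., mysql, ...' line
# with user=, dbname= and host= so the credentials ACID will rely on exist.
check_db_output() {
  line=$(printf '%s\n' "$1" | grep -i '^output database:.*mysql' | head -n 1)
  [ -n "$line" ] || { echo "no mysql 'output database:' line in snort.conf"; return 1; }
  for key in user dbname host; do
    case "$line" in
      *"$key="*) ;;
      *) echo "output database line is missing $key="; return 1 ;;
    esac
  done
  return 0
}

# Constructed sample input (the process line mirrors the one in the reply).
SAMPLE_PS='/usr/local/bin/snort -b -l /var/log/snort -d -D -i eth0 -c /etc/snort/snort.conf'
SAMPLE_CONF='var HOME_NET any
output database: log, mysql, user=snort password=example dbname=snort host=localhost'

check_snort_cmdline "$SAMPLE_PS" && echo "snort command line: ok"
check_db_output "$SAMPLE_CONF" && echo "snort.conf output database: ok"

# Item 2: live check, only where the MySQL client tools are installed.
if command -v mysqladmin >/dev/null 2>&1; then
  mysqladmin ping || echo "MySQL not answering; start it before snort (item 4)"
fi
```

On a real sensor, replace SAMPLE_PS with the output of `ps -o args= -C snort` and SAMPLE_CONF with the contents of /etc/snort/snort.conf.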