[Snort-users] Snort, php, MySQL and acid showing no activity

McClure Gammon gammon.mcclure at ...4990...
Fri Aug 23 13:05:04 EDT 2002


Joshua,
Not to be asking stupid questions, but are you in a switched environment?  (Keep in mind some "hubs" are really switches.)  If so, you'll need to span or mirror the ports of interest to the port where snort is plugged in.  The easiest way to debug this is to start simple: can you get alerts to the console (other than broadcast) running just snort -dv?  If all you see are broadcasts, you're switched.  If you see other stuff, we can get more complicated.

Gammon
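As an added example (not part of the original thread), the test described above can be applied mechanically. The script below takes packet header lines in the shape `snort -v` (or `tcpdump -n`) prints, buckets each packet by destination, and reports whether the sensor ever sees unicast traffic between two other hosts. The sample lines, the sensor address 192.168.1.50 and the subnet 192.168.1.0/24 are all constructed for the example, not taken from a real capture.

```python
"""Tell a switched segment from a hub / mirrored port by what the sniffing
interface actually sees.

Added example.  The packet lines below are constructed to resemble the
header lines of `snort -v` output; they are not a real capture.  The
sensor address and local subnet are assumptions for the example.
"""
import ipaddress
import re
from collections import Counter

# Matches "src[:port] -> dst[:port]" on a snort -v / tcpdump header line.
# The timestamp in front of it never forms a dotted quad, so search() is safe.
HEADER_RE = re.compile(
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s*->\s*"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?"
)

SENSOR_IP = "192.168.1.50"        # assumed address of the snort box
LOCAL_NET = "192.168.1.0/24"      # assumed subnet the sensor sits on

# Constructed sample: what a sensor on a plain switch port sees.  NetBIOS
# broadcasts, a RIP multicast, and its own SSH session.  Non-header lines
# (the "UDP TTL:" line) are skipped by the parser.
SWITCHED_SAMPLE = [
    "08/23-13:05:01.000001 192.168.1.20:137 -> 192.168.1.255:137",
    "UDP TTL:128 TOS:0x0 ID:1 IpLen:20 DgmLen:78",
    "08/23-13:05:01.500000 192.168.1.7:138 -> 192.168.1.255:138",
    "08/23-13:05:02.000001 192.168.1.1 -> 224.0.0.9",
    "08/23-13:05:02.100000 192.168.1.10:1025 -> 192.168.1.50:22",
    "08/23-13:05:02.100500 192.168.1.50:22 -> 192.168.1.10:1025",
]

# Constructed sample: same traffic plus one packet between two other hosts,
# which only a hub or a mirrored port would deliver to the sensor.
HUB_SAMPLE = SWITCHED_SAMPLE + [
    "08/23-13:05:03.000001 192.168.1.20:1034 -> 192.168.1.30:80",
]


def classify_dst(dst: str, sensor_ip: str, local_net: str) -> str:
    """Bucket a destination address.

    broadcast / multicast: delivered to every port, visible even when switched.
    sensor:               the sensor's own traffic, also visible when switched.
    other-unicast:        third-party traffic, only seen on a hub or SPAN port.
    """
    addr = ipaddress.ip_address(dst)
    net = ipaddress.ip_network(local_net, strict=False)
    if addr == ipaddress.ip_address("255.255.255.255") or addr == net.broadcast_address:
        return "broadcast"
    if addr.is_multicast:
        return "multicast"
    if addr == ipaddress.ip_address(sensor_ip):
        return "sensor"
    return "other-unicast"


def classify_capture(lines, sensor_ip: str = SENSOR_IP, local_net: str = LOCAL_NET) -> Counter:
    """Count packets per bucket from snort -v style header lines."""
    counts: Counter = Counter()
    for line in lines:
        m = HEADER_RE.search(line)
        if not m:
            continue  # protocol detail or payload dump line, not a header
        src, dst = m.group("src"), m.group("dst")
        if src == sensor_ip:
            counts["sensor"] += 1   # packets the sensor itself sent
            continue
        counts[classify_dst(dst, sensor_ip, local_net)] += 1
    return counts


def segment_verdict(counts: Counter) -> str:
    """Interpret the counts the way the advice above does."""
    if counts["other-unicast"] > 0:
        return "hub-or-span"   # third-party unicast seen: sensor sees the segment
    if sum(counts.values()) == 0:
        return "no-traffic"    # nothing parsed: check -i and promiscuous mode first
    return "switched"          # only broadcast/multicast/own traffic: configure SPAN


if __name__ == "__main__":
    for name, sample in (("switched", SWITCHED_SAMPLE), ("hub", HUB_SAMPLE)):
        c = classify_capture(sample)
        print(f"{name}: {dict(c)} -> {segment_verdict(c)}")
```

Run it against real `snort -v` output piped in from the sensor's interface, with SENSOR_IP and LOCAL_NET set for that box. Note that a scan launched from the snort machine itself, as in the nmap test further down the thread, is the sensor's own traffic and is visible on a switched port too; if that scan produces no alerts, the problem is in the rules or output configuration rather than in port mirroring.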

-----Original Message-----
From: Joshua Rogers [mailto:josh at ...6676...]
Sent: Friday, August 23, 2002 2:50 PM
To: Snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Snort, php, MySQL and acid showing no activity


Ok, I ran 'nmap -v -sS -O <server ip>' on the snort machine and on another
server. Both tests did not show up in the acid console and nothing in the
MySQL db. There is also nothing showing up in the portscan log file. I am
guessing I missed something in the setup.

Thanks,
Joshua Rogers
Webmaster
InterPlanetary Web Services
303-940-2597
IBO# 60092

----- Original Message -----
From: "Demetri Mouratis" <dmourati at ...3877...>
To: "Randy Bey" <Randy.Bey at ...6683...>
Cc: <Snort-users at lists.sourceforge.net>
Sent: Friday, August 23, 2002 11:33 AM
Subject: RE: [Snort-users] Snort, php, MySQL and acid showing no activity


> Nmap is easier and faster in that it doesn't require client/server
> setup:
>
> http://www.insecure.org
>
> HTH
> On Fri, 23 Aug 2002, Randy Bey wrote:
>
> > Oh yes, you need to do something to trigger a rule. I usually just run a
> > quick Nessus(tm) scan; that does it for me.
> >
> > If there are faster, easier ways to trip a rule, please someone let me
> > know.
> >
> > Randy Bey
> > RiverNorth Systems
> > 7300 W 147th St Suite 300
> > Apple Valley, MN 55124
> > http://www.rivernorthsys.com
> >
> >
> > -----Original Message-----
> > From: Joshua Rogers [mailto:josh at ...6676...]
> > Sent: Friday, August 23, 2002 10:24 AM
> > To: Snort-users at lists.sourceforge.net
> > Subject: Re: [Snort-users] Snort, php, MySQL and acid showing no activity
> >
> > I just tried: /usr/local/bin/snort -c /etc/snort/snort.conf -D from the
> > command line. It created an additional sensor, but still no activity in
> > the db. Do I need to create any alerts? It seems that I can not create a
> > useful alert until I have a traffic pattern to base it on. Am I correct
> > in this assumption?
> >
> > Thanks,
> > Joshua Rogers
> > Webmaster
> > InterPlanetary Web Services
> > 303-940-2597
> > IBO# 60092
> > ----- Original Message -----
> > From: "Randy Bey" <Randy.Bey at ...6683...>
> > To: "Joshua Rogers" <josh at ...6676...>; <Snort-users at lists.sourceforge.net>
> > Sent: Friday, August 23, 2002 9:31 AM
> > Subject: RE: [Snort-users] Snort, php, MySQL and acid showing no activity
> >
> >
> > Have you made sure you aren't using any -A switches on your snort
> > command line? It should be as simple as:
> > /usr/local/bin/snort -c /etc/snort/snort.conf -D
> >
> >
> > Randy Bey
> > RiverNorth Systems
> > 7300 W 147th St Suite 300
> > Apple Valley, MN 55124
> > http://www.rivernorthsys.com
> >
> >
> > -----Original Message-----
> > From: Joshua Rogers [mailto:josh at ...6676...]
> > Sent: Thursday, August 22, 2002 4:28 PM
> > To: Snort-users at lists.sourceforge.net
> > Subject: [Snort-users] Snort, php, MySQL and acid showing no activity
> >
> > Hi,
> > I do not know what information will be helpful in showing me how to
> > track down a problem on my system, but here goes. I am running:
> > Red Hat Linux 7.3 with the latest updates
> > PHP 4.2.1, register_globals=on
> > Apache 1.3.26
> > MySQL 3.23.39
> > GD 1.6.2
> > The latest acid
> > BCMath
> >
> > I followed the great doc on setting up snort-rh7-mysql, from the snort
> > website. I had to make a few changes since I am running 7.3 and did not
> > have all of the drive space shown in the doc. Somewhere along the line I
> > think I missed something. Snort and MySQL seem to be running, the acid
> > interface comes up fine with no errors, but there is no data that shows
> > up in the database or in the acid interface.
> > What information would you need to help point me in the right direction
> > to get snort recording data?
> >
> > Thanks,
> > Joshua Rogers
> > Webmaster
> > InterPlanetary Web Services
> > 303-940-2597
> > IBO# 60092
> >
> >
> >
> > -------------------------------------------------------
> > This sf.net email is sponsored by: OSDN - Tired of that same old
> > cell phone?  Get a new here for FREE!
> > https://www.inphonic.com/r.asp?r=sourceforge1&refcode1=vs3390
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
>
> ---------------------------------------------------------------------
> Demetri Mouratis
> dmourati at ...3878...
>
>

