[Snort-users] Snort logging to mysql with no ip on monitored interface

Michael Steele michaels at ...9077...
Wed Dec 31 09:40:00 EST 2003


You can do a tcpdump on the database port and see any alerts that are being
passed to it, while running a scan of the system using some vulnerability
scanner.

Kindest regards,

The WINSNORT.com Management Team
--
Pick up your FREE Windows or UNIX Snort installation guides      
mailto:support at ...9077...
Website: http://www.winsnort.com
Snort: Open Source Network IDS - http://www.snort.org




From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Shaffer, Paul D
Sent: Wednesday, December 31, 2003 8:07 AM
To: snort at ...10813...; snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Snort logging to mysql with no ip on monitored interface

Uh, I think maybe you're heading the wrong way here.  The lack of an IP
address on your sensor interface has absolutely nothing to do with database
output.  I have an almost identical setup running (2.1, though), no probs.
Maybe an obvious question, but how do you know for sure Snort is not
outputting to the database?  Have you tested it by invoking some known
alerts from an external source?  Sorry, had to ask...

Paul
-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of snort
Sent: Wednesday, December 31, 2003 8:51 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Snort logging to mysql with no ip on monitored interface

1) I am making the assumption that logging to MySQL is not possible if
the interface I am monitoring does not have an IP. Can someone confirm that?

2) Since I am able to log to a flat file, and I would like to use
ACID, can someone point me to a flat-file-to-MySQL script that I can use to
populate MySQL with a cron job?

I have Version 2.0.1-ODBC-MySQL-WIN32 (Build 88) under Windows with ACID.
Everything is working fine on interface 10.0.0.1. Logging to the DB works
fine, etc. I put in a second NIC and set it up under XP with no IP address.
Ethereal can sniff packets on the interface just fine. I have Snort
configured for the second interface, but it cannot log to the MySQL
database. I added an output plugin for file and was able to see alerts from
it. What am I doing wrong?

Cable modem-----------dumb hub---------linksys fw---------10.0.0.1 interface 1
                                     |_______________________0.0.0.0 interface 2

Snort output:

D:\EagleX\snort\bin>D:\EagleX\Snort\bin\snort.exe -c
"D:\EagleX\Snort\etc\snort.conf" -l "D:\EagleX\Snort\logs" -i 2 -h 192.1
0/24 -X -z
Running in IDS mode
Log directory = D:\EagleX\Snort\logs

Initializing Network Interface \Device\NPF_{B7264AA4-8C2E-489E-951C-A32498F2FD36}

        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface \Device\NPF_{B7264AA4-8C2E-489E-951C-A32498F2FD36}
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file D:\EagleX\Snort\etc\snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
    Self preservation threshold: 500
    Self preservation period: 90
    Suspend threshold: 1000
    Suspend period: 30
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
Stream4_reassemble config:
    Server reassembly: ACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Ports: 21 23 25 53 80 110 111 143 513 1433
    Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80 8877 8888
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
Using LOCAL time
Conversation Config:
   KeepStats: 0
   Conv Count: 65535
   Timeout   : 60
   Alert Odd?: 1
   Allowed IP Protocols:  All

database: compiled support for ( mysql odbc )
database: configured to use Mysql
database:          host = localhost
database:          port = 7788
database: database name = snort
database:          user = snort
database: password is set
database:   sensor name = inet
database: detail level  = full
database:     sensor id = 3
database: schema version = 106
database: using the "alert" facility
1581 Snort rules read...
1581 Option Chains linked into 197 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->activation->dynamic->alert->pass->log

        --== Initialization Complete ==--

-*> Snort! <*-
Version 2.0.1-ODBC-MySQL-WIN32 (Build 88)
By Martin Roesch (roesch at ...1935..., www.snort.org)
1.7-WIN32 Port By Michael Davis (mike at ...92..., www.datanerds.net/~mike)
1.8 - 2.0 WIN32 Port By Chris Reid (chris.reid at ...3029...)
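The poster's second question, a flat-file-to-MySQL loader that can be run from cron, is not answered anywhere in the thread. What follows is an added example written for this page; it is not code from the thread, from the Snort project or from ACID. It parses the one-line-per-alert format that Snort's file output plugin ("alert_fast") writes, and loads the parsed alerts into a database through the Python DB-API. Two things are assumptions: the sample alert lines are constructed here, and the target table is a single simplified `alert` table (not the multi-table ACID/snort schema), kept in sqlite3 so the script runs stand-alone. The design point a cron-driven loader needs is shown explicitly: re-reading the whole file on every run must not double-count, so the insert is made idempotent with a UNIQUE key.

```python
"""Incremental loader for Snort 2.x alert_fast flat-file output.

Added example, not from the mailing-list thread or the Snort project.
Assumed input: the one-line-per-alert 'alert_fast' format, e.g.
12/31-08:51:02.123456  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.5 -> 10.0.0.1
Assumed target: a single simplified 'alert' table in sqlite3, NOT the ACID
schema; the DB-API calls are the same shape you would use with MySQLdb.
"""
import re
import sqlite3
from typing import Dict, List, Optional, Tuple

# Constructed sample alert file (not taken from the thread); the last line
# is deliberately malformed to show that non-alert lines are skipped.
SAMPLE_ALERTS = """\
12/31-08:51:02.123456  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.5 -> 10.0.0.1
12/31-08:51:03.654321  [**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:3456 -> 10.0.0.1:80
12/31-08:51:04.000001  [**] [1:2003:2] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 10.0.0.5:1434 -> 10.0.0.1:1434
this line is not an alert and is skipped
"""

# Year is optional: 'snort -y' prints MM/DD/YY-, otherwise MM/DD-.
# Classification/Priority are absent for rules without a classtype.
FAST_LINE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}(?:/\d{2,4})?-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"(?:\[Priority:\s*(?P<prio>\d+)\]\s+)?"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# sqlite dialect; on MySQL use INT AUTO_INCREMENT PRIMARY KEY and give the
# UNIQUE column a VARCHAR length. The raw line is the dedup key on purpose:
# a UNIQUE over (timestamp, sid, ports, ...) would never match repeated ICMP
# alerts, because their NULL ports never compare equal.
SCHEMA = """
CREATE TABLE IF NOT EXISTS alert (
    id INTEGER PRIMARY KEY,
    timestamp TEXT NOT NULL,
    gid INTEGER NOT NULL, sid INTEGER NOT NULL, rev INTEGER NOT NULL,
    msg TEXT NOT NULL, classification TEXT, priority INTEGER,
    proto TEXT NOT NULL,
    src_ip TEXT NOT NULL, src_port INTEGER,
    dst_ip TEXT NOT NULL, dst_port INTEGER,
    raw_line TEXT NOT NULL UNIQUE
);
"""
# 'INSERT OR IGNORE' is sqlite; MySQL spells it 'INSERT IGNORE' and uses %s.
INSERT_SQL = """
INSERT OR IGNORE INTO alert (timestamp, gid, sid, rev, msg, classification,
    priority, proto, src_ip, src_port, dst_ip, dst_port, raw_line)
VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
"""


def split_endpoint(endpoint: str) -> Tuple[str, Optional[int]]:
    """'10.0.0.5:3456' -> ('10.0.0.5', 3456); ICMP endpoints carry no port."""
    host, sep, port = endpoint.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return endpoint, None


def parse_alert_line(line: str) -> Optional[Dict[str, object]]:
    """Return a field dict for one alert_fast line, or None if it is not one."""
    m = FAST_LINE.match(line.strip())
    if not m:
        return None
    src_ip, src_port = split_endpoint(m["src"])
    dst_ip, dst_port = split_endpoint(m["dst"])
    return {
        "timestamp": m["ts"],
        "gid": int(m["gid"]), "sid": int(m["sid"]), "rev": int(m["rev"]),
        "msg": m["msg"], "classification": m["cls"],
        "priority": int(m["prio"]) if m["prio"] else None,
        "proto": m["proto"].upper(),
        "src_ip": src_ip, "src_port": src_port,
        "dst_ip": dst_ip, "dst_port": dst_port,
        "raw_line": line.strip(),
    }


def parse_alert_text(text: str) -> List[Dict[str, object]]:
    """Parse a whole alert file's contents, silently skipping non-alert lines."""
    return [r for r in (parse_alert_line(l) for l in text.splitlines()) if r]


def open_db(path: str = ":memory:") -> sqlite3.Connection:
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def load_alerts(conn: sqlite3.Connection, alerts: List[Dict[str, object]]) -> int:
    """Insert parsed alerts; return how many rows were actually added.
    Lines already present are ignored, so a cron job may re-read the whole
    file every run without double-counting."""
    cols = ("timestamp", "gid", "sid", "rev", "msg", "classification", "priority",
            "proto", "src_ip", "src_port", "dst_ip", "dst_port", "raw_line")
    before = conn.execute("SELECT COUNT(*) FROM alert").fetchone()[0]
    with conn:  # commits on success, rolls back on error
        conn.executemany(INSERT_SQL, [tuple(a[c] for c in cols) for a in alerts])
    return conn.execute("SELECT COUNT(*) FROM alert").fetchone()[0] - before


def import_file_text(conn: sqlite3.Connection, text: str) -> int:
    return load_alerts(conn, parse_alert_text(text))


if __name__ == "__main__":
    db = open_db()
    print("first run inserted", import_file_text(db, SAMPLE_ALERTS))   # 3
    print("second run inserted", import_file_text(db, SAMPLE_ALERTS))  # 0
    for row in db.execute("SELECT priority, sid, msg, src_ip, dst_ip, dst_port "
                          "FROM alert ORDER BY priority, timestamp"):
        print(row)
```

To run this against MySQL, replace `sqlite3.connect` with a MySQLdb connection, change the placeholder style from `?` to `%s`, and use `INSERT IGNORE`. Note that this does not populate the ACID tables (event, signature, iphdr and friends); feeding ACID still means either Snort's own database output plugin, which Paul's reply says works fine on an IP-less sensor interface, or a loader that maps each parsed record onto that schema.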
