[Snort-users] Snort logging to mysql with no ip on monitored interface

CMartin at ...9696...
Wed Dec 31 10:58:01 EST 2003
I think I found your problem.  I'm running snort on linux, but I think the
command line is the same.  There are times when I would like to log to a
directory and not log to a database.  I still make a reference to the conf
file that has all my database login information but then in the command line
I specify it to log to a directory using the -l (log) switch, as you do in
your command line.  In my experience when you use the -l switch in the
command line, it overwrites all logging options specified in your conf file.
So try removing the -l switch and see if that helps.  If you want to log to
both the directory and the database, specify that in the conf file.
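As an added example, not CMartin's own configuration and not from the Snort project, here is what "specify that in the conf file" looks like for this thread's setup: a snort.conf output section that sends alerts both to the MySQL database and to a flat file, with the log directory moved into the conf file so that no -l switch is needed on the command line. The database parameters mirror the start-up banner quoted further down in the thread (host localhost, port 7788, database snort, user snort, sensor name inet, "alert" facility, full detail); the password and the HOME_NET value are placeholders, because the thread never shows them.

```conf
# snort.conf, output section (added example; values taken from the banner in
# this thread except where marked as placeholders).

# Log directory, the conf-file equivalent of the -l command-line switch.
config logdir: D:\EagleX\Snort\logs

# 1) Alerts into MySQL, with the parameters the banner reports.
#    <DB_PASSWORD> is a placeholder.
output database: alert, mysql, user=snort password=<DB_PASSWORD> dbname=snort host=localhost port=7788 sensor_name=inet detail=full

# 2) The same alerts into a flat file under logdir, handy while testing.
output alert_fast: alert.ids

# Command line that goes with it (no -l; <HOME_NET> is a placeholder):
#   D:\EagleX\Snort\bin\snort.exe -c D:\EagleX\Snort\etc\snort.conf -i 2 -h <HOME_NET>/24 -X -z
```

Two checks are worth doing before concluding the database plugin is broken. The banner already reports "sensor id = 3", a value the database plugin only obtains after connecting and registering its sensor row, so the connection itself is working, and the sniffing interface having no IP address is irrelevant to it because the plugin talks to MySQL through the host's normal TCP stack, not through the monitored NIC. In ACID, this instance's events are therefore filed under sensor 3 (name inet), not under the sensor of the first NIC. Also, because host=localhost puts the MySQL traffic on the loopback path, which WinPcap-based capture tools cannot see on Windows, the tcpdump check suggested later in the thread only works when the database lives on another machine; on the same box, query the event table for sid 3 instead.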
-----Original Message-----
From: Michael Steele [mailto:michaels at ...9077...] 
Sent: Wednesday, December 31, 2003 10:38 AM
To: 'Snort Users List'
Subject: RE: [Snort-users] Snort logging to mysql with no ip on monitored


You can do a tcpdump on the database port and see any alerts that are being
passed to it, while running a scan of the system using some vulnerability

Kindest regards,

The WINSNORT.com Management Team
Pick up your FREE Windows or UNIX Snort installation guides
mailto:support at ...9077...
Website: http://www.winsnort.com
Snort: Open Source Network IDS - http://www.snort.org


From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Shaffer, Paul
Sent: Wednesday, December 31, 2003 8:07 AM
To: snort at ...10813...; snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Snort logging to mysql with no ip on monitored


Uh, I think maybe you're heading the wrong way here.  The lack of an IP
address on your sensor interface has absolutely nothing to do with database
output.  I have an almost identical setup running (2.1, though), no probs.
Maybe an obvious question, but how do you know for sure Snort is not
outputting to the database?  Have you tested it by invoking some known
alerts from an external source?  Sorry, had to ask...
-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of snort
Sent: Wednesday, December 31, 2003 8:51 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Snort logging to mysql with no ip on monitored

1) I am making the assumption that logging to MySQL is not possible if
the interface I am monitoring does not have an IP. Can someone confirm that?

2) Since I am able to log to a flat file, and I would like to use
ACID, can someone point me to a flat file to MySQL script that I can use to
populate MySQL with a cron job?
I have Version 2.0.1-ODBC-MySQL-WIN32 (Build 88) under windows with acid.
Everything is working fine on interface. Logging to the db works
fine, etc. I put in a second NIC and set it up under XP with no IP address.
Ethereal can sniff packets on the interface just fine. I have snort
configured for the second interface, but it cannot log to the mysql
database. I added an output plugin for file and was able to see alerts from
it. What am I doing wrong?
Cable modem-----------dumb hub---------linksys fw--------- interface

interface 2
Snort output:

D:\EagleX\snort\bin>D:\EagleX\Snort\bin\snort.exe -c "D:\EagleX\Snort\etc\snort.conf" -l "D:\EagleX\Snort\logs" -i 2 -h 192.1
0/24 -X -z
Running in IDS mode
Log directory = D:\EagleX\Snort\logs

Initializing Network Interface

        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file D:\EagleX\Snort\etc\snort.conf

Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
    Self preservation threshold: 500
    Self preservation period: 90
    Suspend threshold: 1000
    Suspend period: 30
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
Stream4_reassemble config:
    Server reassembly: ACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Ports: 21 23 25 53 80 110 111 143 513 1433
    Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80 8877 8888
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
Using LOCAL time
Conversation Config:
   KeepStats: 0
   Conv Count: 65535
   Timeout   : 60
   Alert Odd?: 1
   Allowed IP Protocols:  All

database: compiled support for ( mysql odbc )
database: configured to use Mysql
database:          host = localhost
database:          port = 7788
database: database name = snort
database:          user = snort
database: password is set
database:   sensor name = inet
database: detail level  = full
database:     sensor id = 3
database: schema version = 106
database: using the "alert" facility
1581 Snort rules read...
1581 Option Chains linked into 197 Chain Headers
0 Dynamic rules

Rule application order: ->activation->dynamic->alert->pass->log

        --== Initialization Complete ==--

-*> Snort! <*-
Version 2.0.1-ODBC-MySQL-WIN32 (Build 88)
By Martin Roesch (roesch at ...1935..., www.snort.org)
1.7-WIN32 Port By Michael Davis (mike at ...92...,
1.8 - 2.0 WIN32 Port By Chris Reid (chris.reid at ...3029...)
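The "flat file to MySQL script" asked for in question 2 of the original post, written as an added example for this thread (it is not code from Snort, ACID or anyone on the list). It parses Snort 2.x alert_fast lines, the format the alert_fast output plugin writes, and loads them with bound parameters. Three assumptions are made: the input is alert_fast output with one alert per line; a single flat table (an assumption of this example) stands in for the multi-table Snort/ACID schema that the banner above reports as version 106, so feeding ACID would require mapping onto that real schema; and sqlite3 stands in for MySQL so the script runs stand-alone, with MySQLdb or PyMySQL, "%s" placeholders and INSERT IGNORE being the equivalents for a real server. The sample alert lines are constructed, not taken from the poster's logs.

```python
"""Flat-file (alert_fast) to database importer, suitable for a cron job.

Added example for the "flat file to MySQL script" question in this thread;
not code from Snort, ACID or anyone on the list. Assumptions:
  * input is Snort 2.x alert_fast output, one alert per line;
  * a single flat table replaces the multi-table Snort/ACID schema
    (version 106 in the banner quoted above);
  * sqlite3 stands in for MySQL so the script runs stand-alone.
"""
import re
import sqlite3

# Constructed sample lines in alert_fast layout, plus one junk line.
SAMPLE_ALERTS = [
    "12/31-08:51:02.123456  [**] [1:469:1] ICMP PING NMAP [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] "
    "{ICMP} 192.168.1.5 -> 192.168.1.1",
    "12/31-08:51:07.654321  [**] [1:1000001:1] LOCAL test rule [**] "
    "[Priority: 0] {TCP} 192.168.1.5:3355 -> 192.168.1.1:80",
    "garbage line that is not an alert",
]

# timestamp  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n]
#   {PROTO} src[:port] -> dst[:port]      (classification and priority optional)
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"(?:\[Priority:\s*(?P<prio>\d+)\]\s+)?"
    r"\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# UNIQUE on the raw line makes re-reading the same file from cron harmless:
# already-imported alerts are ignored rather than inserted twice.
SCHEMA = """
CREATE TABLE IF NOT EXISTS alert (
    raw TEXT NOT NULL UNIQUE,
    ts TEXT NOT NULL, gid INTEGER, sid INTEGER, rev INTEGER, msg TEXT,
    classification TEXT, priority INTEGER, proto TEXT,
    src TEXT, sport INTEGER, dst TEXT, dport INTEGER
)
"""

INSERT = (
    "INSERT OR IGNORE INTO alert (raw, ts, gid, sid, rev, msg, classification, "
    "priority, proto, src, sport, dst, dport) "
    "VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)"
)


def parse_alert(line):
    """Return the alert's fields as a dict, or None when the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def import_alerts(lines, conn):
    """Insert every parseable line; return (inserted, malformed, duplicate) counts.

    Addresses and ports come from packets on the wire and the message text from
    the log file, so every field is passed as a bound parameter and never pasted
    into the SQL string: a crafted value cannot change the statement.
    """
    conn.execute(SCHEMA)
    inserted = malformed = duplicate = 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = parse_alert(line)
        if rec is None:
            malformed += 1
            continue
        before = conn.total_changes
        conn.execute(INSERT, (line, rec["ts"], rec["gid"], rec["sid"], rec["rev"],
                              rec["msg"], rec["cls"], rec["prio"], rec["proto"],
                              rec["src"], rec["sport"], rec["dst"], rec["dport"]))
        if conn.total_changes > before:
            inserted += 1
        else:
            duplicate += 1
    conn.commit()
    return inserted, malformed, duplicate


def demo():
    """Import the samples twice into an in-memory DB; the second pass adds nothing."""
    conn = sqlite3.connect(":memory:")
    first = import_alerts(SAMPLE_ALERTS, conn)
    second = import_alerts(SAMPLE_ALERTS, conn)
    return first, second


if __name__ == "__main__":
    # In a cron job, replace SAMPLE_ALERTS with open(r"D:\EagleX\Snort\logs\alert.ids")
    # and the sqlite3 connection with a MySQL one.
    print(demo())  # ((2, 1, 0), (0, 1, 2))
```

The point of keeping the whole raw line as the unique key is that a cron job can simply re-read the entire alert file each run without keeping a byte offset; the second pass in demo() reports zero inserts and two duplicates. Malformed lines are counted rather than silently dropped, so a format change in a newer Snort release shows up as a rising malformed count instead of missing events.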
