[Snort-users] Snort logging to mysql with no ip on monitored interface

snort snort at ...10813...
Wed Dec 31 14:36:01 EST 2003


I tried that, but if you leave off the -l switch it complains:
 
D:\EagleX>D:\EagleX\Snort\bin\snort.exe -c
"D:\EagleX\Snort\etc\snort.conf"  -i 2
Running in IDS mode
Log directory = log
ERROR:
[!] ERROR: Can not get write access to logging directory "log".
(directory doesn't exist or permissions are set incorrectly
or it is not a directory at all)
 
Fatal Error, Quitting..
 
 
This is really strange. If I just change the interface, alerts do not
work with either file or db.
I have a web page http://www.cheerleaders4free.com/ that will set off an
alert. With ethereal, I can capture the packets just fine on interface
2:
 
01f0  65 72 73 2e 22 3e 0d 0a 3c 6d 65 74 61 20 6e 61   ers.">..<meta na
0200  6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f   me="keywords" co
0210  6e 74 65 6e 74 3d 22 63 68 65 65 72 6c 65 61 64   ntent="cheerlead
0220  65 72 20 73 65 78 2c 20 6e 75 64 65 20 63 68 65   er sex, nude che
0230  65 72 6c 65 61 64 65 72 73 2c 20 63 68 65 65 72   erleaders, cheer
0240  6c 65 61 64 65 72 20 66 75 63 6b 69 6e 67 2c 20   leader fucking, 
0250  63 68 65 65 72 67 69 72 6c 2c 20 4c 69 67 68 74   cheergirl, Light
 
If I change to -i 1, I get the alert and the log just fine:
 
D:\EagleX\snort>D:\EagleX\Snort\bin\snort.exe -c
"D:\EagleX\Snort\etc\snort.conf"  -i 2
Running in IDS mode
Log directory = log
 
Initializing Network Interface
\Device\NPF_{B7264AA4-8C2E-489E-951C-A32498F2FD36}
 
        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface
\Device\NPF_{B7264AA4-8C2E-489E-951C-A32498F2FD36}
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file D:\EagleX\Snort\etc\snort.conf
 
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
database: compiled support for ( mysql odbc )
database: configured to use Mysql
database:          host = localhost
database:          port = 7788
database: database name = snort
database:          user = snort
database: password is set
database:   sensor name = inet
database: detail level  = full
database:     sensor id = 3
database: schema version = 106
database: using the "alert" facility
1581 Snort rules read...
1581 Option Chains linked into 197 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
 
Rule application order: ->activation->dynamic->alert->pass->log
 
        --== Initialization Complete ==--
 
-*> Snort! <*-
Version 2.0.1-ODBC-MySQL-WIN32 (Build 88)
By Martin Roesch (roesch at ...1935..., www.snort.org)
1.7-WIN32 Port By Michael Davis (mike at ...92...,
www.datanerds.net/~mike)
1.8 - 2.0 WIN32 Port By Chris Reid (chris.reid at ...3029...)
 
-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of
CMartin at ...9696...
Sent: Wednesday, December 31, 2003 1:57 PM
To: michaels at ...9077...
Cc: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Snort logging to mysql with no ip on monitored
interface
 
Howdy,
 
I think I found your problem.  I'm running snort on linux, but I think
the command line is the same.  There are times when I would like to log
to a directory and not log to a database.  I still make a reference to
the conf file that has all my database login information but then in the
command line I specify it to log to a directory using the -l (log)
switch, as you do in your command line.  In my experience when you use
the -l switch in the command line, it overwrites all logging options
specified in your conf file.  So try removing the -l switch and see if
that helps.  If you want to log to both the directory and the database,
specify that in the conf file.
 
Chris
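What Chris describes, both destinations declared in snort.conf rather than chosen on the command line, looks like the fragment below. This is an added illustration, not a config from the thread or from the Snort project; the host, port, database, user and sensor name are taken from the database: lines in the posted Snort output, while the password, the alert file name and the use of the config logdir directive (so that no -l is needed on the command line) are assumptions.

```conf
# snort.conf, output section (added example, values partly assumed)

# Where file-based output plugins write when no -l is given on the
# command line; equivalent to snort -l <dir>.  Assumed path.
config logdir: D:\EagleX\Snort\logs

# Database output: the values match the "database:" lines Snort prints at
# start-up in the thread (host/port/dbname/user/sensor_name/detail).
# Password is a placeholder.
output database: alert, mysql, user=snort password=CHANGEME dbname=snort host=localhost port=7788 sensor_name=inet detail=full

# Flat-file output alongside the database, written into logdir.
# File name is assumed.
output alert_fast: alert.ids
```

With both output lines present, a single snort.exe -c "...\snort.conf" -i 2 invocation feeds the database and the flat file at the same time; the sensor_name and interface determine which row in ACID's sensor table the events land under, so a second interface appears as a separate sensor.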
 
 
 
 
-----Original Message-----
From: Michael Steele [mailto:michaels at ...9077...] 
Sent: Wednesday, December 31, 2003 10:38 AM
To: 'Snort Users List'
Subject: RE: [Snort-users] Snort logging to mysql with no ip on monitored
interface
 
You can do a tcpdump on the database port and see any alerts that are
being passed to it, while running a scan of the system using some
vulnerability scanner.
Kindest regards,

The WINSNORT.com Management Team
--
Pick up your FREE Windows or UNIX Snort installation guides      
mailto:support at ...9077...
Website: http://www.winsnort.com
Snort: Open Source Network IDS - http://www.snort.org

From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Shaffer,
Paul D
Sent: Wednesday, December 31, 2003 8:07 AM
To: snort at ...10813...; snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Snort logging to mysql with no ip on monitored
interface
 
Uh, I think maybe you're heading the wrong way here.  The lack of an IP
address on your sensor interface has absolutely nothing to do with
database output.  I have an almost identical setup running (2.1,
though), no probs.  Maybe an obvious question, but how do you
know for sure Snort is not outputting to the database?  Have you tested
it by invoking some known alerts from an external source?  Sorry, had to
ask...
 
Paul
 
-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of snort
Sent: Wednesday, December 31, 2003 8:51 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Snort logging to mysql with no ip on monitored
interface
1) I am making the assumption that logging to MySQL is not possible if
the interface I am monitoring does not have an IP. Can someone confirm
that?
2) Since I am able to log to a flat file, and I would like to use ACID,
can someone point me to a flat file to MySQL script that I can use to
populate MySQL with a cron job?
 
 
I have Version 2.0.1-ODBC-MySQL-WIN32 (Build 88) under windows with
acid. Everything is working fine on interface 10.0.0.1. Logging to the
db works fine, etc. I put in a second NIC and set it up under XP with no
IP address. Ethereal can sniff packets on the interface just fine. I
have snort configured for the second interface, but it cannot log to the
mysql database. I added an output plugin for file and was able to see
alerts from it. What am I doing wrong?
 
 
Cable modem-----------dumb hub---------linksys fw---------10.0.0.1
interface 1
                                     |_______________________0.0.0.0
interface 2
 
 
Snort output:
 
D:\EagleX\snort\bin>D:\EagleX\Snort\bin\snort.exe -c
"D:\EagleX\Snort\etc\snort.conf" -l "D:\EagleX\Snort\logs" -i 2 -h 192.1
0/24 -X -z
Running in IDS mode
Log directory = D:\EagleX\Snort\logs
 
Initializing Network Interface
\Device\NPF_{B7264AA4-8C2E-489E-951C-A32498F2FD36}
 
        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface
\Device\NPF_{B7264AA4-8C2E-489E-951C-A32498F2FD36}
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file D:\EagleX\Snort\etc\snort.conf
 
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
    Self preservation threshold: 500
    Self preservation period: 90
    Suspend threshold: 1000
    Suspend period: 30
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
Stream4_reassemble config:
    Server reassembly: ACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Ports: 21 23 25 53 80 110 111 143 513 1433
    Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80 8877 8888
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
Using LOCAL time
Conversation Config:
   KeepStats: 0
   Conv Count: 65535
   Timeout   : 60
   Alert Odd?: 1
   Allowed IP Protocols:  All
 
database: compiled support for ( mysql odbc )
database: configured to use Mysql
database:          host = localhost
database:          port = 7788
database: database name = snort
database:          user = snort
database: password is set
database:   sensor name = inet
database: detail level  = full
database:     sensor id = 3
database: schema version = 106
database: using the "alert" facility
1581 Snort rules read...
1581 Option Chains linked into 197 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
 
Rule application order: ->activation->dynamic->alert->pass->log
 
        --== Initialization Complete ==--
 
-*> Snort! <*-
Version 2.0.1-ODBC-MySQL-WIN32 (Build 88)
By Martin Roesch (roesch at ...1935..., www.snort.org)
1.7-WIN32 Port By Michael Davis (mike at ...92...,
www.datanerds.net/~mike)
1.8 - 2.0 WIN32 Port By Chris Reid (chris.reid at ...3029...)
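Question 2 in the original post asks for a flat-file-to-MySQL script that a cron job could run. The script below is an added example written for this page, not code from the thread, from Snort or from ACID. It parses Snort 2.x alert_fast lines (the "[**] [gid:sid:rev] msg [**] ... {PROTO} src:port -> dst:port" format) and inserts them into the event, signature, iphdr, tcphdr, udphdr and icmphdr tables of the snort/ACID schema, numbering events per sensor from the sensor table's last_cid so that a later run continues where the previous one stopped. To run offline it uses sqlite3 and creates a reduced copy of those tables containing only the columns a fast-alert line can fill; the column names are those of the ACID schema (assumption: the schema version 106 layout shown in the posted output), the sample alert lines are constructed, and for MySQL the connection would be replaced by a DB-API MySQL driver with %s placeholders and INSERT IGNORE instead of INSERT OR IGNORE.

```python
"""Load Snort 2.x alert_fast lines into the snort/ACID database tables.

Added example; not part of the original thread, Snort or ACID.
Schema below is a reduced stand-in (assumption: ACID schema 106 column
names) so the script runs against sqlite3 without a MySQL server.
"""
import ipaddress
import re
import sqlite3
from datetime import datetime

# alert_fast line: timestamp, [gid:sid:rev] msg, optional classification
# and priority, {PROTO}, src[:port] -> dst[:port].
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"(?:\[Priority:\s*(?P<pri>\d+)\]\s+)?"
    r"\{(?P<proto>[A-Z]+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)
PROTO_NUM = {"TCP": 6, "UDP": 17, "ICMP": 1}   # IANA protocol numbers

# Reduced copy of the ACID tables: only columns a fast alert can populate.
SCHEMA = """
CREATE TABLE IF NOT EXISTS sensor (sid INTEGER PRIMARY KEY, hostname TEXT,
    interface TEXT, last_cid INTEGER);
CREATE TABLE IF NOT EXISTS signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT,
    sig_class_id INTEGER, sig_priority INTEGER, sig_rev INTEGER, sig_sid INTEGER);
CREATE TABLE IF NOT EXISTS event (sid INTEGER, cid INTEGER, signature INTEGER,
    timestamp TEXT, PRIMARY KEY (sid, cid));
CREATE TABLE IF NOT EXISTS iphdr (sid INTEGER, cid INTEGER, ip_src INTEGER,
    ip_dst INTEGER, ip_proto INTEGER, PRIMARY KEY (sid, cid));
CREATE TABLE IF NOT EXISTS tcphdr (sid INTEGER, cid INTEGER, tcp_sport INTEGER,
    tcp_dport INTEGER, PRIMARY KEY (sid, cid));
CREATE TABLE IF NOT EXISTS udphdr (sid INTEGER, cid INTEGER, udp_sport INTEGER,
    udp_dport INTEGER, PRIMARY KEY (sid, cid));
CREATE TABLE IF NOT EXISTS icmphdr (sid INTEGER, cid INTEGER, icmp_type INTEGER,
    icmp_code INTEGER, PRIMARY KEY (sid, cid));
"""

# Constructed sample input (sids/messages follow Snort naming; not a real capture).
SAMPLE_ALERTS = [
    "12/31-14:36:01.120450  [**] [1:1288:5] WEB-FRONTPAGE /_vti_bin/ access [**] "
    "[Classification: access to a potentially vulnerable web application] "
    "[Priority: 2] {TCP} 10.0.0.5:3217 -> 10.0.0.1:80",
    "12/31-14:36:02.004112  [**] [1:469:1] ICMP PING NMAP [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.5 -> 10.0.0.1",
    "12/31-14:36:02.510000  [**] [1:1288:5] WEB-FRONTPAGE /_vti_bin/ access [**] "
    "[Classification: access to a potentially vulnerable web application] "
    "[Priority: 2] {TCP} 10.0.0.5:3218 -> 10.0.0.1:80",
    "12/31-14:36:03.000001  [**] [1:1948:1] DNS zone transfer UDP [**] "
    "[Priority: 2] {UDP} 10.0.0.5:1030 -> 10.0.0.1:53",
    "this line is garbage and must be skipped, not loaded",
]


def parse_alert(line, year):
    """Return a dict for one alert_fast line, or None if it does not parse.
    alert_fast omits the year, so the caller supplies it (assumption: one
    log file covers a single year)."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    try:
        src, dst = int(ipaddress.IPv4Address(m["src"])), int(ipaddress.IPv4Address(m["dst"]))
    except ValueError:              # e.g. 999.1.1.1 matches the regex but is not an address
        return None
    ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S")
    return {
        "timestamp": ts.strftime("%Y-%m-%d %H:%M:%S"),   # MySQL DATETIME literal
        "sig_sid": int(m["sid"]), "sig_rev": int(m["rev"]), "msg": m["msg"],
        "classification": m["cls"], "priority": int(m["pri"]) if m["pri"] else None,
        "proto": m["proto"], "src": src, "dst": dst,     # IPs as unsigned 32-bit ints, as ACID stores them
        "sport": int(m["sport"]) if m["sport"] else None,
        "dport": int(m["dport"]) if m["dport"] else None,
    }


def _signature_id(cur, a):
    """ACID keys signatures by name + sid + rev; reuse the row if it exists."""
    row = cur.execute("SELECT sig_id FROM signature WHERE sig_name=? AND sig_sid=? AND sig_rev=?",
                      (a["msg"], a["sig_sid"], a["sig_rev"])).fetchone()
    if row:
        return row[0]
    cur.execute("INSERT INTO signature (sig_name, sig_priority, sig_rev, sig_sid) VALUES (?,?,?,?)",
                (a["msg"], a["priority"], a["sig_rev"], a["sig_sid"]))
    return cur.lastrowid


def load_alerts(conn, lines, sensor_id, year, hostname="inet", interface=""):
    """Insert parsed alerts for one sensor in a single transaction; cid continues
    from sensor.last_cid so repeated cron runs on fresh files never collide."""
    cur = conn.cursor()
    cur.execute("INSERT OR IGNORE INTO sensor (sid, hostname, interface, last_cid) VALUES (?,?,?,0)",
                (sensor_id, hostname, interface))
    cid = cur.execute("SELECT last_cid FROM sensor WHERE sid=?", (sensor_id,)).fetchone()[0]
    loaded = skipped = 0
    for line in lines:
        a = parse_alert(line, year)
        if a is None:
            skipped += 1
            continue
        cid += 1
        cur.execute("INSERT INTO event (sid, cid, signature, timestamp) VALUES (?,?,?,?)",
                    (sensor_id, cid, _signature_id(cur, a), a["timestamp"]))
        cur.execute("INSERT INTO iphdr (sid, cid, ip_src, ip_dst, ip_proto) VALUES (?,?,?,?,?)",
                    (sensor_id, cid, a["src"], a["dst"], PROTO_NUM.get(a["proto"])))
        if a["proto"] == "TCP":
            cur.execute("INSERT INTO tcphdr (sid, cid, tcp_sport, tcp_dport) VALUES (?,?,?,?)",
                        (sensor_id, cid, a["sport"], a["dport"]))
        elif a["proto"] == "UDP":
            cur.execute("INSERT INTO udphdr (sid, cid, udp_sport, udp_dport) VALUES (?,?,?,?)",
                        (sensor_id, cid, a["sport"], a["dport"]))
        elif a["proto"] == "ICMP":   # fast alerts carry no type/code; the row keeps ACID's joins intact
            cur.execute("INSERT INTO icmphdr (sid, cid) VALUES (?,?)", (sensor_id, cid))
        loaded += 1
    cur.execute("UPDATE sensor SET last_cid=? WHERE sid=?", (cid, sensor_id))
    conn.commit()
    return {"loaded": loaded, "skipped": skipped, "last_cid": cid}


def open_db(path=":memory:"):
    """Open the database and create the reduced schema if it is missing."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


if __name__ == "__main__":
    db = open_db()
    print(load_alerts(db, SAMPLE_ALERTS, sensor_id=3, year=2003))
```

A cron job would rename the alert file before loading it and delete it afterwards, since nothing in the file itself marks which lines were already inserted; the sensor_id passed in should match the sensor row ACID already uses for that interface (sensor id 3 in the posted output) so the imported events sit next to the ones the database plugin writes directly.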