[Snort-users] Mysql, log and portscan..

Marco A. mateos specka at ...7977...
Sat Jan 11 12:21:06 EST 2003


Hello, I'm a new user of snort 1.9.0 on redhat 7.2 (snort+snort+ACID)

I have a problem and don't see a solution.

In my case, I want to have the log in /var/log/snort and also to send the
logs to mysql.

My snort.conf file has:

var HOME_NET $eth0_ADDRESS
var EXTERNAL_NET any
var SMTP $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var DNS_SERVERS $HOME_NET 207.218.223.134 207.218.192.38
#var RULE_PATH ./
var SHELLCODE_PORTS !80
var HTTP_PORTS 80
var ORACLE_PORTS 1521

preprocessor frag2

preprocessor stream4: detect_scans, disable_evasion_alerts

preprocessor stream4_reassemble

preprocessor http_decode: 80 -unicode -cginull

preprocessor rpc_decode: 111 32771

preprocessor bo

preprocessor telnet_decode

preprocessor portscan: $HOME_NET 4 3 portscan.log

# I don't know what I can use this directive for
#preprocessor portscan-ignorehosts

output alert_syslog: LOG_AUTH LOG_ALERT

#output log_tcpdump: snort.log

output database: alert, mysql, user=myuser dbname=snort host=localhost password=mypass

include classification.config

include bad-traffic.rules
include exploit.rules
include scan.rules
include finger.rules
include ftp.rules
include telnet.rules
include smtp.rules
include rpc.rules
include rservices.rules
include dos.rules
include ddos.rules
include dns.rules
include tftp.rules
include web-cgi.rules
include web-coldfusion.rules
include web-iis.rules
include web-frontpage.rules
include web-misc.rules
include web-attacks.rules
include sql.rules
include x11.rules
include icmp.rules
include netbios.rules
include misc.rules
include attack-responses.rules
include backdoor.rules
include shellcode.rules
include policy.rules
include porn.rules
include info.rules
include icmp-info.rules
include virus.rules
include local.rules



And in the snort init file:

. /etc/rc.d/init.d/functions

INTERFACE=eth0

# See how we were called.
case "$1" in
  start)
	echo -n "Starting snort: "
	cd /var/log/snort
#####################################################################
	### This line changes the behaviour: it writes to the log /var/log/snort/alert
	daemon /usr/sbin/snort -A full -b -l /var/log/snort -d -D \
		 -i $INTERFACE -c /etc/snort/snort.conf
#####################################################################
	## If I delete -A full -b, it writes to the mysql database snort
#####################################################################
	touch /var/lock/subsys/snort
	echo
	;;
  stop)
	echo -n "Stopping snort: "
	killproc snort
	rm -f /var/lock/subsys/snort
	echo 
	;;
  restart)
	$0 stop
	$0 start
	;;
  status)
	status snort
	;;
  *)
	echo "Usage: $0 {start|stop|restart|status}"
	exit 1
esac

exit 0

Neither works.
The logs go to the text file, or to mysql.
In any case I am able to see port scans, and from another tool
(portsentry) I am certain that I have them.

I would like to write the log to alert and portscan also, because I would
like to send it with extractor 4.0 to https://analyzer.securityfocus.com/.
And all to the mysql database to see it with ACID. I have worked all afternoon on this.


Thanks for your help. My English is bad.



-- 
Marco A. Mateos - Linux User: 209189
www.lomejordeinternet.net / specka.com
graficas.lomejordeinternet.net - Graphic Arts Portal
hosting.lomejordeinternet.net - Hosting, housing and consulting
specka at ...7978... / ICQ: 172542875
Public key available at pgp.rediris.es
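As an added example (not the poster's own files), the output section below declares both destinations in snort.conf instead of on the command line; it reuses the paths and credentials from the post and relies on the documented Snort behaviour that command-line alert and logging switches such as -A and -b override the output plugins in the configuration file, which is why the daemon line in the init script would then drop them.

```conf
# Added example, not the original poster's config.
# Alert facility -> text file AND mysql; log facility -> tcpdump binary file.
# File names are relative to the -l log directory (/var/log/snort here).

# Text alerts in the same format "-A full" produces, in /var/log/snort/alert
output alert_full: alert

# The same alert facility, so everything it emits (rule hits and
# preprocessor alerts) also lands in the snort database that ACID reads
output database: alert, mysql, user=myuser dbname=snort host=localhost password=mypass

# Packet logs as a tcpdump file, the equivalent of "-b" on the command line
output log_tcpdump: snort.log

# The portscan preprocessor keeps writing its own summary file,
# /var/log/snort/portscan.log, independently of the output plugins
preprocessor portscan: $HOME_NET 4 3 portscan.log

# The daemon line in /etc/rc.d/init.d/snort then carries no -A or -b,
# because command-line alert/log modes override the plugins above:
#   daemon /usr/sbin/snort -l /var/log/snort -d -D -i $INTERFACE -c /etc/snort/snort.conf

# snort.conf now holds the database password, so keep it readable by root only.
```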