[Snort-users] Problems with ACID seeing Sensors

Allyn Baskerville allynb at ...9465...
Wed Jun 18 14:20:15 EDT 2003

I sent in a question a few days ago, and I thought it was resolved. I had an
older version of Snort with ACID running on RH7.2, which I upgraded to
RH9.0. I followed Snort Enterprise Implementation by Steven Scott, with the
exception of some newer files and running ACID and SNORT on a single system.
After a few responses the first time I experienced this, ACID started seeing
the sensor interfaces and logging began working what I thought was due to a

I repeated the installation for a client, and I'm having the same issue.
After several hours, I can't seem to find what the problem is. Here are the
symptoms... I create a new instance of the sensor in SnortCenter, set the
appropriate variables, set the output plug-in, push it onto the sensor and
start it. The sensor turns green, but it never logs anything nor does ACID
show there is even an active sensor. When I run the commands from the
command line, I still don't see any errors. Snort sees the events, though -
it just doesn't log them.

After manipulating the settings in SnortCenter and restarting various
services (even rebooting), I still am unable to get any events to appear in
ACID for some time. Then mysteriously, the events will start appearing, and
the logs are being populated. It sure seems as if communication is broken
between Snort and ACID, but I've verified usernames and passwords, database
settings, and that the server responds on the proper ports. I currently have
all Sensors running, but they go down periodically and I have to manually
restart them. I'd appreciate your thoughts on this. Thank you. Allyn

The command line is snort -i eth1 -U -o -c /etc/snort/snort.eth1.conf, and
the snort.eth1.conf file is as follows:

# Snort Configuration file for < ADSSensor1 >
# Created with SnortCenter v1.0 RC1 < http://users.pandora.be/larc/ >
# $Id: snort.conf, Wednesday 18th of June 2003 10:41:17 PM
# Next variable automatic added by SnortCenter, used in some rule(s).
var HOME_NET any
# Next variable automatic added by SnortCenter, used in some rule(s).
output database: log, mysql, user=snort password=xxxxxxxx dbname=snort host=ADS-IDS sensor_name=ADSSensor1
# $Id: classification.config, Wednesday 18th of June 2003 10:41:17 PM
# Next classification automatic added by SnortCenter, used in some rule(s).
config classification: bad-unknown,Potentially Bad Traffic, 2
# $Id: attack-responses.rules, Wednesday 18th of June 2003 10:41:17 PM
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( sid: 1292; rev: 7; msg: "ATTACK-RESPONSES directory listing"; flow: from_server,established; content:  "Volume Serial Number"; classtype: bad-unknown;)

When I follow the command line with a -T, the following is returned:

[root at ...9506... snort]# snort -i eth1 -U -o -c /etc/snort/snort.eth1.conf -T
Running in IDS mode
Log directory = /var/log/snort

Initializing Network Interface eth1
OpenPcap() device eth1 network lookup:
        eth1: no IPv4 address assigned

        --== Initializing Snort ==--
Rule application order changed to Pass->Alert->Log
Initializing Output Plugins!
Decoding Ethernet on interface eth1
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.eth1.conf

Initializing rule chains...
database: compiled support for ( mysql )
database: configured to use mysql
database:          user = snort
database: password is set
database: database name = snort
database:          host = ADS-IDS
database:   sensor name = ADSSensor1
database:     sensor id = 8
database: schema version = 106
database: using the "log" facility
1 Snort rules read...
1 Option Chains linked into 1 Chain Headers
0 Dynamic rules

Rule application order: ->pass->activation->dynamic->alert->log

        --== Initialization Complete ==--

-*> Snort! <*-
Version 2.0.0 (Build 72)
By Martin Roesch (roesch at ...1935..., www.snort.org)

Snort sucessfully loaded all rules and checked all rule chains!
database: Closing connection to database "snort"
Snort exiting
[root at ...9506... snort]#
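
Added example, not part of the original post and not Snort or SnortCenter code: a Python check that cross-references the `output database:` directive in a sensor config against the `database:` lines Snort prints under `-T`, so a difference between what was pushed to the sensor and what the plug-in actually loaded stands out. The sample strings are constructed from the shape of the listing above; the function names and the heuristic for a mail-wrapped directive are assumptions.

```python
import re

# Constructed samples shaped like the config and `snort -T` output in the post.
CONF = """var HOME_NET any
output database: log, mysql, user=snort password=xxxxxxxx dbname=snort
host=ADS-IDS sensor_name=ADSSensor1
config classification: bad-unknown,Potentially Bad Traffic, 2
"""
T_OUT = """database: configured to use mysql
database:          user = snort
database: database name = snort
database:          host = ADS-IDS
database:   sensor name = ADSSensor1
database:     sensor id = 8
database: using the "log" facility
"""
# config key -> label the database plug-in prints at start-up
LABELS = {"user": "user", "dbname": "database name", "host": "host",
          "sensor_name": "sensor name", "facility": "facility", "dbtype": "dbtype"}

def parse_conf(text):
    """Return the `output database:` settings (password dropped), or None."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"\s*output\s+database:\s*(\w+)\s*,\s*(\w+)\s*,?\s*(.*)", line)
        if not m:
            continue
        rest = m.group(3)
        # Heuristic: a following line made only of key=value tokens is a wrapped tail.
        for nxt in lines[i + 1:]:
            if not re.fullmatch(r"\s*(\w+=\S+\s*)+", nxt):
                break
            rest += " " + nxt
        params = dict(tok.split("=", 1) for tok in rest.split())
        params.pop("password", None)  # never carry the credential into reports
        return {"facility": m.group(1), "dbtype": m.group(2), **params}

def parse_t_output(text):
    """Return what the plug-in reported: labelled values, db type, facility."""
    seen = dict(re.findall(r"^database:[ \t]*([\w ]+?)[ \t]*=[ \t]*(\S+)[ \t]*$", text, re.M))
    fac = re.search(r'using the "(\w+)" facility', text)
    typ = re.search(r"configured to use (\w+)", text)
    seen["facility"] = fac.group(1) if fac else None
    seen["dbtype"] = typ.group(1) if typ else None
    return seen

def mismatches(conf, seen):
    """List (setting, configured, reported) for every value that disagrees."""
    return [(k, conf.get(k), seen.get(lbl)) for k, lbl in LABELS.items()
            if conf.get(k) != seen.get(lbl)]
```

The `sensor id` value returned by `parse_t_output` is the number to look for in the database's sensor table when a sensor is missing from the console.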
