[Snort-users] Arrrghhh!....help..me...

Tim twrodriguez at ...741...
Wed May 28 17:49:11 EDT 2003


Frustration has set in and the answer is problably under my nose and can't see it. I really need for someone  to please point it out for me.

I'm not new to snort or configuring ACID, MySQL with its accompanying programs in order to help view alerts in ACID.....ie., gd, php, phplot..etc. JPgraph is new and I haven't had a chance to play with it...yet..

First, I'm running RH 7.3 completely updated through the RHN on two machines...hardware is exactly the same on both machines....plenty of processing power and memory......500mhz/256 MB and a 9GB IDE drive. Plenty for my little home-network-lab. The firewall is Iptables latest version on a separate machine with the same (3 NICs) hardware, totally setup and functional. 

On the snort (Version 2.0) machine I have 4 NICs one for management and the other three for the sensors. 

eth0 ---> Management
eth1----> LAN
eth2----> INTERNET
eth3----> DMZ

I have 3 poor man taps, (hubs), for my sensors to monitor the traffic. Snort was configured with --with-mysql=DIR for database support. Snort is up and running fine...this is the script I use to fire up snort: 

#!/bin/sh
#
# snortd         Start/Stop the snort IDS daemon.
#
# chkconfig: 2345 40 60
# description:  snort is a lightweight network intrusion detection tool 
#
# Source function library.
. /etc/rc.d/init.d/functions

# Specify network interface here
INTERFACE1=eth1
INTERFACE2=eth2
INTERFACE3=eth3
SNORT=/usr/local/bin/snort  

# How they are called.
case "$1" in
  start)
        echo -n "Starting snort sensor INET: "
      ifconfig eth1 promisc up
        daemon $SNORT -o -i $INTERFACE1 -d -D \
      -c /etc/snort/rules/snort-inet.conf
        touch /var/lock/subsys/snort1
      echo
      echo -n "Starting snort sensor LAN: "
      ifconfig eth2 promisc up
      daemon $SNORT -o -i $INTERFACE2 -d -D \
      -c /etc/snort/rules/snort-lan.conf
      touch /var/lock/subsys/snort2
      echo
      echo -n "Starting snort sensor DMZ: "
      ifconfig eth3 promisc up
      daemon $SNORT -o -i $INTERFACE3 -d -D \
      -c /etc/snort/rules/snort-dmz.conf
      touch /var/lock/subsys/snort3
      echo
      ;;
  stop)
        echo -n "Stopping snort: "
        killproc snort
        rm -f /var/lock/subsys/snort*
      echo
        ;;
  restart)
        $0 stop
        $0 start
        ;;
  status)
        status snort
        ;;
  *)
        echo "Usage: $0 {start|stop|restart|status}"
        exit 1

exit 0



This works well...any suggestion for improvement will be appreciated.

The snort-.....conf files have had their output plugins configured as such:



output database: log, mysql, user=snort password=xxxxxx dbname=snort host=x.x.x.x sensor_name=xxxxx


On the ACID box I have installed:
Apache 1.3.27



MySQL 3.23.56-1
MySQL-client 3.23.56-1
MySQL-shared 3.23.56-1

commands used: set password for 'root'@'localhost'=password('mypassword');
               creat database snort; 
               connect snort
               source create_mysql
               grant CREATE,INSERT,SELECT,DELETED,UPDATE on snort.* to snort;
               "                                                      "snort at ...274...;
               connect mysql
                              set password for 'snort'@'localhost' =password('mypassword');
                              set password for 'snort'@'%'=password('mypassword');
               flush privileges;
               exit
php-4.1.2-73.6
php-mysql-4.1.2-7.3

Untarred and copied the following files to /var/www/html

acid 0.9.6b23
adodb331
gd 1.8.4
phplot 4.4.6

Variables on ACID are as follows
$DBlig_path="../adodb";
$alert_dbname="snort";
$alert_user="snort";
alert_password="xxxx";
$CharLib_path="../phplot";

This should be enough for me to be able to start snort and log alerts to the database and view them with ACID or at least I thought so. It seems that the sensors are being inserted to the mysql database, however they are not viewable through ACID and snort is not logging alerts to the database.....even though it does capture packets and they viewable real time through the output on screen...no error messages from anywhere that I have been able to see so far ("tail -100 /var/log/messages"). I know, I know, switch from log to alert in the output database line, but I have done that to no avail. Snort fires up correctly and the fact that the sensors are being inserted into the database shows me that their is connectivity with the MySQL snort database...I'm at a lost. Any help will be gratefully appreciated. I have re-installed the system twice now and on the brink of sheer frustration ... The funny thing is that I have installed the Snort/ACID IDS system prior to snort 2.0 with not much trouble on numerous occassions.


Tim--Mia/Fla
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20030528/c5216272/attachment.html>


More information about the Snort-users mailing list