[Snort-users] Re: SnortCenter Configuration

Roy S. Rapoport snort-users at ...9230...
Fri May 30 00:27:02 EDT 2003


On Thu, May 29, 2003 at 11:44:57PM -0700, Roy S. Rapoport wrote:
> Is this even the best place to ask Snort Center questions?
> http://users.pandora.be/larc/index.html doesn't seem to mention any
> snortcenter-specific mailing lists.
> 
> I actually had Snort working well in standalone mode, and I'm trying to
> integrate it into SnortCenter (so I'll initially have SnortCenter manage
> one agent).  SnortCenter and Agent talk well with each other; I've
> uploaded the config file I was using originally, but I'm having a
> problem with the rules.  Specifically, if I do admin->import/update
> rules->update from internet, I get "No update this time..." which is not
> necessarily all that descriptive.  Nothing new?  Couldn't find anything?
> Dunno.
> 
> I obviously don't want to hand-enter a whole bunch of different rules.
> Any suggestions?

I figured out, at least preliminarily, what was going on.

On my system, snortcenter was attempting to download the files by using:
$fp=popen($curl_path."curl -s $proxyline $snortrules_url 2>/dev/null | tar xzOf - rules/*.rules rules/*.conf rules/*.config", "r");

However, on Solaris tar cannot cope with compressed files.  I needed to
use gtar (the gnu tar) and fully qualify it.  So this:
$fp=popen($curl_path."curl -s $proxyline $snortrules_url 2>/dev/null | /usr/local/bin/gtar xzOf - rules/*.rules rules/*.conf rules/*.config", "r");

Worked.  Kinda.  After running this and having SnortCenter see all the
rules, I attempted to do it again for no particularly good reason, and
got:
Database ERROR:Database ERROR:Unknown column 'byte_jump' in 'field list'

Which I suppose makes sense:  There are several DB queries that seem to
rely on a byte_jump column in uricontent:
---
151 nag /usr/local/snortcenter # grep byte_jump * | grep "SELECT"
rules.php:        $result_content = $db->acidExecute("SELECT content, off_set, depth, nocase, regex, rawbytes, distance, within, byte_jump, byte_test  FROM content WHERE sid='$sid'");
rules.php:        $result_uricontent = $db->acidExecute("SELECT uricontent, off_set, depth, nocase, regex, distance, within, byte_jump, byte_test FROM uricontent WHERE sid='$sid'");
sensor.inc.php:                    $result_content = $db->acidExecute("SELECT content, off_set, depth, nocase, regex, rawbytes, distance, within, byte_jump, byte_test FROM content WHERE sid='$sid'");
sensor.inc.php:                    $result_uricontent = $db->acidExecute("SELECT uricontent, off_set, depth, nocase, regex, distance, within, byte_jump, byte_test FROM uricontent WHERE sid='$sid'");
sensor_rules.php:        $result_content = $db->acidExecute("SELECT content, off_set, depth, nocase, regex, rawbytes, distance, within, byte_jump, byte_test FROM content WHERE sid='$sid'");
sensor_rules.php:        $result_uricontent = $db->acidExecute("SELECT uricontent, off_set, depth, nocase, regex, distance, within, byte_jump, byte_test FROM uricontent WHERE sid='$sid'");
---

But when uricontent is created, it's created thus:
CREATE TABLE uricontent (
  sid bigint(20) unsigned NOT NULL default '0',
  uricontent longtext,
  off_set varchar(4) default NULL,
  depth varchar(4) default NULL,
  nocase varchar(6) default NULL,
  regex varchar(5) default NULL,
  KEY sid (sid)
) TYPE=MyISAM;

So, obviously, you get database errors.

I'm hearing of a lot of people happily using SnortCenter.  The problems
I'm encountering are so darn basic, I'm wondering if there's something
fundamentally different or broken about my setup (one possibility for
the tar issue is that nobody considered that SnortCenter might be run on
a non-BSD/non-Linux system, for example), or if, in fact, someone was
just damn sloppy with this latest version of SnortCenter.

Thoughts?

-roy
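A small consistency check, added here as an example and not part of Roy's post or of SnortCenter's code: it compares the column list of the quoted SELECT against the quoted CREATE TABLE for uricontent and reports the columns the query needs but the schema never defines, which is exactly what produces the "Unknown column" error above. The sid value and the helper names are constructed.

```python
import re

# Constructed from the SnortCenter source quoted in the post: the SELECT that
# sensor_rules.php runs against uricontent, and the CREATE TABLE for that table.
SELECT_SQL = ("SELECT uricontent, off_set, depth, nocase, regex, distance, within, "
              "byte_jump, byte_test FROM uricontent WHERE sid='1'")
CREATE_SQL = """CREATE TABLE uricontent (
  sid bigint(20) unsigned NOT NULL default '0',
  uricontent longtext,
  off_set varchar(4) default NULL,
  depth varchar(4) default NULL,
  nocase varchar(6) default NULL,
  regex varchar(5) default NULL,
  KEY sid (sid)
) TYPE=MyISAM;"""

def selected_columns(select_sql):
    """Return (table, [columns]) for a simple 'SELECT a, b FROM t ...' statement."""
    m = re.match(r"\s*SELECT\s+(.*?)\s+FROM\s+(\w+)", select_sql, re.I | re.S)
    if not m:
        raise ValueError("not a simple SELECT ... FROM statement")
    cols = [c.strip() for c in m.group(1).split(",")]
    return m.group(2), cols

def defined_columns(create_sql):
    """Return (table, {columns}) from a CREATE TABLE, skipping KEY/INDEX lines."""
    m = re.match(r"\s*CREATE\s+TABLE\s+(\w+)\s*\((.*)\)", create_sql, re.I | re.S)
    if not m:
        raise ValueError("not a CREATE TABLE statement")
    cols = set()
    for line in m.group(2).splitlines():
        line = line.strip().rstrip(",")
        if not line or re.match(r"(PRIMARY\s+)?KEY|INDEX|UNIQUE|CONSTRAINT", line, re.I):
            continue
        cols.add(line.split()[0])  # first token of a column definition is its name
    return m.group(1), cols

def missing_columns(select_sql, create_sql):
    """Columns the SELECT needs that the schema does not define, in SELECT order."""
    sel_table, wanted = selected_columns(select_sql)
    def_table, have = defined_columns(create_sql)
    if sel_table.lower() != def_table.lower():
        raise ValueError(f"table mismatch: {sel_table} vs {def_table}")
    return [c for c in wanted if c not in have]

if __name__ == "__main__":
    # Prints: ['distance', 'within', 'byte_jump', 'byte_test']
    print(missing_columns(SELECT_SQL, CREATE_SQL))
```

Run against the other SELECTs quoted above (content as well as uricontent) and the matching CREATE TABLE statements from the SnortCenter schema to see every column the installed database is missing before trying an import.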