[Snort-users] TCP and ACID

Kromodimedjo, John kromodimedjoj at ...11499...
Thu Apr 1 13:08:17 EST 2004


Hi Michael,

>>Do a TCPDump on port 1433 and make SURE you are getting alerts.
Done this, looks OK to me

>>Telnet <IP_Address> 1433 and you should get a response back from the MSSQL database.
This is OK too. I checked and the tables are being populated

>>Make sure your HOME_NET is correct. Try "HOME_NET any"
Is set to "any"

>>Is there a way to compile this without using FLEXResp?
Don't know what you mean.

>>Do you have libnetNT.dll installed?
Yes, installed in snort\bin directory

** I am lost and not sure how to continue. The thing I am not sure of is
whether my snort command line is OK - it is set to:
snort -l d:\snort\log -c d:\snort\etc\snort.conf

** I also have followed exactly what it says in the installation guide,
with the exception that I have installed it in \snort instead of the
\application directory, which I don't think will matter (and of course I
am consistent throughout).

Sorry to bother you again and thanks for your help.


John Kromodimedjo
UNAIDS-Geneva





> -----Original Message-----
> From: Kromodimedjo, John [mailto:kromodimedjoj at ...11499...]
> Sent: Wednesday, March 31, 2004 1:48 PM
> To: Michael Steele; snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] TCP and ACID
> 
> Hi thanks for your reply.
> 
> 
> >1) Is Snort really running?
> Yes.
> 
> >2) snort -v (You should see traffic)
> Yes, I do - lots of traffic
> 
> >3) Are you on a switch?
> Nope.
> 
> >4) snort <full run line> -T (This should give you some useful
> information)
> Everything looks OK - See attached snortrun.txt
> 
> 
> >5) TCPDump the port to see if traffic is really getting there
> Yes....all is fine
> 
> >6) Check the logs for errors
> No errors
> 
> >7) is Snort creating the alert.ids in the log folder?
> Yes is being created and has data.
> 
> I have included my snort.conf file. Do you think the 2 lines below can
> be together? Because I got an MSSQL error too... duplicate primary key,
> but if I take one of the lines out it does not.
> 
> output database: log, mssql, user=snort password=snort123 dbname=snort host=158.232.85.36 port=1433 sensor_name=GE-3E-06
> 
> output database: alert, mssql, user=snort password=snort123 dbname=snort host=158.232.85.36 port=1433 sensor_name=GE-3E-06
> 
> 
> Million thanks for your help.
> 
> 
> John Kromodimedjo
> UNAIDS - Geneva
> ----------------------------------------------------
> 
> 
> 
> Kindest regards,
> 
> The WINSNORT.com Management Team
> --
> Pick up your FREE Windows or UNIX Snort installation guides
> mailto:support at ...9077...
> Website: http://www.winsnort.com
> Snort: Open Source Network IDS - http://www.snort.org
> 
> 
> > -----Original Message-----
> > From: snort-users-admin at lists.sourceforge.net [mailto:snort-users-
> > admin at lists.sourceforge.net] On Behalf Of Kromodimedjo, John
> > Sent: Wednesday, March 31, 2004 4:56 AM
> > To: snort-users at lists.sourceforge.net
> > Subject: [Snort-users] TCP and ACID
> >
> > Hi all,
> >
> > I have installed snort with ACID on MSSQL. So far so good. I have
> > left it running for one night and I know it captured TCP packets but
> > nothing comes up in ACID.
> >
> > Do you know what I am doing wrong??
> >
> > Here is part of my snort.conf.
> >
> > Thanks.
> >
> > John
> > UNAIDS-Geneva
> >
> >
> > -----------------------------------
> >
> >
> > var HOME_NET any
> > var EXTERNAL_NET any
> > var DNS_SERVERS $HOME_NET
> > var SMTP_SERVERS $HOME_NET
> > var HTTP_SERVERS $HOME_NET
> > var SQL_SERVERS $HOME_NET
> > var TELNET_SERVERS $HOME_NET
> > var SNMP_SERVERS $HOME_NET
> > var HTTP_PORTS 80
> > var SHELLCODE_PORTS !80
> > var ORACLE_PORTS 1521
> >
> > var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
> >
> > var RULE_PATH d:\snort\rules
> > preprocessor flow: stats_interval 0 hash 2
> > preprocessor frag2
> > preprocessor stream4: disable_evasion_alerts
> > preprocessor stream4_reassemble
> > preprocessor http_inspect: global \
> >     iis_unicode_map unicode.map 1252
> >
> > preprocessor http_inspect_server: server default \
> >     profile all ports { 80 8080 8180 } oversize_dir_length 500
> >
> >
> > preprocessor rpc_decode: 111 32771
> > preprocessor bo
> > preprocessor telnet_decode
> >
> > preprocessor portscan:$HOME_NET 4 3 d:\snort\log\portscan.log
> >
> > output alert_fast:alert.ids
> >
> > output database: log, mssql, user=snort password=snort123 dbname=snort host=158.232.85.36 port=1433 sensor_name=GE-3E-06
> > output database: alert, mssql, user=snort password=snort123 dbname=snort host=158.232.85.36 port=1433 sensor_name=GE-3E-06
> >
> >
> > include d:\snort\etc\classification.config
> > include d:\snort\etc\reference.config
> >
> >
> >
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=ort-users
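The "duplicate primary key" error and the two "output database:" lines are the most concrete clue in this thread. The following checker is an added example, not part of the original mails and not Snort's or ACID's own code. It assumes the Snort 2.x database-plugin behaviour that every output database instance resolves (or creates) one row in the sensor table and then continues its own event counter (cid) from MAX(cid) for that sensor id, so two instances pointed at the same database and sensor_name both hand out the same (sid, cid) pairs and collide in the event table; the sample config is a constructed copy of the poster's lines, and logical_lines, parse_database_outputs and find_problems are hypothetical helper names.

```python
"""Lint a snort.conf for 'output database:' directives that collide on one
sensor row or that carry credentials.  Added example; the assumptions about
how the Snort 2.x database plugin allocates sid/cid are stated in comments."""
import re
from collections import defaultdict

# Constructed sample mirroring the two lines posted in the thread.  The
# trailing backslash is Snort's line-continuation syntax (assumed layout).
SAMPLE_CONF = """\
var HOME_NET any
output alert_fast:alert.ids
output database: log, mssql, user=snort password=snort123 dbname=snort \\
host=158.232.85.36 port=1433 sensor_name=GE-3E-06
output database: alert, mssql, user=snort password=snort123 dbname=snort \\
host=158.232.85.36 port=1433 sensor_name=GE-3E-06
"""


def logical_lines(text):
    """Yield logical config lines, joining physical lines that end in '\\'."""
    buf = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf.append(line[:-1].rstrip())
            continue
        buf.append(line)
        yield " ".join(buf)
        buf = []
    if buf:  # continuation at end of file
        yield " ".join(buf)


def parse_database_outputs(text):
    """Return one dict per 'output database: <type>, <driver>, k=v ...'
    directive: type (log/alert), driver (mssql/mysql/...) and parameters."""
    outputs = []
    pattern = re.compile(r"\s*output\s+database\s*:\s*(\w+)\s*,\s*(\w+)\s*,\s*(.*)$")
    for line in logical_lines(text):
        m = pattern.match(line)
        if not m:
            continue
        kind, driver, rest = m.groups()
        params = dict(re.findall(r"(\w+)=(\S+)", rest))
        outputs.append({"type": kind, "driver": driver, **params})
    return outputs


def find_problems(outputs):
    """Flag (a) several plugin instances sharing one database + sensor_name,
    which the Snort 2.x plugin maps to one sensor row (sid) while each
    instance increments its own cid, so event(sid, cid) inserts collide;
    (b) database passwords embedded in the config file."""
    problems = []
    targets = defaultdict(list)
    for o in outputs:
        key = (o.get("host"), o.get("port", ""), o.get("dbname"), o.get("sensor_name"))
        targets[key].append(o["type"])
    for (host, port, db, sensor), kinds in targets.items():
        if len(kinds) > 1:
            problems.append(
                f"{'+'.join(kinds)} outputs both write to {db}@{host}:{port} as "
                f"sensor '{sensor}': both get the same sid and keep separate cid "
                f"counters, so inserts into event(sid, cid) hit a duplicate "
                f"primary key. Keep a single database output per sensor.")
    for o in outputs:
        if "password" in o:
            problems.append(
                f"{o['type']} output embeds the password of DB user "
                f"'{o.get('user')}' in snort.conf; restrict the file's ACL and "
                f"give that login only INSERT/SELECT on the Snort tables.")
    return problems


if __name__ == "__main__":
    for p in find_problems(parse_database_outputs(SAMPLE_CONF)):
        print("-", p)
```

Running it against the posted configuration reports one collision (log + alert on the same sensor) plus one plaintext-credential finding per directive; with only one of the two database lines left, as the poster observed, the collision disappears.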