[Snort-users] TCP and ACID

Thompson, Jimi JimiT at ...10836...
Fri Apr 2 08:14:00 EST 2004


There are some extra tables for ACID, but there is a SQL script with ACID
that should supply you with the necessary information.  You will need to
run the create_acid_tbls_mssql.sql that should be located in the
directory where you unpacked the ACID files.  Whatever your chosen
method for running SQL scripts against your database (command line or
GUI interface), you will have to run this in order to be able to run
ACID.  PHP should work fine from an IIS perspective.  I'm unfamiliar
with how PHP connects to MSSQL via IIS.  I know that via other web
servers you need to have the right parameters compiled into PHP in
order to support connections to other databases (Oracle, PostgreSQL,
MySQL, etc.), so I'm guessing that it would be the same with MSSQL.  If I
recall correctly, MSSQL can be accessed by non-Microsoft software via a
simple ODBC connection, so perhaps compiling PHP -with-odbc might work.
Then again, it is a Microsoft product.
Seriously, if this gets to be too big a headache, I'll send you a series
of articles I've been working on that cover installing FreeBSD, Snort,
MySQL and ACID for the Windows user.  They come with hand-holding
directions and sample config files.  The series isn't done yet, but I
have more than enough to get you started.
Thanks,
Jimi
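An added example (not code from the thread, from Snort or from ACID): a
small Python lint for the `output database:` lines of a Snort 2.x
snort.conf. It flags the configuration John quotes further down, a `log`
and an `alert` database output both pointed at the same database and
sensor_name, which he reports gives a duplicate primary key error from
MSSQL until one of the two lines is removed, and it also flags a database
password sitting in clear text on the output line. The sample config
embedded below is constructed from the lines in this thread; the
parameter names (user, password, dbname, host, port, sensor_name) are
those of Snort's database output plugin.

```python
"""Lint the ``output database:`` lines of a Snort 2.x snort.conf.

Added example for this thread, not code from Snort or ACID.  It reports
two things:
  * a ``log`` and an ``alert`` database output aimed at the same database
    and sensor_name (the thread reports MSSQL duplicate primary key errors
    from that pairing until one line is removed), and
  * a database password stored in clear text on the output line.
"""
import re
from collections import defaultdict

# Constructed sample: John's two output lines (wrapped with Snort's
# backslash continuation) plus the alert_fast line, which must be ignored.
SAMPLE_CONF = """\
output alert_fast:alert.ids
output database: log, mssql, user=snort password=snort123 dbname=snort \\
    host=158.232.85.36 port=1433 sensor_name=GE-3E-06
output database: alert, mssql, user=snort password=snort123 dbname=snort \\
    host=158.232.85.36 port=1433 sensor_name=GE-3E-06
"""

OUTPUT_DB_RE = re.compile(
    r"^\s*output\s+database\s*:\s*(log|alert)\s*,\s*(\w+)\s*,\s*(.*?)\s*$")


def parse_output_database(conf_text):
    """Return one dict per ``output database:`` line.

    Backslash-newline continuations are joined first, so a wrapped line
    counts as one entry.  Each dict carries the line number, the facility
    (log/alert), the database type and the key=value parameters.
    """
    joined = conf_text.replace("\\\n", " ")
    entries = []
    for lineno, line in enumerate(joined.splitlines(), 1):
        m = OUTPUT_DB_RE.match(line)
        if not m:
            continue
        facility, dbtype, params = m.groups()
        entry = {"line": lineno, "facility": facility, "dbtype": dbtype}
        for token in params.split():
            if "=" in token:
                key, value = token.split("=", 1)
                entry[key] = value
        entries.append(entry)
    return entries


def lint_output_database(conf_text):
    """Return a list of human-readable findings (an empty list is clean)."""
    findings = []
    by_target = defaultdict(list)
    for e in parse_output_database(conf_text):
        if "password" in e:
            findings.append(
                f"line {e['line']}: database password is in clear text in "
                f"snort.conf; restrict the file's permissions")
        # Same DB type, host, port, dbname and sensor_name => same target.
        target = tuple(e.get(k) for k in
                       ("dbtype", "host", "port", "dbname", "sensor_name"))
        by_target[target].append(e)
    for target, es in by_target.items():
        if {"log", "alert"} <= {e["facility"] for e in es}:
            lines = ", ".join(str(e["line"]) for e in es)
            findings.append(
                f"lines {lines}: both 'log' and 'alert' database outputs "
                f"point at {target}; keep one of them")
    return findings


if __name__ == "__main__":
    for finding in lint_output_database(SAMPLE_CONF):
        print(finding)
```

To run it against a real file, call `lint_output_database(open(path).read())`;
two outputs that go to different databases or different sensor_name values
are not reported as a pair.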

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Shawn
Kottke
Sent: Thursday, April 01, 2004 5:00 PM
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] TCP and ACID
It seems to me that the problem is not with snort, but perhaps with the
ACID config and/or php compiled with MSSQL support.

I am not sure if php compiles with MSSQL support. I have not looked into
it, but I assume that it would.

I also seem to recall from the directions that I used to configure snort
to work with mysql and acid that there was a command that I had to run
that extended the database by three tables from the basic snort DB. I
believe these tables are to support acid, although someone who knows
more could confirm whether this is true or not. Perhaps something like
this was missed as you were setting up your system.

Just a few thoughts.


Shawn Kottke
Datalink Corporation


-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
<snort-users-admin at lists.sourceforge.net>
To: Michael Steele <michaels at ...9077...>;
snort-users at lists.sourceforge.net <snort-users at lists.sourceforge.net>
Sent: Thu Apr 01 15:07:30 2004
Subject: RE: [Snort-users] TCP and ACID

Hi Michael,

>>Do a TCPDump on port 1433 and make SURE you are getting alerts.
Done this, looks OK to me

>>Telnet <IP_Address> 1433 and you should get a response back from the
MSSQL database.
This is OK too. I checked and the tables are being populated

>>Make sure your HOME_NET is correct. Try "HOME_NET any"
Is set to "any"

>>Is there a way to compile this without using FLEXResp?
Don't know what you mean?

>>Do you have libnetNT.dll installed?
Yes, installed in snort\bin directory

** I am lost and not sure how to continue. The thing I am not sure about
is whether my snort command is OK; it is set to:
snort -l d:\snort\log -c d:\snort\etc\snort.conf

** I have also followed exactly what it says in the installation guide,
with the exception that I have installed it in \snort instead of the
\application directory, which I don't think will matter (and of course I
am consistent throughout).

Sorry to bother you again and thanks for your help.


John Kromodimedjo
UNAIDS-Geneva
> -----Original Message-----
> From: Kromodimedjo, John [mailto:kromodimedjoj at ...11499...]
> Sent: Wednesday, March 31, 2004 1:48 PM
> To: Michael Steele; snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] TCP and ACID
>
> Hi thanks for your reply.
>
>
> >1) Is Snort really running?
> Yes.
>
> >2) snort -v (You should see traffic)
> Yes, I do - lots of traffic
>
> >3) Are you on a switch?
> Nope.
>
> >4) snort <full run line> -T (This should give you some useful
> information)
> Everything looks OK - See attached snortrun.txt
>
>
> >5) TCPDump the port to see if traffic is really getting there
> Yes....all is fine
>
> >6) Check the logs for errors
> No errors
>
> >7) is Snort creating the alert.ids in the log folder?
> Yes is being created and has data.
>
> I have included my snort.conf file. Do you think the 2 lines below can
> be together? Because I got an MSSQL error too (duplicate primary key),
> but if I take one of the lines out it does not.
>
> output database: log, mssql, user=snort password=snort123 dbname=snort host=158.232.85.36 port=1433 sensor_name=GE-3E-06
>
> output database: alert, mssql, user=snort password=snort123 dbname=snort host=158.232.85.36 port=1433 sensor_name=GE-3E-06
>
>
> Million thanks for your help.
>
>
> John Kromodimedjo
> UNAIDS - Geneva
> ----------------------------------------------------
>
>
>
> Kindest regards,
>
> The WINSNORT.com Management Team
> --
> Pick up your FREE Windows or UNIX Snort installation guides
> mailto:support at ...9077...
> Website: http://www.winsnort.com
> Snort: Open Source Network IDS - http://www.snort.org
>
>
> > -----Original Message-----
> > From: snort-users-admin at lists.sourceforge.net [mailto:snort-users-
> > admin at lists.sourceforge.net] On Behalf Of Kromodimedjo, John
> > Sent: Wednesday, March 31, 2004 4:56 AM
> > To: snort-users at lists.sourceforge.net
> > Subject: [Snort-users] TCP and ACID
> >
> > Hi all,
> >
> > I have installed snort with ACID on MSSQL. So far so good. I have
> > left it running for one night and I know it captured TCP packets but
> > nothing comes up in ACID.
> >
> > Do you know what I am doing wrong??
> >
> > Here is part of my snort.conf.
> >
> > Thanks.
> >
> > John
> > UNAIDS-Geneva
> >
> >
> > -----------------------------------
> >
> >
> > var HOME_NET any
> > var EXTERNAL_NET any
> > var DNS_SERVERS $HOME_NET
> > var SMTP_SERVERS $HOME_NET
> > var HTTP_SERVERS $HOME_NET
> > var SQL_SERVERS $HOME_NET
> > var TELNET_SERVERS $HOME_NET
> > var SNMP_SERVERS $HOME_NET
> > var HTTP_PORTS 80
> > var SHELLCODE_PORTS !80
> > var ORACLE_PORTS 1521
> >
> > var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
> >
> > var RULE_PATH d:\snort\rules
> > preprocessor flow: stats_interval 0 hash 2
> > preprocessor frag2
> > preprocessor stream4: disable_evasion_alerts
> > preprocessor stream4_reassemble
> > preprocessor http_inspect: global \
> >     iis_unicode_map unicode.map 1252
> >
> > preprocessor http_inspect_server: server default \
> >     profile all ports { 80 8080 8180 } oversize_dir_length 500
> >
> >
> > preprocessor rpc_decode: 111 32771
> > preprocessor bo
> > preprocessor telnet_decode
> >
> > preprocessor portscan:$HOME_NET 4 3 d:\snort\log\portscan.log
> >
> > output alert_fast:alert.ids
> >
> > output database: log, mssql, user=snort password=snort123 dbname=snort host=158.232.85.36 port=1433 sensor_name=GE-3E-06
> > output database: alert, mssql, user=snort password=snort123 dbname=snort host=158.232.85.36 port=1433 sensor_name=GE-3E-06
> >
> >
> > include d:\snort\etc\classification.config
> > include d:\snort\etc\reference.config
> >
> >
> >
> >
> > -------------------------------------------------------
> > This SF.Net email is sponsored by: IBM Linux Tutorials
> > Free Linux tutorial presented by Daniel Robbins, President and CEO of
> > GenToo technologies. Learn everything from fundamentals to system
> > administration.http://ads.osdn.com/?ad_id70&alloc_id638&op=ick
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=ort-users
>
