[Snort-users] OpenBSD 3.4 snort--X-->mysql not working and I don't see any errors on startup

Jacob, Raymond A Jr raymond.jacob at ...7622...
Thu Apr 22 09:34:11 EDT 2004


Question: Why are no alerts being generated?
(I appologize in advance for long message.)

References:
(1)http://openbsddiary.org/index.php?page=snort#ConfigMySQL (not used)
(2) http://www.andrew.cmu.edu/~rdanyliw/snort/snortdb/snortdb_faq.html#faq_b1
(3) http://archives.neohapsis.com/archives/snort/2000-06/0181.html (used)

Lab equipment:
1. Windows laptop w/NMAP
2. OpenBSD 3.4 on intel w/snort, mysql,acid(and associated software to make acid run)
3. One cross connected twisted pair cable between 1.(laptop) and 2.(one port:ethernet1 on OpenBSD Bridge )

Procedure:
1. (OpenBSD)configure bridging on OpenBSD to monitor two(2) networks running one instance of 
snort.
2. start snort in sniffer mode:
/usr/local/bin/snort -dev -i bridge0
[block nonip, block outbound traffic to lans connected to bridge,allow ip traffic in]
3. (laptop)start nmap up run syn scan.
Results:snort dumps traffic to screen.
4. start snort:
/usr/local/bin/snort -c /etc/snort/snort.conf -i bridge0 -D > /dev/null & echo -n ' snort'
5. (laptop)start nmap up run syn scan.
Results: database does not grow in size and alerts file is empty.
6.kill snort and run from the command line.
 /usr/local/bin/snort -c /etc/snort/snort.conf -i bridge0 -o -N
[See: Script started on Wed Apr 21 18:24:42 2004 for screen dump]
Results: database does not grow in size and alerts file is empty.
Notice alot of arps. Probably because laptop is the only system
on this net with an ip address.
7.logged in as snort administrator(not root)
mysql> insert into sensor (hostname, interface, filter) VALUES 
    -> ('test1', 'test2', 'test3'); 
Query OK, 1 row affected (0.03 sec) 
# try selecting again 
mysql> select * from sensor; 
+-----+------------+-----------+--------+ 
| sid | hostname | interface | filter | 
+-----+------------+-----------+--------+ 
| 1 | unknown | bridge0 | NULL | 1
| 2 | test1 | test2 | test3 | 1
+-----+------------+-----------+--------+ 


Question: Why are no alerts being generated?

Data:
Script started on Wed Apr 21 18:24:42 2004
machine1# grep snort /etc/snort/snort/snortstart
#/etc/snort/snortstart
if [ -x /usr/local/bin/snort ]; then
#/usr/local/bin/snort -c /etc/snort/snort.conf -i bridge0 -u snort -g snort -D > /dev/null & echo -n ' snort'
/usr/local/bin/snort -c /etc/snort/snort.conf -i bridge0 -D > /dev/null & echo -n ' snort'
#/usr/bin/killall snort > /dev/null 2>&1 && echo - n ' snort'
...
machine1# /usr/local/bin/snort -c /etc/snort/snort.conf -i bridge0 -o -N
Running in IDS mode
Log directory = /var/log/snort

Initializing Network Interface bridge0
OpenPcap() device bridge0 network lookup: 
        bridge0: no IPv4 address assigned

        --== Initializing Snort ==--
Rule application order changed to Pass->Alert->Log
Initializing Output Plugins!
Decoding Ethernet on interface bridge0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
,-----------[Flow Config]----------------------
| Stats Interval:  0
| Hash Method:     2
| Memcap:          10485760
| Rows  :          4099
| Overhead Bytes:  16400(%0.16)
`----------------------------------------------
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
    Self preservation threshold: 500
    Self preservation period: 90
    Suspend threshold: 1000
    Suspend period: 30
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: INACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
Stream4_reassemble config:
    Server reassembly: INACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Zero out flushed packets: INACTIVE
    flush_data_diff_size: 500
    Ports: 21 23 25 53 80 110 111 143 513 1433 
    Emergency Ports: 21 23 25 53 80 110 111 143 513 1433 
HttpInspect Config:
    GLOBAL CONFIG
      Max Pipeline Requests:    0
      Inspection Type:          STATELESS
      Detect Proxy Usage:       NO
      IIS Unicode Map Filename: /etc/snort/unicode.map
      IIS Unicode Map Codepage: 1252
    DEFAULT SERVER CONFIG:
      Ports: 80 8080 8180 
      Flow Depth: 300
      Max Chunk Length: 500000
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Disable Alerting: NO
      Oversize Dir Length: 500
      Only inspect URI: NO
      Ascii: YES alert: NO
      Double Decoding: YES alert: YES
      %U Encoding: YES alert: YES
      Bare Byte: YES alert: YES
      Base36: OFF
      UTF 8: OFF
      IIS Unicode: YES alert: YES
      Multiple Slash: YES alert: NO
      IIS Backslash: YES alert: NO
      Directory: YES alert: NO
      Apache WhiteSpace: YES alert: YES
      IIS Delimiter: YES alert: YES
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
      Non-RFC Compliant Characters: NONE
rpc_decode arguments:
    Ports to decode RPC on: 111 32771 
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119 
database: compiled support for ( mysql )
database: configured to use mysql
database:          user = xxxx
database: password is set
database: database name = snort
database:          host = localhost
database:   sensor name = unknown:bridge0
database:     sensor id = 2
database: schema version = 106
database: using the "alert" facility
1679 Snort rules read...
1679 Option Chains linked into 156 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++


+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| gen-id=1      sig-id=2275       type=Threshold tracking=dst count=5   seconds=60 
+-----------------------[suppression]------------------------------------------
-------------------------------------------------------------------------------
Rule application order: ->pass->activation->dynamic->alert->log

        --== Initialization Complete ==--

-*> Snort! <*-
Version 2.1.2 (Build 25)
By Martin Roesch (roesch at ...1935..., www.snort.org)
^C

===============================================================================
Snort analyzed 264 out of 264 packets, dropping 0(0.000%) packets

Breakdown by protocol:                Action Stats:
    TCP: 0          (0.000%)          ALERTS: 0         
    UDP: 9          (3.409%)          LOGGED: 0         
   ICMP: 0          (0.000%)          PASSED: 0         
    ARP: 255        (96.591%)
  EAPOL: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 0          (0.000%)
DISCARD: 0          (0.000%)
===============================================================================
Wireless Stats:
Breakdown by type:
    Management Packets: 0          (0.000%)
    Control Packets:    0          (0.000%)
    Data Packets:       0          (0.000%)
===============================================================================
Fragmentation Stats:
Fragmented IP Packets: 0          (0.000%)
    Fragment Trackers: 0         
   Rebuilt IP Packets: 0         
   Frag elements used: 0         
Discarded(incomplete): 0         
   Discarded(timeout): 0         
  Frag2 memory faults: 0         
===============================================================================
TCP Stream Reassembly Stats:
        TCP Packets Used: 0          (0.000%)
         Stream Trackers: 0         
          Stream flushes: 0         
           Segments used: 0         
   Stream4 Memory Faults: 0         
===============================================================================
Final Flow Statistics
,----[ FLOWCACHE STATS ]----------
Memcap: 10485760 Overhead Bytes 16400 used(%0.159130)/blocks (16686/3) Overhead blocks: 1 Could Hold: (73326)
IPV4 count: 2 frees: 0 low_time: 1082587587, high_time: 1082587588, diff: 0h:00:01s
    finds: 9 reversed: 0(%0.000000) 
    find_sucess: 7 find_fail: 2 percent_success: (%77.777778) new_flows: 2
 Protocol: 17 (%100.000000) finds: 9  reversed: 0(%0.000000) 
  find_sucess: 7 find_fail: 2 percent_success: (%77.777778) new_flows: 2
database: Closing connection to database ""
Snort exiting
machine1# exit
machine1# exit

Script done on Wed Apr 21 18:47:28 2004
Script started on Wed Apr 21 18:54:52 2004
machine1# mysql -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 17 to server version: 3.23.57-log

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> use snort
Database changed
mysql> show tables;
+------------------+
| Tables_in_snort  |
+------------------+
| acid_ag          |
| acid_ag_alert    |
| acid_event       |
| acid_ip_cache    |
| data             |
| detail           |
| encoding         |
| event            |
| flags            |
| icmphdr          |
| iphdr            |
| opt              |
| protocols        |
| reference        |
| reference_system |
| schema           |
| sensor           |
| services         |
| sig_class        |
| sig_reference    |
| signature        |
| tcphdr           |
| udphdr           |
+------------------+
23 rows in set (0.00 sec)

mysql> quit
Bye
machine1# exit
machine1# exit

Script done on Wed Apr 21 18:55:33 2004

/etc/snort/snort.conf(default from install with comments removed)
==========================

var HOME_NET any
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var RULE_PATH /etc/snort/rules
preprocessor flow: stats_interval 0 hash 2
preprocessor frag2
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252 
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
output database: alert, mysql, user=fooman password=chu dbname=snort host=localhost
include classification.config
include reference.config
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/experimental.rules
--------------------------------------------
/var/log/messages
==================================
Apr 21 14:00:01 machine1 newsyslog[2947]: logfile turned over
Apr 21 14:00:01 machine1 syslogd: restart
Apr 21 14:04:19 machine1 snort: Final Flow Statistics 
Apr 21 14:04:19 machine1 snort: Snort exiting 
Apr 21 14:05:14 machine1 snort: OpenPcap() device bridge0 network lookup:  	bridge0: no IPv4 address assigned 
Apr 21 14:05:14 machine1 snort: Initializing daemon mode 
Apr 21 14:05:14 machine1 snort: PID path stat checked out ok, PID path set to /var/run/ 
Apr 21 14:05:14 machine1 snort: Writing PID "11540" to file "/var/run//snort_bridge0.pid" 
Apr 21 14:05:14 machine1 snort: ,-----------[Flow Config]---------------------- 
Apr 21 14:05:14 machine1 snort: | Stats Interval:  0 
Apr 21 14:05:14 machine1 snort: | Hash Method:     2 
Apr 21 14:05:14 machine1 snort: | Memcap:          10485760 
Apr 21 14:05:14 machine1 snort: | Rows  :          4099 
Apr 21 14:05:14 machine1 snort: | Overhead Bytes:  16400(%0.16) 
Apr 21 14:05:14 machine1 snort: `---------------------------------------------- 
Apr 21 14:05:14 machine1 snort: HttpInspect Config: 
Apr 21 14:05:14 machine1 snort:     GLOBAL CONFIG 
Apr 21 14:05:14 machine1 snort:       Max Pipeline Requests:    0 
Apr 21 14:05:14 machine1 snort:       Inspection Type:          STATELESS 
Apr 21 14:05:14 machine1 snort:       Detect Proxy Usage:       NO 
Apr 21 14:05:14 machine1 snort:       IIS Unicode Map Filename: ./unicode.map 
Apr 21 14:05:14 machine1 snort:       IIS Unicode Map Codepage: 1252 
Apr 21 14:05:14 machine1 snort:     DEFAULT SERVER CONFIG: 
Apr 21 14:05:14 machine1 snort:       Ports: 
Apr 21 14:05:14 machine1 snort: 80 
Apr 21 14:05:14 machine1 snort: 8080 
Apr 21 14:05:14 machine1 snort: 8180 
Apr 21 14:05:14 machine1 snort:  
Apr 21 14:05:14 machine1 snort:       Flow Depth: 300 
Apr 21 14:05:14 machine1 snort:       Max Chunk Length: 500000 
Apr 21 14:05:14 machine1 snort:       Inspect Pipeline Requests: YES 
Apr 21 14:05:14 machine1 snort:       URI Discovery Strict Mode: NO 
Apr 21 14:05:14 machine1 snort:       Allow Proxy Usage: NO 
Apr 21 14:05:14 machine1 snort:       Disable Alerting: NO 
Apr 21 14:05:14 machine1 snort:       Oversize Dir Length: 500 
Apr 21 14:05:14 machine1 snort:       Only inspect URI: NO 
Apr 21 14:05:14 machine1 snort:       Ascii: YES alert: NO 
Apr 21 14:05:14 machine1 snort:       Double Decoding: YES alert: YES 
Apr 21 14:05:14 machine1 snort:       %U Encoding: YES alert: YES 
Apr 21 14:05:14 machine1 snort:       Bare Byte: YES alert: YES 
Apr 21 14:05:14 machine1 snort:       Base36: OFF 
Apr 21 14:05:14 machine1 snort:       UTF 8: OFF 
Apr 21 14:05:14 machine1 snort:       IIS Unicode: YES alert: YES 
Apr 21 14:05:14 machine1 snort:       Multiple Slash: YES alert: NO 
Apr 21 14:05:14 machine1 snort:       IIS Backslash: YES alert: NO 
Apr 21 14:05:14 machine1 snort:       Directory: YES alert: NO 
Apr 21 14:05:14 machine1 snort:       Apache WhiteSpace: YES alert: YES 
Apr 21 14:05:14 machine1 snort:       IIS Delimiter: YES alert: YES 
Apr 21 14:05:14 machine1 snort:       IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG 
Apr 21 14:05:14 machine1 snort:       Non-RFC Compliant Characters: 
Apr 21 14:05:14 machine1 snort: NONE
Apr 21 14:05:14 machine1 snort:  
Apr 21 14:05:14 machine1 snort: rpc_decode arguments: 
Apr 21 14:05:14 machine1 snort:     Ports to decode RPC on: 111 32771  
Apr 21 14:05:14 machine1 snort:     alert_fragments: INACTIVE 
Apr 21 14:05:14 machine1 snort:     alert_large_fragments: ACTIVE 
Apr 21 14:05:14 machine1 snort:     alert_incomplete: ACTIVE 
Apr 21 14:05:14 machine1 snort:     alert_multiple_requests: ACTIVE 
Apr 21 14:05:14 machine1 snort: telnet_decode arguments: 
Apr 21 14:05:14 machine1 snort:     Ports to decode telnet on: 21 23 25 119  
Apr 21 14:05:14 machine1 snort:  Snort sucessfully loaded all rules and checked all rule chains! 
Apr 21 14:05:14 machine1 snort: Final Flow Statistics 
Apr 21 14:05:14 machine1 snort: Snort exiting 
Apr 21 15:00:01 machine1 syslogd: restart
Apr 21 15:01:32 machine1 snort: OpenPcap() device bridge0 network lookup:  	bridge0: no IPv4 address assigned 
Apr 21 15:01:32 machine1 snort: Initializing daemon mode 
Apr 21 15:01:32 machine1 snort: PID path stat checked out ok, PID path set to /var/run/ 
Apr 21 15:01:32 machine1 snort: Writing PID "14219" to file "/var/run//snort_bridge0.pid" 
Apr 21 15:01:32 machine1 snort: ,-----------[Flow Config]---------------------- 
Apr 21 15:01:32 machine1 snort: | Stats Interval:  0 
Apr 21 15:01:32 machine1 snort: | Hash Method:     2 
Apr 21 15:01:32 machine1 snort: | Memcap:          10485760 
Apr 21 15:01:32 machine1 snort: | Rows  :          4099 
Apr 21 15:01:32 machine1 snort: | Overhead Bytes:  16400(%0.16) 
Apr 21 15:01:32 machine1 snort: `---------------------------------------------- 
Apr 21 15:01:32 machine1 snort: HttpInspect Config: 
Apr 21 15:01:32 machine1 snort:     GLOBAL CONFIG 
Apr 21 15:01:32 machine1 snort:       Max Pipeline Requests:    0 
Apr 21 15:01:32 machine1 snort:       Inspection Type:          STATELESS 
Apr 21 15:01:32 machine1 snort:       Detect Proxy Usage:       NO 
Apr 21 15:01:32 machine1 snort:       IIS Unicode Map Filename: /etc/snort/unicode.map 
Apr 21 15:01:32 machine1 snort:       IIS Unicode Map Codepage: 1252 
Apr 21 15:01:32 machine1 snort:     DEFAULT SERVER CONFIG: 
Apr 21 15:01:32 machine1 snort:       Ports: 
Apr 21 15:01:32 machine1 snort: 80 
Apr 21 15:01:32 machine1 snort: 8080 
Apr 21 15:01:32 machine1 snort: 8180 
Apr 21 15:01:32 machine1 snort:  
Apr 21 15:01:32 machine1 snort:       Flow Depth: 300 
Apr 21 15:01:32 machine1 snort:       Max Chunk Length: 500000 
Apr 21 15:01:32 machine1 snort:       Inspect Pipeline Requests: YES 
Apr 21 15:01:32 machine1 snort:       URI Discovery Strict Mode: NO 
Apr 21 15:01:32 machine1 snort:       Allow Proxy Usage: NO 
Apr 21 15:01:32 machine1 snort:       Disable Alerting: NO 
Apr 21 15:01:32 machine1 snort:       Oversize Dir Length: 500 
Apr 21 15:01:32 machine1 snort:       Only inspect URI: NO 
Apr 21 15:01:32 machine1 snort:       Ascii: YES alert: NO 
Apr 21 15:01:32 machine1 snort:       Double Decoding: YES alert: YES 
Apr 21 15:01:32 machine1 snort:       %U Encoding: YES alert: YES 
Apr 21 15:01:32 machine1 snort:       Bare Byte: YES alert: YES 
Apr 21 15:01:32 machine1 snort:       Base36: OFF 
Apr 21 15:01:32 machine1 snort:       UTF 8: OFF 
Apr 21 15:01:32 machine1 snort:       IIS Unicode: YES alert: YES 
Apr 21 15:01:32 machine1 snort:       Multiple Slash: YES alert: NO 
Apr 21 15:01:32 machine1 snort:       IIS Backslash: YES alert: NO 
Apr 21 15:01:32 machine1 snort:       Directory: YES alert: NO 
Apr 21 15:01:32 machine1 snort:       Apache WhiteSpace: YES alert: YES 
Apr 21 15:01:32 machine1 snort:       IIS Delimiter: YES alert: YES 
Apr 21 15:01:32 machine1 snort:       IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG 
Apr 21 15:01:32 machine1 snort:       Non-RFC Compliant Characters: 
Apr 21 15:01:32 machine1 snort: NONE
Apr 21 15:01:32 machine1 snort:  
Apr 21 15:01:32 machine1 snort: rpc_decode arguments: 
Apr 21 15:01:32 machine1 snort:     Ports to decode RPC on: 111 32771  
Apr 21 15:01:32 machine1 snort:     alert_fragments: INACTIVE 
Apr 21 15:01:32 machine1 snort:     alert_large_fragments: ACTIVE 
Apr 21 15:01:32 machine1 snort:     alert_incomplete: ACTIVE 
Apr 21 15:01:32 machine1 snort:     alert_multiple_requests: ACTIVE 
Apr 21 15:01:32 machine1 snort: telnet_decode arguments: 
Apr 21 15:01:32 machine1 snort:     Ports to decode telnet on: 21 23 25 119  
Apr 21 15:01:32 machine1 snort: Snort initialization completed successfully 
Apr 21 18:20:43 machine1 snort: Final Flow Statistics 
Apr 21 18:20:43 machine1 snort: Snort exiting 
Apr 21 19:11:07 machine1 login: 1 LOGIN FAILURE ON ttyC0
Apr 21 19:13:24 machine1 login: 1 LOGIN FAILURE ON ttyC0
Apr 21 20:00:01 machine1 syslogd: restart
Apr 21 20:47:40 machine1 login: 1 LOGIN FAILURE ON ttyC0




More information about the Snort-users mailing list