[Snort-users] Snort Mysql Acid Combo

Sam Osuala sam.osuala at ...11137...
Wed Feb 4 03:44:02 EST 2004


Martin,

Here's the output from snort -T -c /etc/snort/snort.conf. I've also included
my snort.conf at the bottom.

==================================================================================
Initializing Preprocessors!
Initializing Plug-ins!
database: compiled support for ( mysql )
database: configured to use mysql
database: database name = snort
database:          user = root
database: password is set
database:          host = localhost
database:          port = full
database:   sensor name = 10.0.0.248
database:     sensor id = 1
database: schema version = 106
database: using the "log" facility
->activation->dynamic->alert->pass->log
database: Closing connection to database "snort"

==================================================================================

My snort.conf file is:

======================================================================
var HOME_NET 10.0.0.0/24
# Set up the external network addresses as well.
# A good start may be "any"
var EXTERNAL_NET any
# List of DNS servers on your network
var DNS_SERVERS $HOME_NET
# List of SMTP servers on your network
var SMTP_SERVERS $HOME_NET
# List of web servers on your network
var HTTP_SERVERS $HOME_NET
# List of sql servers on your network
var SQL_SERVERS $HOME_NET
# List of telnet servers on your network
var TELNET_SERVERS $HOME_NET
# Ports you run web servers on
var HTTP_PORTS 80
# Ports you want to look for SHELLCODE on.
var SHELLCODE_PORTS !80

# Ports you do oracle attacks on
var ORACLE_PORTS 1521

var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]

# Path to your rules files (this can be a relative path)
var RULE_PATH /etc/snort

preprocessor frag2

preprocessor stream4: detect_scans, disable_evasion_alerts

preprocessor stream4_reassemble

preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace

preprocessor rpc_decode: 111 32771

preprocessor bo

preprocessor telnet_decode

# Database plugin parameters are key=value tokens. The line as originally posted
# had "port 3306" (no "="), and the -T run above reported "port = full" with no
# detail value at all. Logging as the MySQL root account also gives the sensor
# far more privilege than INSERT/SELECT on the snort database needs.
output database: log, mysql, dbname=snort user=root password=root host=localhost port=3306 detail=full

include classification.config

include reference.config

include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules

include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules

include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules

include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules

include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/experimental.rules
include $RULE_PATH/local.rules
=======================================================================


Thanks in advance

Sam

----- Original Message ----- 
From: "Martin Olsson" <elof at ...6680...>
To: "Sam Osuala" <sam.osuala at ...11137...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Wednesday, February 04, 2004 11:24 AM
Subject: Re: [Snort-users] Snort Mysql Acid Combo


>
> On Wed, 4 Feb 2004, Sam Osuala wrote:
> > 1] Redhat Linux 9.2
> > 2] Snort 2.0.6
> > 3] Mysql 4.0.17
> > 4] Acid 0.9.6
> > 5] php 4.3.4
> > 6] zlib-1.1.4
> > 7] libpcap-0.7.2
> > 8] Apache 2.0.48 (not the one that came with the Linux )
> > 9] jgraph 1.14
> > 10] adodb 405
> > These are all installed in the Linux box above. The issue is that the
> > mysql is not getting any logs in the database. If I start my snort with
> > "snort -dvC" I get the alerts on the screen. What could be the problem? Do I
> > have to keep the components in different machines?
>
> First run snort in selftest mode (-T) to see if you get any clues there.
> You should see a section like this:
> database: compiled support for ( mysql )
> database: configured to use mysql
> database:          user = foo
> database: password is set
> database: database name = gazonk
> database:          host = 10.20.30.40
> database:   sensor name = bar
> database:     sensor id = 1
> database: schema version = 106
> database: using the "log" facility
>
> /Martin
>
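Added example, not code from the thread or from Snort itself: a pre-flight check for the "output database:" line in snort.conf. The Snort 2.x database output plugin takes its parameters as key=value tokens, so a token without "=" (as in "port 3306" above) is the first thing to look for when snort -T prints odd values for port or detail. The demo at the bottom runs the check on a constructed copy of the line from this thread written to a temporary file, not on anyone's real /etc/snort/snort.conf.

```shell
#!/bin/sh
# Added example (not part of the thread or of Snort): sanity-check the
# "output database:" line of a snort.conf before running "snort -T".

# db_params FILE: print the parameter tokens (everything after the facility
# and database-type fields) of each "output database:" line, one per line.
db_params() {
    grep '^output database:' "$1" \
      | sed 's/^output database:[[:space:]]*//' \
      | awk -F',' '{ for (i = 3; i <= NF; i++) print $i }' \
      | tr ' \t' '\n\n' \
      | sed '/^$/d'
}

# check_db_line FILE: report every parameter token that is not key=value.
# Exit status 0 when the line is clean, 1 when at least one token is bad.
check_db_line() {
    bad=0
    for tok in $(db_params "$1"); do
        case "$tok" in
            *=*) ;;
            *)   echo "not key=value: $tok"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Demo on a constructed copy of the line posted in the thread (written to a
# temporary file; the real snort.conf is never touched).
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
output database: log, mysql, dbname=snort user=root password=root host=localhost port 3306 detail=full
EOF
if check_db_line "$demo_conf"; then
    echo "output database line parses as key=value pairs"
else
    echo "fix the tokens above (e.g. port=3306), then re-run snort -T"
fi
rm -f "$demo_conf"
```

Run it as `sh check_db.sh` (any file name; the name is not from the thread); on the posted line it flags "port" and "3306" as separate non-key=value tokens. Once the line is clean and snort -T shows port = 3306 and detail = full, confirm that rows are actually arriving with a query against the snort database, for example `SELECT COUNT(*) FROM event;` with the mysql client, since -T only checks the configuration and connection, not that alerts are being inserted.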
