[Snort-users] Snort Mysql Acid Combo

Martin Olsson elof at ...6680...
Wed Feb 4 03:51:11 EST 2004


Seems like you've missed an equal sign (=) in your port statement.

output database:  log, mysql, dbname=snort user=root password=root
host=localhost port 3306 detail=full

port=3306


Might be the problem.

/Martin

On Wed, 4 Feb 2004, Sam Osuala wrote:

> Martin,
>
> Here's the output from snort -T -c /etc/snort/snort.conf. I've also included
> my snort.conf at the bottom.
>
> ==================================================================================
> Initializing Preprocessors!
> Initializing Plug-ins!
> database: compiled support for ( mysql )
> database: configured to use mysql
> database: database name = snort
> database:          user = root
> database: password is set
> database:          host = localhost
> database:          port = full
> database:   sensor name = 10.0.0.248
> database:     sensor id = 1
> database: schema version = 106
> database: using the "log" facility
> ->activation->dynamic->alert->pass->log
> database: Closing connection to database "snort"
>
> ==================================================================================
>
> My snort.conf file is.........................
>
> ======================================================================
> var HOME_NET 10.0.0.0/24
> # Set up the external network addresses as well.
> # A good start may be "any"
> var EXTERNAL_NET any
> # List of DNS servers on your network
> var DNS_SERVERS $HOME_NET
> # List of SMTP servers on your network
> var SMTP_SERVERS $HOME_NET
> # List of web servers on your network
> var HTTP_SERVERS $HOME_NET
> # List of sql servers on your network
> var SQL_SERVERS $HOME_NET
> # List of telnet servers on your network
> var TELNET_SERVERS $HOME_NET
> # Ports you run web servers on
> var HTTP_PORTS 80
> # Ports you want to look for SHELLCODE on.
> var SHELLCODE_PORTS !80
>
> # Ports you do oracle attacks on
> var ORACLE_PORTS 1521
>
> var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
>
> # Path to your rules files (this can be a relative path)
> var RULE_PATH /etc/snort
>
> preprocessor frag2
>
> preprocessor stream4: detect_scans, disable_evasion_alerts
>
> preprocessor stream4_reassemble
>
> preprocessor http_decode: 80 unicode iis_alt_unicode double_encode
> iis_flip_slash full_whitespace
>
> preprocessor rpc_decode: 111 32771
>
> preprocessor bo
>
> preprocessor telnet_decode
>
> output database:  log, mysql, dbname=snort user=root password=root
> host=localhost port 3306 detail=full
>
> include classification.config
>
> include reference.config
>
> include $RULE_PATH/bad-traffic.rules
> include $RULE_PATH/exploit.rules
> include $RULE_PATH/scan.rules
> include $RULE_PATH/finger.rules
> include $RULE_PATH/ftp.rules
> include $RULE_PATH/telnet.rules
> include $RULE_PATH/rpc.rules
> include $RULE_PATH/rservices.rules
> include $RULE_PATH/dos.rules
> include $RULE_PATH/ddos.rules
> include $RULE_PATH/dns.rules
> include $RULE_PATH/tftp.rules
>
> include $RULE_PATH/web-cgi.rules
> include $RULE_PATH/web-coldfusion.rules
> include $RULE_PATH/web-iis.rules
> include $RULE_PATH/web-frontpage.rules
> include $RULE_PATH/web-misc.rules
> include $RULE_PATH/web-client.rules
> include $RULE_PATH/web-php.rules
>
> include $RULE_PATH/sql.rules
> include $RULE_PATH/x11.rules
> include $RULE_PATH/icmp.rules
> include $RULE_PATH/netbios.rules
> include $RULE_PATH/misc.rules
> include $RULE_PATH/attack-responses.rules
> include $RULE_PATH/oracle.rules
> include $RULE_PATH/mysql.rules
> include $RULE_PATH/snmp.rules
>
> include $RULE_PATH/smtp.rules
> include $RULE_PATH/imap.rules
> include $RULE_PATH/pop2.rules
> include $RULE_PATH/pop3.rules
>
> include $RULE_PATH/nntp.rules
> include $RULE_PATH/other-ids.rules
> include $RULE_PATH/experimental.rules
> include $RULE_PATH/local.rules
> =======================================================================
>
>
> Thanks in advance
>
> Sam
>
> ----- Original Message -----
> From: "Martin Olsson" <elof at ...6680...>
> To: "Sam Osuala" <sam.osuala at ...11137...>
> Cc: <snort-users at lists.sourceforge.net>
> Sent: Wednesday, February 04, 2004 11:24 AM
> Subject: Re: [Snort-users] Snort Mysql Acid Combo
>
>
> >
> > On Wed, 4 Feb 2004, Sam Osuala wrote:
> > > 1] Redhat Linux 9.2
> > > 2] Snort 2.0.6
> > > 3] Mysql 4.0.17
> > > 4] Acid 0.9.6
> > > 5] php 4.3.4
> > > 6] zlib-1.1.4
> > > 7] libpcap-0.7.2
> > > 8] Apache 2.0.48 (not the one that came with the Linux )
> > > 9] jgraph 1.14
> > > 10] adodb 405
> > > These are all installed in the Linux box above. The issue is that the
> > > mysql is not getting any logs in the database. If I start my snort with
> > > "snort -dvC" I get the alerts on the screen. What could be the problem? Do I
> > > have to keep the components in different machines?
> >
> > First run snort in selftest mode (-T) to see if you get any clues there.
> > You should see a section like this:
> > database: compiled support for ( mysql )
> > database: configured to use mysql
> > database:          user = foo
> > database: password is set
> > database: database name = gazonk
> > database:          host = 10.20.30.40
> > database:   sensor name = bar
> > database:     sensor id = 1
> > database: schema version = 106
> > database: using the "log" facility
> >
> > /Martin
> >
>
>
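Why Sam's self-test printed `port = full`: the following is an added example, not code from this thread or from Snort itself. It models the `output database:` argument parsing as a strtok-style split (key runs up to the next `=`, value up to the next space or comma); that split rule is an assumption, chosen because it reproduces the reported output, and `lint_db_args` is a pre-flight check you can run on the line before `snort -T`.

```python
# Added example, not from the thread or Snort's source: a model of how the
# "output database:" argument string is split into key=value pairs. The
# split rule (key up to the next "=", value up to the next space or comma)
# is an assumption; it is used because it reproduces the "port = full" line
# that snort -T printed for the mis-typed configuration in this thread.
KEYWORDS = ("dbname", "user", "password", "host", "port", "detail")

# The two lines from the thread: Sam's as posted, and with Martin's fix.
BROKEN = ("log, mysql, dbname=snort user=root password=root "
          "host=localhost port 3306 detail=full")
FIXED = BROKEN.replace("port 3306", "port=3306")


class StrTok:
    """Minimal re-implementation of C strtok() over one string."""
    def __init__(self, text: str):
        self.text, self.i = text, 0

    def next(self, delims: str):
        while self.i < len(self.text) and self.text[self.i] in delims:
            self.i += 1
        if self.i >= len(self.text):
            return None
        start = self.i
        while self.i < len(self.text) and self.text[self.i] not in delims:
            self.i += 1
        token = self.text[start:self.i]
        self.i += 1  # consume the delimiter that ended the token
        return token


def parse_db_args(args: str) -> dict:
    """Split 'facility, type, key=value ...' the way the model parser does."""
    tok = StrTok(args)
    parsed = {"facility": tok.next(" ,"), "type": tok.next(" ,")}
    key = tok.next("=")
    while key is not None:
        value = tok.next(", ")
        # A key runs up to the next "=", so "port 3306 detail" is one key;
        # it still prefix-matches "port" and takes the value meant for detail.
        for kw in KEYWORDS:
            if key.strip().lower().startswith(kw):
                parsed[kw] = value
                break
        key = tok.next("=")
    return parsed


def lint_db_args(args: str) -> list:
    """Pre-flight check: every token after 'facility, type,' needs an '='."""
    rest = args.split(",", 2)[2]
    return [t for t in rest.split() if "=" not in t]
```

`parse_db_args(BROKEN)` yields `port="full"` and no `detail` entry, while `lint_db_args(BROKEN)` returns the two stray tokens `port` and `3306`; with the `=` restored both functions report a clean line.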
