[Snort-users] Snort Mysql Acid Combo

Sam Osuala sam.osuala at ...11137...
Wed Feb 4 05:32:38 EST 2004


Martin,

Well I've corrected that, and now hope yet. Thanks

Sam


----- Original Message ----- 
From: "Martin Olsson" <elof at ...6680...>
To: "Sam Osuala" <sam.osuala at ...11137...>
Cc: "snort-users mailinglist" <snort-users at lists.sourceforge.net>
Sent: Wednesday, February 04, 2004 12:50 PM
Subject: Re: [Snort-users] Snort Mysql Acid Combo


>
> Seems like you've missed an equal sign (=) in your port statement.
>
> output database:  log, mysql, dbname=snort user=root password=root host=localhost port 3306 detail=full
>
> port=3306
>
>
> Might be the problem.
>
> /Martin
>
> On Wed, 4 Feb 2004, Sam Osuala wrote:
>
> > Martin,
> >
> > Here's the output from snort -T -c /etc/snort/snort.conf. I've also
> > included my snort.conf at the bottom.
> >
> > ==================================================================================
> > Initializing Preprocessors!
> > Initializing Plug-ins!
> > database: compiled support for ( mysql )
> > database: configured to use mysql
> > database: database name = snort
> > database:          user = root
> > database: password is set
> > database:          host = localhost
> > database:          port = full
> > database:   sensor name = 10.0.0.248
> > database:     sensor id = 1
> > database: schema version = 106
> > database: using the "log" facility
> > ->activation->dynamic->alert->pass->log
> > database: Closing connection to database "snort"
> >
> > ==================================================================================
> >
> > My snort.conf file is.........................
> >
> > ======================================================================
> > var HOME_NET 10.0.0.0/24
> > # Set up the external network addresses as well.
> > # A good start may be "any"
> > var EXTERNAL_NET any
> > # List of DNS servers on your network
> > var DNS_SERVERS $HOME_NET
> > # List of SMTP servers on your network
> > var SMTP_SERVERS $HOME_NET
> > # List of web servers on your network
> > var HTTP_SERVERS $HOME_NET
> > # List of sql servers on your network
> > var SQL_SERVERS $HOME_NET
> > # List of telnet servers on your network
> > var TELNET_SERVERS $HOME_NET
> > # Ports you run web servers on
> > var HTTP_PORTS 80
> > # Ports you want to look for SHELLCODE on.
> > var SHELLCODE_PORTS !80
> >
> > # Ports you do oracle attacks on
> > var ORACLE_PORTS 1521
> >
> > var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
> >
> > # Path to your rules files (this can be a relative path)
> > var RULE_PATH /etc/snort
> >
> > preprocessor frag2
> >
> > preprocessor stream4: detect_scans, disable_evasion_alerts
> >
> > preprocessor stream4_reassemble
> >
> > preprocessor http_decode: 80 unicode iis_alt_unicode double_encode
> > iis_flip_slash full_whitespace
> >
> > preprocessor rpc_decode: 111 32771
> >
> > preprocessor bo
> >
> > preprocessor telnet_decode
> >
> > output database:  log, mysql, dbname=snort user=root password=root host=localhost port 3306 detail=full
> >
> > include classification.config
> >
> > include reference.config
> >
> > include $RULE_PATH/bad-traffic.rules
> > include $RULE_PATH/exploit.rules
> > include $RULE_PATH/scan.rules
> > include $RULE_PATH/finger.rules
> > include $RULE_PATH/ftp.rules
> > include $RULE_PATH/telnet.rules
> > include $RULE_PATH/rpc.rules
> > include $RULE_PATH/rservices.rules
> > include $RULE_PATH/dos.rules
> > include $RULE_PATH/ddos.rules
> > include $RULE_PATH/dns.rules
> > include $RULE_PATH/tftp.rules
> >
> > include $RULE_PATH/web-cgi.rules
> > include $RULE_PATH/web-coldfusion.rules
> > include $RULE_PATH/web-iis.rules
> > include $RULE_PATH/web-frontpage.rules
> > include $RULE_PATH/web-misc.rules
> > include $RULE_PATH/web-client.rules
> > include $RULE_PATH/web-php.rules
> >
> > include $RULE_PATH/sql.rules
> > include $RULE_PATH/x11.rules
> > include $RULE_PATH/icmp.rules
> > include $RULE_PATH/netbios.rules
> > include $RULE_PATH/misc.rules
> > include $RULE_PATH/attack-responses.rules
> > include $RULE_PATH/oracle.rules
> > include $RULE_PATH/mysql.rules
> > include $RULE_PATH/snmp.rules
> >
> > include $RULE_PATH/smtp.rules
> > include $RULE_PATH/imap.rules
> > include $RULE_PATH/pop2.rules
> > include $RULE_PATH/pop3.rules
> >
> > include $RULE_PATH/nntp.rules
> > include $RULE_PATH/other-ids.rules
> > include $RULE_PATH/experimental.rules
> > include $RULE_PATH/local.rules
> > =======================================================================
> >
> >
> > Thanks in advance
> >
> > Sam
> >
> > ----- Original Message -----
> > From: "Martin Olsson" <elof at ...6680...>
> > To: "Sam Osuala" <sam.osuala at ...11137...>
> > Cc: <snort-users at lists.sourceforge.net>
> > Sent: Wednesday, February 04, 2004 11:24 AM
> > Subject: Re: [Snort-users] Snort Mysql Acid Combo
> >
> >
> > >
> > > On Wed, 4 Feb 2004, Sam Osuala wrote:
> > > > 1] Redhat Linux 9.2
> > > > 2] Snort 2.0.6
> > > > 3] Mysql 4.0.17
> > > > 4] Acid 0.9.6
> > > > 5] php 4.3.4
> > > > 6] zlib-1.1.4
> > > > 7] libpcap-0.7.2
> > > > 8] Apache 2.0.48 (not the one that came with the Linux )
> > > > 9] jgraph 1.14
> > > > 10] adodb 405
> > > > These are all installed in the Linux box above. The issue is that the
> > > > mysql is not getting any logs in the database. If I start my snort with
> > > > "snort -dvC" I get the alerts on the screen. What could be the problem? Do I
> > > > have to keep the components on different machines?
> > >
> > > First run snort in selftest mode (-T) to see if you get any clues there.
> > > You should see a section like this:
> > > database: compiled support for ( mysql )
> > > database: configured to use mysql
> > > database:          user = foo
> > > database: password is set
> > > database: database name = gazonk
> > > database:          host = 10.20.30.40
> > > database:   sensor name = bar
> > > database:     sensor id = 1
> > > database: schema version = 106
> > > database: using the "log" facility
> > >
> > > /Martin
> > >
> >
> >
>
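The mistake Martin spotted by eye (a bare "port 3306" where "port=3306" was meant, which snort -T then reported as "port = full") is easy to catch mechanically before running the self-test. The following is an added example, not code from the thread or from the Snort project: it parses a Snort 2.x "output database:" directive into facility, plugin and key=value parameters, reports a keyword that is not followed by "=", and warns about the root/root credentials in the posted config. The parameter names are those of Snort 2's database output plugin; the value checks and the credential warnings are this script's own, and the two sample lines are the one Sam posted and the one Martin suggested.

```python
"""Lint a Snort 2.x ``output database:`` directive before running ``snort -T``.

Added example, not code from the original thread or from the Snort project.
Parameter names follow Snort 2's database output plugin; the value checks and
credential warnings are this script's own (assumptions, not Snort behaviour).
"""
import re

FACILITIES = {"log", "alert"}
PLUGINS = {"mysql", "postgresql", "unixodbc", "mssql", "oracle"}
PARAMS = {"host", "port", "dbname", "user", "password", "sensor_name",
          "encoding", "detail", "ignore_bpf"}
REQUIRED = {"dbname", "user"}

# Sample input: the directive as posted in the thread, and the corrected form.
BROKEN_LINE = ("output database:  log, mysql, dbname=snort user=root password=root "
               "host=localhost port 3306 detail=full")
FIXED_LINE = ("output database:  log, mysql, dbname=snort user=root password=root "
              "host=localhost port=3306 detail=full")


def parse_output_database(line):
    """Return (config, errors, warnings) for one ``output database:`` line.

    ``errors`` are things that make the directive unparseable as intended;
    ``warnings`` are things that work but a practitioner should not ship.
    Note: commas are treated as separators, so a password containing a comma
    would be mis-split here (and is a poor idea in snort.conf anyway).
    """
    config, errors, warnings = {}, [], []
    m = re.match(r"^\s*output\s+database\s*:\s*(.*)$", line)
    if not m:
        return config, ["not an 'output database:' directive"], warnings
    tokens = m.group(1).replace(",", " ").split()
    if len(tokens) < 2:
        return config, ["expected '<facility>, <plugin> key=value ...'"], warnings

    config["facility"], config["plugin"] = tokens[0].lower(), tokens[1].lower()
    if config["facility"] not in FACILITIES:
        errors.append(f"unknown facility {tokens[0]!r} (expected log or alert)")
    if config["plugin"] not in PLUGINS:
        errors.append(f"unknown database plugin {tokens[1]!r}")

    params = tokens[2:]
    i = 0
    while i < len(params):
        tok = params[i]
        if "=" not in tok:
            nxt = params[i + 1] if i + 1 < len(params) else None
            # A known keyword followed by another bare token: the '=' was dropped.
            if tok.lower() in PARAMS and nxt is not None and "=" not in nxt:
                errors.append(f"missing '=' between {tok!r} and {nxt!r}: write {tok}={nxt}")
                i += 2
            else:
                errors.append(f"bare token {tok!r}: every parameter must be key=value")
                i += 1
            continue
        key, _, value = tok.partition("=")
        key = key.lower()
        if key not in PARAMS:
            errors.append(f"unknown parameter {key!r}")
        elif key in config:
            errors.append(f"parameter {key!r} given more than once")
        config[key] = value
        i += 1

    for key in sorted(REQUIRED - config.keys()):
        errors.append(f"required parameter {key!r} is missing")
    if "port" in config and not config["port"].isdigit():
        errors.append(f"port must be numeric, got {config['port']!r}")
    if "detail" in config and config["detail"] not in {"full", "fast"}:
        errors.append(f"detail must be 'full' or 'fast', got {config['detail']!r}")
    # Credential hygiene: the sensor only needs to INSERT (and SELECT) on its schema.
    if config.get("user") == "root":
        warnings.append("database user is 'root'; create a dedicated account with "
                        "INSERT/SELECT only on the snort schema")
    if "password" in config and config["password"] == config.get("user"):
        warnings.append("password equals the user name")
    return config, errors, warnings


if __name__ == "__main__":
    for label, line in (("as posted", BROKEN_LINE), ("with port=3306", FIXED_LINE)):
        cfg, errs, warns = parse_output_database(line)
        print(f"{label}: port={cfg.get('port')!r}")
        for e in errs:
            print("  ERROR  ", e)
        for w in warns:
            print("  WARNING", w)
```

Run it against the directive line copied out of snort.conf; an empty error list is the point at which snort -T is worth running. The root/root warning stands even after the port fix: the sensor writes alerts, so a dedicated MySQL account with INSERT (plus SELECT for the sensor/schema lookups) on the snort database is the least-privilege choice, and ACID should use a separate read-only account.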