[Snort-users] Snort Mysql Acid Combo

Josh Berry josh.berry at ...10221...
Wed Feb 4 10:38:02 EST 2004


How is your init script starting Snort?  If it is using the -A
(full/fast/etc) switch then it will override your mysql configuration in
the snort.conf file.

> Martin,
>
> Well I've corrected that, and now hope yet. Thanks
>
> Sam
>
>
> ----- Original Message -----
> From: "Martin Olsson" <elof at ...6680...>
> To: "Sam Osuala" <sam.osuala at ...11137...>
> Cc: "snort-users mailinglist" <snort-users at lists.sourceforge.net>
> Sent: Wednesday, February 04, 2004 12:50 PM
> Subject: Re: [Snort-users] Snort Mysql Acid Combo
>
>
>>
>> Seems like you've missed an equal sign (=) in your port statement.
>>
>> output database:  log, mysql, dbname=snort user=root password=root
>> host=localhost port 3306 detail=full
>>
>> port=3306
>>
>>
>> Might be the problem.
>>
>> /Martin
>>
>> On Wed, 4 Feb 2004, Sam Osuala wrote:
>>
>> > Martin,
>> >
>> > Here's the output from snort -T -c /etc/snort/snort.conf. I've also
>> > included my snort.conf at the bottom.
>> >
>> >
>> > ==================================================================================
>> > Initializing Preprocessors!
>> > Initializing Plug-ins!
>> > database: compiled support for ( mysql )
>> > database: configured to use mysql
>> > database: database name = snort
>> > database:          user = root
>> > database: password is set
>> > database:          host = localhost
>> > database:          port = full
>> > database:   sensor name = 10.0.0.248
>> > database:     sensor id = 1
>> > database: schema version = 106
>> > database: using the "log" facility
>> > ->activation->dynamic->alert->pass->log
>> > database: Closing connection to database "snort"
>> >
>> >
>> > ==================================================================================
>> >
>> > My snort.conf file is.........................
>> >
>> > ======================================================================
>> > var HOME_NET 10.0.0.0/24
>> > # Set up the external network addresses as well.
>> > # A good start may be "any"
>> > var EXTERNAL_NET any
>> > # List of DNS servers on your network
>> > var DNS_SERVERS $HOME_NET
>> > # List of SMTP servers on your network
>> > var SMTP_SERVERS $HOME_NET
>> > # List of web servers on your network
>> > var HTTP_SERVERS $HOME_NET
>> > # List of sql servers on your network
>> > var SQL_SERVERS $HOME_NET
>> > # List of telnet servers on your network
>> > var TELNET_SERVERS $HOME_NET
>> > # Ports you run web servers on
>> > var HTTP_PORTS 80
>> > # Ports you want to look for SHELLCODE on.
>> > var SHELLCODE_PORTS !80
>> >
>> > # Ports you do oracle attacks on
>> > var ORACLE_PORTS 1521
>> >
>> > var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
>> >
>> > # Path to your rules files (this can be a relative path)
>> > var RULE_PATH /etc/snort
>> >
>> > preprocessor frag2
>> >
>> > preprocessor stream4: detect_scans, disable_evasion_alerts
>> >
>> > preprocessor stream4_reassemble
>> >
>> > preprocessor http_decode: 80 unicode iis_alt_unicode double_encode
>> > iis_flip_slash full_whitespace
>> >
>> > preprocessor rpc_decode: 111 32771
>> >
>> > preprocessor bo
>> >
>> > preprocessor telnet_decode
>> >
>> > output database:  log, mysql, dbname=snort user=root password=root
>> > host=localhost port 3306 detail=full
>> >
>> > include classification.config
>> >
>> > include reference.config
>> >
>> > include $RULE_PATH/bad-traffic.rules
>> > include $RULE_PATH/exploit.rules
>> > include $RULE_PATH/scan.rules
>> > include $RULE_PATH/finger.rules
>> > include $RULE_PATH/ftp.rules
>> > include $RULE_PATH/telnet.rules
>> > include $RULE_PATH/rpc.rules
>> > include $RULE_PATH/rservices.rules
>> > include $RULE_PATH/dos.rules
>> > include $RULE_PATH/ddos.rules
>> > include $RULE_PATH/dns.rules
>> > include $RULE_PATH/tftp.rules
>> >
>> > include $RULE_PATH/web-cgi.rules
>> > include $RULE_PATH/web-coldfusion.rules
>> > include $RULE_PATH/web-iis.rules
>> > include $RULE_PATH/web-frontpage.rules
>> > include $RULE_PATH/web-misc.rules
>> > include $RULE_PATH/web-client.rules
>> > include $RULE_PATH/web-php.rules
>> >
>> > include $RULE_PATH/sql.rules
>> > include $RULE_PATH/x11.rules
>> > include $RULE_PATH/icmp.rules
>> > include $RULE_PATH/netbios.rules
>> > include $RULE_PATH/misc.rules
>> > include $RULE_PATH/attack-responses.rules
>> > include $RULE_PATH/oracle.rules
>> > include $RULE_PATH/mysql.rules
>> > include $RULE_PATH/snmp.rules
>> >
>> > include $RULE_PATH/smtp.rules
>> > include $RULE_PATH/imap.rules
>> > include $RULE_PATH/pop2.rules
>> > include $RULE_PATH/pop3.rules
>> >
>> > include $RULE_PATH/nntp.rules
>> > include $RULE_PATH/other-ids.rules
>> > include $RULE_PATH/experimental.rules
>> > include $RULE_PATH/local.rules
>> > =======================================================================
>> >
>> >
>> > Thanks in advance
>> >
>> > Sam
>> >
>> > ----- Original Message -----
>> > From: "Martin Olsson" <elof at ...6680...>
>> > To: "Sam Osuala" <sam.osuala at ...11137...>
>> > Cc: <snort-users at lists.sourceforge.net>
>> > Sent: Wednesday, February 04, 2004 11:24 AM
>> > Subject: Re: [Snort-users] Snort Mysql Acid Combo
>> >
>> >
>> > >
>> > > On Wed, 4 Feb 2004, Sam Osuala wrote:
>> > > > 1] Redhat Linux 9.2
>> > > > 2] Snort 2.0.6
>> > > > 3] Mysql 4.0.17
>> > > > 4] Acid 0.9.6
>> > > > 5] php 4.3.4
>> > > > 6] zlib-1.1.4
>> > > > 7] libpcap-0.7.2
>> > > > 8] Apache 2.0.48 (not the one that came with the Linux )
>> > > > 9] jgraph 1.14
>> > > > 10] adodb 405
>> > > > These are all installed in the Linux box above. The issue is that
>> > > > the mysql is not getting any logs in the database. If I start my snort
>> > > > with "snort -dvC" I get the alerts on the screen. What could be the
>> > > > problem? Do I have to keep the components on different machines?
>> > >
>> > > First run snort in selftest mode (-T) to see if you get any clues there.
>> > > You should see a section like this:
>> > > database: compiled support for ( mysql )
>> > > database: configured to use mysql
>> > > database:          user = foo
>> > > database: password is set
>> > > database: database name = gazonk
>> > > database:          host = 10.20.30.40
>> > > database:   sensor name = bar
>> > > database:     sensor id = 1
>> > > database: schema version = 106
>> > > database: using the "log" facility
>> > >
>> > > /Martin
>> > >
>> >
>> >
>>


Thanks,
Josh Berry, CISSP
CTO, VP of Product Development
LinkNet-Solutions
469-831-8543
josh.berry at ...10268...
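Added example, not part of the thread and not Snort's own parser: a small Python lint for the "output database:" line in snort.conf. It catches the bare "port 3306" that Martin spotted (the self-test above showed it as "port = full"), rewrites it as "port=3306", and, following Josh's point, flags an -A switch on the snort command line since that overrides the output plugins in the config. KNOWN_KEYS, the helper names and the sample line are my own assumptions; the key list only covers the parameters that appear in the thread.

```python
"""Checker for Snort 2.x 'output database:' lines.

Added example: not from the thread and not Snort's own code. It mimics only
the "facility, dbtype, key=value ..." syntax shown in the thread and flags
the missing '=' that the thread is about.
"""
import re

# Parameters seen in the thread's config line (assumed list, not exhaustive).
KNOWN_KEYS = {"dbname", "user", "password", "host", "port", "detail", "sensor_name"}

HEADER_RE = re.compile(r"^\s*output\s+database\s*:\s*(?P<body>.*)$")


def _split_header(line):
    """Split 'output database: facility, dbtype, params' into its three parts."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    parts = [p.strip() for p in m.group("body").split(",", 2)]
    if len(parts) != 3:
        return None
    return parts


def _pair_tokens(tokens):
    """Yield (key, value, bare); bare=True marks a token that had no '='."""
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if "=" in tok:
            key, value = tok.split("=", 1)
            yield key, value, False
            i += 1
        elif tok in KNOWN_KEYS and i + 1 < len(tokens) and "=" not in tokens[i + 1]:
            # e.g. "port 3306": a known key followed by a bare value
            yield tok, tokens[i + 1], True
            i += 2
        else:
            yield tok, None, True
            i += 1


def check_output_database(line):
    """Return (params, problems): params holds the well-formed key=value pairs,
    problems lists findings that would otherwise show up as odd snort -T output."""
    parts = _split_header(line)
    if parts is None:
        return {}, ["not an 'output database: facility, dbtype, params' line"]
    facility, dbtype, rest = parts
    problems = []
    if facility not in ("log", "alert"):
        problems.append(f"unknown facility {facility!r} (expected log or alert)")
    params = {}
    for key, value, bare in _pair_tokens(rest.split()):
        if bare and value is not None:
            problems.append(f"missing '=' between {key!r} and {value!r}; write {key}={value}")
        elif bare:
            problems.append(f"stray token {key!r} (expected key=value)")
        else:
            if key not in KNOWN_KEYS:
                problems.append(f"unknown parameter {key!r}")
            if value == "":
                problems.append(f"parameter {key!r} has an empty value")
            params[key] = value
    if "port" in params and not params["port"].isdigit():
        problems.append(f"port must be numeric, got {params['port']!r}")
    return params, problems


def fix_output_database(line):
    """Rewrite the line with '=' inserted for bare 'key value' pairs."""
    parts = _split_header(line)
    if parts is None:
        return line
    facility, dbtype, rest = parts
    fixed = []
    for key, value, _bare in _pair_tokens(rest.split()):
        fixed.append(key if value is None else f"{key}={value}")
    return f"output database: {facility}, {dbtype}, {' '.join(fixed)}"


def cli_overrides_output_plugins(argv):
    """True when the snort command line carries -A; per Josh's reply in the
    thread, that switch overrides the output plugins configured in snort.conf."""
    return any(arg == "-A" or arg.startswith("-A") for arg in argv)


if __name__ == "__main__":
    # Constructed sample: the thread's wrapped config line joined onto one line.
    sample = ("output database:  log, mysql, dbname=snort user=root password=root "
              "host=localhost port 3306 detail=full")
    params, problems = check_output_database(sample)
    for p in problems:
        print("problem:", p)
    print("fixed  :", fix_output_database(sample))
    print("-A on command line:",
          cli_overrides_output_plugins(["snort", "-A", "fast", "-c", "/etc/snort/snort.conf"]))
```

Run it against the line from your snort.conf before starting the daemon; a clean result plus a command line without -A is the state in which the database plugin's settings in the config actually take effect.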