[Snort-users] My BASE did not have any alerts

Adam Kliarsky 360air at ...5068...
Mon Apr 18 21:01:21 EDT 2005


Yes, when you log in to mysql, use the user specified in the snort config
file, grab the snort db (if snort is the db listed in
snort.conf/base_conf.php) and display the tables to verify everything is
set up:
[user at ...274... ~]$ mysql -u snort -p     # enter the password at the prompt
 mysql> use snort;
 mysql> show tables;

Any luck after running snort (anything showing up on the main console?)
Also, Patrick Harper has posted some good papers w/ Snort/MySQL/BASE etc. -
you may find these useful.
You can find the latest here - http://www.internetsecurityguru.com



-----Original Message-----
From: mr leokenzie [mailto:tenminustwo at ...125...] 
Sent: Monday, April 18, 2005 8:13 PM
To: 360air at ...5068...
Subject: RE: [Snort-users] My BASE did not have any alerts

I can run Snort, but what do you mean by "did you verify that you can login
to MySQL with the user supplied in snort.conf?" I will just do a mysql -p
and enter my password to go to the mysql> prompt.
Is that correct?

After all that is done, will nessus's scan show some alert stats?
Thanks a lot

>From: "Adam Kliarsky" <360air at ...5068...>
>Reply-To: <360air at ...5068...>
>To: "'mr leokenzie'" 
><tenminustwo at ...125...>,<snort-users at lists.sourceforge.net>
>Subject: RE: [Snort-users] My BASE did not have any alerts
>Date: Sun, 17 Apr 2005 09:19:36 -0700
>
>Yeah, Nessus should produce all sorts of red on your base console. Ok, 
>assuming you're on a *nix system, do the following:
>
>1. check for the running snort process ("ps -aux | grep snort"). You 
>should see two entries if snort is running (one for the process, and 
>one for your ps query). If snort is not running, start it up
>("snort -c <path to snort.conf> -i <interface>")
>
>2. packet dump on the same interface to make sure libpcap is working 
>and capturing packets
>  - "snort -dv -i <interface>" - this will display the packets to the 
>screen so you can check
>
>3. check the logs to see if you are getting mysql login errors or other 
>similar
>  - (/var/log/messages)
>
>4. did you verify that you can login to MySQL with the user supplied in 
>snort.conf?
>
>5. check base_conf.php:
>  - $Dbtype = "mysql";
>  - $alert_dbname = "snort";
>  - $alert_host = "localhost";
>  - $alert_user = "snort";
>  - $alert_password = "your own password";
>
>Let me know if that produces anything -
>
>Adam
>
>-----Original Message-----
>From: mr leokenzie [mailto:tenminustwo at ...125...]
>Sent: Sunday, April 17, 2005 8:38 AM
>To: 360air at ...5068...
>Subject: RE: [Snort-users] My BASE did not have any alerts
>
>1. I'm not sure whether I started running snort, but I did run the 
>database
>2. I have not checked whether there's an error
>3. output plugin is configured as follows (output database: log, mysql,
>user=snort password=myown password dbname=snort host=localhost)
>4. what do you mean by dump on the interface to ensure it receives the
>packet
>
>When I scan nessus, does base actually show the results and stats?
>Thanks
>
> >From: "Adam Kliarsky" <360air at ...5068...>
> >Reply-To: <360air at ...5068...>
> >To: "'mr leokenzie'"
> ><tenminustwo at ...125...>,<snort-users at lists.sourceforge.net>
> >Subject: RE: [Snort-users] My BASE did not have any alerts
> >Date: Sat, 16 Apr 2005 18:37:26 -0700
> >
> >This could be related to several things - can you describe your 
> >system (platform, db, etc)?
> >- did you verify snort & database processes are running? Did you 
> >restart them?
> >- do you see any errors (/var/log/messages)
> >- is the output plugin in snort.conf configured properly
> >  (output database: log, mysql, user=??? password=??? dbname=??? host=localhost)
> >- did you dump on the interface to ensure you're receiving packets?
> >
> >
> >-----Original Message-----
> >From: snort-users-admin at lists.sourceforge.net
> >[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of mr 
> >leokenzie
> >Sent: Friday, April 15, 2005 12:33 AM
> >To: snort-users at lists.sourceforge.net
> >Subject: [Snort-users] My BASE did not have any alerts
> >
> >What have I done wrong?
> >I did a scan with nessus but when i go to my BASE website it did not 
> >display anything.
> >Why is that?
> >I make it focus on port 80 and target it at my own ip address. Please 
> >kindly Help.
> >Thanks
> >
> >-------------------------------------------------------
> >SF email is sponsored by - The IT Product Guide Read honest & candid 
> >reviews on hundreds of IT Products from real users.
> >Discover which products truly live up to the hype. Start reading now.
> >http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
> >_______________________________________________
> >Snort-users mailing list
> >Snort-users at lists.sourceforge.net
> >Go to this URL to change user options or unsubscribe:
> >https://lists.sourceforge.net/lists/listinfo/snort-users
> >Snort-users list archive:
> >http://www.geocrawler.com/redir-sf.php3?list=snort-users
>

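The checks in this thread come down to Snort writing to, and BASE reading from, the same database with the same credentials. As an added example (not part of the original messages), this shell script compares the active `output database` line of snort.conf with the `$alert_*` values of base_conf.php; the function names and the sample config text are constructed for illustration.

```shell
#!/bin/sh
# Added example. Sample config text below is constructed, not from the thread.

# Value of one key (user, password, dbname, host) on the active, uncommented
# "output database:" line of snort.conf.  $1 = file text, $2 = key
snort_db_field() {
    printf '%s\n' "$1" |
        sed -n "s/^[[:space:]]*output[[:space:]]\{1,\}database:.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" |
        head -n 1
}

# Quoted value assigned to a PHP variable in base_conf.php.
# $1 = file text, $2 = variable name without the leading $
base_field() {
    printf '%s\n' "$1" |
        sed -n "s/^[[:space:]]*\\\$$2[[:space:]]*=[[:space:]]*[\"']\([^\"']*\)[\"'].*/\1/p" |
        head -n 1
}

# One line per disagreement; no output means both sides agree.
# Values are never printed, so a password cannot leak into a terminal log.
compare_db_settings() {
    for pair in user:alert_user password:alert_password \
                dbname:alert_dbname host:alert_host; do
        key=${pair%%:*}; var=${pair#*:}
        s=$(snort_db_field "$1" "$key")
        b=$(base_field "$2" "$var")
        if [ -z "$s" ]; then
            echo "snort.conf: no active output database line with $key="
        elif [ "$s" != "$b" ]; then
            echo "mismatch: $key (snort.conf) vs \$$var (base_conf.php)"
        fi
    done
}

# Constructed sample: the commented-out line must be ignored, and the
# password differs only in case between the two files.
SNORT_CONF='# output database: log, mysql, user=root password=test dbname=db host=localhost
output database: log, mysql, user=snort password=s3cret dbname=snort host=localhost'

BASE_CONF='$alert_dbname = "snort";
$alert_host = "localhost";
$alert_user = "snort";
$alert_password = "S3cret";'

compare_db_settings "$SNORT_CONF" "$BASE_CONF"
```

On a real system, pass the contents of the two files, for example `compare_db_settings "$(cat <path to snort.conf>)" "$(cat <path to base_conf.php>)"`.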