[Snort-users] My BASE did not have any alerts

Adam Kliarsky 360air at ...5068...
Wed Apr 20 07:22:31 EDT 2005


Glad to hear you're seeing alerts now.
As for the Nessus scan not showing up, what options are you setting? Try a
quick scan with Nmap in aggressive mode to see if that produces
anything... at least it would give a better idea of where the issue may be.

-----Original Message-----
From: mr leokenzie [mailto:tenminustwo at ...125...] 
Sent: Tuesday, April 19, 2005 11:04 PM
To: 360air at ...5068...
Subject: RE: [Snort-users] My BASE did not have any alerts

Yeaup.. Thanks to you I did manage to display some alerts in BASE when I did
a snort -c etc/snort/snort.conf -i eth0. But when I scan using nessus
nothing is being displayed in BASE. How come?
Thanks

>From: "Adam Kliarsky" <360air at ...5068...>
>Reply-To: <360air at ...5068...>
>To: "'mr leokenzie'" 
><tenminustwo at ...125...>,<snort-users at lists.sourceforge.net>
>Subject: RE: [Snort-users] My BASE did not have any alerts
>Date: Mon, 18 Apr 2005 21:01:17 -0700
>
>Yes, when you login to mysql, use the user specified in the snort 
>config file, grab the snort db (if snort is the db listed in
>snort.conf/base_conf.php) and display the tables to verify everything 
>is set up:
>[user at ...274... ~]$mysql -u snort -p <password>
>  mysql>use snort;
>  mysql>show tables;
>
>Any luck after running snort (anything showing up on the main console?) 
>Also, Patrick Harper has posted some good papers w/ Snort/MySQL/BASE 
>etc - you may find these useful. You can find the latest here - 
>http://www.internetsecurityguru.com
>
>
>
>-----Original Message-----
>From: mr leokenzie [mailto:tenminustwo at ...125...]
>Sent: Monday, April 18, 2005 8:13 PM
>To: 360air at ...5068...
>Subject: RE: [Snort-users] My BASE did not have any alerts
>
>I can run Snort but what do you mean by "did you verify that you can 
>login to MySQL with the user supplied in snort.conf?" I will just do a 
>mysql -p and enter my password to go to the mysql> prompt.
>Is that correct?
>
>After all that is done will nessus's scan show some alert stats?
>Thanks a lot
>
> >From: "Adam Kliarsky" <360air at ...5068...>
> >Reply-To: <360air at ...5068...>
> >To: "'mr leokenzie'"
> ><tenminustwo at ...125...>,<snort-users at lists.sourceforge.net>
> >Subject: RE: [Snort-users] My BASE did not have any alerts
> >Date: Sun, 17 Apr 2005 09:19:36 -0700
> >
> >Yeah, Nessus should produce all sorts of red on your BASE console. Ok, 
> >assuming you're on a *nix system, do the following:
> >
> >1. check for the running snort process ("ps -aux | grep snort"). You 
> >should see two entries if snort is running (one for the process, and 
> >one for your ps query). If snort is not running, start it up
> >("snort -c <path to snort.conf> -i <interface>")
> >
> >2. packet dump on the same interface to make sure libpcap is working 
> >and capturing packets
> >  - "snort -dv -i <interface>" - this will display the packets to the 
> >screen so you can check
> >
> >3. check the logs to see if you are getting mysql login errors or 
> >other similar
> >  - (/var/log/messages)
> >
> >4. did you verify that you can login to MySQL with the user supplied 
> >in snort.conf?
> >
> >5. check base_conf.php:
> >  - $Dbtype = "mysql";
> >  - $alert_dbname = "snort";
> >  - $alert_host = "localhost";
> >  - $alert_user = "snort";
> >  - $alert_password = "your own password";
> >
> >Let me know if that produces anything -
> >
> >Adam
> >
> >-----Original Message-----
> >From: mr leokenzie [mailto:tenminustwo at ...125...]
> >Sent: Sunday, April 17, 2005 8:38 AM
> >To: 360air at ...5068...
> >Subject: RE: [Snort-users] My BASE did not have any alerts
> >
> >1. I'm not sure whether I started running snort, but I did run the 
> >database
> >2. I have not checked whether there's an error
> >3. output plugin is configured as follows (output database: log, mysql, 
> >user=snort password=myown password dbname=snort host=localhost)
> >4. what do you mean by dump on the interface to ensure it receives the 
> >packet
> >
> >When I scan with nessus, does BASE actually show the results and stats?
> >Thanks
> >
> > >From: "Adam Kliarsky" <360air at ...5068...>
> > >Reply-To: <360air at ...5068...>
> > >To: "'mr leokenzie'"
> > ><tenminustwo at ...125...>,<snort-users at lists.sourceforge.net>
> > >Subject: RE: [Snort-users] My BASE did not have any alerts
> > >Date: Sat, 16 Apr 2005 18:37:26 -0700
> > >
> > >This could be related to several things - can you describe your 
> > >system (platform, db, etc)?
> > >- did you verify snort & database processes are running? Did you 
> > >restart them?
> > >- do you see any errors (/var/log/messages)
> > >- is the output plugin in snort.conf configured properly
> > >  (output database: log, mysql, user=??? password=??? dbname=??? host=localhost)
> > >- did you dump on the interface to ensure you're receiving packets?
> > >
> > >
> > >-----Original Message-----
> > >From: snort-users-admin at lists.sourceforge.net
> > >[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of mr 
> > >leokenzie
> > >Sent: Friday, April 15, 2005 12:33 AM
> > >To: snort-users at lists.sourceforge.net
> > >Subject: [Snort-users] My BASE did not have any alerts
> > >
> > >What have I done wrong?
> > >I did a scan with nessus but when I go to my BASE website it did 
> > >not display anything.
> > >Why is that?
> > >I make it focus on port 80 and target it at my own ip address. 
> > >Please kindly help.
> > >Thanks
> > >
> > >_______________________________________________
> > >Snort-users mailing list
> > >Snort-users at lists.sourceforge.net
> > >Go to this URL to change user options or unsubscribe:
> > >https://lists.sourceforge.net/lists/listinfo/snort-users
> > >Snort-users list archive:
> > >http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
>

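Steps 4 and 5 of the quoted checklist come down to Snort's `output database` line and `base_conf.php` naming the same database, host and account. The script below is an added example, not part of the thread and not code from Snort or BASE; its function names and sample file contents are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: does BASE read from the database Snort writes to?

# Print field $2 (user, password, dbname, host) from the first
# uncommented "output database:" line of snort.conf ($1).
snort_db_field() {
    grep -E '^[[:space:]]*output[[:space:]]+database:' "$1" | head -n 1 |
        tr ', ' '\n\n' | sed -n "s/^$2=//p" | head -n 1
}

# Print the quoted value assigned to PHP variable $2 (no leading $)
# in base_conf.php ($1).
base_conf_field() {
    sed -n -E "s/^[[:space:]]*\\\$$2[[:space:]]*=[[:space:]]*[\"']([^\"']*)[\"'].*/\1/p" "$1" |
        head -n 1
}

# Print one line per differing field; return the number of differences.
check_snort_base() {
    local snort_conf="$1" base_conf="$2" diffs=0 pair key var s b
    for pair in user:alert_user password:alert_password \
                dbname:alert_dbname host:alert_host; do
        key=${pair%%:*}; var=${pair##*:}
        s=$(snort_db_field "$snort_conf" "$key")
        b=$(base_conf_field "$base_conf" "$var")
        [ "$s" = "$b" ] && continue
        diffs=$((diffs + 1))
        if [ "$key" = password ]; then
            echo "MISMATCH password (values not shown)"
        else
            echo "MISMATCH $key: snort.conf='$s' base_conf.php='$b'"
        fi
    done
    return "$diffs"
}

# Constructed sample files written into directory $1.
make_samples() {
    printf '%s\n' '# output database: log, mysql, user=old dbname=old' \
        'output database: log, mysql, user=snort password=s3cret dbname=snort host=localhost' \
        > "$1/snort.conf"
    printf '%s\n' '<?php' '$alert_dbname = "snort_log";' '$alert_host = "localhost";' \
        '$alert_user = "snort";' '$alert_password = "s3cret";' > "$1/base_conf.php"
}

tmp=$(mktemp -d)
make_samples "$tmp"
check_snort_base "$tmp/snort.conf" "$tmp/base_conf.php" || echo "$? setting(s) differ"
rm -rf "$tmp"
```

On a real sensor, call `check_snort_base` with the actual paths to `snort.conf` and `base_conf.php`; a mismatch in `dbname` or `host` means Snort can be logging correctly while BASE shows nothing.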