[Snort-users] output module bug in 2.4.3-RC3

Michael W Cocke cocke at ...13611...
Mon Jan 23 17:55:15 EST 2006


I took the advice in the docs and only configured for logs.  I did try
configuring for alerts previously and there was no difference.

Mike-


On Mon, 23 Jan 2006 20:44:52 -0500, you wrote:

>Do you see anything going to alert log file?
>
>Axton Grams
>
>
>On 1/23/06, Michael W Cocke <cocke at ...13611...> wrote:
>> Well, it seemed like a good idea, but that wasn't it. I stuck in an
>> accept (instead of queue) on that port, but no change.
>>
>> Mike-
>>
>>
>> On Mon, 23 Jan 2006 19:08:36 -0500, you wrote:
>>
>> >That would be my guess.  The best way to test would be to limit what
>> >you queue to not include the mysql traffic.
>> >
>> >Axton Grams
>> >
>> >
>> >On 1/23/06, Michael W Cocke <cocke at ...13611...> wrote:
>> >> To be honest, I have more faith in my ability to just forward
>> >> everything to the queue than to just try to separate one thing out, but
>> >> you just gave me an interesting idea.  You mean snort -Q might be
>> >> interfering with the mysql packets, which snort without -Q isn't?
>> >>
>> >> Lemme go add an accept rule for that port.
>> >>
>> >> Mike-
>> >>
>> >>
>> >>
>> >> On Mon, 23 Jan 2006 18:12:03 -0500, you wrote:
>> >>
>> >> >What if you were to start with something simple in the iptables rules
>> >> >that sent packets to queue, like icmp only, or some unneeded service,
>> >> >like ftp or telnet.  This will ensure that the queuing will not
>> >> >interfere with writing to mysql and will give you a limited testbed in
>> >> >order to work to get the queueing working properly.
>> >> >
>> >> >Axton Grams
>> >> >
>> >> >
>> >> >On 1/23/06, Michael W Cocke <cocke at ...13611...> wrote:
>> >> >>
>> >> >> <sigh>  What I forgot to write was that I'm currently running
>> >> >> snort_inline _AND_ snort, exactly like this -
>> >> >>
>> >> >> snort_inline -c /etc/snort/snort.conf -Q
>> >> >> snort -c /etc/snort/snort.conf
>> >> >>
>> >> >> If I drop the -Q from the snort command line (or the snort_inline
>> >> >> command line), database writes work fine.  What I have no confidence
>> >> >> in and no way to test is if anything is actually being done with the
>> >> >> packets in the queue.
>> >> >>
>> >> >> Database connectivity is working fine - as long as I don't try to use
>> >> >> the QUEUE facility in either snort or snort_inline.
>> >> >>
>> >> >> Mike-
>> >> >>
>> >> >>
>> >> >> On Mon, 23 Jan 2006 17:14:14 -0500, you wrote:
>> >> >>
>> >> >> >First, verify connectivity to the db host using the mysql client on
>> >> >> >the sensor.  It should be something along the lines of:
>> >> >> >
>> >> >> ># mysql -p
>> >> >> >Enter password: xxx
>> >> >> >Welcome to the MySQL monitor.  Commands end with ; or \g.
>> >> >> >Your MySQL connection id is 28 to server version: x.x.x
>> >> >> >
>> >> >> >
>> >> >> >Did you configure the db for logging use in snort.conf?  The line
>> >> >> >should look something like:
>> >> >> >
>> >> >> >output database: log, mysql, user=<user> password=<password>
>> >> >> >dbname=<db name> host=<host>
>> >> >> >
>> >> >> >If so, did you create the tables in the db for snort to use to log the
>> >> >> >alerts using ./snort-2.4.3/schemas/create_mysql?
>> >> >> >
>> >> >> >If so, did you give the proper grants to the tables for
>> >> >> >insert/update/delete, where appropriate, to the user defined in the
>> >> >> >snort.conf file?
>> >> >> >
>> >> >> >Axton Grams
>> >> >> >
>> >> >> >
>> >> >> >On 1/23/06, Michael W Cocke <cocke at ...13611...> wrote:
>> >> >> >> I was absolutely certain that it was something that I did wrong, so I
>> >> >> >> went back to the beginning, reinstalled all the requires, compiled
>> >> >> >> snort from scratch, turned on every log file I could find, and built a
>> >> >> >> rule to log every occurrence of GET on port 80.
>> >> >> >>
>> >> >> >> I've tried both snort and snort-inline compiled with --enable-inline
>> >> >> >> and --with-mysql.  Running with this command line: snort -Q -c
>> >> >> >> /etc/snort/snort.conf -v (replace snort with snort_inline as you
>> >> >> >> wish), I get lots of screen activity from the -v, but snort doesn't
>> >> >> >> write anything to a mysql database. Neither does snort_inline
>> >> >> >> 2.4.3-RC3, compiled with the same options.
>> >> >> >>
>> >> >> >> If anyone has a suggestion or would like me to try something, email
>> >> >> >> me.
>> >> >> >>
>> >> >> >>
>> >> >> >> Mike-
>> >> >> >> --
>> >> >> >> If you're not confused, you're not trying hard enough.
>> >> >> >> --
>> >> >> >> Please note - Due to the intense volume of spam, we have installed
>> >> >> >> site-wide spam filters at catherders.com.  If email from you bounces,
>> >> >> >> try non-HTML, non-encoded, non-attachments,
>> >> >> >>
>> >> >> >>
>> >> >> >> -------------------------------------------------------
>> >> >> >> This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
>> >> >> >> for problems?  Stop!  Download the new AJAX search engine that makes
>> >> >> >> searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
>> >> >> >> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642
>> >> >> >> _______________________________________________
>> >> >> >> Snort-users mailing list
>> >> >> >> Snort-users at lists.sourceforge.net
>> >> >> >> Go to this URL to change user options or unsubscribe:
>> >> >> >> https://lists.sourceforge.net/lists/listinfo/snort-users
>> >> >> >> Snort-users list archive:
>> >> >> >> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>> >> >> >>
--
If you're not confused, you're not trying hard enough.
--
Please note - Due to the intense volume of spam, we have installed
site-wide spam filters at catherders.com.  If email from you bounces,
try non-HTML, non-encoded, non-attachments,
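The fix the thread converges on is to keep the sensor's own MySQL connection out of the iptables QUEUE that snort -Q consumes, and to do so in both directions and ahead of the QUEUE rule. As an added example (not from the thread or the Snort project), this Python check reads a ruleset in iptables-save format and reports whether the DB connection would be queued; the sample rulesets, the 192.0.2.10 DB host and port 3306 are constructed values.

```python
"""Dry check of an iptables ruleset (iptables-save format) for the failure
discussed in the thread: with snort -Q, the sensor's own MySQL logging
connection must not hit QUEUE, or snort waits on packets only it can release.
Sample rulesets and the DB host 192.0.2.10 are constructed, not from the thread."""
QUEUE_EVERYTHING = """
-A INPUT -j QUEUE
-A OUTPUT -j QUEUE
"""
ACCEPT_DB_FIRST = """
-A OUTPUT -d 192.0.2.10/32 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --sport 3306 -j ACCEPT
-A INPUT -j QUEUE
-A OUTPUT -j QUEUE
"""
ACCEPT_AFTER_QUEUE = """
-A OUTPUT -j QUEUE
-A OUTPUT -d 192.0.2.10/32 -p tcp -m tcp --dport 3306 -j ACCEPT
"""
MATCH_KEYS = ("-s", "-d", "-p", "--sport", "--dport")

def parse_rules(text):
    """{chain: [rule, ...]} in file order; keeps MATCH_KEYS and -j only."""
    chains = {}
    for line in text.splitlines():
        toks = line.split()
        if len(toks) < 2 or toks[0] != "-A":
            continue
        rule = {}
        for i, tok in enumerate(toks[2:-1], start=2):
            if tok in MATCH_KEYS or tok == "-j":
                val = toks[i + 1]  # strip /32 so hosts compare as addresses
                rule[tok] = val.split("/")[0] if tok in ("-s", "-d") else val
        chains.setdefault(toks[1], []).append(rule)
    return chains

def first_verdict(rules, flow):
    """Target of the first matching rule, in chain order (an ACCEPT placed
    after the QUEUE rule never fires). Options the flow omits are wildcards."""
    for rule in rules:
        if all(flow.get(k, v) == v for k, v in rule.items() if k != "-j"):
            return rule.get("-j")
    return None  # fell through to the chain policy

def db_traffic_queued(text, db_host, db_port="3306"):
    """Chains handing the snort->MySQL connection to QUEUE (both directions)."""
    chains = parse_rules(text)
    flows = {"OUTPUT": {"-d": db_host, "-p": "tcp", "--dport": db_port},
             "INPUT": {"-s": db_host, "-p": "tcp", "--sport": db_port}}
    return [c for c, f in flows.items()
            if first_verdict(chains.get(c, []), f) == "QUEUE"]
```

Run `db_traffic_queued(open("/etc/iptables.rules").read(), "<db host>")` against a real `iptables-save` dump; an empty list means the sensor's own database traffic bypasses the queue in both chains.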




More information about the Snort-users mailing list