[Snort-users] Snort not logging to Mysql Database on CentOS 5.1( x86_64) !!!

Zakai Kinan titanyen2000 at ...131...
Fri Aug 8 14:10:06 EDT 2008


Are you running two different versions?


ZK



--- On Thu, 8/7/08, Shiva Raman <raman.shivag at ...11827...> wrote:

> From: Shiva Raman <raman.shivag at ...11827...>
> Subject: [Snort-users] Snort not logging to Mysql Database on CentOS 5.1( x86_64) !!!
> To: snort-users at lists.sourceforge.net
> Date: Thursday, August 7, 2008, 11:49 PM
> Dear All
> 
> I had installed CentOS 5.1 (x86_64) on an Intel Xeon 64-bit server.
> Following are the set of RPMs installed on the server, downloaded from
> the Snort web site.
> 
> snort-2.8.2.2-1.RH5.i386.rpm
> snort-mysql-2.8.2.2-1.RH5.i386.rpm
> 
> The installation completed successfully. The MySQL database for
> Snort has been created and the SQL script was run. Then the service was
> started and this was showing status running fine.
> Running
> # snort -c /etc/snort/snort.conf
> also did not show any errors.
> The mysql database was enabled in snort.conf.
> 
> The problem is that mysql is not logging any snort alerts to the
> database. Is it a problem with the 64-bit architecture, as the 32-bit
> RPMs work fine and log into the database?
> 
> Following is the configuration of  my /etc/snort/snort.conf
> 
> var HOME_NET 192.168.0.0/24
> var HONEYNET any
> var EXTERNAL_NET !$HOME_NET
> var SMTP_SERVERS any
> var TELNET_SERVERS any
> var HTTP_SERVERS any
> var SQL_SERVERS any
> var HTTP_PORTS 80
> var SHELLCODE_PORTS !80
> var ORACLE_PORTS 1521
> config checksum_mode: none
> var rule_path /etc/snort/rules
> preprocessor flow: stats_interval 0 hash 2
> preprocessor stream4: disable_evasion_alerts
> preprocessor stream4_reassemble: both
> preprocessor stream4_reassemble: both,ports 21 23 25 53 80 110 111 139 143 445 513 1433
> preprocessor http_inspect: global \
>     iis_unicode_map unicode.map 1252
> preprocessor http_inspect_server: server default \
>     profile all ports { 80 8080 8180 } oversize_dir_length 500 no_alerts
> preprocessor rpc_decode: 111 32771
> preprocessor bo
> output alert_fast: alert
> include classification.config
> include reference.config
> output database: log, mysql, user=root dbname=snort host=localhost
> output alert_unified: filename snort.alert, limit 128
> output log_unified: filename snort.log, limit 128
> include $rule_path/attack-responses.rules
> include $rule_path/backdoor.rules
> include $rule_path/ddos.rules
> include $rule_path/dns.rules
> include $rule_path/pop3.rules
> include $rule_path/smtp.rules
> include $rule_path/icmp-info.rules
> include $rule_path/multimedia.rules
> include $rule_path/nntp.rules
> include $rule_path/oracle.rules
> include $rule_path/policy.rules
> include $rule_path/porn.rules
> include $rule_path/scan.rules
> include $rule_path/telnet.rules
> include $rule_path/tftp.rules
> include $rule_path/web-cgi.rules
> include $rule_path/web-coldfusion.rules
> include $rule_path/x11.rules
> 
> and following is the output of
> # snort -c /etc/snort/snort.conf
> 
> [root at ...14405... server ~]# snort -c /etc/snort/snort.conf
> Running in IDS mode
> 
>         --== Initializing Snort ==--
> Initializing Output Plugins!
> Initializing Preprocessors!
> Initializing Plug-ins!
> Parsing Rules file /etc/snort/snort.conf
> PortVar 'HTTP_PORTS' defined :  [ 80]
> PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535]
> PortVar 'ORACLE_PORTS' defined :  [ 1521]
> ,-----------[Flow Config]----------------------
> | Stats Interval:  0
> | Hash Method:     2
> | Memcap:          10485760
> | Rows  :          4096
> | Overhead Bytes:  16388(%0.16)
> `----------------------------------------------
> Stream4 config:
>     Stateful inspection: ACTIVE
>     Session statistics: INACTIVE
>     Session timeout: 30 seconds
>     Session memory cap: 8388608 bytes
>     Session count max: 8192 sessions
>     Session cleanup count: 5
>     State alerts: INACTIVE
>     Evasion alerts: INACTIVE
>     Scan alerts: INACTIVE
>     Log Flushed Streams: INACTIVE
>     MinTTL: 1
>     TTL Limit: 5
>     Async Link: 0
>     State Protection: 0
>     Self preservation threshold: 50
>     Self preservation period: 90
>     Suspend threshold: 200
>     Suspend period: 30
>     Enforce TCP State: INACTIVE
>     Midstream Drop Alerts: INACTIVE
>     Allow Blocking of TCP Sessions in Inline: ACTIVE
> Stream4_reassemble config:
>     Server reassembly: ACTIVE
>     Client reassembly: ACTIVE
>     Reassembler alerts: ACTIVE
>     Zero out flushed packets: INACTIVE
>     Flush stream on alert: INACTIVE
>     flush_data_diff_size: 500
>     Reassembler Packet Preferance : Favor Old
>     Packet Sequence Overlap Limit: -1
>     Flush behavior: Small (<255 bytes)
>     Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
>     Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
> Stream4_reassemble config:
>     Server reassembly: ACTIVE
>     Client reassembly: ACTIVE
>     Reassembler alerts: ACTIVE
>     Zero out flushed packets: INACTIVE
>     Flush stream on alert: INACTIVE
>     flush_data_diff_size: 500
>     Reassembler Packet Preferance : Favor Old
>     Packet Sequence Overlap Limit: -1
>     Flush behavior: Small (<255 bytes)
>     Ports: 21 23 25 53 80 110 111 139 143 445 513 1433
>     Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
> HttpInspect Config:
>     GLOBAL CONFIG
>       Max Pipeline Requests:    0
>       Inspection Type:          STATELESS
>       Detect Proxy Usage:       NO
>       IIS Unicode Map Filename: /etc/snort/unicode.map
>       IIS Unicode Map Codepage: 1252
>     DEFAULT SERVER CONFIG:
>       Server profile: All
>       Ports: 80 8080 8180
>       Flow Depth: 300
>       Max Chunk Length: 500000
>       Inspect Pipeline Requests: YES
>       URI Discovery Strict Mode: NO
>       Allow Proxy Usage: NO
>       Disable Alerting: YES
>       Oversize Dir Length: 500
>       Only inspect URI: NO
>       Ascii: YES alert: NO
>       Double Decoding: YES alert: YES
>       %U Encoding: YES alert: YES
>       Bare Byte: YES alert: YES
>       Base36: OFF
>       UTF 8: OFF
>       IIS Unicode: YES alert: YES
>       Multiple Slash: YES alert: NO
>       IIS Backslash: YES alert: NO
>       Directory Traversal: YES alert: NO
>       Web Root Traversal: YES alert: YES
>       Apache WhiteSpace: YES alert: NO
>       IIS Delimiter: YES alert: NO
>       IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
>       Non-RFC Compliant Characters: NONE
>       Whitespace Characters: 0x09 0x0b 0x0c 0x0d
> rpc_decode arguments:
>     Ports to decode RPC on: 111 32771
>     alert_fragments: INACTIVE
>     alert_large_fragments: ACTIVE
>     alert_incomplete: ACTIVE
>     alert_multiple_requests: ACTIVE
> Tagged Packet Limit: 256
> 
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> 1168 Snort rules read
>     1168 detection rules
>     0 decoder rules
>     0 preprocessor rules
> 1168 Option Chains linked into 138 Chain Headers
> 0 Dynamic rules
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> 
> +-------------------[Rule Port Counts]---------------------------------------
> |             tcp     udp    icmp      ip
> |     src      88       9       0       0
> |     dst     902      42       0       0
> |     any      25       5     113       4
> |      nc      13       1      83       2
> |     s+d      10       3       0       0
> +----------------------------------------------------------------------------
> 
> +-----------------------[thresholding-config]----------------------------------
> | memory-cap : 1048576 bytes
> +-----------------------[thresholding-global]----------------------------------
> | none
> +-----------------------[thresholding-local]-----------------------------------
> | gen-id=1      sig-id=2275       type=Threshold tracking=dst count=5 seconds=60
> +-----------------------[suppression]------------------------------------------
> | none
> -------------------------------------------------------------------------------
> Rule application order:
> activation->dynamic->pass->drop->sdrop->reject->alert->log
> Log directory = /var/log/snort
> Verifying Preprocessor Configurations!
> Warning: flowbits key 'realplayer.playlist' is set but not ever checked.
> 14 out of 512 flowbits in use.
> ***
> *** interface device lookup found: eth0
> ***
> 
> Initializing Network Interface eth0
> Decoding Ethernet on interface eth0
> database: compiled support for ( mysql )
> database: configured to use mysql
> database:          user = root
> database: database name = snort
> database:          host = localhost
> database:   sensor name = 192.168.10.18
> database:     sensor id = 3
> database: schema version = 107
> database: using the "log" facility
> 
> [ Port Based Pattern Matching Memory ]
> +-[AC-BNFA Search Info Summary]------------------------------
> | Instances        : 117
> | Patterns         : 2515
> | Pattern Chars    : 40315
> | Num States       : 29117
> | Num Match States : 2398
> | Memory           :   686.30Kbytes
> |   Patterns       :   88.38K
> |   Match Lists    :   135.42K
> |   Transitions    :   452.45K
> +-------------------------------------------------
> 
>         --== Initialization Complete ==--
> 
>    ,,_     -*> Snort! <*-
>   o"  )~   Version 2.8.0.1 (Build 72) inline
>    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
>            (C) Copyright 1998-2007 Sourcefire Inc., et al.
>            Using PCRE version: 6.6 06-Feb-2006
> 
> Not Using PCAP_FRAMES
> 
> 
> Please guide me how to resolve this problem.
> 
> Thanks and Regards
> 
> Shiva Raman
> 
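The version question raised in the reply can be checked mechanically: the startup output quoted in the post reports "Version 2.8.0.1 (Build 72) inline" even though the installed package is snort-2.8.2.2, which is the kind of mismatch that leaves a second, older binary on the PATH. The script below is an added example, not code from the thread or the Snort project; the helper names are my own and the sample strings are constructed from the text of the post.

```shell
#!/bin/sh
# Added example: compare the Snort version printed by the running binary with
# the version of the installed RPM, and confirm the binary was built with
# MySQL output support. Helper names are hypothetical; samples are constructed.

# snort_banner_version: pull "X.Y.Z" out of `snort -V` or startup banner text.
snort_banner_version() {
    printf '%s\n' "$1" | sed -n 's/.*Version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# rpm_version: pull the version out of an `rpm -q snort` name such as
# snort-2.8.2.2-1.RH5.i386
rpm_version() {
    printf '%s\n' "$1" | sed -n 's/^snort-\([0-9][0-9.]*\)-.*/\1/p'
}

# versions_match: exit 0 when binary and package versions agree, 1 otherwise.
versions_match() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# has_mysql_support: exit 0 when the startup output shows the database output
# plugin was compiled with mysql, 1 otherwise.
has_mysql_support() {
    printf '%s\n' "$1" | grep -q 'database: compiled support for (.*mysql'
}

# Constructed sample: the database and banner lines from the original post.
SAMPLE_OUTPUT='database: compiled support for ( mysql )
database: configured to use mysql
   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.0.1 (Build 72) inline'
SAMPLE_RPM='snort-2.8.2.2-1.RH5.i386'

# Live check, run only when both snort and rpm exist on this host.
if command -v snort >/dev/null 2>&1 && command -v rpm >/dev/null 2>&1; then
    live_out=$(snort -V 2>&1)
    live_rpm=$(rpm -q snort 2>/dev/null)
    bin_ver=$(snort_banner_version "$live_out")
    if versions_match "$bin_ver" "$(rpm_version "$live_rpm")"; then
        echo "binary $(command -v snort) matches package $live_rpm"
    else
        echo "MISMATCH: binary reports '$bin_ver', package is '$live_rpm'"
    fi
fi
```

On the poster's host the sample values above produce a mismatch (2.8.0.1 versus 2.8.2.2), so the next step would be `which -a snort` to find which binary the service script actually starts.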

