[Snort-users] Snort not logging to Mysql Database on CentOS 5.1( x86_64) !!!

Shiva Raman raman.shivag at ...11827...
Tue Aug 12 02:26:18 EDT 2008


Thanks for the reply.

Yes, I was running two different versions of Snort. I uninstalled
both versions, did a fresh install of snort-2.8.2.2-1.RH5.i386.rpm
and snort-mysql-2.8.2.2-1.RH5.i386.rpm.

Even now the database is not logging the snort logs, but I observe
that the database logs the details of the sensor.
Here is the output of the commands:
[root at ...14405... ~]#  echo "select * from data" | mysql snort
(No entries / no output)
[root at ...14405...  ~]# echo "select * from sensor" | mysql snort
sid     hostname        interface       filter  detail  encoding        last_cid
2       192.168.10.18   eth0    NULL    1       0       0


So I think connectivity between snort and mysql is ok, but snort logs
are not getting updated in the mysql database. Kindly advise if anything
else needs to be taken care of here.

Regards

Shiva Raman

On 8/8/08, Zakai Kinan <titanyen2000 at ...131...> wrote:
> Are you running two different versions?
>
>
> ZK
>
>
>
> --- On Thu, 8/7/08, Shiva Raman <raman.shivag at ...11827...> wrote:
>
>> From: Shiva Raman <raman.shivag at ...11827...>
>> Subject: [Snort-users] Snort not logging to Mysql Database on CentOS 5.1(
>> x86_64) !!!
>> To: snort-users at lists.sourceforge.net
>> Date: Thursday, August 7, 2008, 11:49 PM
>> Dear All,
>>
>> I had installed CentOS 5.1 (x86_64) on an Intel Xeon 64-bit server.
>> Following is the set of RPMs installed on the server, downloaded from
>> the Snort web site.
>>
>> snort-2.8.2.2-1.RH5.i386.rpm
>> snort-mysql-2.8.2.2-1.RH5.i386.rpm
>>
>> The installation was completed successfully. The mysql database of
>> snort has been created and the sql script was run. Then the service
>> was started and this was showing status running fine.
>> The following also did not show any errors:
>>  # snort -c /etc/snort/snort.conf
>> The mysql database was enabled in snort.conf.
>>
>> The problem is that mysql is not logging any snort alerts to the
>> database. Is it a problem with the 64-bit architecture, as the 32-bit
>> rpms work fine and log into the database?
>>
>> Following is the configuration of my /etc/snort/snort.conf
>>
>> var HOME_NET 192.168.0.0/24
>> var HONEYNET any
>> var EXTERNAL_NET !$HOME_NET
>> var SMTP_SERVERS any
>> var TELNET_SERVERS any
>> var HTTP_SERVERS any
>> var SQL_SERVERS any
>> var HTTP_PORTS 80
>> var SHELLCODE_PORTS !80
>> var ORACLE_PORTS 1521
>> config checksum_mode: none
>> var rule_path /etc/snort/rules
>> preprocessor flow: stats_interval 0 hash 2
>> preprocessor stream4: disable_evasion_alerts
>> preprocessor stream4_reassemble: both
>> preprocessor stream4_reassemble: both,ports 21 23 25 53 80 110 111 139 143 445 513 1433
>> preprocessor http_inspect: global \
>>     iis_unicode_map unicode.map 1252
>> preprocessor http_inspect_server: server default \
>>     profile all ports { 80 8080 8180 } oversize_dir_length 500 no_alerts
>> preprocessor rpc_decode: 111 32771
>> preprocessor bo
>> output alert_fast: alert
>> include classification.config
>> include reference.config
>> output database: log, mysql, user=root dbname=snort host=localhost
>> output alert_unified: filename snort.alert, limit 128
>> output log_unified: filename snort.log, limit 128
>> include $rule_path/attack-responses.rules
>> include $rule_path/backdoor.rules
>> include $rule_path/ddos.rules
>> include $rule_path/dns.rules
>> include $rule_path/pop3.rules
>> include $rule_path/smtp.rules
>> include $rule_path/icmp-info.rules
>> include $rule_path/multimedia.rules
>> include $rule_path/nntp.rules
>> include $rule_path/oracle.rules
>> include $rule_path/policy.rules
>> include $rule_path/porn.rules
>> include $rule_path/scan.rules
>> include $rule_path/telnet.rules
>> include $rule_path/tftp.rules
>> include $rule_path/web-cgi.rules
>> include $rule_path/web-coldfusion.rules
>> include $rule_path/x11.rules
>>
>> and following is the output of
>> # snort -c /etc/snort/snort.conf
>>
>> [root at ...14405... server ~]# snort -c /etc/snort/snort.conf
>> Running in IDS mode
>>
>>         --== Initializing Snort ==--
>> Initializing Output Plugins!
>> Initializing Preprocessors!
>> Initializing Plug-ins!
>> Parsing Rules file /etc/snort/snort.conf
>> PortVar 'HTTP_PORTS' defined :  [ 80]
>> PortVar 'SHELLCODE_PORTS' defined :  [ 0:79
>> 81:65535]
>> PortVar 'ORACLE_PORTS' defined :  [ 1521]
>> ,-----------[Flow Config]----------------------
>> | Stats Interval:  0
>> | Hash Method:     2
>> | Memcap:          10485760
>> | Rows  :          4096
>> | Overhead Bytes:  16388(%0.16)
>> `----------------------------------------------
>> Stream4 config:
>>     Stateful inspection: ACTIVE
>>     Session statistics: INACTIVE
>>     Session timeout: 30 seconds
>>     Session memory cap: 8388608 bytes
>>     Session count max: 8192 sessions
>>     Session cleanup count: 5
>>     State alerts: INACTIVE
>>     Evasion alerts: INACTIVE
>>     Scan alerts: INACTIVE
>>     Log Flushed Streams: INACTIVE
>>     MinTTL: 1
>>     TTL Limit: 5
>>     Async Link: 0
>>     State Protection: 0
>>     Self preservation threshold: 50
>>     Self preservation period: 90
>>     Suspend threshold: 200
>>     Suspend period: 30
>>     Enforce TCP State: INACTIVE
>>     Midstream Drop Alerts: INACTIVE
>>     Allow Blocking of TCP Sessions in Inline: ACTIVE
>> Stream4_reassemble config:
>>     Server reassembly: ACTIVE
>>     Client reassembly: ACTIVE
>>     Reassembler alerts: ACTIVE
>>     Zero out flushed packets: INACTIVE
>>     Flush stream on alert: INACTIVE
>>     flush_data_diff_size: 500
>>     Reassembler Packet Preferance : Favor Old
>>     Packet Sequence Overlap Limit: -1
>>     Flush behavior: Small (<255 bytes)
>>     Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143
>> 445 513 1433 1521 3306
>>     Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137
>> 139 143 445
>> 513 1433 1521 3306
>> Stream4_reassemble config:
>>     Server reassembly: ACTIVE
>>     Client reassembly: ACTIVE
>>     Reassembler alerts: ACTIVE
>>     Zero out flushed packets: INACTIVE
>>     Flush stream on alert: INACTIVE
>>     flush_data_diff_size: 500
>>     Reassembler Packet Preferance : Favor Old
>>     Packet Sequence Overlap Limit: -1
>>     Flush behavior: Small (<255 bytes)
>>     Ports: 21 23 25 53 80 110 111 139 143 445 513 1433
>>     Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137
>> 139 143 445
>> 513 1433 1521 3306
>> HttpInspect Config:
>>     GLOBAL CONFIG
>>       Max Pipeline Requests:    0
>>       Inspection Type:          STATELESS
>>       Detect Proxy Usage:       NO
>>       IIS Unicode Map Filename: /etc/snort/unicode.map
>>       IIS Unicode Map Codepage: 1252
>>     DEFAULT SERVER CONFIG:
>>       Server profile: All
>>       Ports: 80 8080 8180
>>       Flow Depth: 300
>>       Max Chunk Length: 500000
>>       Inspect Pipeline Requests: YES
>>       URI Discovery Strict Mode: NO
>>       Allow Proxy Usage: NO
>>       Disable Alerting: YES
>>       Oversize Dir Length: 500
>>       Only inspect URI: NO
>>       Ascii: YES alert: NO
>>       Double Decoding: YES alert: YES
>>       %U Encoding: YES alert: YES
>>       Bare Byte: YES alert: YES
>>       Base36: OFF
>>       UTF 8: OFF
>>       IIS Unicode: YES alert: YES
>>       Multiple Slash: YES alert: NO
>>       IIS Backslash: YES alert: NO
>>       Directory Traversal: YES alert: NO
>>       Web Root Traversal: YES alert: YES
>>       Apache WhiteSpace: YES alert: NO
>>       IIS Delimiter: YES alert: NO
>>       IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
>>       Non-RFC Compliant Characters: NONE
>>       Whitespace Characters: 0x09 0x0b 0x0c 0x0d
>> rpc_decode arguments:
>>     Ports to decode RPC on: 111 32771
>>     alert_fragments: INACTIVE
>>     alert_large_fragments: ACTIVE
>>     alert_incomplete: ACTIVE
>>     alert_multiple_requests: ACTIVE
>> Tagged Packet Limit: 256
>>
>> +++++++++++++++++++++++++++++++++++++++++++++++++++
>> Initializing rule chains...
>> 1168 Snort rules read
>>     1168 detection rules
>>     0 decoder rules
>>     0 preprocessor rules
>> 1168 Option Chains linked into 138 Chain Headers
>> 0 Dynamic rules
>> +++++++++++++++++++++++++++++++++++++++++++++++++++
>>
>> +-------------------[Rule Port
>> Counts]---------------------------------------
>> |             tcp     udp    icmp      ip
>> |     src      88       9       0       0
>> |     dst     902      42       0       0
>> |     any      25       5     113       4
>> |      nc      13       1      83       2
>> |     s+d      10       3       0       0
>> +----------------------------------------------------------------------------
>>
>> +-----------------------[thresholding-config]----------------------------------
>> | memory-cap : 1048576 bytes
>> +-----------------------[thresholding-global]----------------------------------
>> | none
>> +-----------------------[thresholding-local]-----------------------------------
>> | gen-id=1      sig-id=2275       type=Threshold
>> tracking=dst count=5
>>  seconds=60
>> +-----------------------[suppression]------------------------------------------
>> | none
>> -------------------------------------------------------------------------------
>> Rule application order:
>> activation->dynamic->pass->drop->sdrop->reject->alert->log
>> Log directory = /var/log/snort
>> Verifying Preprocessor Configurations!
>> Warning: flowbits key 'realplayer.playlist' is set
>> but not ever checked.
>> 14 out of 512 flowbits in use.
>> ***
>> *** interface device lookup found: eth0
>> ***
>>
>> Initializing Network Interface eth0
>> Decoding Ethernet on interface eth0
>> database: compiled support for ( mysql )
>> database: configured to use mysql
>> database:          user = root
>> database: database name = snort
>> database:          host = localhost
>> database:   sensor name = 192.168.10.18
>> database:     sensor id = 3
>> database: schema version = 107
>> database: using the "log" facility
>>
>> [ Port Based Pattern Matching Memory ]
>> +-[AC-BNFA Search Info
>> Summary]------------------------------
>> | Instances        : 117
>> | Patterns         : 2515
>> | Pattern Chars    : 40315
>> | Num States       : 29117
>> | Num Match States : 2398
>> | Memory           :   686.30Kbytes
>> |   Patterns       :   88.38K
>> |   Match Lists    :   135.42K
>> |   Transitions    :   452.45K
>> +-------------------------------------------------
>>
>>         --== Initialization Complete ==--
>>
>>    ,,_     -*> Snort! <*-
>>   o"  )~   Version 2.8.0.1 (Build 72) inline
>>    ''''    By Martin Roesch & The Snort
>> Team: http://www.snort.org/team.html
>>            (C) Copyright 1998-2007 Sourcefire Inc., et al.
>>            Using PCRE version: 6.6 06-Feb-2006
>>
>> Not Using PCAP_FRAMES
>>
>>
>> Please guide me on how to resolve this problem.
>>
>> Thanks and Regards
>>
>> Shiva Raman
>>
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
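As an added diagnostic, not part of the thread: a small Python script that reads the tab-separated output of `echo "select * from sensor" | mysql snort` and `echo "select * from event" | mysql snort` and reports, per sensor, whether alerts are actually reaching the database. It assumes the `sensor` and `event` column names of the Snort schema (version 107); the sample output embedded below is constructed, with sid 2 mirroring the thread and sid 3 a hypothetical healthy sensor.

```python
"""Check whether each Snort sensor registered in the database is actually
writing events, from the batch (tab-separated) output of the mysql client."""
from collections import defaultdict

# Constructed sample output of `mysql snort` for the sensor and event tables.
# sid 2 mirrors the thread (registered, last_cid 0); sid 3 is hypothetical.
SENSOR_OUT = """sid\thostname\tinterface\tfilter\tdetail\tencoding\tlast_cid
2\t192.168.10.18\teth0\tNULL\t1\t0\t0
3\t192.168.10.18\teth0\tNULL\t1\t0\t2
"""
EVENT_OUT = """sid\tcid\tsignature\ttimestamp
3\t1\t17\t2008-08-12 02:00:01
3\t2\t17\t2008-08-12 02:00:05
"""


def parse_mysql_tsv(text):
    """Parse mysql batch output (header line, then tab-separated rows)
    into a list of dicts; the literal NULL becomes None."""
    lines = [line for line in text.splitlines() if line.strip()]
    if not lines:
        return []
    header = lines[0].split("\t")
    rows = []
    for line in lines[1:]:
        values = [None if v == "NULL" else v for v in line.split("\t")]
        rows.append(dict(zip(header, values)))
    return rows


def check_logging(sensor_out, event_out):
    """Return {sid: verdict}. A sensor row only proves the DB connection
    and sensor registration work; event rows prove alerts are written.
    sensor.last_cid should equal the highest cid logged for that sensor."""
    cids_by_sid = defaultdict(list)
    for ev in parse_mysql_tsv(event_out):
        cids_by_sid[int(ev["sid"])].append(int(ev["cid"]))
    verdict = {}
    for s in parse_mysql_tsv(sensor_out):
        sid, last_cid = int(s["sid"]), int(s["last_cid"])
        cids = cids_by_sid.get(sid, [])
        if not cids:
            verdict[sid] = "registered, no events logged"
        elif max(cids) != last_cid:
            verdict[sid] = "events present but last_cid out of sync"
        else:
            verdict[sid] = "logging ok (%d events)" % len(cids)
    return verdict


if __name__ == "__main__":
    for sid, text in sorted(check_logging(SENSOR_OUT, EVENT_OUT).items()):
        print("sensor %d: %s" % (sid, text))
```

Querying `data` alone, as in the thread, only shows packets that carried a payload; `event` is the table that records every logged alert, so it is the one to check first.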