[Snort-users] Snort not logging to Mysql Database on CentOS 5.1( x86_64) !!!

Zakai Kinan titanyen2000 at ...131...
Tue Aug 12 23:57:26 EDT 2008


Your output to database should look more like the below example:

output database: alert, mysql, dbname=snort port=3306 user=snort password=kenny sensor_name=Nken host=X.X.X.X

The example can be either alert or log.  Do try alert instead of log.


ZK




--- On Mon, 8/11/08, Shiva Raman <raman.shivag at ...11827...> wrote:

> From: Shiva Raman <raman.shivag at ...11827...>
> Subject: Re: [Snort-users] Snort not logging to Mysql Database on CentOS 5.1( x86_64) !!!
> To: titanyen2000 at ...131...
> Cc: snort-users at lists.sourceforge.net
> Date: Monday, August 11, 2008, 11:26 PM
> Thanks for the reply.
> 
> Yes, I was running two different versions of Snort. I uninstalled
> both the versions, did a fresh install of snort-2.8.2.2-1.RH5.i386.rpm
> and snort-mysql-2.8.2.2-1.RH5.i386.rpm
> 
> Even now the database is not logging the snort logs. But I observe
> that the database logs the details of the sensor.
> Here is the output of the command
> [root at ...14405... ~]#  echo "select * from data" | mysql snort
> ( No entries / No output)
> [root at ...14405... ~]# echo "select * from sensor" | mysql snort
> sid     hostname        interface       filter  detail  encoding        last_cid
> 2       192.168.10.18   eth0    NULL    1       0       0
> 
> 
> so I think connectivity between snort and mysql is ok, but snort logs
> are not getting updated in mysql database. Kindly advise anything else
> to be taken care of here.
> 
> Regards
> 
> Shiva Raman
> 
> On 8/8/08, Zakai Kinan <titanyen2000 at ...131...>
> wrote:
> > Are you running two different versions?
> >
> >
> > ZK
> >
> >
> >
> > --- On Thu, 8/7/08, Shiva Raman <raman.shivag at ...11827...> wrote:
> >
> >> From: Shiva Raman <raman.shivag at ...11827...>
> >> Subject: [Snort-users] Snort not logging to Mysql Database on CentOS 5.1( x86_64) !!!
> >> To: snort-users at lists.sourceforge.net
> >> Date: Thursday, August 7, 2008, 11:49 PM
> >> Dear All
> >>
> >>  I had installed Centos 5.1(x86_64) on Intel Xeon 64 bit server.
> >> Following are the set of RPMs installed in the server, downloaded from
> >> the Snort web site.
> >>
> >> snort-2.8.2.2-1.RH5.i386.rpm
> >> snort-mysql-2.8.2.2-1.RH5.i386.rpm
> >>
> >> The installation was completed successfully. The mysql database of
> >> snort has been created and the sql script was run. Then the services were
> >> started and this was showing status running fine.
> >> Following is my
> >>  #snort -c /etc/snort/snort.conf
> >> also did not show any errors.
> >> the mysql database was enabled in snort.conf.
> >>
> >> The problem is that mysql is not logging any snort alerts to the
> >> database. Is it a problem with 64 bit architecture, as the 32 bit rpms
> >> work fine and log into the database?
> >>
> >> Following is the configuration of my /etc/snort/snort.conf
> >>
> >> var HOME_NET 192.168.0.0/24
> >> var HONEYNET any
> >> var EXTERNAL_NET !$HOME_NET
> >> var SMTP_SERVERS any
> >> var TELNET_SERVERS any
> >> var HTTP_SERVERS any
> >> var SQL_SERVERS any
> >> var HTTP_PORTS 80
> >> var SHELLCODE_PORTS !80
> >> var ORACLE_PORTS 1521
> >> config checksum_mode: none
> >> var rule_path /etc/snort/rules
> >> preprocessor flow: stats_interval 0 hash 2
> >> preprocessor stream4: disable_evasion_alerts
> >> preprocessor stream4_reassemble: both
> >> preprocessor stream4_reassemble: both,ports 21 23 25 53 80 110 111 139 143 445 513 1433
> >> preprocessor http_inspect: global \
> >>     iis_unicode_map unicode.map 1252
> >> preprocessor http_inspect_server: server default \
> >>     profile all ports { 80 8080 8180 } oversize_dir_length 500 no_alerts
> >> preprocessor rpc_decode: 111 32771
> >> preprocessor bo
> >> output alert_fast: alert
> >> include classification.config
> >> include reference.config
> >> output database: log, mysql, user=root dbname=snort host=localhost
> >> output alert_unified: filename snort.alert, limit 128
> >> output log_unified: filename snort.log, limit 128
> >> include $rule_path/attack-responses.rules
> >> include $rule_path/backdoor.rules
> >> include $rule_path/ddos.rules
> >> include $rule_path/dns.rules
> >> include $rule_path/pop3.rules
> >> include $rule_path/smtp.rules
> >> include $rule_path/icmp-info.rules
> >> include $rule_path/multimedia.rules
> >> include $rule_path/nntp.rules
> >> include $rule_path/oracle.rules
> >> include $rule_path/policy.rules
> >> include $rule_path/porn.rules
> >> include $rule_path/scan.rules
> >> include $rule_path/telnet.rules
> >> include $rule_path/tftp.rules
> >> include $rule_path/web-cgi.rules
> >> include $rule_path/web-coldfusion.rules
> >> include $rule_path/x11.rules
> >>
> >> and following is the output of
> >> # snort -c /etc/snort/snort.conf
> >>
> >> [root at ...14405... server ~]# snort -c /etc/snort/snort.conf
> >> Running in IDS mode
> >>
> >>         --== Initializing Snort ==--
> >> Initializing Output Plugins!
> >> Initializing Preprocessors!
> >> Initializing Plug-ins!
> >> Parsing Rules file /etc/snort/snort.conf
> >> PortVar 'HTTP_PORTS' defined :  [ 80]
> >> PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535]
> >> PortVar 'ORACLE_PORTS' defined :  [ 1521]
> >> ,-----------[Flow Config]----------------------
> >> | Stats Interval:  0
> >> | Hash Method:     2
> >> | Memcap:          10485760
> >> | Rows  :          4096
> >> | Overhead Bytes:  16388(%0.16)
> >> `----------------------------------------------
> >> Stream4 config:
> >>     Stateful inspection: ACTIVE
> >>     Session statistics: INACTIVE
> >>     Session timeout: 30 seconds
> >>     Session memory cap: 8388608 bytes
> >>     Session count max: 8192 sessions
> >>     Session cleanup count: 5
> >>     State alerts: INACTIVE
> >>     Evasion alerts: INACTIVE
> >>     Scan alerts: INACTIVE
> >>     Log Flushed Streams: INACTIVE
> >>     MinTTL: 1
> >>     TTL Limit: 5
> >>     Async Link: 0
> >>     State Protection: 0
> >>     Self preservation threshold: 50
> >>     Self preservation period: 90
> >>     Suspend threshold: 200
> >>     Suspend period: 30
> >>     Enforce TCP State: INACTIVE
> >>     Midstream Drop Alerts: INACTIVE
> >>     Allow Blocking of TCP Sessions in Inline: ACTIVE
> >> Stream4_reassemble config:
> >>     Server reassembly: ACTIVE
> >>     Client reassembly: ACTIVE
> >>     Reassembler alerts: ACTIVE
> >>     Zero out flushed packets: INACTIVE
> >>     Flush stream on alert: INACTIVE
> >>     flush_data_diff_size: 500
> >>     Reassembler Packet Preferance : Favor Old
> >>     Packet Sequence Overlap Limit: -1
> >>     Flush behavior: Small (<255 bytes)
> >>     Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
> >>     Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
> >> Stream4_reassemble config:
> >>     Server reassembly: ACTIVE
> >>     Client reassembly: ACTIVE
> >>     Reassembler alerts: ACTIVE
> >>     Zero out flushed packets: INACTIVE
> >>     Flush stream on alert: INACTIVE
> >>     flush_data_diff_size: 500
> >>     Reassembler Packet Preferance : Favor Old
> >>     Packet Sequence Overlap Limit: -1
> >>     Flush behavior: Small (<255 bytes)
> >>     Ports: 21 23 25 53 80 110 111 139 143 445 513 1433
> >>     Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
> >> HttpInspect Config:
> >>     GLOBAL CONFIG
> >>       Max Pipeline Requests:    0
> >>       Inspection Type:          STATELESS
> >>       Detect Proxy Usage:       NO
> >>       IIS Unicode Map Filename: /etc/snort/unicode.map
> >>       IIS Unicode Map Codepage: 1252
> >>     DEFAULT SERVER CONFIG:
> >>       Server profile: All
> >>       Ports: 80 8080 8180
> >>       Flow Depth: 300
> >>       Max Chunk Length: 500000
> >>       Inspect Pipeline Requests: YES
> >>       URI Discovery Strict Mode: NO
> >>       Allow Proxy Usage: NO
> >>       Disable Alerting: YES
> >>       Oversize Dir Length: 500
> >>       Only inspect URI: NO
> >>       Ascii: YES alert: NO
> >>       Double Decoding: YES alert: YES
> >>       %U Encoding: YES alert: YES
> >>       Bare Byte: YES alert: YES
> >>       Base36: OFF
> >>       UTF 8: OFF
> >>       IIS Unicode: YES alert: YES
> >>       Multiple Slash: YES alert: NO
> >>       IIS Backslash: YES alert: NO
> >>       Directory Traversal: YES alert: NO
> >>       Web Root Traversal: YES alert: YES
> >>       Apache WhiteSpace: YES alert: NO
> >>       IIS Delimiter: YES alert: NO
> >>       IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
> >>       Non-RFC Compliant Characters: NONE
> >>       Whitespace Characters: 0x09 0x0b 0x0c 0x0d
> >> rpc_decode arguments:
> >>     Ports to decode RPC on: 111 32771
> >>     alert_fragments: INACTIVE
> >>     alert_large_fragments: ACTIVE
> >>     alert_incomplete: ACTIVE
> >>     alert_multiple_requests: ACTIVE
> >> Tagged Packet Limit: 256
> >>
> >> +++++++++++++++++++++++++++++++++++++++++++++++++++
> >> Initializing rule chains...
> >> 1168 Snort rules read
> >>     1168 detection rules
> >>     0 decoder rules
> >>     0 preprocessor rules
> >> 1168 Option Chains linked into 138 Chain Headers
> >> 0 Dynamic rules
> >> +++++++++++++++++++++++++++++++++++++++++++++++++++
> >>
> >> +-------------------[Rule Port Counts]---------------------------------------
> >> |             tcp     udp    icmp      ip
> >> |     src      88       9       0       0
> >> |     dst     902      42       0       0
> >> |     any      25       5     113       4
> >> |      nc      13       1      83       2
> >> |     s+d      10       3       0       0
> >> +----------------------------------------------------------------------------
> >>
> >> +-----------------------[thresholding-config]----------------------------------
> >> | memory-cap : 1048576 bytes
> >> +-----------------------[thresholding-global]----------------------------------
> >> | none
> >> +-----------------------[thresholding-local]-----------------------------------
> >> | gen-id=1      sig-id=2275       type=Threshold tracking=dst count=5 seconds=60
> >> +-----------------------[suppression]------------------------------------------
> >> | none
> >> -------------------------------------------------------------------------------
> >> Rule application order: activation->dynamic->pass->drop->sdrop->reject->alert->log
> >> Log directory = /var/log/snort
> >> Verifying Preprocessor Configurations!
> >> Warning: flowbits key 'realplayer.playlist' is set but not ever checked.
> >> 14 out of 512 flowbits in use.
> >> ***
> >> *** interface device lookup found: eth0
> >> ***
> >>
> >> Initializing Network Interface eth0
> >> Decoding Ethernet on interface eth0
> >> database: compiled support for ( mysql )
> >> database: configured to use mysql
> >> database:          user = root
> >> database: database name = snort
> >> database:          host = localhost
> >> database:   sensor name = 192.168.10.18
> >> database:     sensor id = 3
> >> database: schema version = 107
> >> database: using the "log" facility
> >>
> >> [ Port Based Pattern Matching Memory ]
> >> +-[AC-BNFA Search Info Summary]------------------------------
> >> | Instances        : 117
> >> | Patterns         : 2515
> >> | Pattern Chars    : 40315
> >> | Num States       : 29117
> >> | Num Match States : 2398
> >> | Memory           :   686.30Kbytes
> >> |   Patterns       :   88.38K
> >> |   Match Lists    :   135.42K
> >> |   Transitions    :   452.45K
> >> +-------------------------------------------------
> >>
> >>         --== Initialization Complete ==--
> >>
> >>    ,,_     -*> Snort! <*-
> >>   o"  )~   Version 2.8.0.1 (Build 72) inline
> >>    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
> >>            (C) Copyright 1998-2007 Sourcefire Inc., et al.
> >>            Using PCRE version: 6.6 06-Feb-2006
> >>
> >> Not Using PCAP_FRAMES
> >>
> >>
> >> Please guide me how to resolve this problem.
> >>
> >> Thanks and Regards
> >>
> >> Shiva Raman
> >>
> >>
> -------------------------------------------------------------------------
> >> This SF.Net email is sponsored by the Moblin Your
> Move
> >> Developer's challenge
> >> Build the coolest Linux based applications with
> Moblin SDK
> >> & win great prizes
> >> Grand prize is a trip for two to an Open Source
> event
> >> anywhere in the world
> >>
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> >> _______________________________________________
> >> Snort-users mailing list
> >> Snort-users at lists.sourceforge.net
> >> Go to this URL to change user options or
> unsubscribe:
> >>
> https://lists.sourceforge.net/lists/listinfo/snort-users
> >> Snort-users list archive:
> >>
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> >
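The thread turns on the form of the `output database:` directive: the original poster's line used the `log` facility and `user=root`, and ZK's reply showed the `alert` form with an explicit port, sensor name and a dedicated user. The script below is an added example, not code from the thread or from the Snort project. It parses a Snort 2.x `output database:` line into facility, backend and key=value parameters and reports the checks a reviewer would make before restarting the sensor. The set of required keys (`dbname`, `user`, `host`) is an assumption taken from the keys both directives in the thread supply; the two sample lines are copied from the thread with its placeholders (`X.X.X.X`, `kenny`, `Nken`) left as they are.

```python
"""Parse and sanity-check a Snort 2.x 'output database:' directive.

Added example, not code from the thread or from the Snort project.
It reads the directive the way the two configurations in the thread
write it (facility, backend, then key=value pairs) and reports what a
reviewer would check before restarting the sensor.
"""
import re
from dataclasses import dataclass, field

# Sample lines copied from the thread: the original poster's directive and
# the form ZK recommended (placeholders kept as the thread wrote them).
OP_LINE = "output database: log, mysql, user=root dbname=snort host=localhost"
ZK_LINE = ("output database: alert, mysql, dbname=snort port=3306 user=snort "
           "password=kenny sensor_name=Nken host=X.X.X.X")

# Backends the Snort 2.x database output plugin accepts.
KNOWN_BACKENDS = {"mysql", "postgresql", "odbc", "oracle", "mssql"}

# Assumption for this check: the three keys both directives in the thread
# supply are treated as required.
REQUIRED_KEYS = ("dbname", "user", "host")

_DIRECTIVE = re.compile(
    r"^\s*output\s+database:\s*(?P<facility>\w+)\s*,\s*(?P<backend>\w+)\s*,\s*(?P<rest>.*?)\s*$"
)


@dataclass
class DatabaseOutput:
    facility: str
    backend: str
    params: dict = field(default_factory=dict)


def parse_output_database(line: str) -> DatabaseOutput:
    """Split 'output database: <facility>, <backend>, k=v k=v ...' into parts."""
    m = _DIRECTIVE.match(line)
    if not m:
        raise ValueError("not an 'output database:' directive: %r" % line)
    params = {}
    for token in m.group("rest").split():
        if "=" not in token:
            raise ValueError("expected key=value in parameters, got %r" % token)
        key, value = token.split("=", 1)
        if key in params:
            raise ValueError("parameter %r given twice" % key)
        params[key] = value
    return DatabaseOutput(m.group("facility"), m.group("backend"), params)


def check_output_database(cfg: DatabaseOutput) -> list:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if cfg.facility not in ("alert", "log"):
        findings.append("facility must be 'alert' or 'log', got %r" % cfg.facility)
    elif cfg.facility == "log":
        # The thread's advice: if nothing reaches the database, try 'alert'.
        findings.append("facility is 'log'; try 'alert' if events never reach the database")
    if cfg.backend not in KNOWN_BACKENDS:
        findings.append("unknown backend %r" % cfg.backend)
    for key in REQUIRED_KEYS:
        if key not in cfg.params:
            findings.append("missing parameter %r" % key)
    if cfg.params.get("user") == "root":
        findings.append("user is 'root'; use a dedicated least-privilege database account")
    if "password" in cfg.params:
        findings.append("password is stored in snort.conf; keep the file readable only by the snort user")
    port = cfg.params.get("port")
    if port is not None and not (port.isdigit() and 0 < int(port) < 65536):
        findings.append("port must be a number between 1 and 65535, got %r" % port)
    return findings


def review(line: str) -> list:
    """Parse one directive and return its findings (convenience wrapper)."""
    return check_output_database(parse_output_database(line))


if __name__ == "__main__":
    for sample in (OP_LINE, ZK_LINE):
        print(sample)
        for finding in review(sample) or ["no findings"]:
            print("  -", finding)
```

Run against the two lines from the thread, the original poster's directive is flagged for the `log` facility and the `root` user, while ZK's form is flagged only for carrying a password in the configuration file; the parser rejects any line that is not an `output database:` directive, so it can be run over every `output` line of a snort.conf and ignore the rest.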


      



