[Snort-users] one snort instance logging in at different databases

Pedro Marinho pppmarinho at ...11827...
Wed Apr 22 10:39:50 EDT 2009


Hello Gentlemen,

Is there a way to tell snort to log all signatures in one database and
another signature that I've created in another database? I mean a single
instance of snort logging everything in one database and a specific rule that
I've created in another database.

2009/4/22 <snort-users-request at lists.sourceforge.net>

> Today's Topics:
>
>   1. Re: view alerts in base (Joel Esler)
>   2. Re: view alerts in base (Joel Esler)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 22 Apr 2009 07:51:34 -0400
> From: Joel Esler <jesler at ...1935...>
> Subject: Re: [Snort-users] view alerts in base
> To: David Kingsly <davidkingsly at ...3147...>
> Cc: snort-users at lists.sourceforge.net, Lee Clemens
>        <snort at ...13080...>
> Message-ID:
>        <314cf0830904220451v337a44d8i65e3146e60bfd5d8 at ...11828...>
> Content-Type: text/plain; charset="iso-8859-1"
>
> You have to use "backticks" for the schema table.
> select * from `schema`;
>
> Joel
>
> On Tue, Apr 21, 2009 at 9:40 PM, David Kingsly <davidkingsly at ...3147...
> >wrote:
>
> > I can not do the query.  I see the table, but it does not work...
> > mysql> show tables;
> > +------------------+
> > | Tables_in_snort  |
> > +------------------+
> > | acid_ag          |
> > | acid_ag_alert    |
> > | acid_event       |
> > | acid_ip_cache    |
> > | base_roles       |
> > | base_users       |
> > | data             |
> > | detail           |
> > | encoding         |
> > | event            |
> > | icmphdr          |
> > | iphdr            |
> > | opt              |
> > | reference        |
> > | reference_system |
> > | schema           |
> > | sensor           |
> > | sig_class        |
> > | sig_reference    |
> > | signature        |
> > | tcphdr           |
> > | udphdr           |
> > +------------------+
> > 22 rows in set (0.00 sec)
> >
> > mysql> select * from 'schema';
> > ERROR 1064 (42000): You have an error in your SQL syntax; check the
> > manual that corresponds to your MySQL server version for the right
> > syntax to use near ''schema'' at line 1
> > mysql> select * from schema;
> > ERROR 1064 (42000): You have an error in your SQL syntax; check the
> > manual that corresponds to your MySQL server version for the right
> > syntax to use near 'schema' at line 1
> > mysql> select * from schema;
> > ERROR 1064 (42000): You have an error in your SQL syntax; check the
> > manual that corresponds to your MySQL server version for the right
> > syntax to use near 'schema' at line 1
> > mysql>
> >
> >
> >
> > On Mon, 2009-04-20 at 17:19 -0400, Lee Clemens wrote:
> > > Can you send the output of
> > >
> > > select * from `schema`;
> > >
> > >
> > > -----Original Message-----
> > > From: David Kingsly [mailto:davidkingsly at ...3147...]
> > > Sent: Sunday, April 19, 2009 10:45 PM
> > > To: snort-users at lists.sourceforge.net
> > > Subject: Re: [Snort-users] view alerts in base
> > >
> > > Just to add to this previous post.  I do not seem to have a sensor id in
> > > my table.  I saw some posts regarding this being the reason for alerts
> > > not showing up in BASE:
> > > mysql> show tables;
> > > +------------------+
> > > | Tables_in_snort  |
> > > +------------------+
> > > | acid_ag          |
> > > | acid_ag_alert    |
> > > | acid_event       |
> > > | acid_ip_cache    |
> > > | base_roles       |
> > > | base_users       |
> > > | data             |
> > > | detail           |
> > > | encoding         |
> > > | event            |
> > > | icmphdr          |
> > > | iphdr            |
> > > | opt              |
> > > | reference        |
> > > | reference_system |
> > > | schema           |
> > > | sensor           |
> > > | sig_class        |
> > > | sig_reference    |
> > > | signature        |
> > > | tcphdr           |
> > > | udphdr           |
> > > +------------------+
> > > 22 rows in set (0.00 sec)
> > >
> > > mysql> select * from sensor;
> > > Empty set (0.00 sec)
> > >
> > > I do however see alerts in the mysql database .
> > >
> > >
> > > On Sun, 2009-04-19 at 13:27 -0400, David Kingsly wrote:
> > > > Greetings-
> > > >   I see alerts in mysql and in alerts folder in /var/logs/snort.  But
> > > > base page is blank. I checked mysql by logging in using the same
> > > > account, and password, and I did select * on some tables.  But they do
> > > > not show up in Base.  Is there a log file I can look at?  How can I find
> > > > out what is wrong please?  Here are some logs I suspect:
> > > >
> > > > daemon.log:Apr 19 10:47:08 thunder snort[21347]:     Target-based policy: WINDOWS
> > > > daemon.log:Apr 19 10:47:14 thunder snort[21351]: database: inconsistent cid information for sid=1
> > > > daemon.log.0:Apr 12 12:04:26 thunder snort[20659]:     Target-based policy: WINDOWS
> > > > daemon.log.0:Apr 12 12:11:02 thunder snort[20755]:     Target-based policy: WINDOWS
> > > > daemon.log.0:Apr 12 12:13:04 thunder snort[20763]:     Target-based policy: WINDOWS
> > > > daemon.log.0:Apr 12 12:13:41 thunder snort[20962]:     Target-based policy: WINDOWS
> > > > daemon.log.0:Apr 12 15:23:24 thunder snort[29865]:     Target-based policy: WINDOWS
> > > > daemon.log.0:Apr 16 20:58:11 thunder snort[5993]:     Target-based policy: WINDOWS
> > > > daemon.log.0:Apr 16 20:58:18 thunder snort[5993]: database: inconsistent cid information for sid=1
> > > > daemon.log.0:Apr 16 21:35:48 thunder snort[5967]:     Target-based policy: WINDOWS
> > > > daemon.log.0:Apr 16 21:35:55 thunder snort[5967]: database: inconsistent cid information for sid=1
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > ------------------------------------------------------------------------------
> > > > Stay on top of everything new and different, both inside and
> > > > around Java (TM) technology - register by April 22, and save
> > > > $200 on the JavaOne (SM) conference, June 2-5, 2009, San Francisco.
> > > > 300 plus technical and hands-on sessions. Register today.
> > > > Use priority code J9JMT32. http://p.sf.net/sfu/p
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users at lists.sourceforge.net
> > > > Go to this URL to change user options or unsubscribe:
> > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > Snort-users list archive:
> > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > > >
> > > > #
> > > > " This e-mail and any attached documents may contain confidential or
> > > > proprietary information. If you are not the intended recipient, please
> > > > advise the sender immediately and delete this e-mail and all attached
> > > > documents from your computer system. Any unauthorised disclosure,
> > > > distribution or copying hereof is prohibited."
> > > >
> > > > " This e-mail and the attached documents may contain confidential
> > > > information. If you are not the intended recipient, please inform the
> > > > sender immediately and delete this e-mail and all attached documents
> > > > from your computer system. Any disclosure, distribution or copying of
> > > > this e-mail and the attached documents without prior authorisation
> > > > from its sender is prohibited."
> > > > #
>
>
>
> --
> joel esler | Sourcefire | gtalk: jesler at ...1935... | 302-223-5974
>
> ------------------------------
>
> Message: 2
> Date: Wed, 22 Apr 2009 07:52:32 -0400
> From: Joel Esler <jesler at ...1935...>
> Subject: Re: [Snort-users] view alerts in base
> To: David Kingsly <davidkingsly at ...3147...>
> Cc: snort-users at lists.sourceforge.net
> Message-ID:
>        <314cf0830904220452q1b1926a8m5e4cea8cf2c97d91 at ...11828...>
> Content-Type: text/plain; charset="iso-8859-1"
>
> You should be using BASE.  ACID is dead.  Been dead for at least 5 years.
> J
>
> On Tue, Apr 21, 2009 at 9:45 PM, David Kingsly <davidkingsly at ...3147...
> >wrote:
>
> > So even though I see alerts in mysql, the issue is between snort 2.8.4
> > and mysql?  Not between BASE and mysql?  From looking at my tables
> > before I installed BASE, and after I see that BASE added some items.  I
> > just don't get why alerts are not collected.  I'll look at barnyard
> > documentation. Thank you.  I do not have ACID installed. The procedures
> > that I am following on Ubuntu do not call for it.
> >
> > On Mon, 2009-04-20 at 17:44 -0400, John Gay wrote:
> > > If you are using the database output plugin with Snort 2.8.4 there is
> > > a known issue. A patch was posted the other week. Try using unified
> > > output and something like barnyard to write to the db.
> > >
> > > John
> > >
>
>
> --
> joel esler | Sourcefire | gtalk: jesler at ...1935... | 302-223-5974
>
> ------------------------------
>
>
>
> End of Snort-users Digest, Vol 35, Issue 51
> *******************************************
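An added example, not taken from any message in the thread: the MySQL checks I would run against the database David describes (events present, `sensor` empty, "inconsistent cid information for sid=1" on startup). It assumes the stock Snort 2.x create_mysql layout, whose table names match his `show tables` output and whose column names (sensor.sid/hostname/interface/last_cid, event.sid/cid, schema.vseq/ctime) are the standard ones; the database name `snort` is taken from his `Tables_in_snort` heading. The interpretation of the "inconsistent cid" message in the last query is my understanding of the database output plugin, not something the thread states.

```sql
-- Added example (not part of the thread). Diagnostics for a Snort 2.x
-- alert database read by BASE, using the stock create_mysql table layout.
-- Database name taken from the "Tables_in_snort" heading above.
USE `snort`;

-- "schema" is a reserved word in MySQL. Backticks quote it as an identifier;
-- the single quotes tried above turn it into a string literal, hence the
-- ERROR 1064 at 'schema'.
SELECT vseq, ctime FROM `schema`;

-- One row per sensor that has registered with the database. David's output
-- shows this empty, which is the state the remaining checks look for.
SELECT sid, hostname, interface, last_cid FROM sensor;

-- Sensor ids that actually occur in the event table, with the number of
-- events and the highest event id (cid) stored for each.
SELECT sid, COUNT(*) AS events, MAX(cid) AS max_cid
FROM event
GROUP BY sid;

-- Events whose sid has no matching sensor row: they exist in "event" and
-- answer a bare "select * from event", but are invisible to any query that
-- joins through "sensor".
SELECT e.sid, COUNT(*) AS orphaned_events
FROM event AS e
LEFT JOIN sensor AS s ON s.sid = e.sid
WHERE s.sid IS NULL
GROUP BY e.sid;

-- Sensor counters that lag the events already stored. Assumption: this is
-- the mismatch behind "database: inconsistent cid information for sid=1";
-- the database plugin compares sensor.last_cid with MAX(event.cid) for its
-- sid when it starts up.
SELECT s.sid, s.last_cid, MAX(e.cid) AS max_cid
FROM sensor AS s
JOIN event AS e ON e.sid = s.sid
GROUP BY s.sid, s.last_cid
HAVING MAX(e.cid) > s.last_cid;
```

Run these as the same MySQL account BASE is configured with. If the third and fourth queries return rows while the second returns none, the alerts are in the database but no sensor was ever registered for them, which is exactly the symptom David reports and is consistent with John's pointer to the 2.8.4 database-plugin issue.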
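An added example for the question at the top of this message, not something posted in the thread: Snort 2.x lets you declare a custom rule action with `ruletype`, and the output plugins listed inside that block apply only to rules that use that action, so a single Snort instance can send its ordinary `alert` rules to one database and a hand-picked rule to another. The user, password, host, both database names, the ruletype name `splitdb` and the two local rules are placeholders of my own.

```conf
# Added example, not from the thread: a Snort 2.x snort.conf fragment that
# splits output between two MySQL databases from one Snort instance.
# User, password, host, both database names and the rule sids are placeholders.

# Global output plugin: every rule that uses the built-in "alert" action
# is written to this database.
output database: alert, mysql, user=snort password=CHANGEME dbname=snort host=localhost

# A custom rule action with its own output plugin list. Rules that use this
# action are handed to the outputs declared here rather than the global
# ones, so the second database receives only the rules you point at it.
# Declare the ruletype before the "include" of any rules file that uses it.
ruletype splitdb
{
    type alert
    output database: alert, mysql, user=snort password=CHANGEME dbname=snort_custom host=localhost
}

# Contents of a rules file included from snort.conf (local sids, 1000000+):
# - built-in action, written to dbname=snort
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL inbound SSH"; flow:to_server,established; sid:1000001; rev:1;)
# - custom action, written to dbname=snort_custom only
splitdb tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"LOCAL outbound IRC"; flow:to_server,established; sid:1000002; rev:1;)
```

Two caveats. The split is done by rule action, not by signature id, so the rule you want in the second database has to be written (or rewritten) with the custom action rather than `alert`. And if you follow John's advice and move to unified2 output with barnyard because of the 2.8.4 database-plugin problem, this per-rule split does not carry over: barnyard reads the whole unified2 spool and passes every event to each of its configured outputs, so splitting by rule then means a second Snort instance with its own spool, or filtering in the database afterwards.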