[Snort-users] one snort instance logging in at different databases

Pedro Marinho pppmarinho at ...11827...
Wed Apr 22 11:00:48 EDT 2009


Thanks Joel

2009/4/22 Joel Esler <jesler at ...1935...>

> You can do this through custom alerting keywords.
>
> http://www.snort.org/docs/snort_htmanuals/htmanual_284/node198.html
>
> Or you can configure two DB outputs in Barnyard.
>
> Joel
>
>
> On Wed, Apr 22, 2009 at 10:39 AM, Pedro Marinho <pppmarinho at ...11827...> wrote:
>
>> Hello Gentlemen,
>>
>> Is there a way to tell snort to log all signatures in one database and
>> another signature that I've created in another database? I mean a single
>> instance of snort logs all in one database and a specific rule that I've
>> created in another database.
>>
>> 2009/4/22 <snort-users-request at lists.sourceforge.net>
>>
>>> Send Snort-users mailing list submissions to
>>>        snort-users at lists.sourceforge.net
>>>
>>> To subscribe or unsubscribe via the World Wide Web, visit
>>>        https://lists.sourceforge.net/lists/listinfo/snort-users
>>> or, via email, send a message with subject or body 'help' to
>>>        snort-users-request at lists.sourceforge.net
>>>
>>> You can reach the person managing the list at
>>>        snort-users-owner at lists.sourceforge.net
>>>
>>> When replying, please edit your Subject line so it is more specific
>>> than "Re: Contents of Snort-users digest..."
>>>
>>>
>>> Today's Topics:
>>>
>>>   1. Re: view alerts in base (Joel Esler)
>>>   2. Re: view alerts in base (Joel Esler)
>>>
>>>
>>> ----------------------------------------------------------------------
>>>
>>> Message: 1
>>> Date: Wed, 22 Apr 2009 07:51:34 -0400
>>> From: Joel Esler <jesler at ...1935...>
>>> Subject: Re: [Snort-users] view alerts in base
>>> To: David Kingsly <davidkingsly at ...3147...>
>>> Cc: snort-users at lists.sourceforge.net, Lee Clemens
>>>        <snort at ...13080...>
>>> Message-ID:
>>>        <314cf0830904220451v337a44d8i65e3146e60bfd5d8 at ...11828...>
>>> Content-Type: text/plain; charset="iso-8859-1"
>>>
>>> You have to use "backticks" for the schema table.
>>> select * from `schema`;
>>>
>>> Joel
>>>
>>> On Tue, Apr 21, 2009 at 9:40 PM, David Kingsly <davidkingsly at ...3147...> wrote:
>>>
>>> > I can not do the query.  I see the table, but it does not work...
>>> > mysql> show tables;
>>> > +------------------+
>>> > | Tables_in_snort  |
>>> > +------------------+
>>> > | acid_ag          |
>>> > | acid_ag_alert    |
>>> > | acid_event       |
>>> > | acid_ip_cache    |
>>> > | base_roles       |
>>> > | base_users       |
>>> > | data             |
>>> > | detail           |
>>> > | encoding         |
>>> > | event            |
>>> > | icmphdr          |
>>> > | iphdr            |
>>> > | opt              |
>>> > | reference        |
>>> > | reference_system |
>>> > | schema           |
>>> > | sensor           |
>>> > | sig_class        |
>>> > | sig_reference    |
>>> > | signature        |
>>> > | tcphdr           |
>>> > | udphdr           |
>>> > +------------------+
>>> > 22 rows in set (0.00 sec)
>>> >
>>> > mysql> select * from 'schema';
>>> > ERROR 1064 (42000): You have an error in your SQL syntax; check the
>>> > manual that corresponds to your MySQL server version for the right
>>> > syntax to use near ''schema'' at line 1
>>> > mysql> select * from schema;
>>> > ERROR 1064 (42000): You have an error in your SQL syntax; check the
>>> > manual that corresponds to your MySQL server version for the right
>>> > syntax to use near 'schema' at line 1
>>> > mysql> select * from schema;
>>> > ERROR 1064 (42000): You have an error in your SQL syntax; check the
>>> > manual that corresponds to your MySQL server version for the right
>>> > syntax to use near 'schema' at line 1
>>> > mysql>
>>> >
>>> >
>>> >
>>> > On Mon, 2009-04-20 at 17:19 -0400, Lee Clemens wrote:
>>> > > Can you send the output of
>>> > >
>>> > > select * from `schema`;
>>> > >
>>> > >
>>> > > -----Original Message-----
>>> > > From: David Kingsly [mailto:davidkingsly at ...3147...]
>>> > > Sent: Sunday, April 19, 2009 10:45 PM
>>> > > To: snort-users at lists.sourceforge.net
>>> > > Subject: Re: [Snort-users] view alerts in base
>>> > >
>>> > > Just to add to this previous post.  I do not seem to have a sensor id in
>>> > > my table.  I saw some posts regarding this being the reason for alerts
>>> > > not showing up in BASE:
>>> > > mysql> show tables;
>>> > > +------------------+
>>> > > | Tables_in_snort  |
>>> > > +------------------+
>>> > > | acid_ag          |
>>> > > | acid_ag_alert    |
>>> > > | acid_event       |
>>> > > | acid_ip_cache    |
>>> > > | base_roles       |
>>> > > | base_users       |
>>> > > | data             |
>>> > > | detail           |
>>> > > | encoding         |
>>> > > | event            |
>>> > > | icmphdr          |
>>> > > | iphdr            |
>>> > > | opt              |
>>> > > | reference        |
>>> > > | reference_system |
>>> > > | schema           |
>>> > > | sensor           |
>>> > > | sig_class        |
>>> > > | sig_reference    |
>>> > > | signature        |
>>> > > | tcphdr           |
>>> > > | udphdr           |
>>> > > +------------------+
>>> > > 22 rows in set (0.00 sec)
>>> > >
>>> > > mysql> select * from sensor;
>>> > > Empty set (0.00 sec)
>>> > >
>>> > > I do however see alerts in the mysql database .
>>> > >
>>> > >
>>> > > On Sun, 2009-04-19 at 13:27 -0400, David Kingsly wrote:
>>> > > > Greetings-
>>> > > >   I see alerts in mysql and in alerts folder in /var/logs/snort.  But
>>> > > > base page is blank. I checked mysql by logging in using the same
>>> > > > account, and password, and I did select * on some tables.  But they do
>>> > > > not show up in Base.  Is there a log file I can look at?  How can I find
>>> > > > out what is wrong please?  Here are some logs I suspect:
>>> > > >
>>> > > > daemon.log:Apr 19 10:47:08 thunder snort[21347]:     Target-based policy: WINDOWS
>>> > > > daemon.log:Apr 19 10:47:14 thunder snort[21351]: database: inconsistent cid information for sid=1
>>> > > > daemon.log.0:Apr 12 12:04:26 thunder snort[20659]:     Target-based policy: WINDOWS
>>> > > > daemon.log.0:Apr 12 12:11:02 thunder snort[20755]:     Target-based policy: WINDOWS
>>> > > > daemon.log.0:Apr 12 12:13:04 thunder snort[20763]:     Target-based policy: WINDOWS
>>> > > > daemon.log.0:Apr 12 12:13:41 thunder snort[20962]:     Target-based policy: WINDOWS
>>> > > > daemon.log.0:Apr 12 15:23:24 thunder snort[29865]:     Target-based policy: WINDOWS
>>> > > > daemon.log.0:Apr 16 20:58:11 thunder snort[5993]:     Target-based policy: WINDOWS
>>> > > > daemon.log.0:Apr 16 20:58:18 thunder snort[5993]: database: inconsistent cid information for sid=1
>>> > > > daemon.log.0:Apr 16 21:35:48 thunder snort[5967]:     Target-based policy: WINDOWS
>>> > > > daemon.log.0:Apr 16 21:35:55 thunder snort[5967]: database: inconsistent cid information for sid=1
>>> > > >
>>> > > >
>>> > > >
>>> > > >
>>> > >
>>> >
>>> ----------------------------------------------------------------------------
>>> > > --
>>> > > > Stay on top of everything new and different, both inside and
>>> > > > around Java (TM) technology - register by April 22, and save
>>> > > > $200 on the JavaOne (SM) conference, June 2-5, 2009, San Francisco.
>>> > > > 300 plus technical and hands-on sessions. Register today.
>>> > > > Use priority code J9JMT32. http://p.sf.net/sfu/p
>>> > > > _______________________________________________
>>> > > > Snort-users mailing list
>>> > > > Snort-users at lists.sourceforge.net
>>> > > > Go to this URL to change user options or unsubscribe:
>>> > > > https://lists.sourceforge.net/lists/listinfo/snort-users
>>> > > > Snort-users list archive:
>>> > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>> > > >
>>> > > > #
>>> > > > " This e-mail and any attached documents may contain confidential or
>>> > > > proprietary information. If you are not the intended recipient, please
>>> > > > advise the sender immediately and delete this e-mail and all attached
>>> > > > documents from your computer system. Any unauthorised disclosure,
>>> > > > distribution or copying hereof is prohibited."
>>> > > > #
>>> > >
>>> > >
>>> > >
>>>
>>>
>>>
>>> --
>>> joel esler | Sourcefire | gtalk: jesler at ...1935... | 302-223-5974
>>>
>>> ------------------------------
>>>
>>> Message: 2
>>> Date: Wed, 22 Apr 2009 07:52:32 -0400
>>> From: Joel Esler <jesler at ...1935...>
>>> Subject: Re: [Snort-users] view alerts in base
>>> To: David Kingsly <davidkingsly at ...3147...>
>>> Cc: snort-users at lists.sourceforge.net
>>> Message-ID:
>>>        <314cf0830904220452q1b1926a8m5e4cea8cf2c97d91 at ...11828...>
>>> Content-Type: text/plain; charset="iso-8859-1"
>>>
>>> You should be using BASE.  ACID is dead.  Been dead for at least 5 years.
>>> J
>>>
>>> On Tue, Apr 21, 2009 at 9:45 PM, David Kingsly <davidkingsly at ...3147...> wrote:
>>>
>>> > So even though I see alerts in mysql, the issue is between snort 2.8.4
>>> > and mysql?  Not between BASE and mysql?  From looking at my tables
>>> > before I installed BASE, and after I see that BASE added some items.  I
>>> > just don't get why alerts are not collected.  I'll look at barnyard
>>> > documentation. Thank you.  I do not have ACID installed. The procedures
>>> > that I am following on Ubuntu do not call for it.
>>> >
>>> > On Mon, 2009-04-20 at 17:44 -0400, John Gay wrote:
>>> > > If you are using the database output plugin with Snort 2.8.4 there is
>>> > > a known issue. A patch was posted the other week. Try using unified
>>> > > output and something like barnyard to write to the db.
>>> > >
>>> > > John
>>> > >
>>> > >         On Apr 19, 2009 11:40 AM, "David Kingsly"
>>> > >         <davidkingsly at ...3147...> wrote:
>>> > >
>>> > >         Greetings-
>>> > >          I see alerts in mysql and in alerts folder in /var/logs/snort.  But
>>> > >         base page is blank. I checked mysql by logging in using the same
>>> > >         account, and password, and I did select * on some tables.  But they do
>>> > >         not show up in Base.  Is there a log file I can look at?  How can I find
>>> > >         out what is wrong please?  Here are some logs I suspect:
>>> > >
>>> > >         daemon.log:Apr 19 10:47:08 thunder snort[21347]: Target-based policy: WINDOWS
>>> > >         daemon.log:Apr 19 10:47:14 thunder snort[21351]: database: inconsistent cid information for sid=1
>>> > >         daemon.log.0:Apr 12 12:04:26 thunder snort[20659]: Target-based policy: WINDOWS
>>> > >         daemon.log.0:Apr 12 12:11:02 thunder snort[20755]: Target-based policy: WINDOWS
>>> > >         daemon.log.0:Apr 12 12:13:04 thunder snort[20763]: Target-based policy: WINDOWS
>>> > >         daemon.log.0:Apr 12 12:13:41 thunder snort[20962]: Target-based policy: WINDOWS
>>> > >         daemon.log.0:Apr 12 15:23:24 thunder snort[29865]: Target-based policy: WINDOWS
>>> > >         daemon.log.0:Apr 16 20:58:11 thunder snort[5993]: Target-based policy: WINDOWS
>>> > >         daemon.log.0:Apr 16 20:58:18 thunder snort[5993]: database: inconsistent cid information for sid=1
>>> > >         daemon.log.0:Apr 16 21:35:48 thunder snort[5967]: Target-based policy: WINDOWS
>>> > >         daemon.log.0:Apr 16 21:35:55 thunder snort[5967]: database: inconsistent cid information for sid=1
>>> > >
>>> > >
>>> > >
>>> > >
>>>
>>>
>>>
>>> --
>>> joel esler | Sourcefire | gtalk: jesler at ...1935... | 302-223-5974
>>>
>>> ------------------------------
>>>
>>>
>>> End of Snort-users Digest, Vol 35, Issue 51
>>> *******************************************
>>>
>>
>>
>
>
>
> --
> joel esler | Sourcefire | gtalk: jesler at ...1935... | 302-223-5974 |
> http://twitter.com/joelesler
>
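Joel's first suggestion above, a custom rule type (the Snort manual section he links), as a worked snort.conf fragment. This is an added example and not code from the thread or from the Snort manual; the database names, the database user and placeholder password, and the SSH rule are all made up for illustration and need to be replaced with your own.

```conf
# Added example (not from the thread): every alert goes to the default
# database, and only rules declared with a custom rule type go to a second
# database as well. Snort 2.8.x syntax. Assumptions: MySQL on localhost,
# databases "snort" and "snort_custom", user "snort", placeholder password.

# Global output plugins. These are what the built-in "alert" rule type uses.
# The password is in clear text here, so snort.conf must be readable by the
# snort user only.
output database: alert, mysql, user=snort password=CHANGE_ME dbname=snort host=localhost

# A custom rule type. A rule written with "custom_db" in place of "alert"
# uses only the output plugins listed inside this block, not the global one
# above, so this is the place to name the second database.
ruletype custom_db
{
    type alert
    output alert_fast: custom_db.alert
    output database: alert, mysql, user=snort password=CHANGE_ME dbname=snort_custom host=localhost
}

# A constructed rule using the custom type. Put it in a rules file included
# from snort.conf (or directly in snort.conf). sid 1000001 is in the local
# range; $HOME_NET and $EXTERNAL_NET are the usual snort.conf variables.
custom_db tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL inbound SSH to home net"; flow:to_server,established; classtype:misc-activity; sid:1000001; rev:1;)
```

The split is therefore per rule action, not per sid: whatever you want in the second database is written with the custom action, everything else keeps the plain "alert" action and the global output. Two things to check before relying on this. First, John Gay's note in the digest above about a known issue with the database output plugin in Snort 2.8.4; his workaround, unified output read by Barnyard, is also Joel's second option. Second, if you take the Barnyard route, confirm that your Barnyard version can choose which events go to which database at all, since it reads every event from the unified file and a second "output database" line there is not by itself a per-rule filter.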