[Snort-users] one snort instance logging in at different databases

Joel Esler jesler at ...1935...
Wed Apr 22 10:57:48 EDT 2009


You can do this through custom alerting keywords.

http://www.snort.org/docs/snort_htmanuals/htmanual_284/node198.html

Or you can configure two DB outputs in Barnyard.

Joel
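One way to implement the first suggestion, as an added example that is not from this thread or from the Snort manual page linked above: a custom `ruletype` in snort.conf carries its own `output database:` plugin, so only rules declared with that action land in the second database while every ordinary `alert` rule keeps going to the default one. The database names, the DB user, the password placeholder and the local rule are assumptions for illustration.

```snort
# snort.conf excerpt (added example; names below are assumed, not from the thread).
# Assumed: MySQL databases "snort_main" and "snort_custom", DB user "snort",
# custom rule action "customdb". Replace <db-password> with the real credential.

# Default path: every rule whose action is "alert" is written to the main database.
output database: alert, mysql, user=snort password=<db-password> dbname=snort_main host=localhost

# Custom rule type: behaves like "alert" (type alert) but has its own output plugins.
# Only rules that use "customdb" as their action reach snort_custom.
ruletype customdb
{
    type alert
    output database: alert, mysql, user=snort password=<db-password> dbname=snort_custom host=localhost
}

# local.rules (assumed file): the one rule that should be logged separately.
# Using "customdb" instead of "alert" routes it to the second database;
# sid >= 1000000 keeps it out of the range reserved for distributed rules.
customdb tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"LOCAL custom rule routed to second DB"; flow:to_server,established; content:"example"; classtype:misc-activity; sid:1000001; rev:1;)
```

The thread itself notes a known issue with the direct database output plugin in Snort 2.8.4, which is why the Barnyard route (unified output read by Barnyard, which then writes to the database) is the other option mentioned.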

On Wed, Apr 22, 2009 at 10:39 AM, Pedro Marinho <pppmarinho at ...11827...> wrote:

> Hello Gentlemen,
>
> Is there a way to tell snort to log all signatures in one database and
> another signature that I've created in another database? I mean a single
> instance of snort logs all in one database and a specific rule that I've
> created in another database.
>
> 2009/4/22 <snort-users-request at lists.sourceforge.net>
>
>> Message: 1
>> Date: Wed, 22 Apr 2009 07:51:34 -0400
>> From: Joel Esler <jesler at ...1935...>
>> Subject: Re: [Snort-users] view alerts in base
>> To: David Kingsly <davidkingsly at ...3147...>
>> Cc: snort-users at lists.sourceforge.net, Lee Clemens
>>        <snort at ...13080...>
>>
>> You have to use "backticks" for the schema table.
>> select * from `schema`;
>>
>> Joel
>>
>> On Tue, Apr 21, 2009 at 9:40 PM, David Kingsly <davidkingsly at ...3147...> wrote:
>>
>> > I can not do the query.  I see the table, but it does not work...
>> > mysql> show tables;
>> > +------------------+
>> > | Tables_in_snort  |
>> > +------------------+
>> > | acid_ag          |
>> > | acid_ag_alert    |
>> > | acid_event       |
>> > | acid_ip_cache    |
>> > | base_roles       |
>> > | base_users       |
>> > | data             |
>> > | detail           |
>> > | encoding         |
>> > | event            |
>> > | icmphdr          |
>> > | iphdr            |
>> > | opt              |
>> > | reference        |
>> > | reference_system |
>> > | schema           |
>> > | sensor           |
>> > | sig_class        |
>> > | sig_reference    |
>> > | signature        |
>> > | tcphdr           |
>> > | udphdr           |
>> > +------------------+
>> > 22 rows in set (0.00 sec)
>> >
>> > mysql> select * from 'schema';
>> > ERROR 1064 (42000): You have an error in your SQL syntax; check the
>> > manual that corresponds to your MySQL server version for the right
>> > syntax to use near ''schema'' at line 1
>> > mysql> select * from schema;
>> > ERROR 1064 (42000): You have an error in your SQL syntax; check the
>> > manual that corresponds to your MySQL server version for the right
>> > syntax to use near 'schema' at line 1
>> > mysql> select * from schema;
>> > ERROR 1064 (42000): You have an error in your SQL syntax; check the
>> > manual that corresponds to your MySQL server version for the right
>> > syntax to use near 'schema' at line 1
>> > mysql>
>> >
>> >
>> >
>> > On Mon, 2009-04-20 at 17:19 -0400, Lee Clemens wrote:
>> > > Can you send the output of
>> > >
>> > > select * from `schema`;
>> > >
>> > >
>> > > -----Original Message-----
>> > > From: David Kingsly [mailto:davidkingsly at ...3147...]
>> > > Sent: Sunday, April 19, 2009 10:45 PM
>> > > To: snort-users at lists.sourceforge.net
>> > > Subject: Re: [Snort-users] view alerts in base
>> > >
>> > > Just to add to this previous post.  I do not seem to have a sensor id in
>> > > my table.  I saw some posts regarding this being the reason for alerts
>> > > not showing up in BASE:
>> > >
>> > > mysql> select * from sensor;
>> > > Empty set (0.00 sec)
>> > >
>> > > I do however see alerts in the mysql database.
>> > >
>> > >
>> > > On Sun, 2009-04-19 at 13:27 -0400, David Kingsly wrote:
>> > > > Greetings-
>> > > >   I see alerts in mysql and in the alerts folder in /var/logs/snort.  But
>> > > > the base page is blank. I checked mysql by logging in using the same
>> > > > account and password, and I did select * on some tables.  But they do
>> > > > not show up in Base.  Is there a log file I can look at?  How can I find
>> > > > out what is wrong please?  Here are some logs I suspect:
>> > > >
>> > > > daemon.log:Apr 19 10:47:08 thunder snort[21347]:     Target-based policy: WINDOWS
>> > > > daemon.log:Apr 19 10:47:14 thunder snort[21351]: database: inconsistent cid information for sid=1
>> > > > daemon.log.0:Apr 12 12:04:26 thunder snort[20659]:     Target-based policy: WINDOWS
>> > > > daemon.log.0:Apr 12 12:11:02 thunder snort[20755]:     Target-based policy: WINDOWS
>> > > > daemon.log.0:Apr 12 12:13:04 thunder snort[20763]:     Target-based policy: WINDOWS
>> > > > daemon.log.0:Apr 12 12:13:41 thunder snort[20962]:     Target-based policy: WINDOWS
>> > > > daemon.log.0:Apr 12 15:23:24 thunder snort[29865]:     Target-based policy: WINDOWS
>> > > > daemon.log.0:Apr 16 20:58:11 thunder snort[5993]:     Target-based policy: WINDOWS
>> > > > daemon.log.0:Apr 16 20:58:18 thunder snort[5993]: database: inconsistent cid information for sid=1
>> > > > daemon.log.0:Apr 16 21:35:48 thunder snort[5967]:     Target-based policy: WINDOWS
>> > > > daemon.log.0:Apr 16 21:35:55 thunder snort[5967]: database: inconsistent cid information for sid=1
>> > > >
>> > > >
>> > > >
>> > > >
>> > >
>> >
>> ----------------------------------------------------------------------------
>> > > --
>> > > > Stay on top of everything new and different, both inside and
>> > > > around Java (TM) technology - register by April 22, and save
>> > > > $200 on the JavaOne (SM) conference, June 2-5, 2009, San Francisco.
>> > > > 300 plus technical and hands-on sessions. Register today.
>> > > > Use priority code J9JMT32. http://p.sf.net/sfu/p
>> > > > _______________________________________________
>> > > > Snort-users mailing list
>> > > > Snort-users at lists.sourceforge.net
>> > > > Go to this URL to change user options or unsubscribe:
>> > > > https://lists.sourceforge.net/lists/listinfo/snort-users
>> > > > Snort-users list archive:
>> > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>> > > >
>> > >
>> > >
>> > >
>> >
>>
>>
>>
>> --
>> joel esler | Sourcefire | gtalk: jesler at ...1935... | 302-223-5974
>>
>> Message: 2
>> Date: Wed, 22 Apr 2009 07:52:32 -0400
>> From: Joel Esler <jesler at ...1935...>
>> Subject: Re: [Snort-users] view alerts in base
>> To: David Kingsly <davidkingsly at ...3147...>
>> Cc: snort-users at lists.sourceforge.net
>>
>> You should be using BASE.  ACID is dead.  Been dead for at least 5 years.
>> J
>>
>> On Tue, Apr 21, 2009 at 9:45 PM, David Kingsly <davidkingsly at ...3147...> wrote:
>>
>> > So even though I see alerts in mysql, the issue is between snort 2.8.4
>> > and mysql?  Not between BASE and mysql?  From looking at my tables
>> > before I installed BASE, and after I see that BASE added some items.  I
>> > just don't get why alerts are not collected.  I'll look at barnyard
>> > documentation. Thank you.  I do not have ACID installed. The procedures
>> > that I am following on Ubuntu do not call for it.
>> >
>> > On Mon, 2009-04-20 at 17:44 -0400, John Gay wrote:
>> > > If you are using the database output plugin with Snort 2.8.4 there is
>> > > a known issue. A patch was posted the other week. Try using unified
>> > > output and something like barnyard to write to the db.
>> > >
>> > > John
>> > >
>> >
>>
>>
>>
>>
>>
>>
>> End of Snort-users Digest, Vol 35, Issue 51
>> *******************************************
>>
>
>
>
>



-- 
joel esler | Sourcefire | gtalk: jesler at ...1935... | 302-223-5974 |
http://twitter.com/joelesler

