[Snort-users] Snort PCAP FRAMES Query

Michael Sloan sloan at ...14851...
Fri Apr 30 12:01:35 EDT 2010


I'm still having fits with my Snort/Barnyard2/BASE/mySQL installation 
under SUSE Linux Enterprise 11, and decided to recompile Snort with 
--with-mysql --with-mysql-libraries=/usr/lib/mysql -- with 
mysql-includes=/usr/include/mysql to see if possibly some of my issues 
might go away -

Things like only seeing SSH Protocol Mismatch as the only reported error 
(I cleared the records in BASE before starting with the newly compiled 
snort binary) and links to information at snortid.com not even being in 
the format used at that site. I see an entry of the form 128-4, whereas 
snortid.com uses a X:YYYY format.

Using Snort 2.8.5.3, BASE-1.4.5, and Barnyard2-1.8...

What I noticed in the logs when I started snort is  Not using PCAP 
FRAMES. Would this account for why attempting to drill down and look at 
the packet information displayed an error? If so, where is this enabled?

I start snort with the following command line:

/usr/local/bin/snort -i eth0 -c /etc/snort/snort.conf -d -D -u snort

My output line in snort.conf is:

output unified2: filename snort.log, limit 128

And my barnyard2.conf output line is:
output database: alert, mysql, user=snort password=WildlySecretPassword 
dbname=snort host=localhost

mySQL seems to be set up correctly, with 16+ tables in the snort 
database and the user snort at ...274... being able to authenticate to the 
database.

I'm not sure where to go next in dealing with these problems. Any 
suggestions or recommendations would be greatly appreciated.

-- 
Michael Sloan
Systems Administrator
FSU Center for Advanced Power Systems
sloan at ...14851...





More information about the Snort-users mailing list