Snort mailing list archives
RE: RE: MySQL on Another Server (#2)
From: "L. Christopher Luther" <CLuther () Xybernaut com>
Date: Wed, 27 Nov 2002 17:54:30 -0500
I'm using Snort 1.8.6 w/ WinPCap 2.02 on a dual PIII NT 4.0 computer. And yes, I know WinPCap is not supported on SMP platforms, and yes, Snort 1.8.7+ is better, but WinPCap 2.3 will not run on my SMP server w/o disabling one processor, which I'm not willing to do. So, it's Snort 1.8.6 and WinPCap 2.02.

It's been working fine up until I started logging to a MySQL database on another computer. I was using IDScenter and the "-A fast" command line to launch Snort w/o using any output plugins in the snort.conf file. I've since removed the "-A" command line parameter and started using the following options in my snort.conf file:

    output alert_fast: alert.ids
    output database: log, Mysql, ... [snip]

I am getting data logged to the MySQL database, and the alert.ids file is being populated (which IDScenter monitors for changes so that it can generate e-mail messages). The weirdness is that some of the output being written to the alert.ids file is now corrupt. For example:

    11/24/02-07:16:22.396742 [**] [1:1256:6] WEB-IIS CodeRed v2 root.exe access [**] [Classification: X² Attack³] [Priority: 1] {TCP} 217.229.243.2:4300 -> xxx.xxx.xxx.xxx:80

The "Classification" text is munged. I don't know if using two output plugins is causing the problems or what.

I've since restarted the server and Snort (I was starting/stopping Snort a whole bunch as I was testing things) in hopes that it was a random bunch of Windoze weirdness. I'm going to see how things go through the weekend. If no more weirdness, then fine. Otherwise, I'm disabling the output plugins and sticking with the plain ol' "-A fast" option.

- Christopher

-----Original Message-----
From: Michael Steele [mailto:michaels () silicondefense com]
Sent: Wednesday, November 27, 2002 3:20 PM
To: 'L. Christopher Luther'; snort-users () lists sourceforge net
Subject: RE: [Snort-users] RE: MySQL on Another Server (#2)
Sensitivity: Confidential

Hummmm,

This is a good one :-)

Ok, can you describe in detail about; "other weird things are happening... "?

-Michael

--
Michael Steele | System Engineer / Support Technician
mailto:michaels () silicondefense com
Silicon Defense: IDS solutions - http://www.silicondefense.com
Snort: Open Source Network IDS - http://www.snort.org

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of L. Christopher Luther
Sent: Wednesday, November 27, 2002 10:59 AM
To: 'Hicks, John'
Cc: Snort-Users (E-mail)
Subject: [Snort-users] RE: MySQL on Another Server (#2)
Sensitivity: Confidential

Thanks. I found the binaries, but now other weird things are happening...

- Christopher

-----Original Message-----
From: Hicks, John [mailto:JHicks () JUSTICE GC CA]
Sent: Wednesday, November 27, 2002 10:04 AM
To: 'L. Christopher Luther'; Snort Users (E-mail)
Subject: RE: [Snort-users] MySQL on Another Server (#2)
Sensitivity: Confidential

All you need is the snort binary precompiled with mySQL support. You can get it from www.silicondefense.com

HTH,
John

-----Original Message-----
From: L. Christopher Luther [mailto:CLuther () Xybernaut com]
Sent: Monday, November 25, 2002 7:22 PM
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] MySQL on Another Server (#2)
Sensitivity: Confidential

Can anyone tell me how exactly does Snort (Win32) connect to a remote installation of MySQL (Win32)? I searched the MySQL web site but do not see a Win32 client-only installation for MySQL; I only see a Linux client installation for MySQL.

Sincerely,

L. Christopher Luther
Technical Consultant
Xybernaut Solutions, Inc.
(703) 654-3642
cluther () xybernaut com
http://www.xybernautsolutions.com
My PGP Public Key: http://keyserver.pgp.com/pks/lookup?op=get&search=0x21261B88
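A check for the kind of damage reported in the message above, as an added example that is not part of the original thread or of Snort: it parses alert_fast lines and reports which text field holds bytes outside printable ASCII. The field layout is inferred from the single sample line in the message; the function names, the clean line and the 192.0.2.10 address are constructed for illustration.

```python
import re

# Layout inferred from the one alert_fast sample quoted in the thread (assumption).
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d{6})\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)
NON_PRINTABLE = re.compile(r"[^\x20-\x7e]")

def suspect_fields(line):
    """Return the text fields containing non-printable-ASCII characters.

    Returns ["unparsed"] when the line does not fit the layout at all,
    which is what a truncated or interleaved write looks like.
    """
    m = ALERT_RE.match(line)
    if m is None:
        return ["unparsed"]
    return [name for name in ("msg", "cls", "proto")
            if m.group(name) is not None and NON_PRINTABLE.search(m.group(name))]

def scan(lines):
    """Return [(line_number, fields)] for every non-empty line that looks damaged."""
    hits = []
    for number, raw in enumerate(lines, 1):
        line = raw.rstrip("\r\n")
        if line and suspect_fields(line):
            hits.append((number, suspect_fields(line)))
    return hits

# Constructed clean line (same shape as the sample, placeholder destination).
CLEAN = ("11/24/02-07:16:20.100000 [**] [1:1256:6] WEB-IIS CodeRed v2 root.exe access [**] "
         "[Classification: Web Application Attack] [Priority: 1] {TCP} "
         "217.229.243.2:4300 -> 192.0.2.10:80")
# The corrupt line exactly as quoted in the message.
CORRUPT = ("11/24/02-07:16:22.396742 [**] [1:1256:6] WEB-IIS CodeRed v2 root.exe access [**] "
           "[Classification: X² Attack³] [Priority: 1] {TCP} "
           "217.229.243.2:4300 -> xxx.xxx.xxx.xxx:80")
# Constructed truncated line, as a partial write would leave behind.
SAMPLE = [CLEAN, CORRUPT, "11/24/02-07:16:2"]

if __name__ == "__main__":
    for number, fields in scan(SAMPLE):
        print(f"line {number}: damaged field(s): {', '.join(fields)}")
```

To run it over a real alert.ids, open the file with `encoding="latin-1"` so every byte decodes and damaged characters are reported rather than raising a decode error.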
Current thread:
- MySQL on Another Server (#2) L. Christopher Luther (Nov 25)
- <Possible follow-ups>
- RE: MySQL on Another Server (#2) Hicks, John (Nov 27)
- RE: MySQL on Another Server (#2) L. Christopher Luther (Nov 27)
- RE: RE: MySQL on Another Server (#2) Michael Steele (Nov 27)
- RE: RE: MySQL on Another Server (#2) L. Christopher Luther (Nov 27)