Snort mailing list archives
RE: RE: MySQL on Another Server (#2)
From: "L. Christopher Luther" <CLuther () Xybernaut com>
Date: Wed, 27 Nov 2002 17:54:30 -0500
I'm using Snort 1.8.6 w/ WinPCap 2.02 on a dual PIII NT 4.0 computer. And
yes, I know WinPCap is not supported on SMP platforms, and yes, Snort 1.8.7+
is better, but WinPCap 2.3 will not run on my SMP server w/o disabling one
processor, which I'm not willing to do. So, it's Snort 1.8.6 and WinPCap
2.02.
It's been working fine up until I started logging to a MySQL database on
another computer. I was using IDScenter and the "-A fast" command line to
launch Snort w/o using any output plugins in the snort.conf file. I've
since removed the "-A" command line parameter and started using the
following options in my snort.conf file:
output alert_fast: alert.ids
output database: log, Mysql, ... [snip]
I am getting data logged to the MySQL database, and the alert.ids file is
being populated (which IDScenter monitors for changes so that it can
generate e-mail messages). The weirdness is that some of the output
being written to the alert.ids file is now corrupt. For example:
11/24/02-07:16:22.396742 [**] [1:1256:6] WEB-IIS CodeRed v2 root.exe access [**] [Classification: X² Attack³] [Priority: 1] {TCP} 217.229.243.2:4300 -> xxx.xxx.xxx.xxx:80
The "Classification" text is munged. I don't know if using two output
plugins is causing the problems or what.
I've since restarted the server and Snort (I was starting/stopping Snort a
whole bunch as I was testing things) in hopes that it was a random bunch of
Windoze weirdness. I'm going to see how things go through the weekend. If
no more weirdness, then fine. Otherwise, I'm disabling the output
plugins and sticking with the plain ol' "-A fast" option.
- Christopher
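The symptom above is a `[Classification: ...]` field that no longer contains plain ASCII, while the rest of the alert_fast record (timestamp, `[gid:sid:rev]`, message, priority, protocol and endpoints) is intact. The following parser is an added example, not code from the thread or from the Snort project: it reads alert_fast lines in the layout quoted above, splits them into fields, and flags any record whose message or classification carries non-ASCII or non-printable characters, so that a munged alert.ids can be audited rather than trusted by a downstream notifier such as the one described. The sample lines, the 192.0.2.0/24 addresses and the "Web Application Attack" classification text are constructed for the example.

```python
import re
from typing import Iterable, Optional

# One Snort alert_fast ("-A fast") record, as quoted in the thread.
# The Classification block is optional because rules without a classtype
# emit only the Priority block.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<pri>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


def looks_clean(text: str) -> bool:
    """True when a field holds only printable 7-bit ASCII.

    Rule messages and classification names come from ASCII rule files, so
    anything outside that range means the record was damaged before it
    reached the file.
    """
    return text.isascii() and text.isprintable()


def parse_alert(line: str) -> Optional[dict]:
    """Parse one alert_fast line into a dict; None if the layout does not match."""
    m = ALERT_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    rec = m.groupdict()
    for key in ("gid", "sid", "rev", "pri"):
        rec[key] = int(rec[key])
    cls = rec["cls"]
    # Corrupt = free-text fields carry non-ASCII or unprintable characters,
    # which is exactly the "Classification" symptom reported above.
    rec["corrupt"] = not (looks_clean(rec["msg"]) and (cls is None or looks_clean(cls)))
    return rec


def audit_alerts(lines: Iterable[str]) -> dict:
    """Count ok / corrupt / unparsed records and collect the offending lines."""
    summary = {"ok": 0, "corrupt": 0, "unparsed": 0, "bad_lines": []}
    for n, line in enumerate(lines, start=1):
        if not line.strip():
            continue
        rec = parse_alert(line)
        if rec is None:
            summary["unparsed"] += 1
            summary["bad_lines"].append((n, "unparsed", line.rstrip()))
        elif rec["corrupt"]:
            summary["corrupt"] += 1
            summary["bad_lines"].append((n, "corrupt", line.rstrip()))
        else:
            summary["ok"] += 1
    return summary


# Constructed sample input: a clean record, a record reproducing the munged
# Classification text from the thread, and one non-alert line. Addresses are
# from the 192.0.2.0/24 documentation range, not from a real sensor.
SAMPLE_ALERTS = [
    "11/24/02-07:16:22.396742 [**] [1:1256:6] WEB-IIS CodeRed v2 root.exe access "
    "[**] [Classification: Web Application Attack] [Priority: 1] {TCP} "
    "192.0.2.10:4300 -> 192.0.2.80:80",
    "11/24/02-07:16:22.396742 [**] [1:1256:6] WEB-IIS CodeRed v2 root.exe access "
    "[**] [Classification: X\u00b2 Attack\u00b3] [Priority: 1] {TCP} "
    "192.0.2.10:4300 -> 192.0.2.80:80",
    "this line is not an alert at all",
]

if __name__ == "__main__":
    result = audit_alerts(SAMPLE_ALERTS)
    print(f"ok={result['ok']} corrupt={result['corrupt']} unparsed={result['unparsed']}")
    for n, status, text in result["bad_lines"]:
        print(f"line {n}: {status}: {text}")
```

Run against a real alert.ids by passing `open("alert.ids", encoding="latin-1")` to `audit_alerts`; the latin-1 decoding is deliberate, since it never raises on stray bytes and so lets every damaged record be reported instead of aborting the audit.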
-----Original Message-----
From: Michael Steele [mailto:michaels () silicondefense com]
Sent: Wednesday, November 27, 2002 3:20 PM
To: 'L. Christopher Luther'; snort-users () lists sourceforge net
Subject: RE: [Snort-users] RE: MySQL on Another Server (#2)
Sensitivity: Confidential
Hummmm,
This is a good one :-)
Ok, can you describe in detail the "other weird things are happening..."?
-Michael
--
Michael Steele | System Engineer / Support Technician
mailto:michaels () silicondefense com
Silicon Defense: IDS solutions - http://www.silicondefense.com
Snort: Open Source Network IDS - http://www.snort.org
-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of L. Christopher
Luther
Sent: Wednesday, November 27, 2002 10:59 AM
To: 'Hicks, John'
Cc: Snort-Users (E-mail)
Subject: [Snort-users] RE: MySQL on Another Server (#2)
Sensitivity: Confidential
Thanks. I found the binaries, but now other weird things are happening...
- Christopher
-----Original Message-----
From: Hicks, John [mailto:JHicks () JUSTICE GC CA]
Sent: Wednesday, November 27, 2002 10:04 AM
To: 'L. Christopher Luther'; Snort Users (E-mail)
Subject: RE: [Snort-users] MySQL on Another Server (#2)
Sensitivity: Confidential
All you need is the snort binary precompiled with mySQL support. You can get
it from www.silicondefense.com
HTH,
John
-----Original Message-----
From: L. Christopher Luther [mailto:CLuther () Xybernaut com]
Sent: Monday, November 25, 2002 7:22 PM
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] MySQL on Another Server (#2)
Sensitivity: Confidential
Can anyone tell me how exactly does Snort (Win32) connect to a remote
installation of MySQL (Win32)? I searched the MySQL web site but do not see
a Win32 client-only installation for MySQL; I only see a Linux client
installation for MySQL.
Sincerely,
L. Christopher Luther
Technical Consultant
Xybernaut Solutions, Inc.
(703) 654-3642
cluther () xybernaut com
http://www.xybernautsolutions.com
My PGP Public Key:
http://keyserver.pgp.com/pks/lookup?op=get&search=0x21261B88
