Snort mailing list archives

Mysql, log and portscan..


From: "Marco A. mateos" <specka () specka com>
Date: 11 Jan 2003 21:20:36 +0100

Hello, I'm a new user of snort 1.9.0 on redhat 7.2 (snort+snort+ACID)

I have a problem and don't see a solution.

In my case, I want to have the log in /var/log/snort and also to send the
logs to mysql.

My snort.conf file has:

var HOME_NET $eth0_ADDRESS
var EXTERNAL_NET any
var SMTP $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var DNS_SERVERS $HOME_NET 207.218.223.134 207.218.192.38
#var RULE_PATH ./
var SHELLCODE_PORTS !80
var HTTP_PORTS 80
var ORACLE_PORTS 1521

preprocessor frag2

preprocessor stream4: detect_scans, disable_evasion_alerts

preprocessor stream4_reassemble

preprocessor http_decode: 80 -unicode -cginull

preprocessor rpc_decode: 111 32771

preprocessor bo

preprocessor telnet_decode

preprocessor portscan: $HOME_NET 4 3 portscan.log

# I don't know how to use this directive
#preprocessor portscan-ignorehosts

output alert_syslog: LOG_AUTH LOG_ALERT

#output log_tcpdump: snort.log

output database: alert, mysql, user=myuser dbname=snort host=localhost password=mypass

include classification.config

include bad-traffic.rules
include exploit.rules
include scan.rules
include finger.rules
include ftp.rules
include telnet.rules
include smtp.rules
include rpc.rules
include rservices.rules
include dos.rules
include ddos.rules
include dns.rules
include tftp.rules
include web-cgi.rules
include web-coldfusion.rules
include web-iis.rules
include web-frontpage.rules
include web-misc.rules
include web-attacks.rules
include sql.rules
include x11.rules
include icmp.rules
include netbios.rules
include misc.rules
include attack-responses.rules
include backdoor.rules
include shellcode.rules
include policy.rules
include porn.rules
include info.rules
include icmp-info.rules
include virus.rules
include local.rules



And in the snort init file:

. /etc/rc.d/init.d/functions

INTERFACE=eth0

# See how we were called.
case "$1" in
  start)
        echo -n "Starting snort: "
        cd /var/log/snort
#####################################################################
        ### This line activates writing to the log /var/log/snort/alert
        daemon /usr/sbin/snort -A full -b -l /var/log/snort -d -D \
                 -i $INTERFACE -c /etc/snort/snort.conf
#####################################################################
        ## If -A full -b are deleted, it writes to the mysql database snort
#####################################################################
        touch /var/lock/subsys/snort
        echo
        ;;
  stop)
        echo -n "Stopping snort: "
        killproc snort
        rm -f /var/lock/subsys/snort
        echo
        ;;
  restart)
        $0 stop
        $0 start
        ;;
  status)
        status snort
        ;;
  *)
        echo "Usage: $0 {start|stop|restart|status}"
        exit 1
esac

exit 0

Neither works.
The logs go either to the text file or to mysql.
In any case I am able to see port scans, and through another tool
(portsentry) I am certain that I have them.

I would like to write the log to alert and portscan too, because I would like
to send it with extractor 4.0 to https://analyzer.securityfocus.com/.
And everything to the mysql database to see it with ACID. I have worked all
afternoon on this.


Thanks for your help. My English is bad.



-- 
Marco A. Mateos - Linux User: 209189
www.lomejordeinternet.net / specka.com
graficas.lomejordeinternet.net - Graphic Arts Portal
hosting.lomejordeinternet.net - Hosting, housing and consulting
specka () quitaesto specka com / ICQ: 172542875
Public key available at pgp.rediris.es

Attachment: signature.asc
Description: This part of the message is digitally signed
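An added configuration example, not from the original message or from the Snort project, showing one way to get both the text files and the database at the same time: the -A full -b switches are dropped from the init script's daemon line (the message's own comment observes that they leave the database plugin unused, because command-line alert and log switches take precedence over output plugins in snort.conf), and the file outputs are declared in snort.conf instead. The file names alert and snort.log are assumptions; the database credentials are the placeholders from the message.

```conf
# /etc/snort/snort.conf, output section only (added example).
# Assumes the init script starts snort WITHOUT -A full -b, e.g.:
#   daemon /usr/sbin/snort -l /var/log/snort -d -D -i eth0 -c /etc/snort/snort.conf
# Command-line alert/log switches override the plugins below, so keeping
# -A full -b on that line would again bypass the database plugin.

# Full-format text alerts in /var/log/snort/alert (what -A full produced)
output alert_full: alert

# Binary tcpdump-format packet log in /var/log/snort/snort.log (what -b produced)
output log_tcpdump: snort.log

# Alerts also to MySQL for ACID (credentials are the message's placeholders)
output database: alert, mysql, user=myuser dbname=snort host=localhost password=mypass

# Syslog copy, unchanged from the original configuration
output alert_syslog: LOG_AUTH LOG_ALERT

# The portscan preprocessor keeps its own text file independently of the
# output plugins above; scan start/end events still go through the alert chain
preprocessor portscan: $HOME_NET 4 3 portscan.log
```

With the plugins declared this way, the alert file, the binary log and the database are all fed from the same alert chain, so a rule hit in one should appear in the others.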

