Snort mailing list archives
Arrrghhh!....help..me...
From: "Tim" <twrodriguez () earthlink net>
Date: Wed, 28 May 2003 20:48:28 -0400
Frustration has set in and the answer is probably under my nose and I can't see it. I really need for someone to please point it out for me. I'm not new to snort or configuring ACID, MySQL with its accompanying programs in order to help view alerts in ACID.....ie., gd, php, phplot..etc. JPgraph is new and I haven't had a chance to play with it...yet..

First, I'm running RH 7.3 completely updated through the RHN on two machines...hardware is exactly the same on both machines....plenty of processing power and memory......500mhz/256 MB and a 9GB IDE drive. Plenty for my little home-network-lab. The firewall is Iptables latest version on a separate machine with the same (3 NICs) hardware, totally set up and functional. On the snort (Version 2.0) machine I have 4 NICs, one for management and the other three for the sensors.

eth0 ---> Management
eth1 ---> LAN
eth2 ---> INTERNET
eth3 ---> DMZ

I have 3 poor man's taps, (hubs), for my sensors to monitor the traffic. Snort was configured with --with-mysql=DIR for database support. Snort is up and running fine...this is the script I use to fire up snort:

#!/bin/sh
#
# snortd        Start/Stop the snort IDS daemon.
#
# chkconfig: 2345 40 60
# description: snort is a lightweight network intrusion detection tool
#
# Source function library.
. /etc/rc.d/init.d/functions

# Specify network interface here
INTERFACE1=eth1
INTERFACE2=eth2
INTERFACE3=eth3
SNORT=/usr/local/bin/snort

# How they are called.
# (NB: the interface list above has eth1 as LAN and eth2 as INTERNET; the
# sensor labels and conf files below are kept as posted.)
case "$1" in
  start)
        echo -n "Starting snort sensor INET: "
        ifconfig $INTERFACE1 promisc up
        daemon $SNORT -o -i $INTERFACE1 -d -D \
            -c /etc/snort/rules/snort-inet.conf
        touch /var/lock/subsys/snort1
        echo
        echo -n "Starting snort sensor LAN: "
        ifconfig $INTERFACE2 promisc up
        daemon $SNORT -o -i $INTERFACE2 -d -D \
            -c /etc/snort/rules/snort-lan.conf
        touch /var/lock/subsys/snort2
        echo
        echo -n "Starting snort sensor DMZ: "
        ifconfig $INTERFACE3 promisc up
        daemon $SNORT -o -i $INTERFACE3 -d -D \
            -c /etc/snort/rules/snort-dmz.conf
        touch /var/lock/subsys/snort3
        echo
        ;;
  stop)
        echo -n "Stopping snort: "
        killproc snort
        rm -f /var/lock/subsys/snort*
        echo
        ;;
  restart)
        $0 stop
        $0 start
        ;;
  status)
        status snort
        ;;
  *)
        echo "Usage: $0 {start|stop|restart|status}"
        exit 1
        ;;
esac
exit 0

This works well...any suggestion for improvement will be appreciated. The snort-.....conf files have had their output plugins configured as such:

output database: log, mysql, user=snort password=xxxxxx dbname=snort host=x.x.x.x sensor_name=xxxxx

On the ACID box I have installed:
Apache 1.3.27
MySQL 3.23.56-1
MySQL-client 3.23.56-1
MySQL-shared 3.23.56-1

commands used:
set password for 'root'@'localhost'=password('mypassword');
create database snort;
connect snort
source create_mysql
grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort;
grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort@localhost;
connect mysql
set password for 'snort'@'localhost'=password('mypassword');
set password for 'snort'@'%'=password('mypassword');
flush privileges;
exit

php-4.1.2-73.6
php-mysql-4.1.2-7.3

Untarred and copied the following files to /var/www/html:
acid 0.9.6b23
adodb331
gd 1.8.4
phplot 4.4.6

Variables on ACID are as follows:
$DBlib_path = "../adodb";
$alert_dbname = "snort";
$alert_user = "snort";
$alert_password = "xxxx";
$ChartLib_path = "../phplot";

This should be enough for me to be able to start snort and log alerts to the database and view them with ACID, or at least I thought so.
It seems that the sensors are being inserted into the mysql database, however they are not viewable through ACID and snort is not logging alerts to the database.....even though it does capture packets and they are viewable in real time through the output on screen...no error messages from anywhere that I have been able to see so far ("tail -100 /var/log/messages"). I know, I know, switch from log to alert in the output database line, but I have done that to no avail. Snort fires up correctly and the fact that the sensors are being inserted into the database shows me that there is connectivity with the MySQL snort database...I'm at a loss. Any help will be gratefully appreciated. I have re-installed the system twice now and am on the brink of sheer frustration ... The funny thing is that I have installed the Snort/ACID IDS system prior to snort 2.0 with not much trouble on numerous occasions. Tim--Mia/Fla
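As an added diagnostic (not from Tim's post or the Snort project), here is a small sh function that reads the "output database:" line of each snort-*.conf and reports the facility, the database type and any parameter that is missing, so the three sensor configs can be compared before chasing the database side; the conf paths and the sample lines are constructed for illustration:

```shell
#!/bin/sh
# check_db_output CONF
# Reads the first "output database:" directive in CONF and reports on it.
# Returns 0 when the directive names mysql and carries every expected
# key=value, 1 otherwise. The facility (log/alert) is reported, not judged.
check_db_output() {
    conf="$1"
    line=$(grep '^output database:' "$conf" | head -n 1)
    if [ -z "$line" ]; then
        echo "$conf: no 'output database:' directive, nothing will reach MySQL"
        return 1
    fi
    # Layout: output database: <facility>, <dbtype>, key=value key=value ...
    rest=${line#output database:}
    facility=$(echo "$rest" | cut -d, -f1 | tr -d ' \t')
    dbtype=$(echo "$rest" | cut -d, -f2 | tr -d ' \t')
    params=$(echo "$rest" | cut -d, -f3-)
    rc=0
    case "$facility" in
        alert) echo "$conf: facility is 'alert'" ;;
        log)   echo "$conf: facility is 'log' (not 'alert')" ;;
        *)     echo "$conf: unknown facility '$facility'"; rc=1 ;;
    esac
    if [ "$dbtype" != mysql ]; then
        echo "$conf: database type is '$dbtype', not mysql"
        rc=1
    fi
    # Every key the post's directive uses should be present once per sensor.
    for key in user password dbname host sensor_name; do
        case " $params " in
            *" $key="*) ;;
            *) echo "$conf: missing $key="; rc=1 ;;
        esac
    done
    return $rc
}

# Usage: ./check-db-output.sh /etc/snort/rules/snort-*.conf  (paths assumed)
for f in "$@"; do
    check_db_output "$f"
done
```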
Current thread:
- Arrrghhh!....help..me... Tim (May 28)
- Re: Arrrghhh!....help..me... Demetri Mouratis (May 28)