Re: No output to ACID

[Edin Dizdarevic <edin.dizdarevic () interActive-Systems de>]

That looks good to me.

Now run Snort without the -T (test) switch, of course, but with -D 
(background deamon).

The configuration file is now important. It is easy to make some
alerts with nmap if you use the strem4 preprocessor to detect scans
(detect_scans) and the SYN-FIN-scan with nmap. Turn on the syslog
plugin too, and watch your /var/log/messages. If you do the
connect-scan with nmap and the portscan(2) preprocessor is turned off,
no alerts will come up. Turn everything on for the beginning and tune
your config down then.

Sorry telling you that, but now the hard part is comming: The
configuration.

Have fun,

Edin


Jill Tovey wrote:
> okay,
>
> I have redone the privileges, and seem to be getting somewhere,
> the output I get from  snort -v -c /etc/snort/snort.conf -T -i eth0 is
> now:
>
> Log directory = /var/log/snort
>
> Initializing Network Interface eth0
>
>         --== Initializing Snort ==--
> Decoding Ethernet on interface eth0
> Initializing Preprocessors!
> Initializing Plug-ins!
> Initializating Output Plugins!
> Parsing Rules file /etc/snort/snort.conf
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> No arguments to frag2 directive, setting defaults to:
>     Fragment timeout: 60 seconds
>     Fragment memory cap: 4194304 bytes
>     Fragment min_ttl:   0
>     Fragment ttl_limit: 5
>     Fragment Problems: 0
> Stream4 config:
>     Stateful inspection: ACTIVE
>     Session statistics: INACTIVE
>     Session timeout: 30 seconds
>     Session memory cap: 8388608 bytes
>     State alerts: INACTIVE
>     Evasion alerts: INACTIVE
>     Scan alerts: ACTIVE
>     Log Flushed Streams: INACTIVE
>     MinTTL: 1
>     TTL Limit: 5
> No arguments to stream4_reassemble, setting defaults:
>      Reassemble client: ACTIVE
>      Reassemble server: INACTIVE
>      Reassemble ports: 21 23 25 53 80 143 110 111 513
>      Reassembly alerts: ACTIVE
>      Reassembly method: FAVOR_OLD
> database: compiled support for ( mysql )
> database: configured to use mysql
> database:          user = snort
> database: password is set
> database: database name = snort
> database:          host = 192.168.0.2
> Node unique name is: 192.168.0.2
> database:   sensor name = 192.168.0.2
> database:     sensor id = 1
> database: schema version = 106
> database: using the "alert" facility
> 1604 Snort rules read...
> 1604 Option Chains linked into 176 Chain Headers
> 0 Dynamic rules
> +++++++++++++++++++++++++++++++++++++++++++++++++++
>
> Rule application order: ->activation->dynamic->alert->pass->log
>
>         --== Initialization Complete ==--
>
> -*> Snort! <*-
> Version 1.8.7 (Build 128)
> By Martin Roesch (roesch () sourcefire com, www.snort.org)
>
> Snort sucessfully loaded all rules and checked all rule chains!
> database: Closing mysql connection to database "snort"
>
> The acid interface still seems to be empty though, is that because I
> just don't have anything to report yet?
> I just did an nmap scan on 192.168.0.2 but nothing has shown up.
>
>
>
>
>
>
> On Tue, 2003-04-15 at 12:36, Edin Dizdarevic wrote:
>
> > Hi,
> >
> > login in MySQL and grant your user access to the DB-tables.
> >
> > That is done with something like this:
> >
> > GRANT privileges on <DB>.<table> to 'user'@'host' identified by 
> > 'password';
> >
> > For ex.
> >
> > GRANT ALL on snort.* to 'snortlogger'@'192.168.0.2' identified by 
> > 'your_secret_and_long_pw';
> >
> > privileges may be=SELECT, UPDATE, ALTER, ...
> > MySQL-DB=snort
> > user=snortlogger
> > host=192.168.0.2
> > password=your_secret_and_long_pw
> >
> > I would rather use IPs instead of hostnames, since they may change
> > more often.
> >
> > Remember: That user is then able to delete the alerts too and that may
> > be not what you want. Check the ACID docs in order to learn more about
> > that.
> >
> > I will give you one more hint:
> >
> > This is how you revoke grants:
> >
> > REVOKE privileges on <DB>.<table> from 'user'@'host';
> >
> > Regards,
> >
> > Edin
> >
> > Jill Tovey wrote:
> >
> > > Hi Edin,
> > >
> > > Yes, I created the DB and tables with the latest create_mysql scripts.
> >
> > > ...
> >
> >
> >
> >
> > --
> > Edin Dizdarevic

--
Edin Dizdarevic
Networking Unit
Internet- & e-Security

iAS interActive Systems
Gesellschaft fuer interaktive Medien mbH
Dieffenbachstr. 33c
10967 Berlin
Germany

fon     +49-(0)30 69 004-123
fax     +49-(0)30 69 004-101
mail    edin.dizdarevic () interActive-Systems de
URL     http://www.interActive-Systems.de/security



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users