Snort mailing list archives
Re: output module bug in 2.4.3-RC3
From: Will Metcalf <william.metcalf () gmail com>
Date: Mon, 23 Jan 2006 21:00:12 -0600
Can you send us a scrubbed version of your shorewall output?

/sbin/shorewall status > /tmp/status.txt
/sbin/shorewall show > /tmp/show.txt

On 1/23/06, Michael W Cocke <cocke () catherders com> wrote:

I took the advice in the docs and only configured for logs. I did try configuring for alerts previously and there was no difference.

Mike-

On Mon, 23 Jan 2006 20:44:52 -0500, you wrote:

Do you see anything going to the alert log file?

Axton Grams

On 1/23/06, Michael W Cocke <cocke () catherders com> wrote:

Well, it seemed like a good idea, but that wasn't it. I stuck in an accept (instead of queue) on that port, but no change.

Mike-

On Mon, 23 Jan 2006 19:08:36 -0500, you wrote:

That would be my guess. The best way to test would be to limit what you queue to not include the mysql traffic.

Axton Grams

On 1/23/06, Michael W Cocke <cocke () catherders com> wrote:

To be honest, I have more faith in my ability to just forward everything to the queue than to just try to separate one thing out, but you just gave me an interesting idea. You mean snort -Q might be interfering with the mysql packets, which snort without -Q isn't? Lemme go add an accept rule for that port.

Mike-

On Mon, 23 Jan 2006 18:12:03 -0500, you wrote:

What if you were to start with something simple in the iptables rules that sent packets to queue, like icmp only, or some unneeded service, like ftp or telnet. This will ensure that the queuing will not interfere with writing to mysql and will give you a limited testbed in order to work to get the queueing working properly.

Axton Grams

On 1/23/06, Michael W Cocke <cocke () catherders com> wrote:

<sigh> What I forgot to write was that I'm currently running snort_inline _AND_ snort, exactly like this -

snort_inline -c /etc/snort/snort.conf -Q
snort -c /etc/snort/snort.conf

If I drop the -Q from the snort command line (or the snort_inline command line), database writes work fine. What I have no confidence in and no way to test is if anything is actually being done with the packets in the queue. Database connectivity is working fine - as long as I don't try to use the QUEUE facility in either snort or snort_inline.

Mike-

On Mon, 23 Jan 2006 17:14:14 -0500, you wrote:

First, verify connectivity to the db host using the mysql client on the sensor. It should be something along the lines of:

# mysql -p
Enter password: xxx
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 28 to server version: x.x.x

Did you configure the db for logging use in snort.conf? The line should look something like:

output database: log, mysql, user=<user> password=<password> dbname=<db name> host=<host>

If so, did you create the tables in the db for snort to use to log the alerts using ./snort-2.4.3/schemas/create_mysql?

If so, did you give the proper grants to the tables for insert/update/delete, where appropriate, to the user defined in the snort.conf file?

Axton Grams

On 1/23/06, Michael W Cocke <cocke () catherders com> wrote:

I was absolutely certain that it was something that I did wrong, so I went back to the beginning, reinstalled all the requires, compiled snort from scratch, turned on every log file I could find, and built a rule to log every occurrence of GET on port 80. I've tried both snort and snort-inline compiled with --enable-inline and --with-mysql. Running with this command line

snort -Q -c /etc/snort/snort.conf -v

(replace snort with snort_inline as you wish). I get lots of screen activity from the -v, but snort doesn't write anything to a mysql database. Neither does snort_inline 2.4.3-RC3, compiled with the same options.

If anyone has a suggestion or would like me to try something, email me.

Mike-

--
If you're not confused, you're not trying hard enough.
--
Please note - Due to the intense volume of spam, we have installed site-wide spam filters at catherders.com. If email from you bounces, try non-HTML, non-encoded, non-attachments.

-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files for problems? Stop!
Download the new AJAX search engine that makes searching your log files as easy as surfing the web. DOWNLOAD SPLUNK!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
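Axton's suggestion in the thread (queue only one unneeded protocol at first, and keep the sensor's own MySQL traffic out of the queue so the database output plugin can still write) is shown below as an added shell example. It is not code from the thread or from the Snort project. The MySQL server address (192.0.2.10), the port (3306), starting with ICMP only, and the DRY_RUN switch are assumptions made for the example; it targets the old iptables QUEUE target that snort_inline 2.4 read via ip_queue.

```shell
#!/bin/sh
# Added example (not from the thread): stage ip_queue for snort -Q so that only
# one protocol is queued, and the sensor's own MySQL connection is ACCEPTed
# before any QUEUE rule can grab it. DB host, port 3306 and ICMP-first are
# assumptions, not values from the original messages.
DB_HOST="${DB_HOST:-192.0.2.10}"     # assumed address of the MySQL server
DB_PORT="${DB_PORT:-3306}"           # assumed MySQL port
QUEUE_PROTO="${QUEUE_PROTO:-icmp}"   # queue icmp only; widen once DB logging works
DRY_RUN="${DRY_RUN:-1}"              # DRY_RUN=0 (as root) applies the rules for real

# Print or execute an iptables command depending on DRY_RUN.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Emit the rule set with -A throughout, so command order equals chain order:
# the ACCEPT rules for the DB connection land before the QUEUE rules.
snort_queue_rules() {
    # Sensor -> MySQL and the replies back, never queued.
    ipt -A OUTPUT -p tcp -d "$DB_HOST" --dport "$DB_PORT" -j ACCEPT
    ipt -A INPUT  -p tcp -s "$DB_HOST" --sport "$DB_PORT" -j ACCEPT
    # Only the chosen protocol goes to the queue that snort -Q reads.
    ipt -A INPUT   -p "$QUEUE_PROTO" -j QUEUE
    ipt -A FORWARD -p "$QUEUE_PROTO" -j QUEUE
    ipt -A OUTPUT  -p "$QUEUE_PROTO" -j QUEUE
}

# Render the rule list as text in a subshell, so forcing DRY_RUN=1 here never
# leaks into the caller's setting (dash keeps VAR=x func assignments).
render_rules() {
    ( DRY_RUN=1; snort_queue_rules )
}

# Check the generated list: the last DB ACCEPT must precede the first QUEUE
# rule, otherwise the database output plugin's packets would be queued too.
check_order() {
    rules=$(render_rules)
    first_queue=$(printf '%s\n' "$rules" | grep -n -- '-j QUEUE' | head -n 1 | cut -d: -f1)
    last_accept=$(printf '%s\n' "$rules" | grep -n -- '-j ACCEPT' | tail -n 1 | cut -d: -f1)
    [ -n "$first_queue" ] && [ -n "$last_accept" ] && [ "$last_accept" -lt "$first_queue" ]
}

# Number of QUEUE rules in the generated list (one per chain).
count_queue_rules() {
    render_rules | grep -c -- '-j QUEUE'
}

check_order || { echo "rule ordering is wrong, not applying" >&2; exit 1; }
snort_queue_rules
```

Run it as-is to see the rules it would add; run it with DRY_RUN=0 as root on the sensor to apply them, then start snort_inline with -Q and confirm the database output starts filling before widening QUEUE_PROTO. Everything not matched by a QUEUE rule follows the normal chain policy, so the MySQL ACCEPT rules are only strictly needed once you start queueing tcp.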
Current thread:
- output module bug in 2.4.3-RC3 Michael W Cocke (Jan 23)
- Message not available
- Re: output module bug in 2.4.3-RC3 Michael W Cocke (Jan 23)
- Message not available
- Re: output module bug in 2.4.3-RC3 Michael W Cocke (Jan 23)
- Message not available
- Re: output module bug in 2.4.3-RC3 Michael W Cocke (Jan 23)
- Message not available
- Re: output module bug in 2.4.3-RC3 Michael W Cocke (Jan 23)
- Re: output module bug in 2.4.3-RC3 Will Metcalf (Jan 23)
- Re: output module bug in 2.4.3-RC3 Michael W Cocke (Jan 24)
- Re: output module bug in 2.4.3-RC3 Michael W Cocke (Jan 23)
- Message not available