Snort mailing list archives
Re: Snort is not logging :(
From: Yousef Raffah <yraffah () savola com>
Date: Tue, 04 Jul 2006 11:23:11 +0300
On Mon, 2006-07-03 at 15:41 +0300, Yousef Raffah wrote:
Hi, I'm quite new to snort but I have configured it at least once in the past and was successful in reaching the results I was expecting; however, now I'm kinda stuck with a new implementation of snort. My new environment is as follows:

OS: FreeBSD 6.1-STABLE
snort: Version 2.4.5 (Build 29)
Mysql: mysql Ver 14.7 Distrib 4.1.20, for portbld-freebsd6.1 (i386) using 5.0

I tried to follow the great documents written by Joshua D. Abraham on http://www.ccs.neu.edu/home/jabra/pub/snort-docs/

Unfortunately, I was not able to log snort logs into the database. I have set up the snort database structure, created a user and granted him the required permissions (I even gave him all permissions just to test), but no matter what I do, I get no luck with my logs and alerts being logged in the database.

According to FreeBSD's rc script, snort is being started with -Dq -s, and from my little understanding, -s is used to alert to syslog, but I guess that would not make a difference here, would it? Anyhow, I have removed the -s and tried to start snort but still don't see any progress.
Just to let you know that snort is starting and I can see a snort process, but no logging whatsoever :(

Here is my database part when starting snort (222.22.1.115 is my internal sensor's IP address):

database: compiled support for ( mysql )
database: configured to use mysql
database: user = snorter
database: password is set
database: database name = snortdb
database: host = localhost
database: sensor name = 222.22.1.115
database: sensor id = 1
database: schema version = 106
database: using the "log" facility
database: compiled support for ( mysql )
database: configured to use mysql
database: user = snorter
database: password is set
database: database name = snortdb
database: host = localhost
database: sensor name = 222.22.1.115
database: sensor id = 1
database: schema version = 106
database: using the "alert" facility

You can find my snort.conf file below:

var HOME_NET [222.22.0.0/16,172.31.0.0/16]
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24$
var RULE_PATH ./rules
config disable_decode_alerts
preprocessor flow: stats_interval 0 hash 2
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies
preprocessor telnet_decode
preprocessor xlink2state: ports { 25 691 }
output database: log, mysql, user=snorter password=mysnortpass dbname=snortdb host=localhost
output database: alert, mysql, user=snorter password=mysnortpass dbname=snortdb host=localhost
include classification.config
include reference.config
include $RULE_PATH/bleeding.rules

Any kind of help will be really appreciated.. Thanks in advance...
One update though: tcpdump shows there is traffic getting to the interface, but using the configuration above and the startup parameters I provided earlier doesn't show me anything. Can you please tell me what is wrong with that?

--
Sincerely,
Yousef Raffah
Senior Systems Administrator
--
Aren't you using Firefox? Get it at http://www.getfirefox.com
Attachment:
signature.asc
Description: This is a digitally signed message part
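As an added example (not from the thread and not Snort's own code), here is a small Python lint for a snort.conf of the shape posted above: it parses the var/preprocessor/output/include directives, resolves $VAR references, checks that each "output database:" line carries the user/password/dbname/host parameters the posted configuration passes to the mysql plugin, and checks that at least one .rules file is included. The sample configuration inside it is constructed from the post (abridged, and with the truncated AIM_SERVERS line cut down to two networks); the function names are the example's own. Run on that sample the lint returns no findings, which is useful in itself: a self-consistent file points the search at the database server, the grants, or whether any rule is actually firing, rather than at the syntax of snort.conf.

```python
"""Offline lint for a Snort 2.x snort.conf (added example, not Snort's code):
parses var/preprocessor/output/include directives, resolves $VAR references and
checks each 'output database:' line for the parameters the posted config uses."""
import re

# Constructed sample, abridged from the configuration in the post above
# (the AIM_SERVERS line was truncated there, so only two networks are kept).
SAMPLE_CONF = """\
var HOME_NET [222.22.0.0/16,172.31.0.0/16]
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var HTTP_PORTS 80
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23]
var RULE_PATH ./rules
config disable_decode_alerts
preprocessor frag3_global: max_frags 65536
preprocessor xlink2state: ports { 25 691 }
output database: log, mysql, user=snorter password=mysnortpass dbname=snortdb host=localhost
output database: alert, mysql, user=snorter password=mysnortpass dbname=snortdb host=localhost
include classification.config
include reference.config
include $RULE_PATH/bleeding.rules
"""

DB_PARAMS = ("user", "password", "dbname", "host")  # what the posted config passes


def parse_snort_conf(text):
    """Group directives by keyword; '#' comments and blank lines are dropped."""
    cfg = {"vars": {}, "preprocessors": [], "outputs": [], "includes": [], "configs": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        keyword, _, rest = line.partition(" ")
        rest = rest.strip()
        if keyword == "var":
            name, _, value = rest.partition(" ")
            cfg["vars"][name] = value.strip()
        elif keyword == "output":
            plugin, _, args = rest.partition(":")
            cfg["outputs"].append((plugin.strip(), args.strip()))
        elif keyword in ("preprocessor", "include", "config"):
            cfg[keyword + "s"].append(rest)
    return cfg


def expand_vars(value, variables):
    """Replace every $NAME reference, recursively; KeyError names an undefined one."""
    def replace(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError(name)
        return expand_vars(variables[name], variables)
    return re.sub(r"\$(\w+)", replace, value)


def parse_database_output(args):
    """'log, mysql, user=x password=y ...' -> (facility, driver, {param: value})."""
    parts = [p.strip() for p in args.split(",", 2)]
    if len(parts) != 3:
        raise ValueError("database output needs '<facility>, <driver>, <params>': %r" % args)
    facility, driver, params = parts
    return facility, driver, dict(kv.split("=", 1) for kv in params.split() if "=" in kv)


def lint(text):
    """Return human-readable findings; [] means the file is self-consistent
    (which says nothing about the database server or the rules themselves)."""
    cfg = parse_snort_conf(text)
    findings = []
    for name, value in cfg["vars"].items():
        try:
            expand_vars(value, cfg["vars"])
        except KeyError as err:
            findings.append("var %s references undefined $%s" % (name, err.args[0]))
    for plugin, args in cfg["outputs"]:
        if plugin != "database":
            continue
        try:
            facility, driver, params = parse_database_output(args)
        except ValueError as err:
            findings.append(str(err))
            continue
        missing = [k for k in DB_PARAMS if k not in params]
        if missing:
            findings.append("output database (%s, %s) missing %s"
                            % (facility, driver, ", ".join(missing)))
    rule_files = []
    for inc in cfg["includes"]:
        try:
            rule_files.append(expand_vars(inc, cfg["vars"]))
        except KeyError as err:
            findings.append("include %s references undefined $%s" % (inc, err.args[0]))
    if not any(f.endswith(".rules") for f in rule_files):
        findings.append("no .rules file included: only preprocessor alerts can reach the output plugins")
    return findings


if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_CONF)) or "no findings: snort.conf is self-consistent")
```

Point lint() at the real file's contents to use it on a sensor; the checks deliberately stop at what can be verified without a running Snort or MySQL, so an empty result is the cue to look at the grants for the snort user and at whether any rule actually fires for the traffic tcpdump sees.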
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Snort is not logging :( Yousef Raffah (Jul 03)
- Re: Snort is not logging :( Yousef Raffah (Jul 04)