Snort mailing list archives

Re: Snort is not logging :(


From: Yousef Raffah <yraffah () savola com>
Date: Tue, 04 Jul 2006 11:23:11 +0300

On Mon, 2006-07-03 at 15:41 +0300, Yousef Raffah wrote:
Hi,

I'm quite new to snort but I have configured it at least once in the
past and was successful in reaching the results I was expecting; however,
now I'm kinda stuck with a new implementation of snort.

My new environment is as follows:

OS: FreeBSD 6.1-STABLE
snort: Version 2.4.5 (Build 29)
Mysql: mysql  Ver 14.7 Distrib 4.1.20, for portbld-freebsd6.1 (i386)
using  5.0

I tried to follow the great documents written by Joshua D. Abraham on
http://www.ccs.neu.edu/home/jabra/pub/snort-docs/

Unfortunately, I was not able to log snort logs into the database.
I have set up the snort database structure, created a user and granted him
the required permissions (I even gave him all permissions just to test),
but no matter what I do, I get no luck with my logs and alerts being
logged in the database.

According to FreeBSD's rc script, snort is being started with -Dq -s,
and from my little understanding, -s is used to alert syslog but I guess
that would not make a difference here, would it? Anyhow, I have removed
the -s and tried to start snort but still don't see any progress.

Just to let you know, snort is starting and I can see a snort
process, but no logging whatsoever :(

Here is the database part of the output when starting snort (222.22.1.115 is my
internal sensor's IP address):
database: compiled support for ( mysql )
database: configured to use mysql
database:          user = snorter
database: password is set
database: database name = snortdb
database:          host = localhost
database:   sensor name = 222.22.1.115
database:     sensor id = 1
database: schema version = 106
database: using the "log" facility
database: compiled support for ( mysql )
database: configured to use mysql
database:          user = snorter
database: password is set
database: database name = snortdb
database:          host = localhost
database:   sensor name = 222.22.1.115
database:     sensor id = 1
database: schema version = 106
database: using the "alert" facility


You can find my snort.conf file below:

var HOME_NET [222.22.0.0/16,172.31.0.0/16]
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS
[64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24$
var RULE_PATH ./rules
config disable_decode_alerts
preprocessor flow: stats_interval 0 hash 2
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies
preprocessor telnet_decode
preprocessor xlink2state: ports { 25 691 }
output database: log, mysql, user=snorter password=mysnortpass dbname=snortdb host=localhost
output database: alert, mysql, user=snorter password=mysnortpass dbname=snortdb host=localhost
include classification.config
include reference.config
include $RULE_PATH/bleeding.rules

Any kind of help will be really appreciated.

Thanks in advance...
One update though: tcpdump shows there is traffic getting to the
interface, but using the configuration above and the startup parameters
I provided earlier doesn't show me anything. Can you please tell me what
is wrong with that?

--
Sincerely,
Yousef Raffah
Senior Systems Administrator
--

Aren't you using Firefox? Get it at http://www.getfirefox.com
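Added here as a diagnostic, not code from the post or from the Snort project: the startup banner above shows the database plugin reached MySQL and was assigned sensor id 1, so the remaining question is whether any event rows ever arrive for that sensor. The two-table schema is a constructed subset of Snort schema 106 and an in-memory sqlite3 database stands in for MySQL; the same two queries can be issued against the real snortdb.

```python
import re
import sqlite3

# Constructed copy of the "database:" banner quoted in the post (one facility shown).
BANNER = """\
database: configured to use mysql
database:          user = snorter
database: password is set
database: database name = snortdb
database:          host = localhost
database:   sensor name = 222.22.1.115
database:     sensor id = 1
database: schema version = 106
database: using the "log" facility
"""

def parse_banner(text):
    """Collect the 'key = value' pairs the database plugin prints at startup."""
    info = {}
    for line in text.splitlines():
        m = re.match(r"database:\s*([^=]+?)\s*=\s*(.+?)\s*$", line)
        if m:
            info[m.group(1)] = m.group(2)
    return info

def build_demo_db(with_events):
    """Constructed subset of Snort schema 106: sensor and event tables, sensor 1 registered.
    The interface name 'em0' and the signature id are made-up sample values."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE sensor (sid INTEGER PRIMARY KEY, hostname TEXT, interface TEXT, last_cid INTEGER);
        CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
                            PRIMARY KEY (sid, cid));
        INSERT INTO sensor VALUES (1, '222.22.1.115', 'em0', 0);
    """)
    if with_events:
        conn.executemany("INSERT INTO event VALUES (?, ?, ?, ?)",
                         [(1, 1, 2001, '2006-07-04 10:00:00'),
                          (1, 2, 2001, '2006-07-04 10:00:05')])
    return conn

def diagnose(conn, sid):
    """Report where the chain stops: no sensor row (plugin never registered that sid),
    no event rows (connected, but no rule has fired), or ok."""
    cur = conn.cursor()
    if cur.execute("SELECT COUNT(*) FROM sensor WHERE sid = ?", (sid,)).fetchone()[0] == 0:
        return "no_sensor"
    n = cur.execute("SELECT COUNT(*) FROM event WHERE sid = ?", (sid,)).fetchone()[0]
    return "no_events" if n == 0 else "ok"

if __name__ == "__main__":
    sid = int(parse_banner(BANNER)["sensor id"])
    print(diagnose(build_demo_db(with_events=False), sid))  # the situation described in the post
```

A "no_events" result with a sensor row present points away from the database settings and toward the detection side (interface, rule set, traffic actually matching a rule).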

