Snort mailing list archives
Re: Snort not logging to Mysql Database on CentOS 5.1( x86_64) !!!
From: "Shiva Raman" <raman.shivag () gmail com>
Date: Tue, 12 Aug 2008 11:56:18 +0530
Thanks for the reply. Yes, I was running two different versions of Snort. I uninstalled both the versions, did a fresh install of snort-2.8.2.2-1.RH5.i386.rpm and snort-mysql-2.8.2.2-1.RH5.i386.rpm. Even now the database is not logging the snort logs. But I observe that the database logs the details of the sensor. Here is the output of the command:

[root@idps ~]# echo "select * from data" | mysql snort
(No entries / No output)

[root@idps ~]# echo "select * from sensor" | mysql snort
sid hostname interface filter detail encoding last_cid
2 192.168.10.18 eth0 NULL 1 0 0

So I think connectivity between snort and mysql is ok, but snort logs are not getting updated in the mysql database. Kindly advise anything else to be taken care of here.

Regards
Shiva Raman

On 8/8/08, Zakai Kinan <titanyen2000 () yahoo com> wrote:
Are you running two different versions?

ZK

--- On Thu, 8/7/08, Shiva Raman <raman.shivag () gmail com> wrote:

From: Shiva Raman <raman.shivag () gmail com>
Subject: [Snort-users] Snort not logging to Mysql Database on CentOS 5.1( x86_64) !!!
To: snort-users () lists sourceforge net
Date: Thursday, August 7, 2008, 11:49 PM

Dear All

I had installed CentOS 5.1 (x86_64) on an Intel Xeon 64-bit server. Following are the set of RPMs installed in the server, downloaded from the Snort web site:

snort-2.8.2.2-1.RH5.i386.rpm
snort-mysql-2.8.2.2-1.RH5.i386.rpm

The installation was completed successfully. The mysql database of snort has been created and the sql script was run. Then the service was started and this was showing status running fine. Running #snort -c /etc/snort/snort.conf also did not show any errors. The mysql database was enabled in snort.conf. The problem is that mysql is not logging any snort alerts to the database. Is it a problem with the 64-bit architecture, as the 32-bit rpms work fine and log into the database?
Following is the configuration of my /etc/snort/snort.conf:

var HOME_NET 192.168.0.0/24
var HONEYNET any
var EXTERNAL_NET !$HOME_NET
var SMTP_SERVERS any
var TELNET_SERVERS any
var HTTP_SERVERS any
var SQL_SERVERS any
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
config checksum_mode: none
var rule_path /etc/snort/rules
preprocessor flow: stats_interval 0 hash 2
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble: both
preprocessor stream4_reassemble: both,ports 21 23 25 53 80 110 111 139 143 445 513 1433
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500 no_alerts
preprocessor rpc_decode: 111 32771
preprocessor bo
output alert_fast: alert
include classification.config
include reference.config
output database: log, mysql, user=root dbname=snort host=localhost
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128
include $rule_path/attack-responses.rules
include $rule_path/backdoor.rules
include $rule_path/ddos.rules
include $rule_path/dns.rules
include $rule_path/pop3.rules
include $rule_path/smtp.rules
include $rule_path/icmp-info.rules
include $rule_path/multimedia.rules
include $rule_path/nntp.rules
include $rule_path/oracle.rules
include $rule_path/policy.rules
include $rule_path/porn.rules
include $rule_path/scan.rules
include $rule_path/telnet.rules
include $rule_path/tftp.rules
include $rule_path/web-cgi.rules
include $rule_path/web-coldfusion.rules
include $rule_path/x11.rules

and following is the output of # snort -c /etc/snort/snort.conf

[root@idps server ~]# snort -c /etc/snort/snort.conf
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf
PortVar 'HTTP_PORTS' defined :  [ 80 ]
PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined :  [ 1521 ]
,-----------[Flow Config]----------------------
| Stats Interval:  0
| Hash Method:     2
| Memcap:          10485760
| Rows  :          4096
| Overhead Bytes:  16388(%0.16)
`----------------------------------------------
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    Session count max: 8192 sessions
    Session cleanup count: 5
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: INACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
    Enforce TCP State: INACTIVE
    Midstream Drop Alerts: INACTIVE
    Allow Blocking of TCP Sessions in Inline: ACTIVE
Stream4_reassemble config:
    Server reassembly: ACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Zero out flushed packets: INACTIVE
    Flush stream on alert: INACTIVE
    flush_data_diff_size: 500
    Reassembler Packet Preferance : Favor Old Packet
    Sequence Overlap Limit: -1
    Flush behavior: Small (<255 bytes)
    Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
    Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
Stream4_reassemble config:
    Server reassembly: ACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Zero out flushed packets: INACTIVE
    Flush stream on alert: INACTIVE
    flush_data_diff_size: 500
    Reassembler Packet Preferance : Favor Old Packet
    Sequence Overlap Limit: -1
    Flush behavior: Small (<255 bytes)
    Ports: 21 23 25 53 80 110 111 139 143 445 513 1433
    Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
HttpInspect Config:
    GLOBAL CONFIG
      Max Pipeline Requests:    0
      Inspection Type:          STATELESS
      Detect Proxy Usage:       NO
      IIS Unicode Map Filename: /etc/snort/unicode.map
      IIS Unicode Map Codepage: 1252
    DEFAULT SERVER CONFIG:
      Server profile: All
      Ports: 80 8080 8180
      Flow Depth: 300
      Max Chunk Length: 500000
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Disable Alerting: YES
      Oversize Dir Length: 500
      Only inspect URI: NO
      Ascii: YES alert: NO
      Double Decoding: YES alert: YES
      %U Encoding: YES alert: YES
      Bare Byte: YES alert: YES
      Base36: OFF
      UTF 8: OFF
      IIS Unicode: YES alert: YES
      Multiple Slash: YES alert: NO
      IIS Backslash: YES alert: NO
      Directory Traversal: YES alert: NO
      Web Root Traversal: YES alert: YES
      Apache WhiteSpace: YES alert: NO
      IIS Delimiter: YES alert: NO
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
      Non-RFC Compliant Characters: NONE
      Whitespace Characters: 0x09 0x0b 0x0c 0x0d
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
Tagged Packet Limit: 256
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
1168 Snort rules read
    1168 detection rules
    0 decoder rules
    0 preprocessor rules
1168 Option Chains linked into 138 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
+-------------------[Rule Port Counts]---------------------------------------
|             tcp     udp    icmp      ip
|     src      88       9       0       0
|     dst     902      42       0       0
|     any      25       5     113       4
|      nc      13       1      83       2
|     s+d      10       3       0       0
+----------------------------------------------------------------------------
+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| gen-id=1      sig-id=2275     type=Threshold  tracking=dst count=5   seconds=60
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: activation->dynamic->pass->drop->sdrop->reject->alert->log
Log directory = /var/log/snort
Verifying Preprocessor Configurations!
Warning: flowbits key 'realplayer.playlist' is set but not ever checked.
14 out of 512 flowbits in use.

***
*** interface device lookup found: eth0
***

Initializing Network Interface eth0
Decoding Ethernet on interface eth0
database: compiled support for ( mysql )
database: configured to use mysql
database:          user = root
database: database name = snort
database:          host = localhost
database:   sensor name = 192.168.10.18
database:     sensor id = 3
database: schema version = 107
database: using the "log" facility

        [ Port Based Pattern Matching Memory ]
+-[AC-BNFA Search Info Summary]------------------------------
| Instances        : 117
| Patterns         : 2515
| Pattern Chars    : 40315
| Num States       : 29117
| Num Match States : 2398
| Memory           : 686.30Kbytes
|   Patterns       : 88.38K
|   Match Lists    : 135.42K
|   Transitions    : 452.45K
+-------------------------------------------------

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.0.1 (Build 72) inline
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2007 Sourcefire Inc., et al.
           Using PCRE version: 6.6 06-Feb-2006

Not Using PCAP_FRAMES

Please guide me how to resolve this problem.
Thanks and Regards
Shiva Raman
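The reply above confirms the sensor row (sid 2, last_cid 0) but then queries the data table, which in the Snort 2.x schema holds only packet payloads; alert rows live in the event table, keyed by sid and cid, and the sensor's last_cid advances as they are written. The following is an added example, not code from the thread, that performs that correlation against an in-memory SQLite copy of the two tables (constructed rows; the healthy sensor 1 is hypothetical). Pointing it at the real MySQL database only needs the connection swapped.

```python
import sqlite3

# Minimal copy of the two Snort 2.x schema tables that matter here: 'sensor'
# (columns as printed in the thread) and 'event' (one row per alert, sid+cid).
SCHEMA = """
CREATE TABLE sensor (sid INTEGER PRIMARY KEY, hostname TEXT, interface TEXT,
                     filter TEXT, detail INTEGER, encoding INTEGER, last_cid INTEGER);
CREATE TABLE event  (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
                     PRIMARY KEY (sid, cid));
"""

def build_sample_db():
    """Constructed data: sensor 2 is the row shown in the thread (last_cid 0);
    sensor 1 is a hypothetical healthy sensor with three logged events."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO sensor VALUES (?,?,?,?,?,?,?)", [
        (1, "192.168.10.17", "eth1", None, 1, 0, 3),
        (2, "192.168.10.18", "eth0", None, 1, 0, 0),
    ])
    conn.executemany("INSERT INTO event VALUES (?,?,?,?)", [
        (1, 1, 101, "2008-08-12 11:00:01"),
        (1, 2, 101, "2008-08-12 11:00:05"),
        (1, 3, 205, "2008-08-12 11:02:40"),
    ])
    return conn

def check_sensor_logging(conn):
    """Return {sid: status}: 'registered_no_events' is the symptom in the thread
    (sensor row written at startup, no event rows since); 'cid_mismatch' means
    events exist but last_cid disagrees with the highest cid; 'ok' otherwise."""
    rows = conn.execute(
        "SELECT s.sid, s.last_cid, COUNT(e.cid), COALESCE(MAX(e.cid), 0) "
        "FROM sensor s LEFT JOIN event e ON e.sid = s.sid GROUP BY s.sid"
    ).fetchall()
    status = {}
    for sid, last_cid, n_events, max_cid in rows:
        if n_events == 0:
            status[sid] = "registered_no_events"
        elif max_cid != last_cid:
            status[sid] = "cid_mismatch"
        else:
            status[sid] = "ok"
    return status

if __name__ == "__main__":
    for sid, state in sorted(check_sensor_logging(build_sample_db()).items()):
        print(f"sensor {sid}: {state}")
```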