Snort mailing list archives

Re: Snort not logging to Mysql Database on CentOS 5.1( x86_64) !!!


From: "Shiva Raman" <raman.shivag () gmail com>
Date: Tue, 12 Aug 2008 11:56:18 +0530

Thanks for the reply.

Yes, I was running two different versions of Snort. I uninstalled
both versions, did a fresh install of snort-2.8.2.2-1.RH5.i386.rpm
and snort-mysql-2.8.2.2-1.RH5.i386.rpm.

Even now the database is not logging the Snort logs, but I observe
that the database logs the details of the sensor.
Here is the output of the commands:
[root@idps ~]#  echo "select * from data" | mysql snort
(No entries / no output)
[root@idps  ~]# echo "select * from sensor" | mysql snort
sid     hostname        interface       filter  detail  encoding        last_cid
2       192.168.10.18   eth0    NULL    1       0       0


So I think connectivity between Snort and MySQL is OK, but Snort logs
are not getting updated in the MySQL database. Kindly advise anything else
to be taken care of here.

Regards

Shiva Raman

On 8/8/08, Zakai Kinan <titanyen2000 () yahoo com> wrote:
Are you running two different versions?


ZK



--- On Thu, 8/7/08, Shiva Raman <raman.shivag () gmail com> wrote:

From: Shiva Raman <raman.shivag () gmail com>
Subject: [Snort-users] Snort not logging to Mysql Database on CentOS 5.1( x86_64) !!!
To: snort-users () lists sourceforge net
Date: Thursday, August 7, 2008, 11:49 PM
Dear All,

I had installed CentOS 5.1 (x86_64) on an Intel Xeon 64-bit server.
Following are the set of RPMs installed in the server, downloaded from
the Snort web site:

snort-2.8.2.2-1.RH5.i386.rpm
snort-mysql-2.8.2.2-1.RH5.i386.rpm

The installation was completed successfully. The MySQL database of
Snort has been created and the SQL script was run. Then the service was
started and this was showing status running fine.
Running
 #snort -c /etc/snort/snort.conf
also did not show any errors.
The MySQL database was enabled in snort.conf.

The problem is that MySQL is not logging any Snort alerts to the
database. Is it a problem with the 64-bit architecture, as the 32-bit
RPMs work fine and log into the database?

Following is the configuration of my /etc/snort/snort.conf:

var HOME_NET 192.168.0.0/24
var HONEYNET any
var EXTERNAL_NET !$HOME_NET
var SMTP_SERVERS any
var TELNET_SERVERS any
var HTTP_SERVERS any
var SQL_SERVERS any
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
config checksum_mode: none
var rule_path /etc/snort/rules
preprocessor flow: stats_interval 0 hash 2
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble: both
preprocessor stream4_reassemble: both,ports 21 23 25 53 80 110 111 139 143 445 513 1433
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500 no_alerts
preprocessor rpc_decode: 111 32771
preprocessor bo
output alert_fast: alert
include classification.config
include reference.config
output database: log, mysql, user=root dbname=snort host=localhost
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128
include $rule_path/attack-responses.rules
include $rule_path/backdoor.rules
include $rule_path/ddos.rules
include $rule_path/dns.rules
include $rule_path/pop3.rules
include $rule_path/smtp.rules
include $rule_path/icmp-info.rules
include $rule_path/multimedia.rules
include $rule_path/nntp.rules
include $rule_path/oracle.rules
include $rule_path/policy.rules
include $rule_path/porn.rules
include $rule_path/scan.rules
include $rule_path/telnet.rules
include $rule_path/tftp.rules
include $rule_path/web-cgi.rules
include $rule_path/web-coldfusion.rules
include $rule_path/x11.rules

And following is the output of
# snort -c /etc/snort/snort.conf

[root@idps server ~]# snort -c /etc/snort/snort.conf
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf
PortVar 'HTTP_PORTS' defined :  [ 80]
PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535]
PortVar 'ORACLE_PORTS' defined :  [ 1521]
,-----------[Flow Config]----------------------
| Stats Interval:  0
| Hash Method:     2
| Memcap:          10485760
| Rows  :          4096
| Overhead Bytes:  16388(%0.16)
`----------------------------------------------
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    Session count max: 8192 sessions
    Session cleanup count: 5
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: INACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
    Enforce TCP State: INACTIVE
    Midstream Drop Alerts: INACTIVE
    Allow Blocking of TCP Sessions in Inline: ACTIVE
Stream4_reassemble config:
    Server reassembly: ACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Zero out flushed packets: INACTIVE
    Flush stream on alert: INACTIVE
    flush_data_diff_size: 500
    Reassembler Packet Preferance : Favor Old
    Packet Sequence Overlap Limit: -1
    Flush behavior: Small (<255 bytes)
    Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
    Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
Stream4_reassemble config:
    Server reassembly: ACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Zero out flushed packets: INACTIVE
    Flush stream on alert: INACTIVE
    flush_data_diff_size: 500
    Reassembler Packet Preferance : Favor Old
    Packet Sequence Overlap Limit: -1
    Flush behavior: Small (<255 bytes)
    Ports: 21 23 25 53 80 110 111 139 143 445 513 1433
    Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
HttpInspect Config:
    GLOBAL CONFIG
      Max Pipeline Requests:    0
      Inspection Type:          STATELESS
      Detect Proxy Usage:       NO
      IIS Unicode Map Filename: /etc/snort/unicode.map
      IIS Unicode Map Codepage: 1252
    DEFAULT SERVER CONFIG:
      Server profile: All
      Ports: 80 8080 8180
      Flow Depth: 300
      Max Chunk Length: 500000
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Disable Alerting: YES
      Oversize Dir Length: 500
      Only inspect URI: NO
      Ascii: YES alert: NO
      Double Decoding: YES alert: YES
      %U Encoding: YES alert: YES
      Bare Byte: YES alert: YES
      Base36: OFF
      UTF 8: OFF
      IIS Unicode: YES alert: YES
      Multiple Slash: YES alert: NO
      IIS Backslash: YES alert: NO
      Directory Traversal: YES alert: NO
      Web Root Traversal: YES alert: YES
      Apache WhiteSpace: YES alert: NO
      IIS Delimiter: YES alert: NO
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
      Non-RFC Compliant Characters: NONE
      Whitespace Characters: 0x09 0x0b 0x0c 0x0d
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
Tagged Packet Limit: 256

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
1168 Snort rules read
    1168 detection rules
    0 decoder rules
    0 preprocessor rules
1168 Option Chains linked into 138 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

+-------------------[Rule Port Counts]---------------------------------------
|             tcp     udp    icmp      ip
|     src      88       9       0       0
|     dst     902      42       0       0
|     any      25       5     113       4
|      nc      13       1      83       2
|     s+d      10       3       0       0
+----------------------------------------------------------------------------

+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| gen-id=1      sig-id=2275       type=Threshold tracking=dst count=5 seconds=60
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order:
activation->dynamic->pass->drop->sdrop->reject->alert->log
Log directory = /var/log/snort
Verifying Preprocessor Configurations!
Warning: flowbits key 'realplayer.playlist' is set but not ever checked.
14 out of 512 flowbits in use.
***
*** interface device lookup found: eth0
***

Initializing Network Interface eth0
Decoding Ethernet on interface eth0
database: compiled support for ( mysql )
database: configured to use mysql
database:          user = root
database: database name = snort
database:          host = localhost
database:   sensor name = 192.168.10.18
database:     sensor id = 3
database: schema version = 107
database: using the "log" facility

[ Port Based Pattern Matching Memory ]
+-[AC-BNFA Search Info Summary]------------------------------
| Instances        : 117
| Patterns         : 2515
| Pattern Chars    : 40315
| Num States       : 29117
| Num Match States : 2398
| Memory           :   686.30Kbytes
|   Patterns       :   88.38K
|   Match Lists    :   135.42K
|   Transitions    :   452.45K
+-------------------------------------------------

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.0.1 (Build 72) inline
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2007 Sourcefire Inc., et al.
           Using PCRE version: 6.6 06-Feb-2006

Not Using PCAP_FRAMES


Please guide me how to resolve this problem.

Thanks and Regards

Shiva Raman

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move
Developer's challenge
Build the coolest Linux based applications with Moblin SDK
& win great prizes
Grand prize is a trip for two to an Open Source event
anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
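An added illustration, not part of the thread, of how a defender can catch the symptom described above (sensor rows present, event/data tables empty) before it hides a silent IDS. It runs against an in-memory sqlite3 copy of the Snort sensor and event tables with constructed rows; the sensor columns are the ones shown in the thread, while the event table layout (sid, cid, signature, timestamp) and the rule that last_cid should equal the number of stored events are assumptions about the Snort database schema.

```python
import sqlite3

# Constructed sample rows. Sids 2 and 3 mirror the thread: the same hostname and
# interface registered twice (an old and a reinstalled Snort), neither with events.
# Sid 4 is a healthy sensor whose last_cid matches its stored events.
SENSOR_ROWS = [
    (2, "192.168.10.18", "eth0", None, 1, 0, 0),
    (3, "192.168.10.18", "eth0", None, 1, 0, 0),
    (4, "10.0.0.5", "eth1", None, 1, 0, 2),
]
EVENT_ROWS = [
    (4, 1, 2275, "2008-08-12 11:00:00"),
    (4, 2, 2275, "2008-08-12 11:00:30"),
]


def build_sample_db():
    """Create an in-memory stand-in for the Snort database (assumed schema)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE sensor (sid INTEGER PRIMARY KEY, hostname TEXT, interface TEXT,
                             filter TEXT, detail INTEGER, encoding INTEGER, last_cid INTEGER);
        CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
                            PRIMARY KEY (sid, cid));
    """)
    con.executemany("INSERT INTO sensor VALUES (?,?,?,?,?,?,?)", SENSOR_ROWS)
    con.executemany("INSERT INTO event VALUES (?,?,?,?)", EVENT_ROWS)
    return con


def check_sensors(con):
    """Return (sid, problem) findings for sensors whose logging looks broken."""
    findings = []
    rows = con.execute("""
        SELECT s.sid, s.hostname, s.interface, s.last_cid, COUNT(e.cid)
        FROM sensor s LEFT JOIN event e ON e.sid = s.sid
        GROUP BY s.sid ORDER BY s.sid
    """).fetchall()
    seen = {}  # (hostname, interface) -> first sid registered for it
    for sid, host, iface, last_cid, n_events in rows:
        key = (host, iface)
        if key in seen:  # stale registration left behind by an earlier install
            findings.append((sid, f"duplicate registration of {host}/{iface} (earlier sid {seen[key]})"))
        seen.setdefault(key, sid)
        if n_events == 0:  # the thread's symptom: sensor known, nothing ever logged
            findings.append((sid, "sensor registered but no events logged"))
        elif last_cid != n_events:  # heuristic; archiving/pruning can also cause this
            findings.append((sid, f"last_cid {last_cid} does not match {n_events} events"))
    return findings
```

Against a live deployment, replace build_sample_db() with a connection to the real snort database; the query itself only uses the sensor and event tables.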