Snort mailing list archives
Re: one snort instance logging in at different databases
From: Pedro Marinho <pppmarinho () gmail com>
Date: Wed, 22 Apr 2009 12:00:48 -0300
Thanks Joel

2009/4/22 Joel Esler <jesler () sourcefire com>:

You can do this through custom alerting keywords.
http://www.snort.org/docs/snort_htmanuals/htmanual_284/node198.html

Or you can configure two DB outputs in Barnyard.

Joel

On Wed, Apr 22, 2009 at 10:39 AM, Pedro Marinho <pppmarinho () gmail com> wrote:

Hello Gentlemen,

Is there a way to tell snort to log all signatures in one database and another signature that I've created in another database? I mean a single instance of snort logs all in one database and a specific rule that I've created in another database.

2009/4/22 <snort-users-request () lists sourceforge net>:

Today's Topics:

1. Re: view alerts in base (Joel Esler)
2. Re: view alerts in base (Joel Esler)

----------------------------------------------------------------------

Message: 1
Date: Wed, 22 Apr 2009 07:51:34 -0400
From: Joel Esler <jesler () sourcefire com>
Subject: Re: [Snort-users] view alerts in base
To: David Kingsly <davidkingsly () verizon net>
Cc: snort-users () lists sourceforge net, Lee Clemens <snort () leeclemens net>
Message-ID: <314cf0830904220451v337a44d8i65e3146e60bfd5d8 () mail gmail com>

You have to use "backticks" for the schema table.

select * from `schema`;

Joel

On Tue, Apr 21, 2009 at 9:40 PM, David Kingsly <davidkingsly () verizon net> wrote:

I can not do the query. I see the table, but it does not work...

mysql> show tables;
+------------------+
| Tables_in_snort  |
+------------------+
| acid_ag          |
| acid_ag_alert    |
| acid_event       |
| acid_ip_cache    |
| base_roles       |
| base_users       |
| data             |
| detail           |
| encoding         |
| event            |
| icmphdr          |
| iphdr            |
| opt              |
| reference        |
| reference_system |
| schema           |
| sensor           |
| sig_class        |
| sig_reference    |
| signature        |
| tcphdr           |
| udphdr           |
+------------------+
22 rows in set (0.00 sec)

mysql> select * from 'schema';
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''schema'' at line 1

mysql> select * from schema;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'schema' at line 1

mysql> select * from schema;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'schema' at line 1

mysql>

On Mon, 2009-04-20 at 17:19 -0400, Lee Clemens wrote:

Can you send the output of select * from `schema`;

-----Original Message-----
From: David Kingsly [mailto:davidkingsly () verizon net]
Sent: Sunday, April 19, 2009 10:45 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] view alerts in base

Just to add to this previous post. I do not seem to have a sensor id in my table. I saw some posts regarding this being the reason for alerts not showing up in BASE:

mysql> show tables;
(the same 22 tables as listed above)

mysql> select * from sensor;
Empty set (0.00 sec)

I do however see alerts in the mysql database.

On Sun, 2009-04-19 at 13:27 -0400, David Kingsly wrote:

Greetings-

I see alerts in mysql and in the alerts folder in /var/logs/snort. But the base page is blank. I checked mysql by logging in using the same account and password, and I did select * on some tables. But they do not show up in Base. Is there a log file I can look at? How can I find out what is wrong please? Here are some logs I suspect:

daemon.log:Apr 19 10:47:08 thunder snort[21347]: Target-based policy: WINDOWS
daemon.log:Apr 19 10:47:14 thunder snort[21351]: database: inconsistent cid information for sid=1
daemon.log.0:Apr 12 12:04:26 thunder snort[20659]: Target-based policy: WINDOWS
daemon.log.0:Apr 12 12:11:02 thunder snort[20755]: Target-based policy: WINDOWS
daemon.log.0:Apr 12 12:13:04 thunder snort[20763]: Target-based policy: WINDOWS
daemon.log.0:Apr 12 12:13:41 thunder snort[20962]: Target-based policy: WINDOWS
daemon.log.0:Apr 12 15:23:24 thunder snort[29865]: Target-based policy: WINDOWS
daemon.log.0:Apr 16 20:58:11 thunder snort[5993]: Target-based policy: WINDOWS
daemon.log.0:Apr 16 20:58:18 thunder snort[5993]: database: inconsistent cid information for sid=1
daemon.log.0:Apr 16 21:35:48 thunder snort[5967]: Target-based policy: WINDOWS
daemon.log.0:Apr 16 21:35:55 thunder snort[5967]: database: inconsistent cid information for sid=1
--
joel esler | Sourcefire | gtalk: jesler () sourcefire com | 302-223-5974

------------------------------

Message: 2
Date: Wed, 22 Apr 2009 07:52:32 -0400
From: Joel Esler <jesler () sourcefire com>
Subject: Re: [Snort-users] view alerts in base
To: David Kingsly <davidkingsly () verizon net>
Cc: snort-users () lists sourceforge net
Message-ID: <314cf0830904220452q1b1926a8m5e4cea8cf2c97d91 () mail gmail com>

You should be using BASE. ACID is dead. Been dead for at least 5 years.

J

On Tue, Apr 21, 2009 at 9:45 PM, David Kingsly <davidkingsly () verizon net> wrote:

So even though I see alerts in mysql, the issue is between snort 2.8.4 and mysql? Not between BASE and mysql? From looking at my tables before I installed BASE, and after, I see that BASE added some items. I just don't get why alerts are not collected. I'll look at the barnyard documentation. Thank you.

I do not have ACID installed. The procedures that I am following on Ubuntu do not call for it.

On Mon, 2009-04-20 at 17:44 -0400, John Gay wrote:

If you are using the database output plugin with Snort 2.8.4 there is a known issue. A patch was posted the other week. Try using unified output and something like barnyard to write to the db.

John

On Apr 19, 2009 11:40 AM, "David Kingsly" <davidkingsly () verizon net> wrote:

(the "Greetings-" message of Sun, 19 Apr 2009 13:27 -0400, quoted in full above)

--
joel esler | Sourcefire | gtalk: jesler () sourcefire com | 302-223-5974

------------------------------

End of Snort-users Digest, Vol 35, Issue 51
*******************************************

--
joel esler | Sourcefire | gtalk: jesler () sourcefire com | 302-223-5974 | http://twitter.com/joelesler
------------------------------------------------------------------------------ Stay on top of everything new and different, both inside and around Java (TM) technology - register by April 22, and save $200 on the JavaOne (SM) conference, June 2-5, 2009, San Francisco. 300 plus technical and hands-on sessions. Register today. Use priority code J9JMT32. http://p.sf.net/sfu/p
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
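The backtick fix Joel gives in Message 1, worked through as an added example that is not code from the thread: a small Python helper that quotes MySQL table names so a reserved word such as `schema` can be queried, classifies the three FROM clauses David tried, and refuses anything that does not look like a name SHOW TABLES would print. The reserved-word set is an abbreviated assumption, not MySQL's full list, and SNORT_TABLES is the table list from the thread.

```python
import re

# Abbreviated set of MySQL reserved words (assumption: not the full list).
# "schema" is the one that bit the thread; the rest are common collisions.
MYSQL_RESERVED = {
    "schema", "schemas", "database", "databases", "table", "select",
    "from", "where", "order", "group", "key", "index",
}

# Characters an unquoted MySQL identifier may contain, max length 64.
# Deliberately strict: a table name fed from user input cannot carry
# quotes, spaces or semicolons into the query.
IDENT_RE = re.compile(r"^[A-Za-z0-9_$]{1,64}$")

# Table names from the SHOW TABLES output quoted in the thread.
SNORT_TABLES = [
    "acid_ag", "acid_ag_alert", "acid_event", "acid_ip_cache", "base_roles",
    "base_users", "data", "detail", "encoding", "event", "icmphdr", "iphdr",
    "opt", "reference", "reference_system", "schema", "sensor", "sig_class",
    "sig_reference", "signature", "tcphdr", "udphdr",
]

def is_reserved(name):
    return name.lower() in MYSQL_RESERVED

def quote_identifier(name):
    """Backtick-quote a table/column name; backticks mark an identifier,
    whereas single quotes would turn it into a string literal."""
    if not IDENT_RE.match(name):
        raise ValueError("refusing suspicious identifier: %r" % name)
    return "`" + name + "`"

def select_all(table):
    return "SELECT * FROM " + quote_identifier(table)

def classify_from_clause(clause):
    """Explain why a FROM clause works or fails, as in David's three attempts."""
    if clause.startswith("'") and clause.endswith("'"):
        return "string literal: single quotes make a value, not a table name"
    if clause.startswith("`") and clause.endswith("`"):
        return "ok: backticks mark an identifier"
    if is_reserved(clause):
        return "reserved word: unquoted use is a syntax error"
    return "ok: plain identifier"

def tables_needing_quotes(tables):
    """Return the table names that must be backticked to be queried."""
    return sorted(t for t in tables if is_reserved(t))
```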
Current thread:
- one snort instance logging in at different databases Pedro Marinho (Apr 22)
- Re: one snort instance logging in at different databases Joel Esler (Apr 22)
- Re: one snort instance logging in at different databases Pedro Marinho (Apr 22)
- Re: one snort instance logging in at different databases Joel Esler (Apr 22)