Snort mailing list archives

Re: MySQL support for Snort 2.9.4


From: Kaya Saman <kayasaman () gmail com>
Date: Tue, 11 Dec 2012 19:06:04 +0000

On 12/11/2012 02:45 PM, JJC wrote:
Damn, Joel beat me to it again... When you traverse between versions it's always best to make deinstall, or manually rm the old files, or you may get errors like this.

Thanks guys!

Sorry, I've just started with Snort and have only been using it for the last few weeks, mostly from the OpenBSD port of 2.8.6, which is why my understanding and knowledge of what's going on is highly limited.


A strange thing though: Snort is stable, listening on the interface and able to collect information. For some reason, however, it doesn't seem to be either processing the information or logging it.


With the startup options set to:

/usr/local/bin/snort -i trunk0 -c /etc/snort/snort.conf 
--daq-dir=/usr/local/lib/daq -u _snort -g _snort --daq=pcap

I get this:

Rule application order: 
activation->dynamic->pass->drop->sdrop->reject->alert->log
Verifying Preprocessor Configurations!
ICMP tracking disabled, no ICMP sessions allocated
IP tracking disabled, no IP sessions allocated
WARNING: flowbits key 'file.mime' is set but not ever checked.
WARNING: flowbits key 'file.mppl' is set but not ever checked.
WARNING: flowbits key 'file.vwr' is set but not ever checked.
WARNING: flowbits key 'asteriskmi' is set but not ever checked.
WARNING: flowbits key 'file.jp2' is set but not ever checked.
WARNING: flowbits key 'file.wrf' is set but not ever checked.
WARNING: flowbits key 'file.crx' is set but not ever checked.
WARNING: flowbits key 'file.eml' is set but not ever checked.
WARNING: flowbits key 'backdoor.y3krat_15.client.response' is checked but not ever set.
WARNING: flowbits key 'file.ram' is set but not ever checked.
WARNING: flowbits key 'file.plf' is set but not ever checked.
WARNING: flowbits key 'file.hta' is set but not ever checked.
WARNING: flowbits key 'file.mid' is set but not ever checked.
WARNING: flowbits key 'file.amf' is set but not ever checked.
WARNING: flowbits key 'file.rdp' is set but not ever checked.
WARNING: flowbits key 'file.aom' is set but not ever checked.
WARNING: flowbits key 'file.rpt' is set but not ever checked.
WARNING: flowbits key 'file.m4r' is set but not ever checked.
WARNING: flowbits key 'file.nab' is set but not ever checked.
WARNING: flowbits key 'file.xm' is set but not ever checked.
WARNING: flowbits key 'file.bmp' is set but not ever checked.
WARNING: flowbits key 'file.bat' is set but not ever checked.
WARNING: flowbits key 'file.rtx' is set but not ever checked.
WARNING: flowbits key 'file.winampskin' is set but not ever checked.
WARNING: flowbits key 'file.3g2' is set but not ever checked.
WARNING: flowbits key 'file.skm' is set but not ever checked.
WARNING: flowbits key 'file.ht3' is set but not ever checked.
WARNING: flowbits key 'file.pptx' is set but not ever checked.
WARNING: flowbits key 'file.dbp' is set but not ever checked.
WARNING: flowbits key 'file.mkv' is set but not ever checked.
WARNING: flowbits key 'file.rmp' is set but not ever checked.
WARNING: flowbits key 'file.file.tar' is set but not ever checked.
WARNING: flowbits key 'mscomctl' is set but not ever checked.
WARNING: flowbits key 'file.dvr-ms' is set but not ever checked.
WARNING: flowbits key 'file.m4p' is set but not ever checked.
WARNING: flowbits key 'file.caff' is set but not ever checked.
WARNING: flowbits key 'file.rp' is set but not ever checked.
WARNING: flowbits key 'file.plp' is set but not ever checked.
WARNING: flowbits key 'file.aiff' is set but not ever checked.
WARNING: flowbits key 'file.daz_ds' is set but not ever checked.
WARNING: flowbits key 'file.wma' is set but not ever checked.
WARNING: flowbits key 'file.application' is set but not ever checked.
WARNING: flowbits key 'file.3gp' is set but not ever checked.
WARNING: flowbits key 'ABSystemSpy_Inforetrieve1' is set but not ever checked.
WARNING: flowbits key 'file.webm' is set but not ever checked.
WARNING: flowbits key 'file.jar.agent_helper' is set but not ever checked.
WARNING: flowbits key 'netsenum' is set but not ever checked.
WARNING: flowbits key 'file.arj' is set but not ever checked.
WARNING: flowbits key 'file.ogg' is set but not ever checked.
WARNING: flowbits key 'file.oless.v3' is set but not ever checked.
WARNING: flowbits key 'file.mov' is set but not ever checked.
WARNING: flowbits key 'ipp.application' is checked but not ever set.
WARNING: flowbits key 'file.pictmov' is set but not ever checked.
WARNING: flowbits key 'file.lzh' is set but not ever checked.
WARNING: flowbits key 'file.collada' is set but not ever checked.
WARNING: flowbits key 'file.s3m' is set but not ever checked.
WARNING: flowbits key 'file.tiff.big' is set but not ever checked.
WARNING: flowbits key 'file.k3g' is set but not ever checked.
WARNING: flowbits key 'file.wmp_playlist' is set but not ever checked.
WARNING: flowbits key 'file.cov' is set but not ever checked.
WARNING: flowbits key 'soliddb' is set but not ever checked.
WARNING: flowbits key 'file.rt' is set but not ever checked.
WARNING: flowbits key 'waprox.init' is set but not ever checked.
WARNING: flowbits key 'file.emf' is set but not ever checked.
WARNING: flowbits key 'file.cws' is set but not ever checked.
WARNING: flowbits key 'file.dat' is set but not ever checked.
WARNING: flowbits key 'AOLAdmin1.1.connection' is checked but not ever set.
WARNING: flowbits key 'file.ttf' is set but not ever checked.
WARNING: flowbits key 'file.cy3' is set but not ever checked.
WARNING: flowbits key 'file.wk4' is set but not ever checked.
WARNING: flowbits key 'file.rat' is set but not ever checked.
WARNING: flowbits key 'vnc.auth' is checked but not ever set.
WARNING: flowbits key 'file.docx' is set but not ever checked.
WARNING: flowbits key 'file.maki' is set but not ever checked.
WARNING: flowbits key 'file.qt' is set but not ever checked.
WARNING: flowbits key 'AM_Remote_Client' is set but not ever checked.
WARNING: flowbits key 'file.pkp' is set but not ever checked.
WARNING: flowbits key 'file.wps' is set but not ever checked.
WARNING: flowbits key 'file.pecompact' is set but not ever checked.
WARNING: flowbits key 'recordtype' is set but not ever checked.
WARNING: flowbits key 'smb.neoteris' is checked but not ever set.
WARNING: flowbits key 'file.rss' is set but not ever checked.
WARNING: flowbits key 'file.drm.f4v' is set but not ever checked.
WARNING: flowbits key 'backdoor.fearless.runtime' is checked but not ever set.
WARNING: flowbits key 'file.addin' is set but not ever checked.
WARNING: flowbits key 'file.cue' is set but not ever checked.
WARNING: flowbits key 'file.msproducer' is set but not ever checked.
WARNING: flowbits key 'file.job' is set but not ever checked.
WARNING: flowbits key 'file.cur' is set but not ever checked.
WARNING: flowbits key 'file.fli' is set but not ever checked.
WARNING: flowbits key 'file.mht' is set but not ever checked.
WARNING: flowbits key 'file.bak' is set but not ever checked.
WARNING: flowbits key 'file.m4v' is set but not ever checked.
WARNING: flowbits key 'oracle.connect' is checked but not ever set.
WARNING: flowbits key 'file.hlp' is set but not ever checked.
WARNING: flowbits key 'file.autodesk_ma' is set but not ever checked.
WARNING: flowbits key 'file.vqf' is set but not ever checked.
WARNING: flowbits key 'file.autodesk_max' is set but not ever checked.
WARNING: flowbits key 'file.sln' is set but not ever checked.
WARNING: flowbits key 'file.cyb' is set but not ever checked.
WARNING: flowbits key 'file.search-ms' is set but not ever checked.
WARNING: flowbits key 'file.m4b' is set but not ever checked.
WARNING: flowbits key 'file.flac' is set but not ever checked.
WARNING: flowbits key 'file.oless.v4' is set but not ever checked.
WARNING: flowbits key 'file.m4a' is set but not ever checked.
WARNING: flowbits key 'file.cnt' is set but not ever checked.
WARNING: flowbits key 'file.mpeg' is set but not ever checked.
WARNING: flowbits key 'ms.webdav.propfind' is set but not ever checked.
WARNING: flowbits key 'file.svg' is set but not ever checked.
WARNING: flowbits key 'file.esignal' is set but not ever checked.
WARNING: flowbits key 'smtp.contenttype.attachment' is checked but not ever set.
WARNING: flowbits key 'file.fon' is set but not ever checked.
WARNING: flowbits key 'backdoor.donalddick.1.5.b.3.conn' is checked but not ever set.
WARNING: flowbits key 'file.csv' is set but not ever checked.
200 out of 1024 flowbits in use.


OK, these are just warnings, and Snort does start and work; it also shows data with the --pcap-show option.


The config file is the same as posted yesterday, so no change there; the stats also seem fine:


===============================================================================
Run time for packet processing was 38167.377763 seconds
Snort processed 18726026 packets.
Snort ran for 0 days 10 hours 36 minutes 7 seconds
     Pkts/hr:      1872602
    Pkts/min:        29443
    Pkts/sec:          490
===============================================================================
Packet I/O Totals:
    Received:     18727490
    Analyzed:     18726026 ( 99.992%)
     Dropped:         1124 (  0.006%)
    Filtered:            0 (  0.000%)
Outstanding:         1464 (  0.008%)
    Injected:            0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
         Eth:     18726026 (100.000%)
        VLAN:      9542633 ( 50.959%)
         IP4:     18469222 ( 98.629%)
        Frag:           96 (  0.001%)
        ICMP:        19686 (  0.105%)
         UDP:       209555 (  1.119%)
         TCP:     18094459 ( 96.627%)
         IP6:           49 (  0.000%)
     IP6 Ext:           56 (  0.000%)
    IP6 Opts:            7 (  0.000%)
       Frag6:            0 (  0.000%)
       ICMP6:           16 (  0.000%)
        UDP6:           33 (  0.000%)
        TCP6:            0 (  0.000%)
      Teredo:            0 (  0.000%)
     ICMP-IP:            0 (  0.000%)
       EAPOL:            0 (  0.000%)
     IP4/IP4:            0 (  0.000%)
     IP4/IP6:            0 (  0.000%)
     IP6/IP4:            0 (  0.000%)
     IP6/IP6:            0 (  0.000%)
         GRE:            0 (  0.000%)
     GRE Eth:            0 (  0.000%)
    GRE VLAN:            0 (  0.000%)
     GRE IP4:            0 (  0.000%)
     GRE IP6:            0 (  0.000%)
GRE IP6 Ext:            0 (  0.000%)
    GRE PPTP:            0 (  0.000%)
     GRE ARP:            0 (  0.000%)
     GRE IPX:            0 (  0.000%)
    GRE Loop:            0 (  0.000%)
        MPLS:            0 (  0.000%)
         ARP:         7757 (  0.041%)
         IPX:            0 (  0.000%)
    Eth Loop:         7626 (  0.041%)
    Eth Disc:            0 (  0.000%)
    IP4 Disc:       115831 (  0.619%)
    IP6 Disc:            0 (  0.000%)
    TCP Disc:            0 (  0.000%)
    UDP Disc:            0 (  0.000%)
   ICMP Disc:            0 (  0.000%)
All Discard:       115831 (  0.619%)
       Other:       270967 (  1.447%)
Bad Chk Sum:      9421212 ( 50.311%)
     Bad TTL:            0 (  0.000%)
      S5 G 1:            0 (  0.000%)
      S5 G 2:            0 (  0.000%)
       Total:     18726026
===============================================================================
Action Stats:
      Alerts:            0 (  0.000%)
      Logged:            0 (  0.000%)
      Passed:            0 (  0.000%)
Limits:
       Match:            0
       Queue:            0
         Log:            0
       Event:            0
       Alert:            0
Verdicts:
       Allow:     18715211 ( 99.934%)
       Block:            0 (  0.000%)
     Replace:            0 (  0.000%)
   Whitelist:        10815 (  0.058%)
   Blacklist:            0 (  0.000%)
      Ignore:            0 (  0.000%)
===============================================================================
Frag3 statistics:
         Total Fragments: 0
       Frags Reassembled: 0
                Discards: 0
           Memory Faults: 0
                Timeouts: 0
                Overlaps: 0
               Anomalies: 0
                  Alerts: 0
                   Drops: 0
      FragTrackers Added: 0
     FragTrackers Dumped: 0
FragTrackers Auto Freed: 0
     Frag Nodes Inserted: 0
      Frag Nodes Deleted: 0
===============================================================================
Stream5 statistics:
             Total sessions: 79147
               TCP sessions: 20411
               UDP sessions: 58736
              ICMP sessions: 0
                IP sessions: 0
                 TCP Prunes: 0
                 UDP Prunes: 0
                ICMP Prunes: 0
                  IP Prunes: 0
TCP StreamTrackers Created: 20434
TCP StreamTrackers Deleted: 20434
               TCP Timeouts: 155
               TCP Overlaps: 0
        TCP Segments Queued: 3
      TCP Segments Released: 3
        TCP Rebuilt Packets: 0
          TCP Segments Used: 0
               TCP Discards: 5828513
                   TCP Gaps: 0
       UDP Sessions Created: 58736
       UDP Sessions Deleted: 58736
               UDP Timeouts: 0
               UDP Discards: 0
                     Events: 101793
            Internal Events: 0
            TCP Port Filter
                    Dropped: 0
                  Inspected: 0
                    Tracked: 8813272
            UDP Port Filter
                    Dropped: 0
                  Inspected: 0
                    Tracked: 58736
===============================================================================
HTTP Inspect - encodings (Note: stream-reassembled packets included):
     POST methods:                         0
     GET methods:                          0
     HTTP Request Headers extracted:       0
     HTTP Request Cookies extracted:       0
     Post parameters extracted:            0
     HTTP response Headers extracted:      22783
     HTTP Response Cookies extracted:      0
     Unicode:                              0
     Double unicode:                       0
     Non-ASCII representable:              0
     Directory traversals:                 0
     Extra slashes ("//"):                 0
     Self-referencing paths ("./"):        0
     HTTP Response Gzip packets extracted: 0
     Gzip Compressed Data Processed:       n/a
     Gzip Decompressed Data Processed:     n/a
     Total packets processed:              4714892
===============================================================================
SMTP Preprocessor Statistics
   Total sessions                                    : 0
   Max concurrent sessions                           : 0
===============================================================================
dcerpc2 Preprocessor Statistics
   Total sessions: 0
===============================================================================
SSL Preprocessor:
    SSL packets decoded: 14797
           Client Hello: 921
           Server Hello: 181
            Certificate: 178
            Server Done: 988
    Client Key Exchange: 734
    Server Key Exchange: 135
          Change Cipher: 1056
               Finished: 0
     Client Application: 11296
     Server Application: 196
                  Alert: 384
   Unrecognized records: 1069
   Completed handshakes: 0
         Bad handshakes: 0
       Sessions ignored: 196
     Detection disabled: 357
===============================================================================
SIP Preprocessor Statistics
   Total sessions: 28
   SIP anomalies : 5378
   Total  dialogs: 5415
   Requests: 10885
           invite:   0
           cancel:   0
              ack:   0
              bye:   0
         register:   6415
          options:   4470
            refer:   0
        subscribe:   0
           update:   0
             join:   0
             info:   0
          message:   0
           notify:   0
            prack:   0
   Responses: 8329
              1xx:   0
              2xx:   5761
              3xx:   0
              4xx:   2568
              5xx:   0
              6xx:   0
              7xx:   0
              8xx:   0
              9xx:   0
  Ignore sessions:   0
  Ignore channels:   0
===============================================================================
Reputation Preprocessor Statistics
   Total Memory Allocated: 0
===============================================================================


When I check the log, however, it is zero bytes:

# ls -lh /var/log/snort | grep u2
-rw-------  1 root    _snort     0B Dec 11 04:22 snort.u2.1355199721
-rw-------  1 root    _snort     0B Dec 11 04:40 snort.u2.1355200803
-rw-------  1 root    _snort     0B Dec 11 04:45 snort.u2.1355201144
-rw-------  1 root    _snort     0B Dec 11 04:57 snort.u2.1355201878
-rw-------  1 root    _snort     0B Dec 11 05:00 snort.u2.1355202000
-rw-------  1 _snort  _snort     0B Dec 11 05:10 snort.u2.1355202643
-rw-------  1 _snort  _snort     0B Dec 11 05:46 snort.u2.1355204787
-rw-------  1 _snort  _snort     0B Dec 11 05:49 snort.u2.1355204999
-rw-------  1 _snort  _snort     0B Dec 11 06:42 snort.u2.1355208140
-rw-------  1 _snort  _snort     0B Dec 11 06:48 snort.u2.1355208486
-rw-------  1 _snort  _snort     0B Dec 11 06:51 snort.u2.1355208715
-rw-------  1 _snort  _snort     0B Dec 11 07:06 snort.u2.1355209617
-rw-------  1 _snort  _snort     0B Dec 11 07:23 snort.u2.1355210584
-rw-------  1 _snort  _snort     0B Dec 11 07:26 snort.u2.1355210817
-rw-------  1 _snort  _snort     0B Dec 11 07:39 snort.u2.1355211572
-rw-------  1 _snort  _snort     0B Dec 11 07:41 snort.u2.1355211712
-rw-------  1 _snort  _snort     0B Dec 11 07:44 snort.u2.1355211850
-rw-------  1 _snort  _snort     0B Dec 11 07:54 snort.u2.1355212478
-rw-------  1 _snort  _snort     0B Dec 11 07:57 snort.u2.1355212654
-rw-------  1 _snort  _snort     0B Dec 11 08:01 snort.u2.1355212873
-rw-------  1 _snort  _snort     0B Dec 11 08:02 snort.u2.1355212968
-rw-------  1 _snort  _snort     0B Dec 11 08:08 snort.u2.1355213280


Of course, this means that Barnyard2 won't be able to collect any information to pass through to MySQL for BASE to communicate to me.


I have also tried with the -v verbose flag on startup but didn't see much difference in the output.


Why are my logs coming up as zero?


Regards,


Kaya
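The exit statistics quoted in the post above carry the answer to "why are the logs zero bytes" on their own, so here is a small triage script, added as an example and not code from the original post or from the Snort project. It parses the counter blocks Snort 2.9 prints at shutdown (the format shown above) and flags the three things a practitioner would look at first: whether detection produced any events at all, the bad-checksum ratio, and whether both directions of HTTP are visible. The 10% bad-checksum threshold, the section names it keys on and the wording of the findings are this example's own assumptions; the sample dump is constructed from counters excerpted from the post.

```python
"""Triage a Snort 2.9 shutdown statistics dump.

Added example, not code from the original post or the Snort project.
It parses the counter blocks Snort prints at exit (format as in the
post above) and explains why a sensor that clearly sees traffic still
writes empty unified2 files.  The 10% bad-checksum threshold and the
wording of the findings are this example's assumptions.
"""
import re

# One counter row: '   Label:   12345 ( 50.311%)'.  Labels repeat across
# sections ('Alerts' is under Action Stats and under Frag3), so every
# counter is keyed by (section, label).
ROW_RE = re.compile(
    r'^\s*(?P<label>[A-Za-z0-9][A-Za-z0-9/ .()"-]*?)\s*:\s*(?P<value>\d+)')


def parse_stats(text):
    """Return {section: {label: int}} for a Snort exit dump."""
    stats, section = {}, ''
    for line in text.splitlines():
        row = ROW_RE.match(line)
        if row:
            stats.setdefault(section, {})[row['label'].strip()] = int(row['value'])
        elif line.strip() and not line.startswith(('=', ' ', '\t')):
            # An unindented non-counter line such as 'Action Stats:' opens a section.
            section = line.strip().rstrip(':').strip()
    return stats


def lookup(stats, section_prefix, label):
    """Fetch a counter by section-name prefix; None if absent."""
    for name, rows in stats.items():
        if name.startswith(section_prefix) and label in rows:
            return rows[label]
    return None


def triage(text, bad_cksum_ratio=0.10):
    """Return [(code, explanation)] findings for a dump with zero output."""
    s = parse_stats(text)
    findings = []

    analyzed = lookup(s, 'Packet I/O Totals', 'Analyzed') or 0
    alerts = lookup(s, 'Action Stats', 'Alerts') or 0
    logged = lookup(s, 'Action Stats', 'Logged') or 0
    if analyzed and alerts == 0 and logged == 0:
        findings.append(('no_events',
            'Detection raised no alert or log events, so the output plugins '
            'had nothing to write: 0-byte unified2 files are the expected '
            'result.  Check what feeds detection (rules loaded, traffic '
            'visibility, checksums) rather than the output configuration.'))

    total = lookup(s, 'Breakdown by protocol', 'Total') or 0
    bad = lookup(s, 'Breakdown by protocol', 'Bad Chk Sum') or 0
    discards = lookup(s, 'Stream5 statistics', 'TCP Discards')
    if total and bad / total >= bad_cksum_ratio:
        findings.append(('bad_checksums',
            f'{bad / total:.0%} of packets failed checksum validation '
            f'(Stream5 TCP Discards: {discards}).  With the default '
            "'config checksum_mode: all', Snort neither reassembles nor "
            'inspects those packets.  The usual cause is checksum offload on '
            'the capture NIC; confirm with tcpdump -vv, then disable offload '
            "on the sniffing interface or set 'config checksum_mode: none'."))

    req = lookup(s, 'HTTP Inspect', 'HTTP Request Headers extracted')
    resp = lookup(s, 'HTTP Inspect', 'HTTP response Headers extracted')
    if resp and not req:
        findings.append(('one_way_http',
            'HTTP Inspect saw server responses but no client requests: the '
            'capture point delivers only one direction of the traffic.  Most '
            "rules are 'flow:to_server,established' and cannot match without "
            'the client side; check the mirror/tap configuration.'))
    return findings


# Constructed sample: counters excerpted from the statistics in the post.
SAMPLE = """\
Packet I/O Totals:
    Received:     18727490
    Analyzed:     18726026 ( 99.992%)
     Dropped:         1124 (  0.006%)
===============================================================================
Breakdown by protocol (includes rebuilt packets):
         Eth:     18726026 (100.000%)
         TCP:     18094459 ( 96.627%)
Bad Chk Sum:      9421212 ( 50.311%)
       Total:     18726026
===============================================================================
Action Stats:
      Alerts:            0 (  0.000%)
      Logged:            0 (  0.000%)
===============================================================================
Stream5 statistics:
             Total sessions: 79147
               TCP Discards: 5828513
===============================================================================
HTTP Inspect - encodings (Note: stream-reassembled packets included):
     HTTP Request Headers extracted:       0
     HTTP response Headers extracted:      22783
"""

if __name__ == '__main__':
    for code, why in triage(SAMPLE):
        print(f'[{code}] {why}\n')
```

Run it against a full dump (`snort ... 2>&1 | tee snort-exit.log`, then `triage(open('snort-exit.log').read())`) rather than the excerpt. The order of checks is deliberate: "Action Stats: Alerts 0 / Logged 0" rules out the output plugin and Barnyard2 side entirely, and only then is it worth asking why detection never fired; the checksum and one-direction findings are the two most common reasons a sensor on a mirror or trunk port sees millions of packets and matches nothing.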


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
