LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - General
User Name
Password
Linux - General This Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.

Notices


Reply
  Search this Thread
Old 03-28-2005, 02:21 AM   #1
ilnli
Member
 
Registered: Jul 2004
Location: Pakistan
Distribution: Slackware 10.0, SUSE 9.1, RH 7, 7.3, 8, 9, FC2
Posts: 413

Rep: Reputation: 32
Angry snort logging to database


can anybody tell me how to enable snort to log its output to mysql.
cause I have uncomment a line in its snort.conf file

ouput database: mysql user=root password=.......bla bla bla

but still it is not logging in the database.
 
Old 03-28-2005, 07:34 PM   #2
auximini
Member
 
Registered: Dec 2003
Location: Calgary, AB
Distribution: Any!
Posts: 146

Rep: Reputation: 18
Are you sure it looks like this:
Code:
output database: log, mysql, user=snort password=pass123 dbname=snort host=localhost
Does it log alerts correctly to a file? Are the permissions correct for user snort on the database?

Also, make sure your HOME_NET and EXTERNAL_NET variables are set up correctly. That's what messed me up the first time.
 
Old 03-28-2005, 09:26 PM   #3
listlow
LQ Newbie
 
Registered: Mar 2005
Posts: 10

Rep: Reputation: 0
here are the setting that i set on my snort.conf, hope it help:-

"output alert_syslog: LOG_AUTH LOG_ALERT"

"output database: log, mysql, user=snort password=password dbname=snortdb host=localhost"

"include threshold.conf
output alert_fwsam:127.0.0.1/snort"

of coz the HOME_NET and EXTERNAL_NET must be configure correctly.

Last edited by listlow; 03-28-2005 at 09:30 PM.
 
Old 04-01-2005, 07:40 AM   #4
njugs79
Member
 
Registered: Jan 2005
Posts: 37

Rep: Reputation: 15
Hi. My input:; To star trom the beginning:

Just make sure you have MySQL installed in your ssytem with all the relevant dependencies.
Then create a database (say, SNORT) that snort will use to log itself (Make sure to configure users for the same database).

Install php-4.***** and php-mysql-4.**** (You will need these too!).
Create another database (say, SNORTCENTER) and grant appropriate rights to users of the database.

Download snortcenter-beta from http://users.pandora.be/larc/download/ . Edit the config.php file in the snortcenter folder. This will incude the $DBlib_path, $DB_User (to "snortcenter"), $DB_password and $hidden_key_num. If you have a proxy, set the $proxy variable as well.

Access your snort management console. Select an output plugin/create a new one. Select Database (log to a variety of databases). In the pop-up screen that appears, set your sensor name, db name (in this case snort), db type (here, MySQL), db host........User, password, Ruletype (here, put "log"). Leave there rest of the fields blank.

Theres a good document you can read up on http://www.superhac.com/

The document is written for RedHat9 but am sure the concept is still the same.

Good luck.
 
Old 04-03-2005, 03:00 PM   #5
ilnli
Member
 
Registered: Jul 2004
Location: Pakistan
Distribution: Slackware 10.0, SUSE 9.1, RH 7, 7.3, 8, 9, FC2
Posts: 413

Original Poster
Rep: Reputation: 32
Error loading the DB Abstraction library: from "./adodb/adodb.inc.php"

Check the DB abstraction library variable $DBlib_path in acid_conf.php

The underlying database library currently used is ADODB, that can be downloaded at http://php.weblogs.com/adodb

-------=-===============-=--------

this is the error my mozilla has given to me
 
Old 04-03-2005, 03:06 PM   #6
ilnli
Member
 
Registered: Jul 2004
Location: Pakistan
Distribution: Slackware 10.0, SUSE 9.1, RH 7, 7.3, 8, 9, FC2
Posts: 413

Original Poster
Rep: Reputation: 32
my HOME_NET and EXTERNAL_NET are set to "any"
 
Old 04-03-2005, 03:07 PM   #7
ilnli
Member
 
Registered: Jul 2004
Location: Pakistan
Distribution: Slackware 10.0, SUSE 9.1, RH 7, 7.3, 8, 9, FC2
Posts: 413

Original Poster
Rep: Reputation: 32
this is my snort.conf
Code:
#--------------------------------------------------
#   http://www.snort.org     Snort 2.1.0 Ruleset
#     Contact: snort-sigs@lists.sourceforge.net
#--------------------------------------------------
# $Id: snort.conf,v 1.142.2.2 2004/08/05 18:55:37 jhewlett Exp $
#
###################################################
# This file contains a sample snort configuration. 
# You can take the following steps to create your own custom configuration:
#
#  1) Set the network variables for your network
#  2) Configure preprocessors
#  3) Configure output plugins
#  4) Customize your rule set
#
###################################################
# Step #1: Set the network variables:
#
# You must change the following variables to reflect your local network. The
# variable is currently setup for an RFC 1918 address space.
#
# You can specify it explicitly as: 
#
# var HOME_NET 10.1.1.0/24
#
# or use global variable $<interfacename>_ADDRESS which will be always
# initialized to IP address and netmask of the network interface which you run
# snort at.  Under Windows, this must be specified as
# $(<interfacename>_ADDRESS), such as:
# $(\Device\Packet_{12345678-90AB-CDEF-1234567890AB}_ADDRESS)
#
# var HOME_NET $eth0_ADDRESS
#
# You can specify lists of IP addresses for HOME_NET
# by separating the IPs with commas like this:
#
# var HOME_NET [127.0.0.1/8,10.1.1.0/24,192.168.1.0/24]
#
# MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
#
# or you can specify the variable to be any IP address
# like this:

var HOME_NET any

# Set up the external network addresses as well.  A good start may be "any"
var EXTERNAL_NET any

# Configure your server lists.  This allows snort to only look for attacks to
# systems that have a service up.  Why look for HTTP attacks if you are not
# running a web server?  This allows quick filtering based on IP addresses
# These configurations MUST follow the same configuration scheme as defined
# above for $HOME_NET.  

# List of DNS servers on your network 
var DNS_SERVERS $HOME_NET

# List of SMTP servers on your network
var SMTP_SERVERS $HOME_NET

# List of web servers on your network
var HTTP_SERVERS $HOME_NET

# List of sql servers on your network 
var SQL_SERVERS $HOME_NET

# List of telnet servers on your network
var TELNET_SERVERS $HOME_NET

# List of snmp servers on your network
var SNMP_SERVERS $HOME_NET

# Configure your service ports.  This allows snort to look for attacks destined
# to a specific application only on the ports that application runs on.  For
# example, if you run a web server on port 8081, set your HTTP_PORTS variable
# like this:
#
# var HTTP_PORTS 8081
#
# Port lists must either be continuous [eg 80:8080], or a single port [eg 80].
# We will adding support for a real list of ports in the future.

# Ports you run web servers on
#
# Please note:  [80,8080] does not work.
# If you wish to define multiple HTTP ports,
# 
## var HTTP_PORTS 80 
## include somefile.rules 
## var HTTP_PORTS 8080
## include somefile.rules 
var HTTP_PORTS 80

# Ports you want to look for SHELLCODE on.
var SHELLCODE_PORTS !80

# Ports you do oracle attacks on
var ORACLE_PORTS 1521

# other variables
# 
# AIM servers.  AOL has a habit of adding new AIM servers, so instead of
# modifying the signatures when they do, we add them to this list of servers.
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]

# Path to your rules files (this can be a relative path)
# Note for Windows users:  You are advised to make this an absolute path,
# such as:  c:\snort\rules
#var RULE_PATH /etc/snort/rules

# Configure the snort decoder
# ============================
#
# Snort's decoder will alert on lots of things such as header
# truncation or options of unusual length or infrequently used tcp options
#
#
# Stop generic decode events:
#
# config disable_decode_alerts
#
# Stop Alerts on experimental TCP options
#
# config disable_tcpopt_experimental_alerts
#
# Stop Alerts on obsolete TCP options
#
# config disable_tcpopt_obsolete_alerts
#
# Stop Alerts on T/TCP alerts
#
# In snort 2.0.1 and above, this only alerts when a TCP option is detected
# that shows T/TCP being actively used on the network.  If this is normal
# behavior for your network, disable the next option.
#
# config disable_tcpopt_ttcp_alerts
#
# Stop Alerts on all other TCPOption type events:
#
# config disable_tcpopt_alerts
#
# Stop Alerts on invalid ip options
#
# config disable_ipopt_alerts

# Configure the detection engine
# ===============================
#
# Use a different pattern matcher in case you have a machine with very limited
# resources:
#
# config detection: search-method lowmem

###################################################
# Step #2: Configure preprocessors
#
# General configuration for preprocessors is of 
# the form
# preprocessor <name_of_processor>: <configuration_options>

# Configure Flow tracking module
# -------------------------------
#
# The Flow tracking module is meant to start unifying the state keeping
# mechanisms of snort into a single place. Right now, only a portscan detector
# is implemented but in the long term,  many of the stateful subsystems of
# snort will be migrated over to becoming flow plugins. This must be enabled
# for flow-portscan to work correctly.
#
# See README.flow for additional information
#
preprocessor flow: stats_interval 0 hash 2

# frag2: IP defragmentation support
# -------------------------------
# This preprocessor performs IP defragmentation.  This plugin will also detect
# people launching fragmentation attacks (usually DoS) against hosts.  No
# arguments loads the default configuration of the preprocessor, which is a 60
# second timeout and a 4MB fragment buffer. 

# The following (comma delimited) options are available for frag2
#    timeout [seconds] - sets the number of [seconds] that an unfinished 
#                        fragment will be kept around waiting for completion,
#                        if this time expires the fragment will be flushed
#    memcap [bytes] - limit frag2 memory usage to [number] bytes
#                      (default:  4194304)
#
#    min_ttl [number] - minimum ttl to accept
# 
#    ttl_limit [number] - difference of ttl to accept without alerting
#                         will cause false positves with router flap
# 
# Frag2 uses Generator ID 113 and uses the following SIDS 
# for that GID:
#  SID     Event description
# -----   -------------------
#   1       Oversized fragment (reassembled frag > 64k bytes)
#   2       Teardrop-type attack

preprocessor frag2

# stream4: stateful inspection/stream reassembly for Snort
#----------------------------------------------------------------------
# Use in concert with the -z [all|est] command line switch to defeat stick/snot
# against TCP rules.  Also performs full TCP stream reassembly, stateful
# inspection of TCP streams, etc.  Can statefully detect various portscan
# types, fingerprinting, ECN, etc.

# stateful inspection directive
# no arguments loads the defaults (timeout 30, memcap 8388608)
# options (options are comma delimited):
#   detect_scans - stream4 will detect stealth portscans and generate alerts
#                  when it sees them when this option is set
#   detect_state_problems - detect TCP state problems, this tends to be very
#                           noisy because there are a lot of crappy ip stack
#                           implementations out there
#
#   disable_evasion_alerts - turn off the possibly noisy mitigation of
#                            overlapping sequences.
#
#
#   min_ttl [number]       - set a minium ttl that snort will accept to
#                            stream reassembly
#
#   ttl_limit [number]     - differential of the initial ttl on a session versus
#                             the normal that someone may be playing games.
#                             Routing flap may cause lots of false positives.
# 
#   keepstats [machine|binary] - keep session statistics, add "machine" to 
#                         get them in a flat format for machine reading, add
#                         "binary" to get them in a unified binary output 
#                         format
#   noinspect - turn off stateful inspection only
#   timeout [number] - set the session timeout counter to [number] seconds,
#                      default is 30 seconds
#   memcap [number] - limit stream4 memory usage to [number] bytes
#   log_flushed_streams - if an event is detected on a stream this option will
#                         cause all packets that are stored in the stream4
#                         packet buffers to be flushed to disk.  This only 
#                         works when logging in pcap mode!
#
# Stream4 uses Generator ID 111 and uses the following SIDS 
# for that GID:
#  SID     Event description
# -----   -------------------
#   1       Stealth activity
#   2       Evasive RST packet
#   3       Evasive TCP packet retransmission
#   4       TCP Window violation
#   5       Data on SYN packet
#   6       Stealth scan: full XMAS
#   7       Stealth scan: SYN-ACK-PSH-URG
#   8       Stealth scan: FIN scan
#   9       Stealth scan: NULL scan
#   10      Stealth scan: NMAP XMAS scan
#   11      Stealth scan: Vecna scan
#   12      Stealth scan: NMAP fingerprint scan stateful detect
#   13      Stealth scan: SYN-FIN scan
#   14      TCP forward overlap

#preprocessor stream4: disable_evasion_alerts
#Imran's Edited
preprocessor stream4: detect_scans detect_state_problems

# tcp stream reassembly directive
# no arguments loads the default configuration 
#   Only reassemble the client,
#   Only reassemble the default list of ports (See below),  
#   Give alerts for "bad" streams
#
# Available options (comma delimited):
#   clientonly - reassemble traffic for the client side of a connection only
#   serveronly - reassemble traffic for the server side of a connection only
#   both - reassemble both sides of a session
#   noalerts - turn off alerts from the stream reassembly stage of stream4
#   ports[list] - use the space separated list of ports in[list], "all" 
#                  will turn on reassembly for all ports, "default" will turn
#                  on reassembly for ports 21, 23, 25, 53, 80, 143, 110, 111
#                  and 513

#preprocessor stream4_reassemble
#Imran's Edited
preprocessor stream4_reassemble: ports all

# http_inspect: normalize and detect HTTP traffic and protocol anomalies
#
# lots of options available here. See doc/README.http_inspect.
# unicode.map should be wherever your snort.conf lives, or given
# a full path to where snort can find it.
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252 

preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500

#
#  Example unqiue server configuration
#
#preprocessor http_inspect_server: server 1.1.1.1 \
#    ports { 80 3128 8080 } \
#    flow_depth 0 \
#    ascii no \
#    double_decode yes \
#    non_rfc_char { 0x00 } \
#    chunk_length 500000 \
#    non_strict \
#    oversize_dir_length 300 \
#    no_alerts


# rpc_decode: normalize RPC traffic
# ---------------------------------
# RPC may be sent in alternate encodings besides the usual 4-byte encoding
# that is used by default. This plugin takes the port numbers that RPC
# services are running on as arguments - it is assumed that the given ports
# are actually running this type of service. If not, change the ports or turn
# it off.
# The RPC decode preprocessor uses generator ID 106
#
# arguments: space separated list
# alert_fragments - alert on any rpc fragmented TCP data
# no_alert_multiple_requests - don't alert when >1 rpc query is in a packet
# no_alert_large_fragments - don't alert when the fragmented
#                            sizes exceed the current packet size
# no_alert_incomplete - don't alert when a single segment
#                       exceeds the current packet size

preprocessor rpc_decode: 111 32771

# bo: Back Orifice detector
# -------------------------
# Detects Back Orifice traffic on the network.  Takes no arguments in 2.0.
# 
# The Back Orifice detector uses Generator ID 105 and uses the 
# following SIDS for that GID:
#  SID     Event description
# -----   -------------------
#   1       Back Orifice traffic detected

preprocessor bo

# telnet_decode: Telnet negotiation string normalizer
# ---------------------------------------------------
# This preprocessor "normalizes" telnet negotiation strings from telnet and ftp
# traffic.  It works in much the same way as the http_decode preprocessor,
# searching for traffic that breaks up the normal data stream of a protocol and
# replacing it with a normalized representation of that traffic so that the
# "content" pattern matching keyword can work without requiring modifications.
# This preprocessor requires no arguments.
# Portscan uses Generator ID 109 and does not generate any SID currently.

preprocessor telnet_decode

# Flow-Portscan: detect a variety of portscans
# ---------------------------------------
# Note:  The Flow preprocessor (above) must first be enabled for Flow-Portscan to
# work.
#
# This module detects portscans based off of flow creation in the flow
# preprocessors.  The goal is to catch one->many hosts and one->many
# ports scans.
#
# Flow-Portscan has numerous options available, please read
# README.flow-portscan for help configuring this option. 

# Flow-Portscan uses Generator ID 121 and uses the following SIDS for that GID:
#  SID     Event description
# -----   -------------------
#   1       flow-portscan: Fixed Scale Scanner Limit Exceeded
#   2       flow-portscan: Sliding Scale Scanner Limit Exceeded 
#   3       flow-portscan: Fixed Scale Talker Limit Exceeded
#   4	    flow-portscan: Sliding Scale Talker Limit Exceeded

# preprocessor flow-portscan: \
#	talker-sliding-scale-factor 0.50 \
#	talker-fixed-threshold 30 \
#	talker-sliding-threshold 30 \
#	talker-sliding-window 20 \
#	talker-fixed-window 30 \
#	scoreboard-rows-talker 30000 \
#	server-watchnet [10.2.0.0/30] \
#	server-ignore-limit 200 \
#	server-rows 65535 \
#	server-learning-time 14400 \
#	server-scanner-limit 4 \
#	scanner-sliding-window 20 \
#	scanner-sliding-scale-factor 0.50 \
#	scanner-fixed-threshold 15 \
#	scanner-sliding-threshold 40 \
#	scanner-fixed-window 15 \
#	scoreboard-rows-scanner 30000 \
#	src-ignore-net [192.168.1.1/32,192.168.0.0/24] \
#	dst-ignore-net [10.0.0.0/30] \
#	alert-mode once \
#	output-mode msg \
#	tcp-penalties on

# arpspoof
#----------------------------------------
# Experimental ARP detection code from Jeff Nathan, detects ARP attacks,
# unicast ARP requests, and specific ARP mapping monitoring.  To make use of
# this preprocessor you must specify the IP and hardware address of hosts on
# the same layer 2 segment as you.  Specify one host IP MAC combo per line.
# Also takes a "-unicast" option to turn on unicast ARP request detection. 
# Arpspoof uses Generator ID 112 and uses the following SIDS for that GID:

#  SID     Event description
# -----   -------------------
#   1       Unicast ARP request
#   2       Etherframe ARP mismatch (src)
#   3       Etherframe ARP mismatch (dst)
#   4       ARP cache overwrite attack

#preprocessor arpspoof
#preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00


# Performance Statistics
# ----------------------
# Documentation for this is provided in the Snort Manual.  You should read it.
# It is included in the release distribution as doc/snort_manual.pdf
# 
# preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000

####################################################################
# Step #3: Configure output plugins
#
# Uncomment and configure the output plugins you decide to use.  General
# configuration for output plugins is of the form:
#
# output <name_of_plugin>: <configuration_options>
#
# alert_syslog: log alerts to syslog
# ----------------------------------
# Use one or more syslog facilities as arguments.  Win32 can also optionally
# specify a particular hostname/port.  Under Win32, the default hostname is
# '127.0.0.1', and the default port is 514.
#
# [Unix flavours should use this format...]
# output alert_syslog: LOG_AUTH LOG_ALERT
#
# [Win32 can use any of these formats...]
# output alert_syslog: LOG_AUTH LOG_ALERT
# output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT
# output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT

# log_tcpdump: log packets in binary tcpdump format
# -------------------------------------------------
# The only argument is the output file name.
#
# output log_tcpdump: tcpdump.log

# database: log to a variety of databases
# ---------------------------------------
# See the README.database file for more information about configuring
# and using this plugin.
#
output database: log, mysql, user=root password=lahore dbname=snort host=localhost
# output database: alert, postgresql, user=snort dbname=snort
# output database: log, odbc, user=snort dbname=snort
# output database: log, mssql, dbname=snort user=snort password=test
# output database: log, oracle, dbname=snort user=snort password=test

# unified: Snort unified binary format alerting and logging
# -------------------------------------------------------------
# The unified output plugin provides two new formats for logging and generating
# alerts from Snort, the "unified" format.  The unified format is a straight
# binary format for logging data out of Snort that is designed to be fast and
# efficient.  Used with barnyard (the new alert/log processor), most of the
# overhead for logging and alerting to various slow storage mechanisms such as
# databases or the network can now be avoided.  
#
# Check out the spo_unified.h file for the data formats.
#
# Two arguments are supported.
#    filename - base filename to write to (current time_t is appended)
#    limit    - maximum size of spool file in MB (default: 128)
#
# output alert_unified: filename snort.alert, limit 128
# output log_unified: filename snort.log, limit 128

# You can optionally define new rule types and associate one or more output
# plugins specifically to that type.
#
# This example will create a type that will log to just tcpdump.
# ruletype suspicious
# {
#   type log
#   output log_tcpdump: suspicious.log
# }
#
# EXAMPLE RULE FOR SUSPICIOUS RULETYPE:
# suspicious tcp $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server";)
#
# This example will create a rule type that will log to syslog and a mysql
# database:
# ruletype redalert
# {
#   type alert
#   output alert_syslog: LOG_AUTH LOG_ALERT
#   output database: log, mysql, user=snort dbname=snort host=localhost
# }
#
# EXAMPLE RULE FOR REDALERT RULETYPE:
# redalert tcp $HOME_NET any -> $EXTERNAL_NET 31337 \
#   (msg:"Someone is being LEET"; flags:A+;)

#
# Include classification & priority settings
# Note for Windows users:  You are advised to make this an absolute path,
# such as:  c:\snort\etc\classification.config
#

include classification.config

#
# Include reference systems
# Note for Windows users:  You are advised to make this an absolute path,
# such as:  c:\snort\etc\reference.config
#

include reference.config

####################################################################
# Step #4: Customize your rule set
#
# Up to date snort rules are available at http://www.snort.org
#
# The snort web site has documentation about how to write your own custom snort
# rules.
#
# The rules included with this distribution generate alerts based on on
# suspicious activity. Depending on your network environment, your security
# policies, and what you consider to be suspicious, some of these rules may
# either generate false positives ore may be detecting activity you consider to
# be acceptable; therefore, you are encouraged to comment out rules that are
# not applicable in your environment.
#
# The following individuals contributed many of rules in this distribution.
#
# Credits:
#   Ron Gula <rgula@securitywizards.com> of Network Security Wizards
#   Max Vision <vision@whitehats.com>
#   Martin Markgraf <martin@mail.du.gtn.com>
#   Fyodor Yarochkin <fygrave@tigerteam.net>
#   Nick Rogness <nick@rapidnet.com>
#   Jim Forster <jforster@rapidnet.com>
#   Scott McIntyre <scott@whoi.edu>
#   Tom Vandepoel <Tom.Vandepoel@ubizen.com>
#   Brian Caswell <bmc@snort.org>
#   Zeno <admin@cgisecurity.com>
#   Ryan Russell <ryan@securityfocus.com>



#=========================================
# Include all relevant rulesets here 
# 
# The following rulesets are disabled by default:
#
#   web-attacks, backdoor, shellcode, policy, porn, info, icmp-info, virus,
#   chat, multimedia, and p2p
#            
# These rules are either site policy specific or require tuning in order to not
# generate false positive alerts in most enviornments.
# 
# Please read the specific include file for more information and
# README.alert_order for how rule ordering affects how alerts are triggered.
#=========================================

include local.rules
include bad-traffic.rules
include exploit.rules
include scan.rules
include finger.rules
include ftp.rules
include telnet.rules
include rpc.rules
include rservices.rules
include dos.rules
include ddos.rules
include dns.rules
include tftp.rules

include web-cgi.rules
include web-coldfusion.rules
include web-iis.rules
include web-frontpage.rules
include web-misc.rules
include web-client.rules
include web-php.rules

include sql.rules
include x11.rules
include icmp.rules
include netbios.rules
include misc.rules
include attack-responses.rules
include oracle.rules
include mysql.rules
include snmp.rules

include smtp.rules
include imap.rules
include pop2.rules
include pop3.rules

include nntp.rules
include other-ids.rules
# include web-attacks.rules
# include backdoor.rules
# include shellcode.rules
# include policy.rules
# include porn.rules
# include info.rules
# include icmp-info.rules
 include virus.rules
# include chat.rules
# include multimedia.rules
# include p2p.rules
include experimental.rules

# Include any thresholding or suppression commands. See threshold.conf in the
# <snort src>/etc directory for details. Commands don't necessarily need to be
# contained in this conf, but a separate conf makes it easier to maintain them. 
# Note for Windows users:  You are advised to make this an absolute path,
# such as:  c:\snort\etc\threshold.conf
# Uncomment if needed.
# include threshold.conf
 
Old 04-04-2005, 01:01 AM   #8
njugs79
Member
 
Registered: Jan 2005
Posts: 37

Rep: Reputation: 15
Error loading the DB Abstraction library: from "./adodb/adodb.inc.php"

Check the DB abstraction library variable $DBlib_path in acid_conf.php

The underlying database library currently used is ADODB, that can be downloaded at http://php.weblogs.com/adodb

-------=-===============-=--------

this is the error my mozilla has given to me


This looks like an acid/php problem to me. A couple of questions:
Which version of MySQL have youy installed? In particular MySQL server, MySQL-client ad MySQL-shared??? There could be dependency problems with your OS using the new 4.0 shared libraries. Personally i chose to use MySQL-shared-3.23.*-*. I havent had any library problems so far.
Which version of php are you using?

Lastly, looking at the error it mat be worthwhile to FIRST have a look at your acid_conf.php file. Check out the $DBlib_path variable. I edited mine to look as follows:
$DBlib_path="../adodb";

If that doesnt work, then go to the link shown and download and install the quoted linbrary.
 
Old 04-04-2005, 01:08 AM   #9
ilnli
Member
 
Registered: Jul 2004
Location: Pakistan
Distribution: Slackware 10.0, SUSE 9.1, RH 7, 7.3, 8, 9, FC2
Posts: 413

Original Poster
Rep: Reputation: 32
but why snort is logging into the database.
I have use mysqlclient to connect ot mysqlserver it works fine there is no libraray problem. I have created the database snort and tables in it. But still snort is not logging please check my snort.conf file, is there any error in that?
 
Old 04-04-2005, 02:18 AM   #10
njugs79
Member
 
Registered: Jan 2005
Posts: 37

Rep: Reputation: 15
I checked it out and the only defference with what i have are the followig sections:
------------------------------------------------------------------------------
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules

include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules

include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules

include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules

include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
# include $RULE_PATH/web-attacks.rules
# include $RULE_PATH/backdoor.rules
# include $RULE_PATH/shellcode.rules
# include $RULE_PATH/policy.rules
# include $RULE_PATH/porn.rules
# include $RULE_PATH/info.rules
# include $RULE_PATH/icmp-info.rules
# include $RULE_PATH/virus.rules
# include $RULE_PATH/chat.rules
# include $RULE_PATH/multimedia.rules
# include $RULE_PATH/p2p.rules
include $RULE_PATH/experimental.rules
include $RULE_PATH/local.rules
-----------------------------------------------------------------------------

This portion is just for the rules set, so i don't think that is the problem right there. Again, i suggest that you Check the DB abstraction library variable $DBlib_path in acid_conf.php . Its worth having a look and plus THATS WHAT THE ERROR IS POINTING AT. Edit the variable as $DBlib_path="../adodb"; , save changes, restart all services and try things out again.

PS: Any idea what the following error means?

Sensor Message
curl: (7) socket error: 111


I get it when i try and configure my sensor.
 
Old 04-04-2005, 12:47 PM   #11
ilnli
Member
 
Registered: Jul 2004
Location: Pakistan
Distribution: Slackware 10.0, SUSE 9.1, RH 7, 7.3, 8, 9, FC2
Posts: 413

Original Poster
Rep: Reputation: 32
i have removed $RULE_PATH by myself cause I am controlling snort from webmin for that you have to remove $RULE_PATH variable but before removing it, snort was not logging to database.

njugs79 what you are saying I think that does not have to do anything with logging cause let's suppose i am not using acid or snortcenter, but still it should log in database I think there is some other problem which we are not getting at.
 
Old 04-05-2005, 04:38 AM   #12
njugs79
Member
 
Registered: Jan 2005
Posts: 37

Rep: Reputation: 15
Check out this site. ( http://www.snort.org/reg-bin/forums.cgi ) I saw that it may have a couple of relevant threads for this particular topic. I was just going through the forums. Meanwhile, i will keep checking. I wasjust going over the config file and everything seems pretty much ok. Wish i new how exactly you installed everything.
 
Old 04-07-2005, 02:44 PM   #13
ilnli
Member
 
Registered: Jul 2004
Location: Pakistan
Distribution: Slackware 10.0, SUSE 9.1, RH 7, 7.3, 8, 9, FC2
Posts: 413

Original Poster
Rep: Reputation: 32
my snort has started loggin after removing -A option from
/etc/rc.d/rc.snortd file.

Thanx everyone for your time.
 
Old 04-08-2005, 12:54 AM   #14
njugs79
Member
 
Registered: Jan 2005
Posts: 37

Rep: Reputation: 15
Happy snorting then!

Any ideas on the snort sensor message error:

Sensor Message
curl: (7) socket error: 111
 
Old 04-08-2005, 12:55 PM   #15
ilnli
Member
 
Registered: Jul 2004
Location: Pakistan
Distribution: Slackware 10.0, SUSE 9.1, RH 7, 7.3, 8, 9, FC2
Posts: 413

Original Poster
Rep: Reputation: 32
sorry jugs79 as i have'nt came across this error before but I have posted your msg on snort-users@lists.sourceforge.net, I hope soon we will get a reply.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Snort database: Closing connection to database "" Homer Glemkin Linux - Security 2 07-14-2005 06:58 PM
Snort not logging Dogit Linux - Security 11 03-06-2005 03:22 PM
Snort Database Help roastmules Linux - Security 2 02-24-2005 01:05 PM
snort with mysql database zuessh Linux - Security 4 10-18-2004 12:36 AM
snort not logging? zuessh Linux - Security 9 05-30-2003 06:27 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - General

All times are GMT -5. The time now is 07:22 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration