LinuxQuestions.org, Linux - Security forum
Old 09-06-2004, 05:57 AM   #1
linuxtommy
configuring my snort to log to mysql


Hi!
I've been trying to get my SNORT to log to a mysql database. I'm working on an assignment and really need this to work. It doesn't matter whether the database is local or not. My problem is that I don't seem to get SNORT to start my database. It looks like this when I run snort:
[root@localhost root]# snort -vi eth1 -A full -c /root/snort-2.2.0/etc/snort.conf
Running in IDS mode
Log directory = /var/log/snort

Initializing Network Interface eth1

--== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface eth1
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /root/snort-2.2.0/etc/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
,-----------[Flow Config]----------------------
| Stats Interval: 0
| Hash Method: 2
| Memcap: 10485760
| Rows : 4099
| Overhead Bytes: 16400(%0.16)
`----------------------------------------------
No arguments to frag2 directive, setting defaults to:
Fragment timeout: 60 seconds
Fragment memory cap: 4194304 bytes
Fragment min_ttl: 0
Fragment ttl_limit: 5
Fragment Problems: 0
Self preservation threshold: 500
Self preservation period: 90
Suspend threshold: 1000
Suspend period: 30
WARNING /root/snort-2.2.0/etc/snort.conf(261) => Unknown stream4: option: enable_evasion_alerts
Stream4 config:
Stateful inspection: ACTIVE
Session statistics: INACTIVE
Session timeout: 30 seconds
Session memory cap: 8388608 bytes
State alerts: INACTIVE
Evasion alerts: ACTIVE
Scan alerts: INACTIVE
Log Flushed Streams: INACTIVE
MinTTL: 1
TTL Limit: 5
Async Link: 0
State Protection: 0
Self preservation threshold: 50
Self preservation period: 90
Suspend threshold: 200
Suspend period: 30
Stream4_reassemble config:
Server reassembly: INACTIVE
Client reassembly: ACTIVE
Reassembler alerts: ACTIVE
Zero out flushed packets: INACTIVE
flush_data_diff_size: 500
Ports: 21 23 25 53 80 110 111 143 513 1433
Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
HttpInspect Config:
GLOBAL CONFIG
Max Pipeline Requests: 0
Inspection Type: STATELESS
Detect Proxy Usage: NO
IIS Unicode Map Filename: /root/snort-2.2.0/etc/unicode.map
IIS Unicode Map Codepage: 1252
DEFAULT SERVER CONFIG:
Ports: 80 8080 8180
Flow Depth: 300
Max Chunk Length: 500000
Inspect Pipeline Requests: YES
URI Discovery Strict Mode: NO
Allow Proxy Usage: NO
Disable Alerting: NO
Oversize Dir Length: 500
Only inspect URI: NO
Ascii: YES alert: NO
Double Decoding: YES alert: YES
%U Encoding: YES alert: YES
Bare Byte: YES alert: YES
Base36: OFF
UTF 8: OFF
IIS Unicode: YES alert: YES
Multiple Slash: YES alert: NO
IIS Backslash: YES alert: NO
Directory: YES alert: NO
Apache WhiteSpace: YES alert: YES
IIS Delimiter: YES alert: YES
IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
Non-RFC Compliant Characters: NONE
rpc_decode arguments:
Ports to decode RPC on: 111 32771
alert_fragments: INACTIVE
alert_large_fragments: ACTIVE
alert_incomplete: ACTIVE
alert_multiple_requests: ACTIVE
telnet_decode arguments:
Ports to decode telnet on: 21 23 25 119
command line overrides rules file alert plugin!
command line overrides rules file alert plugin!
command line overrides rules file alert plugin!
command line overrides rules file alert plugin!
command line overrides rules file alert plugin!
2044 Snort rules read...
2044 Option Chains linked into 221 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++


+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| gen-id=1 sig-id=2523 type=Both tracking=dst count=10 seconds=10
| gen-id=1 sig-id=2275 type=Threshold tracking=dst count=5 seconds=60
+-----------------------[suppression]------------------------------------------
-------------------------------------------------------------------------------
Rule application order: ->activation->dynamic->alert->pass->log->redalert

--== Initialization Complete ==--

-*> Snort! <*-
Version 2.1.3 (Build 27)
By Martin Roesch
My snort.conf looks like this:

var HOME_NET any

var EXTERNAL_NET any

var DNS_SERVERS $HOME_NET

var SMTP_SERVERS $HOME_NET

var HTTP_SERVERS $HOME_NET

var SQL_SERVERS $HOME_NET

var TELNET_SERVERS $HOME_NET

var SNMP_SERVERS $HOME_NET

var HTTP_PORTS 80


var SHELLCODE_PORTS !80


var ORACLE_PORTS 1521

var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]

var RULE_PATH ../rules

preprocessor flow: stats_interval 0 hash 2

preprocessor frag2

preprocessor stream4: enable_evasion_alerts


preprocessor stream4_reassemble

preprocessor http_inspect: global \
iis_unicode_map unicode.map 1252

preprocessor http_inspect_server: server default \
profile all ports { 80 8080 8180 } oversize_dir_length 500

preprocessor rpc_decode: 111 32771


preprocessor bo

preprocessor telnet_decode

host=10.231.144.22
host=10.231.144.22
output database: log, mysql, user=root password=mysql dbname=snort host=localhost
output database: alert, mysql, user=root password=mysql dbname=snort host=localhost
ruletype redalert
{
type alert
output alert_syslog: LOG_AUTH LOG_ALERT
host=10.231.144.22
host=10.231.144.22
output database: log, mysql, user=root password=mysql dbname=snort host=localhost
output database: log, mysql, user=root password=mysql dbname=snort host=localhost
}
include classification.config

include reference.config

include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules

include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules

include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules

include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules

include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/shellcode.rules
include $RULE_PATH/policy.rules
include $RULE_PATH/porn.rules
include $RULE_PATH/info.rules
include $RULE_PATH/icmp-info.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/chat.rules
include $RULE_PATH/multimedia.rules
include $RULE_PATH/p2p.rules
include $RULE_PATH/experimental.rules
include $RULE_PATH/ping.rules

Can anyone help me?
 
Old 09-06-2004, 08:04 AM   #2
Hangdog42
Quote:
My problem is that I don't seem to get SNORT to start my database
Maybe I'm misunderstanding you, but you have to have mySQL up and running (with a properly configured database) for Snort to use. Snort isn't going to start the database for you.

There is an excellent how-to on the Snort site on getting Snort, MySQL and Aide to run on an RH system. Even if you aren't using RH, it will give you plenty of advice on how to get this working.
 
Old 09-06-2004, 09:15 AM   #3
linuxtommy
The mysql database is up and running, with the correct database and tables (described in the documents directory in snort) from the ./contrib/create_mysql file.

I manage to generate verbose alerts, so I see them. But they don't get stored in my database.

I've tried using the documents on the snort homepages, without any success.
 
Old 09-06-2004, 01:33 PM   #4
Hangdog42
OK, if mysql is running, can you log into it with the same account you are having snort use? Also have a look in your mysql error logs (usually in the directory with your databases) and see what kind of complaining is going on.
 
Old 09-08-2004, 02:27 AM   #5
linuxtommy
I have no problems logging into snort myself. I can log in and view the tables, only none of them contain anything. I've gone through my error logs, but there doesn't seem to be a problem. The only thing it complains about is being given another memory address than it asks for.

I think the problem is that snort doesn't understand that I want it to write to the database. When I start snort I do not get a message that says that it is logged in to my database. Nor do I get an error saying that it can't log in.
 
Old 09-08-2004, 08:14 AM   #6
Hangdog42
I'll post the relevant section of my snort configuration file when I get home tonight, but I believe that all it involved was uncommenting the mysql line and changing the user and passwords to match the snort mysql user.
 
Old 09-08-2004, 05:04 PM   #7
Hangdog42
Look carefully at the line I've got uncommented. It is a bit in front of the line you show in your snort.conf and I'm guessing that you need to do what I did.

Code:
# Step #3: Configure output plugins
#
# Uncomment and configure the output plugins you decide to use.
# General configuration for output plugins is of the form:
#
# output <name_of_plugin>: <configuration_options>
#
# alert_syslog: log alerts to syslog
# ----------------------------------
# Use one or more syslog facilities as arguments.  Win32 can also
# optionally specify a particular hostname/port.  Under Win32, the
# default hostname is '127.0.0.1', and the default port is 514.
#
# [Unix flavours should use this format...]
# output alert_syslog: LOG_AUTH LOG_ALERT
#
# [Win32 can use any of these formats...]
# output alert_syslog: LOG_AUTH LOG_ALERT
# output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT
# output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT

# log_tcpdump: log packets in binary tcpdump format
# -------------------------------------------------
# The only argument is the output file name.
#
# output log_tcpdump: tcpdump.log

# database: log to a variety of databases
# ---------------------------------------
# See the README.database file for more information about configuring
# and using this plugin.
#
 output database: log, mysql, user=snort password=snortpassword dbname=snort host=localhost
# output database: alert, postgresql, user=snort dbname=snort
# output database: log, unixodbc, user=snort dbname=snort
# output database: log, mssql, dbname=snort user=snort password=test
 
Old 09-09-2004, 03:31 AM   #8
linuxtommy
Thank you very much for your help.

I have now solved the problem. I had to change a line in my Makefile after running configure.

In line 171 you find:
LIBS = -lz -lpcre -lpcap -lm -lnsl -lmysqlclient

This I changed to:
LIBS = -lz -lpcap -lm -lnsl -lmysqlclient -lz -lpcre

I'm not exactly sure why this works, but it has something to do with the order in which the libs are installed.
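A small diagnostic for the two points this thread turned on, added here as an example and not taken from any post: whether the snort binary is actually linked against libmysqlclient (what the Makefile LIBS change addresses) and whether snort.conf contains an uncommented mysql "output database:" line (the line Hangdog42 pointed at). The ldd output and snort.conf fragments inside the block are constructed samples; the commented-out calls at the end show the same checks against a live system.

```shell
#!/bin/sh
# Added example, not part of the thread. Checks take their input as text so
# they can run against captured output as well as a live system.

# Return 0 if the ldd output passed as $1 names libmysqlclient, i.e. the
# binary was built with MySQL support and linked against the client library.
has_mysql_lib() {
    printf '%s\n' "$1" | grep -q 'libmysqlclient'
}

# Print the number of active (non-comment) mysql database output lines in the
# snort.conf text passed as $1. Leading whitespace is allowed, as in the
# " output database:" line quoted in the thread. Prints 0 when none match.
count_mysql_outputs() {
    printf '%s\n' "$1" \
        | grep -c '^[[:space:]]*output[[:space:]]*database:.*mysql' || true
}

# Constructed sample inputs (not from a real system).
LDD_LINKED='        libpcap.so.0.8 => /usr/lib/libpcap.so.0.8 (0x00007f00)
        libmysqlclient.so.21 => /usr/lib/libmysqlclient.so.21 (0x00007f01)
        libc.so.6 => /lib/libc.so.6 (0x00007f02)'
LDD_NOT_LINKED='        libpcap.so.0.8 => /usr/lib/libpcap.so.0.8 (0x00007f00)
        libc.so.6 => /lib/libc.so.6 (0x00007f02)'
CONF_ACTIVE=' output database: log, mysql, user=snort password=snortpassword dbname=snort host=localhost
# output database: alert, postgresql, user=snort dbname=snort'
CONF_COMMENTED='# output database: log, mysql, user=snort password=snortpassword dbname=snort host=localhost'

# Against a live system (only meaningful where snort is installed):
#   has_mysql_lib "$(ldd "$(command -v snort)")" && echo "mysql client linked"
#   echo "active mysql output lines: $(count_mysql_outputs "$(cat /etc/snort/snort.conf)")"
```

If the first check fails, no amount of editing snort.conf will make the database plugin write anything, since the binary has no MySQL client code to call.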