LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 09-17-2004, 08:30 AM   #1
FragInHell
Member
 
Registered: Sep 2003
Location: Sydney Australia
Distribution: Redhat, Centos, Solaris, Ubuntu, SUSE
Posts: 282

Rep: Reputation: 45
Snort and Logging to Mysql.


Hi Guys,
I've been racking my brain now for a few days and I can't seem to get any further.
I've running Fedora Core 2, I've installed Mysql from the standard distro rpm and I'm using phpmyadmin and all is working fine. I've also installed snort and configured it to log into mysql ('ive created the tables etc from the contrib directory).
I ran snort -c /etc/snort/snort.conf -T with the following results (I'm sure its logging into mysql as i can see it from phpmyadmin and it creates an entry in the sensor table.)

database: compiled support for ( mysql )
database: configured to use mysql
database: user = snort
database: password is set
database: database name = snort
database: host = localhost
database: sensor name = xxx.xxx.xxx.xxx
database: sensor id = 3
database: schema version = 106
database: using the "log" facility

I've checked the /var/log/snort/alerts file and snort is generating alerts but I'm not seeing any events on the mysql events table (I've also using Acid which is not reporting any alerts)
I'm running this on my latop which is DHCP but I've assigned the netwtorks that I use in my snort file (below for reference).
Any help is welcomed, thanks.

var HOME_NET [xxx.xxx.xxx.xxx/8,xxx.xxx.xxx.xxx/24]

var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var RULE_PATH /etc/snort/rules
preprocessor flow: stats_interval 0 hash 2
preprocessor frag2
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_inspect: global \
iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
output database: log, mysql, user=xxxxx password=xxxxxx dbname=xxxxx host=localhost
include classification.config
include reference.config
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/experimental.rules
 
Old 09-17-2004, 09:55 AM   #2
zuessh
Member
 
Registered: Jun 2002
Location: USA
Distribution: Suse 8.0
Posts: 247

Rep: Reputation: 30
Just a quick thought, did you edit the acid_conf.php to include your database information?
 
Old 09-17-2004, 02:41 PM   #3
FragInHell
Member
 
Registered: Sep 2003
Location: Sydney Australia
Distribution: Redhat, Centos, Solaris, Ubuntu, SUSE
Posts: 282

Original Poster
Rep: Reputation: 45
I did. I don't thing the problem is Acid. Is I'm looking at the tables in phpmyadmin (or directly). I think the problem is from snort to mysql. I did use the contrib stuff to create the mysql database and the extra stuff to to populate it etc, and I can see the sensor table has a few ip's so I'm sure its access the DB ok, just why is not logging is the problem. Thanks for the suggestion anyway.
 
Old 09-18-2004, 05:16 PM   #4
moonloader
Member
 
Registered: Nov 2003
Location: linuxquestions.org
Distribution: Linux and BSD
Posts: 229

Rep: Reputation: 30
hi!
try to find this book called snort_acid_rh9.pdf and follow the instractions,if you just need snort and mysql then read those sections.it is really easy in Fedora core!

I think you cab find this snort_acid_rh9.pdf book from www.snort.org

good luck!
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
snort logging to database ilnli Linux - General 14 04-08-2005 12:55 PM
Snort not logging Dogit Linux - Security 11 03-06-2005 03:22 PM
snort alert and logging wilcsnyder Linux - Security 1 08-16-2004 07:08 PM
Snort: ACID, not logging. securityguru Linux - Security 1 07-25-2003 08:36 AM
snort not logging? zuessh Linux - Security 9 05-30-2003 06:27 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 04:13 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration