From: alexus (mldb.nexgen.com)
Date: Tue Apr 10 2001 - 00:31:20 CDT


    this is ldd output for you

    bash-2.04$ ldd /usr/local/bin/snort
    /usr/local/bin/snort:
            libpcap.so.2 => /usr/lib/libpcap.so.2 (0x28102000)
            libm.so.2 => /usr/lib/libm.so.2 (0x2811b000)
            libmysqlclient.so.10 => /usr/local/mysql/lib/mysql/libmysqlclient.so.10 (0x28136000)
            libc.so.4 => /usr/lib/libc.so.4 (0x28151000)
            libz.so.2 => /usr/lib/libz.so.2 (0x281e6000)
            libcrypt.so.2 => /usr/lib/libcrypt.so.2 (0x281f3000)
    bash-2.04$

    heh ok

    I'm going to try snort-daily.tar.gz now..
    ----- Original Message -----
    From: "shawn . moyer" <shawnnet-connect.net>
    To: "alexus" <mldb.nexgen.com>
    Cc: "Roman Danyliw" <romandanyliw.com>; <joeySiliconDefense.com>;
    <snort-userslists.sourceforge.net>
    Sent: Tuesday, April 10, 2001 1:21 AM
    Subject: Re: [Snort-users] snort won't log anything in mysql

    >
    > Prolly on snort.org as well, but I usually get it from the Sourceforge
    > page:
    >
    > http://snort.sourceforge.net/snort-daily.tar.gz
    >
    > Okay, one more: can you paste the output of "ldd /your/path/to/snort" ?
    > Just curious.
    >
    > Man, when you *do* get this working, please post to the list. This has
    > got to be the longest installation-type support thread I've seen.
    >
    >
    >
    > --shawn
    >
    >
    > alexus wrote:
    > >
    > > I'm wondering how exactly you detect that my version of spo_database.c is old..
    > >
    > > and another question: how can I update my spo_database.c?
    > >
    > > although I got snort 1.7
    > >
    > > I don't see any newer snort version on their website
    > >
    > > ----- Original Message -----
    > > From: "Roman Danyliw" <romandanyliw.com>
    > > To: "alexus" <mldb.nexgen.com>; "shawn . moyer" <shawnnet-connect.net>;
    > > <joeySiliconDefense.com>
    > > Cc: <snort-userslists.sourceforge.net>
    > > Sent: Monday, April 09, 2001 11:43 PM
    > > Subject: RE: [Snort-users] snort won't log anything in mysql
    > >
    > > > The database plug-in (spo_database.c) in the latest version of Snort from CVS
    > > >
    > > > > -----Original Message-----
    > > > > From: alexus [mailto:mldb.nexgen.com]
    > > > > Sent: Monday, April 09, 2001 10:19 PM
    > > > > To: Roman Danyliw; shawn . moyer; joeySiliconDefense.com
    > > > > Cc: snort-userslists.sourceforge.net
    > > > > Subject: Re: [Snort-users] snort won't log anything in mysql
    > > > >
    > > > >
    > > > > I run snort 1.7
    > > > > I run acid 0.9.6b7
    > > > > I run adodb 095
    > > > > I run mysql 3.23.36
    > > > >
    > > > > all latest software...
    > > > >
    > > > > which DB plug-in are we talking about?
    > > > >
    > > > > ----- Original Message -----
    > > > > From: "Roman Danyliw" <romandanyliw.com>
    > > > > To: "alexus" <mldb.nexgen.com>; "shawn . moyer" <shawnnet-connect.net>;
    > > > > <joeySiliconDefense.com>
    > > > > Cc: <snort-userslists.sourceforge.net>
    > > > > Sent: Monday, April 09, 2001 8:27 PM
    > > > > Subject: RE: [Snort-users] snort won't log anything in mysql
    > > > >
    > > > >
    > > > > > From your snort output, it looks like you are not running the latest code in
    > > > > > CVS (i.e.: not the latest DB plug-in code). Check the latest copy and then
    > > > > > try Joe's test case.
    > > > > >
    > > > > > Roman
    > > > > >
    > > > > > > -----Original Message-----
    > > > > > > From: alexus [mailto:mldb.nexgen.com]
    > > > > > > Sent: Monday, April 09, 2001 4:57 PM
    > > > > > > To: shawn . moyer
    > > > > > > Cc: snort-userslists.sourceforge.net; romandanyliw.com
    > > > > > > Subject: Re: [Snort-users] snort won't log anything in mysql
    > > > > > >
    > > > > > >
    > > > > > > yes, I went to that website and did all those steps..
    > > > > > >
    > > > > > > mysql> select * from user where user='alexus';
    > > > > > >
    > > > > > > +-----------+--------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+
    > > > > > > | Host      | User   | Password         | Select_priv | Insert_priv | Update_priv | Delete_priv | Create_priv | Drop_priv | Reload_priv | Shutdown_priv | Process_priv | File_priv | Grant_priv | References_priv | Index_priv | Alter_priv |
    > > > > > > +-----------+--------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+
    > > > > > > | localhost | alexus | 34484ed463a66850 | Y           | Y           | N           | Y           | N           | N         | N           | N             | N            | N         | N          | N               | N          | N          |
    > > > > > > +-----------+--------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+
    > > > > > > 1 row in set (0.00 sec)
    > > > > > >
    > > > > > > mysql>
    > > > > > >
    > > > > > > here is snort without -D
    > > > > > >
    > > > > > > su-2.04# snort -c snort.conf
    > > > > > >
    > > > > > > --== Initializing Snort ==--
    > > > > > >
    > > > > > > Initializing Network Interface fxp0
    > > > > > > Decoding Ethernet on interface fxp0
    > > > > > > Initializing Preprocessors!
    > > > > > > Initializing Plug-ins!
    > > > > > > Initializating Output Plugins!
    > > > > > >
    > > > > > > +++++++++++++++++++++++++++++++++++++++++++++++++++
    > > > > > > Initializing rule chains...
    > > > > > > database: compiled support for ( mysql )
    > > > > > > database: configured to use mysql
    > > > > > > database: user = xxx
    > > > > > > database: database name = xxx
    > > > > > > database: host = xxx
    > > > > > > database: password is set
    > > > > > > database: sensor name = xxx.xx.xxx.xx
    > > > > > > database: sensor id = 1
    > > > > > > database: using the "log" facility
    > > > > > > 845 Snort rules read...
    > > > > > > 845 Option Chains linked into 130 Chain Headers
    > > > > > > 0 Dynamic rules
    > > > > > > +++++++++++++++++++++++++++++++++++++++++++++++++++
    > > > > > >
    > > > > > > Rule application order: ->activation->dynamic->alert->log->pass->redalert
    > > > > > >
    > > > > > > --== Initialization Complete ==--
    > > > > > >
    > > > > > > -*> Snort! <*-
    > > > > > > Version 1.7
    > > > > > > By Martin Roesch (roeschclark.net, www.snort.org)
    > > > > > >
    > > > > > >
    > > > > > >
    > > > > > >
    > > > > > >
    > > > > > > ----- Original Message -----
    > > > > > > From: "shawn . moyer" <shawnnet-connect.net>
    > > > > > > To: "alexus" <mldb.nexgen.com>
    > > > > > > Cc: <snort-userslists.sourceforge.net>; <romandanyliw.com>
    > > > > > > Sent: Monday, April 09, 2001 3:33 PM
    > > > > > > Subject: Re: [Snort-users] snort won't log anything in mysql
    > > > > > >
    > > > > > >
    > > > > > > > Have you followed all the docs to set the database up from
    > > > > > > >
    > > > > > > > http://www.incident.org/snortdb ?
    > > > > > > >
    > > > > > > > i.e. do you have a user in mysql that has create, insert, and select
    > > > > > > > privileges, and have you run the create_mysql script from the contrib
    > > > > > > > directory?
    > > > > > > >
    > > > > > > > Also, you might try running snort in the foreground (without the -D) and
    > > > > > > > see what messages you see.
    > > > > > > >
    > > > > > > >
    > > > > > > >
    > > > > > > > --shawn
    > > > > > > >
    > > > > > > > alexus wrote:
    > > > > > > > >
    > > > > > > > > mysql> select * from event;
    > > > > > > > > Empty set (0.00 sec)
    > > > > > > > >
    > > > > > > > > mysql>
    > > > > > > > >
    > > > > > > > > when I used to use -s I saw snort messages there... but now no more
    > > > > > > > > since I removed -s
    > > > > > > > >
    > > > > > > > > ----- Original Message -----
    > > > > > > > > From: <romandanyliw.com>
    > > > > > > > > To: "alexus" <mldb.nexgen.com>; "shawn . moyer"
    > > > > > > <shawnnet-connect.net>;
    > > > > > > > > <snort-userslists.sourceforge.net>
    > > > > > > > > Sent: Monday, April 09, 2001 8:32 AM
    > > > > > > > > Subject: Re: [Snort-users] SNORT WON'T LOG ANYTHING IN MYSQL
    > > > > > > > >
    > > > > > > > > > There is indeed a verbose mode in ACID. Set $debug_mode=1
    > > > > > > > > > in acid_conf.php. However, I doubt this will help you much if
    > > > > > > > > > Snort is not logging to the database correctly. Try the following
    > > > > > > > > > SQL from the mysql client:
    > > > > > > > > >
    > > > > > > > > > mysql> SELECT count(*) FROM event;
    > > > > > > > > >
    > > > > > > > > > If the count is 0, it is a safe bet that Snort is misconfigured. As
    > > > > > > > > > a side note, are you seeing these alerts in syslog or a flat file?
    > > > > > > > > >
    > > > > > > > > > Roman
    > > > > > > > > >
    > > > > > > > > > > I've tried -Dc..
    > > > > > > > > > >
    > > > > > > > > > > I still don't think it logs anything...
    > > > > > > > > > >
    > > > > > > > > > > is there any verbose mode for acid, so I can see what's going on?
    > > > > > > > > > >
    > > > > > > > > > >
    > > > > > > > > > > ----- Original Message -----
    > > > > > > > > > > From: "shawn . moyer" <shawnnet-connect.net>
    > > > > > > > > > > To: "alexus" <mldb.nexgen.com>
    > > > > > > > > > > Cc: <snort-userslists.sourceforge.net>
    > > > > > > > > > > Sent: Monday, April 09, 2001 10:45 AM
    > > > > > > > > > > Subject: Re: [Snort-users] SNORT WON'T LOG ANYTHING IN MYSQL
    > > > > > > > > > >
    > > > > > > > > > >
    > > > > > > > > > > > alexus wrote:
    > > > > > > > > > > >
    > > > > > > > > > > > > snort -Dsc snort.conf
    > > > > > > > > > > >
    > > > > > > > > > > > < snort -Dsc snort.conf
    > > > > > > > > > > > > snort -Dc snort.conf
    > > > > > > > > > > >
    > > > > > > > > > > > The -s tells it to log to syslog instead of what you specify in
    > > > > > > > > > > > snort.conf.
    > > > > > > > > > > >
    > > > > > > > > > > > You know when you start it and you get the message that says "Command
    > > > > > > > > > > > line options override plugin(s)!"? That's why.
    > > > > > > > > > > >
    > > > > > > > > > > >
    > > > > > > > > > > >
    > > > > > > > > > > > p.s. CAPS = SHOUTING
    > > > > > > > > > > >
    > > > > > > > > > > > --shawn
    > > > > > > > > > > >
    > > > > > > > > > > > --
    > > > > > > > > > > >
    > > > > > > > > > > > s h a w n m o y e r
    > > > > > > > > > > > shawnnet-connect.net
    > > > > > > > > > > >
    > > > > > > > > > > > "Nuclear war would really set back cable."
    > > > > > > > > > > > -- Ted Turner
    > > > > > > > > > > >
    > > > > > > > > > >
    > > > > > > > > > >
    > > > > > > > > > > _______________________________________________
    > > > > > > > > > > Snort-users mailing list
    > > > > > > > > > > Snort-userslists.sourceforge.net
    > > > > > > > > > > Go to this URL to change user options or unsubscribe:
    > > > > > > > > > > http://lists.sourceforge.net/lists/listinfo/snort-users
    > > > > > > > > > > Snort-users list archive:
    > > > > > > > > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
    > > > > > > > > > >
    > > > > > > > > >
    > > > > > > > > >
    > > > > > > > > >
    > > > > > > > > >
    > > > > > > > > >
    > > > > > > > > >
    > > > > > > > >
    > > > > > > > > _______________________________________________
    > > > > > > > > Snort-users mailing list
    > > > > > > > > Snort-userslists.sourceforge.net
    > > > > > > > > Go to this URL to change user options or unsubscribe:
    > > > > > > > > http://lists.sourceforge.net/lists/listinfo/snort-users
    > > > > > > > > Snort-users list archive:
    > > > > > > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
    > > > > > > >
    >

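The privilege check shawn asks about (a mysql user with create, insert and select) can be automated against the `select * from user` output quoted in the thread. The following is an added example and not code from the thread or from Snort/ACID; `SAMPLE_OUTPUT` is constructed to mirror the privilege flags in the quoted row, with the password hash replaced by a placeholder, and `REQUIRED_PRIVS` is an assumption taken from shawn's list.

```python
# Added example (not from the thread): parse the mysql client's box-drawn
# `select * from user` output and report which of the privileges shawn listed
# (select, insert, create) a given user lacks. SAMPLE_OUTPUT is constructed to
# mirror the privilege flags in the quoted row; the hash is a placeholder.
from typing import Dict, List

REQUIRED_PRIVS = ("Select_priv", "Insert_priv", "Create_priv")  # assumed from shawn's list

SAMPLE_OUTPUT = """\
+-----------+--------+------------------+-------------+-------------+-------------+
| Host      | User   | Password         | Select_priv | Insert_priv | Create_priv |
+-----------+--------+------------------+-------------+-------------+-------------+
| localhost | alexus | <password-hash>  | Y           | Y           | N           |
+-----------+--------+------------------+-------------+-------------+-------------+
1 row in set (0.00 sec)
"""


def parse_mysql_table(text: str) -> List[Dict[str, str]]:
    """One dict per data row keyed by header; borders and the trailer are skipped."""
    rows: List[Dict[str, str]] = []
    header: List[str] = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue  # "+---+" border or "N rows in set" trailer
        cells = [c.strip() for c in line.strip("|").split("|")]
        if not header:
            header = cells  # first pipe-delimited line is the column list
        elif len(cells) != len(header):
            raise ValueError(f"row has {len(cells)} cells, header has {len(header)}")
        else:
            rows.append(dict(zip(header, cells)))
    return rows


def missing_privileges(row: Dict[str, str], required=REQUIRED_PRIVS) -> List[str]:
    """Required privilege columns whose flag is anything other than 'Y'."""
    return [p for p in required if row.get(p, "N").upper() != "Y"]


def check_user(text: str, user: str) -> List[str]:
    """Locate `user` in the parsed output and return the required privileges it lacks."""
    for row in parse_mysql_table(text):
        if row.get("User") == user:
            return missing_privileges(row)
    raise LookupError(f"no row for user {user!r}")
```

Feed it the real output of `mysql -e "select * from user where user='...'" mysql` to see which of the three privileges are missing before looking further at the Snort side.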