Page 1 of 2 12 LastLast
Results 1 to 10 of 12

Thread: Snort + MySql Server error...

  1. #1

    Snort + MySql Server error...

    SUP...

    I have installed Snort on my linux firewall machine. I am managing it using a windows machine behind it. I used this as a reference

    http://www.sans.org/rr/intrusion/practical_guide.php

    I have worked my way through the whole thing but the second to last step i run into a problem: here is the command im suppose to issue

    snort-mysql+flexresp –v –c /etc/snort/snort.conf

    but i get this error:

    database: compiled support for ( mysql )
    database: configured to use mysql
    database: database name = snort
    database: user = sensor1
    database: host = 192.168.0.69
    database: port = 3306
    database: password is set
    database: sensor name = sensor1
    database: mysql_error: Access denied for user: 'sensor1@192.168.0.1' (Using password: YES)
    Fatal Error, Quitting..

    Now im not sure what to check: for this error im lost on this one: i got a few other ones though this reference but figured those out but not this one: can someone help me and maybe give me an idea on what setting to check:

    Thanks

  2. #2
    Senior Member
    Join Date
    Jul 2001
    Posts
    461
    well, iirc......

    you need to get into the mysql command line by typing

    mysql (then hit enter)

    and then, connnect to the database snort shoudl use by typing

    use <name of database here>

    and then, in order to give full access to the user in question(user you are trying to allow from snort)

    /GRANT ALL to <username>@<ipaddress> IDENTIFIED BY <password>

    That should do it, but, you really need to figure out what to do with mysql, as I can't tell you how to do it/make it secure off the top of my head.....

  3. #3
    snort-mysql+flexresp -v -c /etc/snort/snort.conf
    Initializing Output Plugins!
    Log directory = /var/log/snort

    Initializing Network Interface eth0

    --== Initializing Snort ==--
    Decoding Ethernet on interface eth0
    Initializing Preprocessors!
    Initializing Plug-ins!
    Parsing Rules file /etc/snort/snort.conf

    +++++++++++++++++++++++++++++++++++++++++++++++++++
    Initializing rule chains...
    http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80
    rpc_decode arguments:
    Ports to decode RPC on: 111
    Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: ACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    No arguments to stream4_reassemble, setting defaults:
    Reassemble client: ACTIVE
    Reassemble server: INACTIVE
    Reassemble ports: 21 23 25 53 80 143 110 111 513
    Reassembly alerts: ACTIVE
    Reassembly method: FAVOR_OLD
    Using LOCAL time
    No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl: 0
    Fragment ttl_limit: 5
    Fragment Problems: 0
    telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
    database: compiled support for ( mysql )
    database: configured to use mysql
    database: database name = snort
    database: user = sensor1
    database: host = 192.168.0.69
    database: port = 3306
    database: sensor name = sensor1
    database: detail level = full
    database: mysql_error: Table 'snort.sensor' doesn't exist
    database: mysql_error: Table 'snort.sensor' doesn't exist
    SQL=INSERT INTO sensor (hostname, interface, detail, encoding) VALUES ('sensor1','eth0','1','0')
    database: mysql_error: Table 'snort.sensor' doesn't exist
    database: Problem obtaining SENSOR ID (sid) from snort->sensor

    When this plugin starts, a SELECT query is run to find the sensor id for the
    currently running sensor. If the sensor id is not found, the plugin will run
    an INSERT query to insert the proper data and generate a new sensor id. Then a
    SELECT query is run to get the newly allocated sensor id. If that fails then
    this error message is generated.

    Some possible causes for this error are:
    * the user does not have proper INSERT or SELECT privileges
    * the sensor table does not exist

    If you are _absolutely_ certain that you have the proper privileges set and
    that your database structure is built properly please let me know if you
    continue to get this error. You can contact me at (roman@danyliw.com).

    Fatal Error, Quitting..


    That is the error i get: now i went into
    c:\mysql\bin
    mysql
    ---> /GRANT ALL sensor1@192.168.0.1 <---- the ip of my LAN gateway

  4. #4
    Hey guys i have re-installed everything...and that error is gone. But i here is where i am nothing is logging and i get an error at the end of this command: when i use putty to connect as root to my linux machine from my windows 2000 which im using for managment:

    192.168.0.69 is windows machine (whereim managing snort)
    192.168.0.1 is my LAN interface eth1
    eth0 is my internet interface
    snort-mysql+flexresp –v –c /etc/snort/snort.conf

    Initializing Output Plugins!
    Log directory = /var/log/snort

    Initializing Network Interface eth0 #<-----this is my INTERNET interface eth0 and eth1 is my ####################### lan interface

    --== Initializing Snort ==--
    Decoding Ethernet on interface eth0
    Initializing Preprocessors!
    Initializing Plug-ins!
    Parsing Rules file /etc/snort/snort.conf

    +++++++++++++++++++++++++++++++++++++++++++++++++++
    Initializing rule chains...
    http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80
    rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    No arguments to stream4_reassemble, setting defaults:
    Reassemble client: ACTIVE
    Reassemble server: INACTIVE
    Reassemble ports: 21 23 25 53 80 143 110 111 513
    Reassembly alerts: ACTIVE
    Reassembly method: FAVOR_OLD
    Conversation Config:
    KeepStats: 0
    Conv Count: 32000
    Timeout : 60
    Alert Odd?: 0
    Allowed IP Protocols: All

    Portscan2 config:
    log: /var/log/snort/scan.log
    scanners_max: 3200
    targets_max: 5000
    target_limit: 5
    port_limit: 20
    timeout: 60
    No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl: 0
    Fragment ttl_limit: 5
    Fragment Problems: 0
    telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
    ERROR spp_arpspoof /etc/snort/snort.conf(39) => Cannot initialize arpspoof_detect_host without arpspoof
    database: compiled support for ( mysql )
    database: configured to use mysql
    database: database name = snort
    database: user = sensor1
    database: host = 192.168.0.69
    database: port = 3306
    database: sensor name = Sensor1
    database: detail level = full
    database: mysql_error: Access denied for user: '@192.168.0.1' to database 'snort'
    Fatal Error, Quitting..

    How can i debug this and try to figure out what setting is worng???

  5. #5
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Put up your /etc/snort.conf file. Let's see it.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  6. #6
    #--------------------------------------------------
    # http://www.activeworx.com Snort 1.9.0 Ruleset
    # IDS Policy Manager Version: 1.3 Build(40)
    # Current Database Updated -- Feb 10, 2003 2:08 AM
    #--------------------------------------------------
    #
    ## Variables
    ## ---------
    var HOME_NET [192.168.0.0/24]
    #var HOME_NET $eth0_ADDRESS
    #var HOME_NET [10.1.1.0/24,192.168.1.0/24]
    #var HOME_NET any
    var EXTERNAL_NET any
    var DNS_SERVERS $HOME_NET
    var SMTP_SERVERS $HOME_NET
    var HTTP_SERVERS [192.168.0.1/24]
    var SQL_SERVERS $HOME_NET
    var TELNET_SERVERS $HOME_NET
    #var HTTP_PORTS 8081
    var HTTP_PORTS 80
    var SHELLCODE_PORTS !80
    var ORACLE_PORTS 1521
    var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
    var RULE_PATH /etc/snort
    #
    ## Preprocessor Support
    ## --------------------
    preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
    preprocessor rpc_decode: 111 32771
    preprocessor stream4: detect_scans, disable_evasion_alerts
    preprocessor stream4_reassemble
    #preprocessor portscan: $HOME_NET 4 3 portscan.log
    #preprocessor portscan-ignorehosts: 0.0.0.0
    preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 32000
    preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 5, port_limit 20, timeout 60
    preprocessor frag2
    preprocessor telnet_decode
    #preprocessor arpspoof
    preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
    #
    #
    ## Output Modules
    ## --------------
    output database: log, mysql, dbname=snort user=sensor1 host=192.168.0.69 port=3306 sensor_name=Sensor1 detail=full
    #output log_tcpdump: tcpdump.log
    #output xml: Log, file=/var/log/snortxml
    #output log_unified: filename snort.log, limit 128
    #
    #output alert_syslog: LOG_AUTH LOG_ALERT
    #output alert_unified: filename snort.alert, limit 128
    #output trap_snmp: alert, 7, inform -v 3 -p 999 -l authPriv -u snortUser -x DES -X "" -a SHA -A "" myTrapListener
    #
    ## Custom Rules
    ## ------------
    #ruletype suspicious
    #{
    # type log
    # output log_tcpdump: suspicious.log
    #}
    #ruletype redalert
    #{
    # type alert
    # output alert_syslog: LOG_AUTH LOG_ALERT
    # output database: log, mysql, user=snort dbname=snort host=localhost
    #}
    #
    ## Custom Lines
    ## ------------
    # output database: alert, postgresql, user=snort dbname=snort
    # output database: log, unixodbc, user=snort dbname=snort
    # output database: log, mssql, dbname=snort user=snort password=test
    #
    ## Include Files
    ## -------------
    include classification.config
    #
    include $RULE_PATH/bad-traffic.rules
    include $RULE_PATH/exploit.rules
    include $RULE_PATH/scan.rules
    include $RULE_PATH/finger.rules
    include $RULE_PATH/ftp.rules
    include $RULE_PATH/telnet.rules
    include $RULE_PATH/rpc.rules
    include $RULE_PATH/rservices.rules
    include $RULE_PATH/dos.rules
    include $RULE_PATH/ddos.rules
    include $RULE_PATH/dns.rules
    include $RULE_PATH/tftp.rules
    include $RULE_PATH/web-cgi.rules
    include $RULE_PATH/web-coldfusion.rules
    include $RULE_PATH/web-iis.rules
    include $RULE_PATH/web-frontpage.rules
    include $RULE_PATH/web-misc.rules
    include $RULE_PATH/web-client.rules
    include $RULE_PATH/web-php.rules
    include $RULE_PATH/sql.rules
    include $RULE_PATH/x11.rules
    include $RULE_PATH/icmp.rules
    include $RULE_PATH/netbios.rules
    include $RULE_PATH/misc.rules
    include $RULE_PATH/attack-responses.rules
    include $RULE_PATH/oracle.rules
    include $RULE_PATH/mysql.rules
    include $RULE_PATH/snmp.rules
    include $RULE_PATH/smtp.rules
    include $RULE_PATH/imap.rules
    include $RULE_PATH/pop3.rules
    include $RULE_PATH/pop2.rules
    include $RULE_PATH/nntp.rules
    include $RULE_PATH/other-ids.rules
    #include $RULE_PATH/web-attacks.rules
    #include $RULE_PATH/backdoor.rules
    #include $RULE_PATH/shellcode.rules
    #include $RULE_PATH/policy.rules
    #include $RULE_PATH/porn.rules
    #include $RULE_PATH/info.rules
    #include $RULE_PATH/icmp-info.rules
    #include $RULE_PATH/virus.rules
    #include $RULE_PATH/chat.rules
    #include $RULE_PATH/multimedia.rules
    #include $RULE_PATH/p2p.rules
    include $RULE_PATH/experimental.rules
    include $RULE_PATH/local.rules

    Here is my the conf file on my WINDOWS MACHINE:
    #--------------------------------------------------
    # http://www.snort.org Snort 1.9.0 Ruleset
    # Contact: snort-sigs@lists.sourceforge.net
    #--------------------------------------------------
    # NOTE:This ruleset only works for 1.9.0 and later
    #--------------------------------------------------
    # $Id: snort.conf,v 1.110 2002/08/14 03:17:58 chrisgreen Exp $
    #
    ###################################################
    # This file contains a sample snort configuration.
    # You can take the following steps to create your
    # own custom configuration:
    #
    # 1) Set the network variables for your network
    # 2) Configure preprocessors
    # 3) Configure output plugins
    # 4) Customize your rule set
    #
    ###################################################
    # Step #1: Set the network variables:
    #
    # You must change the following variables to reflect
    # your local network. The variable is currently
    # setup for an RFC 1918 address space.
    #
    # You can specify it explicitly as:
    #
    # var HOME_NET 10.1.1.0/24
    #
    # or use global variable $<interfacename>_ADDRESS
    # which will be always initialized to IP address and
    # netmask of the network interface which you run
    # snort at.
    #
    # var HOME_NET $eth0_ADDRESS
    #
    # You can specify lists of IP addresses for HOME_NET
    # by separating the IPs with commas like this:
    #
    # var HOME_NET [10.1.1.0/24,192.168.1.0/24]
    #
    # MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
    #
    # or you can specify the variable to be any IP address
    # like this:

    var HOME_NET any

    # Set up the external network addresses as well.
    # A good start may be "any"

    var EXTERNAL_NET any

    # Configure your server lists. This allows snort to only look for attacks
    # to systems that have a service up. Why look for HTTP attacks if you are
    # not running a web server? This allows quick filtering based on IP addresses
    # These configurations MUST follow the same configuration scheme as defined
    # above for $HOME_NET.

    # List of DNS servers on your network
    var DNS_SERVERS $HOME_NET

    # List of SMTP servers on your network
    var SMTP_SERVERS $HOME_NET

    # List of web servers on your network
    var HTTP_SERVERS $HOME_NET

    # List of sql servers on your network
    var SQL_SERVERS $HOME_NET

    # List of telnet servers on your network
    var TELNET_SERVERS $HOME_NET

    # Configure your service ports. This allows snort to look for attacks
    # destined to a specific application only on the ports that application
    # runs on. For example, if you run a web server on port 8081, set your
    # HTTP_PORTS variable like this:
    #
    # var HTTP_PORTS 8081
    #
    # Port lists must either be continuous [eg 80:8080], or a single port [eg 80].
    # We will adding support for a real list of ports in the future.

    # Ports you run web servers on
    var HTTP_PORTS 80

    # Ports you want to look for SHELLCODE on.
    var SHELLCODE_PORTS !80

    # Ports you do oracle attacks on
    var ORACLE_PORTS 1521

    # other variables
    #
    # AIM servers. AOL has a habit of adding new AIM servers, so instead of
    # modifying the signatures when they do, we add them to this list of
    # servers.
    var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]

    # Path to your rules files (this can be a relative path)
    var RULE_PATH ../rules

    ###################################################
    # Step #2: Configure preprocessors
    #
    # General configuration for preprocessors is of
    # the form
    # preprocessor <name_of_processor>: <configuration_options>

    # frag2: IP defragmentation support
    # -------------------------------
    # This preprocessor performs IP defragmentation. This plugin will also detect
    # people launching fragmentation attacks (usually DoS) against hosts. No
    # arguments loads the default configuration of the preprocessor, which is a
    # 60 second timeout and a 4MB fragment buffer.

    # The following (comma delimited) options are available for frag2
    # timeout [seconds] - sets the number of [seconds] than an unfinished
    # fragment will be kept around waiting for completion,
    # if this time expires the fragment will be flushed
    # memcap [bytes] - limit frag2 memory usage to [number] bytes
    # (default: 4194304)
    #
    # min_ttl [number] - minimum ttl to accept
    #
    # ttl_limit [number] - difference of ttl to accept without alerting
    # will cause false positves with router flap
    #
    # Frag2 uses Generator ID 113 and uses the following SIDS
    # for that GID:
    # SID Event description
    # ----- -------------------
    # 1 Oversized fragment (reassembled frag > 64k bytes)
    # 2 Teardrop-type attack

    preprocessor frag2

    # stream4: stateful inspection/stream reassembly for Snort
    #----------------------------------------------------------------------
    # Use in concert with the -z [all|est] command line switch to defeat
    # stick/snot against TCP rules. Also performs full TCP stream
    # reassembly, stateful inspection of TCP streams, etc. Can statefully
    # detect various portscan types, fingerprinting, ECN, etc.

    # stateful inspection directive
    # no arguments loads the defaults (timeout 30, memcap 8388608)
    # options (options are comma delimited):
    # detect_scans - stream4 will detect stealth portscans and generate alerts
    # when it sees them when this option is set
    # detect_state_problems - detect TCP state problems, this tends to be very
    # noisy because there are a lot of crappy ip stack
    # implementations out there
    #
    # disable_evasion_alerts - turn off the possibly noisy mitigation of
    # overlapping sequences.
    #
    #
    # min_ttl [number] - set a minium ttl that snort will accept to
    # stream reassembly
    #
    # ttl_limit [number] - differential of the initial ttl on a session versus
    # the normal that someone may be playing games.
    # Routing flap may cause lots of false positives.
    #
    # keepstats [machine|binary] - keep session statistics, add "machine" to
    # get them in a flat format for machine reading, add
    # "binary" to get them in a unified binary output
    # format
    # noinspect - turn off stateful inspection only
    # timeout [number] - set the session timeout counter to [number] seconds,
    # default is 30 seconds
    # memcap [number] - limit stream4 memory usage to [number] bytes
    # log_flushed_streams - if an event is detected on a stream this option will
    # cause all packets that are stored in the stream4
    # packet buffers to be flushed to disk. This only
    # works when logging in pcap mode!
    #
    # Stream4 uses Generator ID 111 and uses the following SIDS
    # for that GID:
    # SID Event description
    # ----- -------------------
    # 1 Stealth activity
    # 2 Evasive RST packet
    # 3 Evasive TCP packet retransmission
    # 4 TCP Window violation
    # 5 Data on SYN packet
    # 6 Stealth scan: full XMAS
    # 7 Stealth scan: SYN-ACK-PSH-URG
    # 8 Stealth scan: FIN scan
    # 9 Stealth scan: NULL scan
    # 10 Stealth scan: NMAP XMAS scan
    # 11 Stealth scan: Vecna scan
    # 12 Stealth scan: NMAP fingerprint scan stateful detect
    # 13 Stealth scan: SYN-FIN scan
    # 14 TCP forward overlap

    preprocessor stream4: detect_scans, disable_evasion_alerts

    # tcp stream reassembly directive
    # no arguments loads the default configuration
    # Only reassemble the client,
    # Only reassemble the default list of ports (See below),
    # Give alerts for "bad" streams
    #
    # Available options (comma delimited):
    # clientonly - reassemble traffic for the client side of a connection only
    # serveronly - reassemble traffic for the server side of a connection only
    # both - reassemble both sides of a session
    # noalerts - turn off alerts from the stream reassembly stage of stream4
    # ports [list] - use the space separated list of ports in [list], "all"
    # will turn on reassembly for all ports, "default" will turn
    # on reassembly for ports 21, 23, 25, 53, 80, 143, 110, 111
    # and 513

    preprocessor stream4_reassemble

    # http_decode: normalize HTTP requests
    # ------------------------------------
    # http_decode normalizes HTTP requests from remote
    # machines by converting any %XX character
    # substitutions to their ASCII equivalent. This is
    # very useful for doing things like defeating hostile
    # attackers trying to stealth themselves from IDSs by
    # mixing these substitutions in with the request.
    # Specify the port numbers you want it to analyze as arguments.
    #
    # Major code cleanups thanks to rfp
    #
    # unicode - normalize unicode
    # iis_alt_unicode - %u encoding from iis
    # double_encode - alert on possible double encodings
    # iis_flip_slash - normalize \ as /
    # full_whitespace - treat \t as whitespace ( for apache )
    #
    # for that GID:
    # SID Event description
    # ----- -------------------
    # 1 UNICODE attack
    # 2 NULL byte attack

    preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace

    # rpc_decode: normalize RPC traffic
    # ---------------------------------
    # RPC may be sent in alternate encodings besides the usual
    # 4-byte encoding that is used by default. This preprocessor
    # normalized RPC traffic in much the same way as the http_decode
    # preprocessor. This plugin takes the ports numbers that RPC
    # services are running on as arguments.
    # The RPC decode preprocessor uses generator ID 106 and does not
    # generate any SIDs at this time.

    preprocessor rpc_decode: 111 32771

    # bo: Back Orifice detector
    # -------------------------
    # Detects Back Orifice traffic on the network. This preprocessor
    # uses the Back Orifice "encryption" algorithm to search for
    # traffic conforming to the Back Orifice protocol (not BO2K).
    # This preprocessor can take two arguments. The first is "-nobrute"
    # which turns off the plugin's brute forcing routine (brute forces
    # the key space of the protocol to find BO traffic). The second
    # argument that can be passed to the routine is a number to use
    # as the default key when trying to decrypt the traffic. The
    # default value is 31337 (just like BO). Be aware that turning on
    # the brute forcing option runs the risk of impacting the overall
    # performance of Snort, you've been warned...
    #
    # The Back Orifice detector uses Generator ID 105 and uses the
    # following SIDS for that GID:
    # SID Event description
    # ----- -------------------
    # 1 Back Orifice traffic detected

    preprocessor bo: -nobrute

    # telnet_decode: Telnet negotiation string normalizer
    # ---------------------------------------------------
    # This preprocessor "normalizes" telnet negotiation strings from
    # telnet and ftp traffic. It works in much the same way as the
    # http_decode preprocessor, searching for traffic that breaks up
    # the normal data stream of a protocol and replacing it with
    # a normalized representation of that traffic so that the "content"
    # pattern matching keyword can work without requiring modifications.
    # This preprocessor requires no arguments.
    # Portscan uses Generator ID 109 and does not generate any SID currently.

    preprocessor telnet_decode

    # Portscan: detect a variety of portscans
    # ---------------------------------------
    # portscan preprocessor by Patrick Mullen <p_mullen@linuxrc.net>
    # This preprocessor detects UDP packets or TCP SYN packets going to
    # four different ports in less than three seconds. "Stealth" TCP
    # packets are always detected, regardless of these settings.
    # Portscan uses Generator ID 100 and uses the following SIDS for that GID:
    # SID Event description
    # ----- -------------------
    # 1 Portscan detect
    # 2 Inter-scan info
    # 3 Portscan End

    # preprocessor portscan: $HOME_NET 4 3 portscan.log

    # Use portscan-ignorehosts to ignore TCP SYN and UDP "scans" from
    # specific networks or hosts to reduce false alerts. It is typical
    # to see many false alerts from DNS servers so you may want to
    # add your DNS servers here. You can all multiple hosts/networks
    # in a whitespace-delimited list.
    #
    #preprocessor portscan-ignorehosts: 0.0.0.0

    # arpspoof
    #----------------------------------------
    # Experimental ARP detection code from Jeff Nathan, detects ARP attacks,
    # unicast ARP requests, and specific ARP mapping monitoring. To make use
    # of this preprocessor you must specify the IP and hardware address of hosts on # the same layer 2 segment as you. Specify one host IP MAC combo per line.
    # Also takes a "-unicast" option to turn on unicast ARP request detection.
    # Arpspoof uses Generator ID 112 and uses the following SIDS for that GID:
    # SID Event description
    # ----- -------------------
    # 1 Unicast ARP request
    # 2 Etherframe ARP mismatch (src)
    # 3 Etherframe ARP mismatch (dst)
    # 4 ARP cache overwrite attack

    #preprocessor arpspoof
    #preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00

    # ASN1 Decode
    #-----------------------------------------
    # This is an experimental preprocessor. ASN.1 decoder and analysis plugin
    # from Andrew R. Baker. This preprocessor will detect abuses of the ASN.1
    # protocol that higher level protocols (like SSL, SNMP, x.509, etc) rely on.
    # The ASN.1 decoder uses Generator ID 115 and uses the following SIDs for
    # that GID:
    # SID Event description
    # ----- -------------------
    # 1 Indefinite length
    # 2 Invalid length
    # 3 Oversized item
    # 4 ASN.1 specification violation
    # 5 Dataum bad length

    preprocessor asn1_decode

    # Fnord
    #-----------------------------------------
    # This is an experimental preprocessor. Polymorphic shellcode analyzer and
    # detector by Dragos Ruiu. This preprocessor will watch traffic for
    # polymorphic NOP-type sleds to defeat tools like ADMutate. The Fnord detector
    # uses Generator ID 114 and the following SIDs:
    # SID Event description
    # ----- -------------------
    # 1 NOP-sled detected

    # preprocessor fnord

    # Conversation
    #------------------------------------------
    # This preprocessor tracks conversations for tcp, udp and icmp traffic. It
    # is a prerequisite for running portscan2.
    #
    # allowed_ip_protcols 1 6 17
    # list of allowed ip protcols ( defaults to any )
    #
    # timeout [num]
    # conversation timeout ( defaults to 60 )
    #
    #
    # max_conversations [num]
    # number of conversations to support at once (defaults to 65335)
    #
    #
    # alert_odd_protocols
    # alert on protocols not listed in allowed_ip_protocols

    preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 32000

    # Portscan2
    #-------------------------------------------
    # Portscan 2, detect portscans in a new and exciting way.
    #
    # Available options:
    # scanners_max [num]
    # targets_max [num]
    # target_limit [num]
    # port_limit [num]
    # timeout [num]
    # log [logdir]

    preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 5, port_limit 20, timeout 60

    # Experimental Perf stats
    # -----------------------
    # No docs. Highly subject to change.
    #
    # preprocessor perfmonitor: console flow events time 10

    ####################################################################
    # Step #3: Configure output plugins
    #
    # Uncomment and configure the output plugins you decide to use.
    # General configuration for output plugins is of the form:
    #
    # output <name_of_plugin>: <configuration_options>
    #
    # alert_syslog: log alerts to syslog
    # ----------------------------------
    # Use one or more syslog facilities as arguments
    #
    # output alert_syslog: LOG_AUTH LOG_ALERT

    # log_tcpdump: log packets in binary tcpdump format
    # -------------------------------------------------
    # The only argument is the output file name.
    #
    # output log_tcpdump: tcpdump.log

    # database: log to a variety of databases
    # ---------------------------------------
    # See the README.database file for more information about configuring
    # and using this plugin.
    #
    # output database: log, mysql, user=root password=test dbname=db host=localhost
    # output database: alert, postgresql, user=snort dbname=snort
    # output database: log, unixodbc, user=snort dbname=snort
    # output database: log, mssql, dbname=snort user=snort password=test

    # xml: xml logging
    # ----------------
    # See the README.xml file for more information about configuring
    # and using this plugin.
    #
    # output xml: log, file=/var/log/snortxml

    # unified: Snort unified binary format alerting and logging
    # -------------------------------------------------------------
    # The unified output plugin provides two new formats for logging
    # and generating alerts from Snort, the "unified" format. The
    # unified format is a straight binary format for logging data
    # out of Snort that is designed to be fast and efficient. Used
    # with barnyard (the new alert/log processor), most of the overhead
    # for logging and alerting to various slow storage mechanisms
    # such as databases or the network can now be avoided.
    #
    # Check out the spo_unified.h file for the data formats.
    #
    # Two arguments are supported.
    # filename - base filename to write to (current time_t is appended)
    # limit - maximum size of spool file in MB (default: 128)
    #
    # output alert_unified: filename snort.alert, limit 128
    # output log_unified: filename snort.log, limit 128

    # trap_snmp: SNMP alerting for Snort
    # -------------------------------------------------------------
    # Read the README.SNMP file for more information on enabling and using this
    # plug-in.
    #
    #

    #The trap_snmp plugin accepts the following notification options
    # [c],[p[m|s]]
    # where,
    # c : Generate compact notifications. (Saves on bandwidth by
    # not reporting MOs for which values are unknown, not
    # available or, not applicable). By default this option is reset.
    # p : Generate a print of the invariant part of the offending packet.
    # This can be used to track the packet across the Internet.
    # By default this option is reset.
    # m : Use the MD5 algorithm to generate the packet print.
    # By default this algorithm is used.
    # s : Use the SHA1 algorithm to generate the packet print.
    #
    # The trap_snmp plugin requires several parameters
    # The parameters depend on the Snmpversion that is used (specified)
    # For the SNMPv2c case the parameters will be as follows
    # alert, <sensorID>, [NotificationOptions] ,
    # {trap|inform} -v <SnmpVersion> -p <portNumber> <hostName> <community>
    #
    # For SNMPv2c traps with MD5 digest based packetPrint generation
    #
    # output trap_snmp: alert, 7, cpm, trap -v 2c myTrapListener myCommunity
    #
    # For SNMPv2c informs with the 'compact' notification option
    #
    #output trap_snmp: alert, 7, c, inform -v 2c myTrapListener myCommunity
    #
    #
    # For SNMPv3 traps with
    # security name = snortUser
    # security level = authentication and privacy
    # authentication parameters :
    # authentication protocol = SHA ,
    # authentication pass phrase = SnortAuthPassword
    # privacy (encryption) parameters
    # privacy protocol = DES,
    # privacy pass phrase = SnortPrivPassword
    #
    #output trap_snmp: alert, 7, trap -v 3 -u snortUser -l authPriv -a SHA -A SnortAuthPassword -x DES -X SnortPrivPassword myTrapListener
    #For SNMPv3 informs with authentication and encryption
    #output trap_snmp: alert, 7, inform -v 3 -u snortUser -l authPriv -a SHA -A SnortAuthPassword -x DES -X SnortPrivPassword myTrapListener

    # You can optionally define new rule types and associate one or
    # more output plugins specifically to that type.
    #
    # This example will create a type that will log to just tcpdump.
    # ruletype suspicious
    # {
    # type log
    # output log_tcpdump: suspicious.log
    # }
    #
    # EXAMPLE RULE FOR SUSPICIOUS RULETYPE:
    # suspicious $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server"
    #
    # This example will create a rule type that will log to syslog
    # and a mysql database.
    # ruletype redalert
    # {
    # type alert
    # output alert_syslog: LOG_AUTH LOG_ALERT
    # output database: log, mysql, user=snort dbname=snort host=localhost
    # }
    #
    # EXAMPLE RULE FOR REDALERT RULETYPE
    # redalert $HOME_NET any -> $EXTERNAL_NET 31337 (msg:"Someone is being LEET"; \
    # flags:A+

    #
    # Include classification & priority settings
    #

    include classification.config

    #
    # Include reference systems
    #

    include reference.config

    ####################################################################
    # Step #4: Customize your rule set
    #
    # Up to date snort rules are available at http://www.snort.org
    #
    # The snort web site has documentation about how to write your own
    # custom snort rules.
    #
    # The rules included with this distribution generate alerts based on
    # on suspicious activity. Depending on your network environment, your
    # security policies, and what you consider to be suspicious, some of
    # these rules may either generate false positives ore may be detecting
    # activity you consider to be acceptable; therefore, you are
    # encouraged to comment out rules that are not applicable in your
    # environment.
    #
    # Note that using all of the rules at the same time may lead to
    # serious packet loss on slower machines. YMMV, use with caution,
    # standard disclaimers apply.
    #
    # The following individuals contributed many of rules in this
    # distribution.
    #
    # Credits:
    # Ron Gula <rgula@securitywizards.com> of Network Security Wizards
    # Max Vision <vision@whitehats.com>
    # Martin Markgraf <martin@mail.du.gtn.com>
    # Fyodor Yarochkin <fygrave@tigerteam.net>
    # Nick Rogness <nick@rapidnet.com>
    # Jim Forster <jforster@rapidnet.com>
    # Scott McIntyre <scott@whoi.edu>
    # Tom Vandepoel <Tom.Vandepoel@ubizen.com>
    # Brian Caswell <bmc@snort.org>
    # Zeno <admin@cgisecurity.com>
    # Ryan Russell <ryan@securityfocus.com>
    #
    #=========================================
    # Include all relevant rulesets here
    #
    # shellcode, policy, info, backdoor, and virus rulesets are
    # disabled by default. These require tuning and maintance.
    # Please read the included specific file for more information.
    #=========================================

    include $RULE_PATH/bad-traffic.rules
    include $RULE_PATH/exploit.rules
    include $RULE_PATH/scan.rules
    include $RULE_PATH/finger.rules
    include $RULE_PATH/ftp.rules
    include $RULE_PATH/telnet.rules
    include $RULE_PATH/rpc.rules
    include $RULE_PATH/rservices.rules
    include $RULE_PATH/dos.rules
    include $RULE_PATH/ddos.rules
    include $RULE_PATH/dns.rules
    include $RULE_PATH/tftp.rules

    include $RULE_PATH/web-cgi.rules
    include $RULE_PATH/web-coldfusion.rules
    include $RULE_PATH/web-iis.rules
    include $RULE_PATH/web-frontpage.rules
    include $RULE_PATH/web-misc.rules
    include $RULE_PATH/web-client.rules
    include $RULE_PATH/web-php.rules

    include $RULE_PATH/sql.rules
    include $RULE_PATH/x11.rules
    include $RULE_PATH/icmp.rules
    include $RULE_PATH/netbios.rules
    include $RULE_PATH/misc.rules
    include $RULE_PATH/attack-responses.rules
    include $RULE_PATH/oracle.rules
    include $RULE_PATH/mysql.rules
    include $RULE_PATH/snmp.rules

    include $RULE_PATH/smtp.rules
    include $RULE_PATH/imap.rules
    include $RULE_PATH/pop3.rules

    include $RULE_PATH/nntp.rules
    include $RULE_PATH/other-ids.rules
    # include $RULE_PATH/web-attacks.rules
    # include $RULE_PATH/backdoor.rules
    # include $RULE_PATH/shellcode.rules
    # include $RULE_PATH/policy.rules
    # include $RULE_PATH/porn.rules
    # include $RULE_PATH/info.rules
    # include $RULE_PATH/icmp-info.rules
    # include $RULE_PATH/virus.rules
    # include $RULE_PATH/chat.rules
    # include $RULE_PATH/multimedia.rules
    # include $RULE_PATH/p2p.rules
    include $RULE_PATH/experimental.rules
    include $RULE_PATH/local.rules

  7. #7
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Couple of things. This line:

    output database: log, mysql, dbname=snort user=sensor1 host=192.168.0.69 port=3306 sensor_name=Sensor1 detail=full
    Should have password=yoursnortpassword

    That's probably the error your getting.

    Second, the lines that say INCLUDE $RULE_PATH should be changed to the relative or absolute path of your rules. The variable doesn't seem to work that well I've found. So if your rules are in a seperate directory in etc it should be changed to INCLUDE rules/rulename.rules
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  8. #8
    Snort Passwrd i dont think i have set a password on snort...

    Do i just use the root password on the linux machine .

  9. #9
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    No. Set the password. You don't want your box taken over or the files on your sql database removed. Sorta defeats the purpose of using it, eh?

    Take a look at the AONewsletter #6. I talked about how to setup your snort box, including passwords.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  10. #10
    mysql> update user set password=password ‘test’ where user=’192.168.0.1’;
    mysql> flush privileges;


    See i think im a lil mixed up is that the correct user name or is it sensor1 or snort???

    set password for snort@192.168.0.1=password ‘test’;

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •