Bug#526511: snort-mysql: Snort does not log to mysql db

2009-05-04 Thread Jeffrey B. Green


Javier Fernández-Sanguino Peña wrote:
 On Fri, May 01, 2009 at 12:12:09PM -0400, Jeff Green wrote:
 
 The output database plugin is configured. If snort is started on the command
 line, not as a daemon and with /etc/snort/snort.conf as the config file, then
 the console messages indicate that the database plugin is invoked. However if
 starting from /etc/init.d/snort startup file, then there is no indication of
 the database plugin being seen, regardless of its daemon status. There is no
 indication that the connect has failed because of credentials or privileges.
 

 When starting from /etc/init.d all snort messages are logged in syslog. Could
 you please review your /var/log/messages* files to see if you can find the
 Snort messages?

 Please send me any messages you see there that might be relevant to this
 issue.
   
The time that snort was seemingly connecting to the db had the below
in its console output:

[...snip...]
DNS config:
DNS Client rdata txt Overflow Alert: ACTIVE
Obsolete DNS RR Types Alert: INACTIVE
Experimental DNS RR Types Alert: INACTIVE
Ports: 53

+++
Initializing rule chains...
3407 Snort rules read
3407 detection rules
0 decoder rules
0 preprocessor rules
3407 Option Chains linked into 285 Chain Headers
0 Dynamic rules
+++

Verifying Preprocessor Configurations!
Warning: flowbits key 'ms_sql_seen_dns' is checked but not ever set.
Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
Warning: flowbits key 'community_uri.size.1050' is set but not ever checked.
Warning: flowbits key 'smb.tree.create.llsrpc' is set but not ever checked.
37 out of 512 flowbits in use.

Initializing Network Interface eth0
Decoding Ethernet on interface eth0
database: compiled support for ( mysql )
database: configured to use mysql
database:  user = snort
database: password is set
database: database name = snort
database:  host = 192.168.2.7
database:   sensor name = 68.114.59.137
database: sensor id = 3
database: schema version = 107
database: using the log facility
[...snip...]


While the times that showed no db connect had the following:

[...snip...]
DNS config:
DNS Client rdata txt Overflow Alert: ACTIVE
Obsolete DNS RR Types Alert: INACTIVE
Experimental DNS RR Types Alert: INACTIVE
Ports: 53

+++
Initializing rule chains...
3407 Snort rules read
3407 detection rules
0 decoder rules
0 preprocessor rules
3407 Option Chains linked into 285 Chain Headers
0 Dynamic rules
+++

Verifying Preprocessor Configurations!
Warning: flowbits key 'community_uri.size.1050' is set but not ever checked.
Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
Warning: flowbits key 'ms_sql_seen_dns' is checked but not ever set.
Warning: flowbits key 'smb.tree.create.llsrpc' is set but not ever checked.
37 out of 512 flowbits in use.

Initializing Network Interface eth0
Decoding Ethernet on interface eth0
Preprocessor/Decoder Rule Count: 0
+--[Pattern Matcher:Aho-Corasick Summary]--
[...snip...]

Same output in log files (which I had looked in).

regards,
-jeff
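A check for the silent failure described in this post, added here as an example and not part of the bug thread: it parses Snort startup messages, whether captured from the console or from syslog (the /etc/init.d route), and reports whether the database output plugin ever announced itself. The sample lines are constructed from the output quoted above; the host name and pid in the syslog-style sample are assumed.

```python
import re

# Constructed samples modelled on the console output quoted in this
# thread: the first run reports the database output plugin, the second
# (in syslog form, as the init script logs it) never mentions it.
RUN_WITH_DB = """\
Decoding Ethernet on interface eth0
database: configured to use mysql
database:  user = snort
database: password is set
database: database name = snort
database:  host = 192.168.2.7
database: sensor id = 3
"""
RUN_WITHOUT_DB = """\
May  3 02:53:32 argonath snort[30587]: Decoding Ethernet on interface eth0
May  3 02:53:32 argonath snort[30587]: +--[Pattern Matcher:Aho-Corasick Summary]--
"""

# syslog prefixes the message with timestamp, host and "snort[pid]: ";
# strip it so console capture and /var/log/messages parse alike.
_SYSLOG_PREFIX = re.compile(r"^\w{3}\s+\d+ [\d:]+ \S+ snort\[\d+\]: ")
_DB_LINE = re.compile(r"^database:\s+(.*?)\s*$")
_KV = re.compile(r"^(.+?)\s*=\s*(.*)$")

def parse_database_plugin(log_text):
    """Settings the database plugin reported at startup, or None if no
    'database:' line appeared (the plugin was never initialised)."""
    settings, seen = {}, False
    for raw in log_text.splitlines():
        m = _DB_LINE.match(_SYSLOG_PREFIX.sub("", raw))
        if not m:
            continue
        seen = True
        kv = _KV.match(m.group(1))
        if kv:
            settings[kv.group(1)] = kv.group(2)
        elif m.group(1) == "password is set":
            settings["password"] = "set"  # the secret itself is never logged
    return settings if seen else None

def check_db_logging(log_text, expected_db="snort"):
    """'ok' if the plugin initialised against the expected database,
    'not_initialised' if it is silently absent, else 'misconfigured'."""
    settings = parse_database_plugin(log_text)
    if settings is None:
        return "not_initialised"
    if settings.get("database name") != expected_db:
        return "misconfigured"
    return "ok"
```

Run it over the startup portion of /var/log/messages after a restart from the init script; a result of `not_initialised` means the plugin was never reached, which is a different problem from a failed credential check.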





--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#526511: snort-mysql: Snort does not log to mysql db

2009-05-04 Thread Jeffrey B. Green


Javier Fernández-Sanguino Peña wrote:
 Please send me any messages you see there that might be relevant to this
 issue.
   
Sorry. Forgot to provide the command I used on the case where the db did
show:

snort -m 027 -i eth0 -c /etc/snort/snort.conf -S 'HOME_NET=192.168.2.0/24'

-jeff







Bug#526511: snort-mysql: Snort does not log to mysql db

2009-05-04 Thread Jeffrey B. Green


Jeffrey B. Green wrote:
 Javier Fernández-Sanguino Peña wrote:
   
 Please send me any messages you see there that might be relevant to this
 issue.
   
 
ACIDBASE indicates that snort stopped providing alerts on May 3rd, last
alert at 8:57:38 2009-05-03. The syslog has this entry:

May  3 09:10:04 argonath kernel: [1615275.141933] snort[30587]: segfault at 354 ip 08069550 sp bfd1e690 error 6 in snort[8048000+8d000]

There are no snort entries prior to that time to the beginning of that
log (May  3 02:53:32).

-jeff








Bug#526511: snort-mysql: Snort does not log to mysql db

2009-05-03 Thread Javier Fernández-Sanguino Peña
On Fri, May 01, 2009 at 12:12:09PM -0400, Jeff Green wrote:
 The output database plugin is 
 configured. If snort is started on the command 
 line, not as a daemon and with /etc/snort/snort.conf as the config file, then 
 the console messages indicate that the database plugin is invoked. However if 
 starting from /etc/init.d/snort startup file, then there is no indication of 
 the database plugin being seen, regardless of its daemon status. There is no 
 indication that the connect has failed because of credentials or privileges.

When starting from /etc/init.d all snort messages are logged in syslog. Could
you please review your /var/log/messages* files to see if you can find the
Snort messages?

Please send me any messages you see there that might be relevant to this
issue.

 One interesting but possibly irrelevant item is if I go into mysql (on the db 
 server), then the describe table for snort.schema gives an error, e.g.

That is just because 'schema' is a reserved word in MySQL and you have to
quote it or otherwise you get a syntax error.

Regards

Javier




Bug#526511: snort-mysql: Snort does not log to mysql db

2009-05-01 Thread Jeff Green
Package: snort-mysql
Version: 2.7.0-20.4
Severity: normal

Everything worked okay before the upgrade to lenny.

The output database plugin is 
configured. If snort is started on the command 
line, not as a daemon and with /etc/snort/snort.conf as the config file, then 
the console messages indicate that the database plugin is invoked. However if 
starting from /etc/init.d/snort startup file, then there is no indication of 
the database plugin being seen, regardless of its daemon status. There is no 
indication that the connect has failed because of credentials or privileges.

One interesting but possibly irrelevant item is if I go into mysql (on the db 
server), then the describe table for snort.schema gives an error, e.g.

mysql> use snort;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+------------------+
| Tables_in_snort  |
+------------------+
| acid_ag          |
| acid_ag_alert    |
| acid_event       |
| acid_ip_cache    |
| base_roles       |
| base_users       |
| data             |
| detail           |
| encoding         |
| event            |
| icmphdr          |
| iphdr            |
| opt              |
| reference        |
| reference_system |
| schema           |
| sensor           |
| sig_class        |
| sig_reference    |
| signature        |
| tcphdr           |
| udphdr           |
+------------------+
22 rows in set (0.00 sec)

mysql> describe schema;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual 
that corresponds to your MySQL server version for the right syntax to use near 
'schema' at line 1
mysql> describe sensor;
+-----------+------------------+------+-----+---------+----------------+
| Field     | Type             | Null | Key | Default | Extra          |
+-----------+------------------+------+-----+---------+----------------+
| sid       | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| hostname  | text             | YES  |     | NULL    |                |
| interface | text             | YES  |     | NULL    |                |
| filter    | text             | YES  |     | NULL    |                |
| detail    | tinyint(4)       | YES  |     | NULL    |                |
| encoding  | tinyint(4)       | YES  |     | NULL    |                |
| last_cid  | int(10) unsigned | NO   |     | 0       |                |
+-----------+------------------+------+-----+---------+----------------+
7 rows in set (0.00 sec)

mysql> show table status like 'schema';
           Name: schema
         Engine: MyISAM
        Version: 9
     Row_format: Fixed
           Rows: 1
 Avg_row_length: 13
    Data_length: 13
Max_data_length: 55834574847
   Index_length: 2048
      Data_free: 0
 Auto_increment: NULL
    Create_time: 2007-01-15 20:09:13
    Update_time: 2009-03-21 14:39:26
     Check_time: 2009-05-01 09:54:28
      Collation: latin1_swedish_ci
       Checksum: NULL
 Create_options: 
        Comment: 
1 row in set (0.01 sec)

mysql> quit

The mysql server version(s) are:
ii  libdbd-mysql-pe 4.007-1 A Perl5 database interface to the MySQL 
data
ii  libmysqlclient1 3.23.56-3   LGPL-licensed client library for MySQL 
datab
ii  libmysqlclient1 4.0.24-10sarge2 mysql database client library
ii  libmysqlclient1 4.1.11a-4sarge7 mysql database client library
ii  libmysqlclient1 5.0.51a-24+lenn MySQL database client library
ii  mysql-client-5. 5.0.51a-24+lenn MySQL database client binaries
ii  mysql-common5.0.51a-24+lenn MySQL database common files
ii  mysql-server-5. 5.0.51a-24+lenn MySQL database server binaries
ii  php5-mysql  5.2.6.dfsg.1-1+ MySQL module for php5
ii  postfix-mysql   2.5.5-1.1   MySQL map support for Postfix


-- System Information:
Debian Release: 5.0.1
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages snort-mysql depends on:
ii  adduser 

Bug#526511: snort-mysql: Snort does not log to mysql db

2009-05-01 Thread Jeffrey B. Green

 Everything worked okay before the upgrade to lenny.
The db was receiving alerts after the upgrade and in particular it was 
receiving alerts up until 26 April. The events stop there in the acidbase 
listings.

...still exploring.








Bug#526511: snort-mysql: Snort does not log to mysql db

2009-05-01 Thread Jeffrey B. Green

  Everything worked okay before the upgrade to lenny.
 The db was receiving alerts after the upgrade and in particular it was 
 receiving alerts up until 26 April. The events stop there in the acidbase 
 listings.

   
Alerts have started being logged again to the database.

The only active thing that I did was mysql connect from the firewall to
the db server as the snort user and also connect to the database from
the database server as the snort user. In both connects I tried to
retrieve the last cid from the data table. The request did not return
anything, it hung in a way, i.e. no return. Go figure.

-jeff


