Creating Extra Tables Step 5: Creating Tables in the Snort Database
5.1.7 Step 7: Starting Snort with Database Support
When you start Snort after database configuration, the starting message shows what database is being used. The boldface lines show database related information. [rootlaptop] optsnortbinsnort -c etcsnortsnort.conf Log directory = varlogsnort Initializing Network Interface eth0 --== Initializing Snort ==-- Decoding Ethernet on interface eth0 Initializing Preprocessors Initializing Plug-ins Initializing Output Plugins Parsing Rules file etcsnortsnort.conf +++++++++++++++++++++++++++++++++++++++++++++++++++ Initializing rule chains... No arguments to frag2 directive, setting defaults to: Fragment timeout: 60 seconds Fragment memory cap: 4194304 bytes Stream4 config: Stateful inspection: ACTIVE Session statistics: INACTIVE Session timeout: 30 seconds Session memory cap: 8388608 bytes State alerts: INACTIVE Scan alerts: ACTIVE Log Flushed Streams: INACTIVE No arguments to stream4_reassemble, setting defaults: Reassemble client: ACTIVE Reassemble server: INACTIVE Reassemble ports: 21 23 25 53 80 143 110 111 513 Reassembly alerts: ACTIVE Reassembly method: FAVOR_OLD 172 Chapter 5 • Using Snort with MySQL Back Orifice detection brute force: DISABLED Using LOCAL time database: compiled support for mysql database: configured to use mysql database: user = rr database: database name = snort database: host = localhost database: sensor name = 10.100.1.111 database: sensor id = 1 database: schema version = 105 database: using the log facility 886 Snort rules read... 886 Option Chains linked into 99 Chain Headers 0 Dynamic rules +++++++++++++++++++++++++++++++++++++++++++++++++++ Rule application order: -activation-dynamic-alert-pass- log --== Initialization Complete ==-- - Snort - Version 1.8.6 Build 105 By Martin Roesch roeschsourcefire.com, www.snort.org The name of the database, the name of user and the host where the database is installed are all listed in the output. The schema version is saved in the schema table in MySQL database.5.1.8 Step 8: Logging to Database
After configuring the database properly, you should check if log and alert mes- sages are being saved in the database tables. We use the following two rules for Snort to test the database. alert ip any any - any any ipopts: lsrr; msg: \ LSRR Options set; logto: test; alert icmp any any - 192.168.1.024 any fragbits: D; \ msg: Dont Fragment bit set; To test these rules, we use the following two commands on a Microsoft Windows machine. I have used Windows XP Home Edition for the sake of experiment. ping -n 1 -f 192.168.1.2 ping -n 1 -j 192.168.1.2 192.168.1.2Parts
» Prentice.Hall – Intrusion.Detection.Systems.with.Snort
» Logs False Alarms Some Definitions
» Where IDS Should be Placed in Network Topology
» Honey Pots What is Intrusion Detection?
» Security Zones and Levels of Trust
» IDS Policy Prentice.Hall – Intrusion.Detection.Systems.with.Snort
» Packet Decoder Preprocessors Components of Snort
» The Detection Engine Components of Snort
» Dealing with Switches Prentice.Hall – Intrusion.Detection.Systems.with.Snort
» TCP Stream Follow Up Supported Platforms
» Snort on Stealth Interface Snort with no IP Address Interface
» References Prentice.Hall – Intrusion.Detection.Systems.with.Snort
» Test Installation Snort Installation Scenarios
» Single Sensor Production IDS
» Multiple Snort Sensors with Centralized Database
» Download Install Installing Snort from the RPM Package
» Unpacking Installing Snort from Source Code
» Running the configure script. Running the
» Running the make install command.
» Create or copy the Snort configuration file in
» Create a directory After Installation Processes
» Generating Test Alerts Testing Snort
» Generating Test Alerts with Automatic Snort Startup
» Errors While Starting Snort Running Snort on a Non-Default Interface
» Automatic Startup and Shutdown
» Running Snort on Multiple Network Interfaces
» Logging Snort Data in Text Format
» Logging Snort in Binary Format
» Network Intrusion Detection Mode
» UNIX Socket Mode Snort Alert Modes
» Running Snort in Stealth Mode
» TCPIP Network Layers Prentice.Hall – Intrusion.Detection.Systems.with.Snort
» CIDR Prentice.Hall – Intrusion.Detection.Systems.with.Snort
» User Defined Actions Rule Actions
» Well-Known Port Numbers Port Number
» The ack Keyword The classtype Keyword
» The content Keyword Rule Options
» The offset Keyword Rule Options
» The depth Keyword The content-list Keyword
» The dsize Keyword Rule Options
» The flags Keyword Rule Options
» The fragbits Keyword Rule Options
» The itype Keyword Rule Options
» The icode Keyword Rule Options
» The id Keyword The ipopts Keyword
» The logto Keyword Rule Options
» The reference Keyword Rule Options
» The resp Keyword Rule Options
» The rev Keyword The rpc Keyword
» The session Keyword Rule Options
» The sid Keyword Rule Options
» The tag Keyword Rule Options
» The tos Keyword Rule Options
» The ttl Keyword Rule Options
» The uricontent Keyword Rule Options
» Using a List of Networks in Variables Using Interface Names in Variables
» The config Directives The Snort Configuration File
» Preprocessor Configuration Output Module Configuration
» Include Files The Snort Configuration File
» Order of Rules Based upon Action
» The Simple Method Automatically Updating Snort Rules
» The Sophisticated and Complex Method
» Writing Good Rules Prentice.Hall – Intrusion.Detection.Systems.with.Snort
» The frag2 Module Preprocessors
» The stream4 Module Preprocessors
» The spade Module Preprocessors
» The alert_syslog Output Module
» The alert_smb Module The log_tcpdump Output Module
» Examples The XML Output Module
» Logging to Databases Output Modules
» CSV Output Module Output Modules
» Unified Logging Output Module SNMP Traps Output Module
» Using BPF Fileters Prentice.Hall – Intrusion.Detection.Systems.with.Snort
» Creating Extra Tables Step 5: Creating Tables in the Snort Database
» Secure Logging to Remote Databases Securely Using Stunnel
» Archiving the Database Snort Database Maintenance
» Using Sledge Hammer: Drop the Database
» What is ACID? Installation and Configuration
» Listing Protocol Data Alert Details Searching
» Generating Graphs Archiving Snort Data
» SnortSnarf Prentice.Hall – Intrusion.Detection.Systems.with.Snort
» Barnyard References Prentice.Hall – Intrusion.Detection.Systems.with.Snort
» SnortSam Prentice.Hall – Intrusion.Detection.Systems.with.Snort
» IDS Policy Manager Prentice.Hall – Intrusion.Detection.Systems.with.Snort
Show more