
Snort mailing list archives

Re: MySQL support for Snort 2.9.4
From: Kaya Saman <kayasaman () gmail com>
Date: Tue, 11 Dec 2012 02:24:14 +0000

On 12/11/2012 02:16 AM, Michael Steele wrote:
Is there any chance that all the rules that are available to the
public have the snort.conf replaced with correct versions that don't have
the output database included as an option?

As an example the Registered Users Release of the rules labeled
snortrules-snapshot-2931.tar.gz still has a reference in the snort.conf to
the output database option. Might be a thought to go back to any of the
rules that are available to the public that reference a version of Snort
that doesn't support the output database and update the snort.conf to not
reference it. Just a thought...

Best regards,
Michael...

I disabled that option:

# unified2
# Recommended for most installs
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
output unified2: filename snort.u2, limit 128

# Additional configuration for specific types of installs
# output alert_unified2: filename snort.alert, limit 128, nostamp
# output log_unified2: filename snort.log, limit 128, nostamp

# syslog
# output alert_syslog: LOG_AUTH LOG_ALERT

# pcap
# output log_tcpdump: tcpdump.log

# database
# output database: alert, <db_type>, user=<username> password=<password> test dbname=<name> host=<hostname>
# output database: log, <db_type>, user=<username> password=<password> test dbname=<name> host=<hostname>
t

# prelude
# output alert_prelude

# metadata reference data.  do not modify these lines
include classification.config
include reference.config


I got the unified2 code from here: 
http://www.securixlive.com/barnyard2/faq.php


It also seems that I do have preprocessor modules:

# ls
libsf_dce2_preproc.a       libsf_ftptelnet_preproc.a       libsf_pop_preproc.a              libsf_smtp_preproc.a
libsf_dce2_preproc.la      libsf_ftptelnet_preproc.la      libsf_pop_preproc.la             libsf_smtp_preproc.la
libsf_dce2_preproc.so      libsf_ftptelnet_preproc.so      libsf_pop_preproc.so.0.0         libsf_smtp_preproc.so
libsf_dce2_preproc.so.0.0  libsf_ftptelnet_preproc.so.0.0  libsf_reputation_preproc.a       libsf_smtp_preproc.so.0.0
libsf_dcerpc_preproc.a     libsf_gtp_preproc.a             libsf_reputation_preproc.la      libsf_ssh_preproc.a
libsf_dcerpc_preproc.so    libsf_gtp_preproc.la            libsf_reputation_preproc.so.0.0  libsf_ssh_preproc.la
libsf_dnp3_preproc.a       libsf_gtp_preproc.so.0.0        libsf_sdf_preproc.a              libsf_ssh_preproc.so
libsf_dnp3_preproc.la      libsf_imap_preproc.a            libsf_sdf_preproc.la             libsf_ssh_preproc.so.0.0
libsf_dnp3_preproc.so.0.0  libsf_imap_preproc.la           libsf_sdf_preproc.so             libsf_ssl_preproc.a
libsf_dns_preproc.a        libsf_imap_preproc.so.0.0       libsf_sdf_preproc.so.0.0         libsf_ssl_preproc.la
libsf_dns_preproc.la       libsf_modbus_preproc.a          libsf_sip_preproc.a              libsf_ssl_preproc.so
libsf_dns_preproc.so       libsf_modbus_preproc.la         libsf_sip_preproc.la             libsf_ssl_preproc.so.0.0
libsf_dns_preproc.so.0.0   libsf_modbus_preproc.so.0.0     libsf_sip_preproc.so.0.0


So that shouldn't be an issue.


Everything looks correct, unless it's something to do with compile and 
my architecture? - though it shouldn't I'm guessing....


-----Original Message-----
From: Jeremy Hoel [mailto:jthoel () gmail com]
Sent: Monday, December 10, 2012 7:48 PM
To: Kaya Saman
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] MySQL support for Snort 2.9.4

Database support has been removed from snort.  Use the unified2 output and
Barnyard2 to put data into a database.


On Tue, Dec 11, 2012 at 12:15 AM, Kaya Saman <kayasaman () gmail com> wrote:
Hi,

I've installed Daq 2.0 and Snort 2.9.4 however, I'm confused about the
MySQL support.

Initially running ./configure --help didn't yield any option for
support: --enable-mysql=

Also adding the option: output database - in the snort.conf file
doesn't work either.

Should I downgrade to version 2.9.3 or am I missing something?

I have gone through the Snort user manual from www.snort.org/docs and
saw some information on this under preprocessor_stream5 but nothing to
add to my snort.conf.


What am I missing???


Thanks.


Kaya

----------------------------------------------------------------------
-------- LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free
Trial Remotely access PCs and mobile devices and provide instant
support Improve your efficiency, and focus on delivering more
value-add services Discover what IT Professionals Know. Rescue
delivers http://p.sf.net/sfu/logmein_12329d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort
news!
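
Added example, not part of the original thread and not Snort project code: a small check for a snort.conf that still carries an active "output database" line (removed from Snort, as stated in the thread) or an uncommented leftover from a wrapped comment, and that confirms a unified2 output is enabled for Barnyard2. The sample config, the finding labels and the keyword list are constructed assumptions.

```python
import re

# Constructed sample modelled on the excerpt quoted in the thread; the wrapped
# "test dbname=" fragment and the lone "t" are left uncommented on purpose.
SAMPLE_CONF = """\
output unified2: filename snort.u2, limit 128
# output database: alert, <db_type>, user=<username> password=<password>
test dbname=<name> host=<hostname>
t
output database: log, mysql, user=snort dbname=snort host=localhost
include classification.config
"""

# Keywords accepted at the start of a line (assumption: not an exhaustive list).
KNOWN = {"include", "var", "ipvar", "portvar", "config", "preprocessor",
         "output", "dynamicpreprocessor", "dynamicengine", "dynamicdetection",
         "event_filter", "suppress", "rate_filter",
         "alert", "log", "pass", "drop", "reject", "sdrop"}

def logical_lines(text):
    """Yield (first_line_no, line): backslash continuations joined, comments dropped."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        start = start or no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        full = (buf + line).strip()
        buf, first, start = "", start, None
        if full and not full.startswith("#"):
            yield first, full

def audit(text):
    """Return (findings, unified2_enabled) for the text of a snort.conf."""
    findings, unified2 = [], False
    for no, line in logical_lines(text):
        m = re.match(r"output\s+(\w+)", line)
        if m and m.group(1) == "database":
            findings.append((no, "removed-output-database"))
        elif m:
            # unified2, alert_unified2 and log_unified2 all feed Barnyard2
            unified2 = unified2 or m.group(1).endswith("unified2")
        elif re.split(r"[\s:]", line, maxsplit=1)[0] not in KNOWN:
            findings.append((no, "stray-line"))
    return findings, unified2
```

Run audit() over the snort.conf shipped in a rules snapshot before merging it into a 2.9.4 install; an empty findings list with unified2 enabled is the state the thread recommends.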