Pozdrav svima. Imam problem sa Snort-om: sve je lepo radilo neko vreme i sad odjednom primetim da BASE ne prijavljuje više ništa. Proverim logove i pronađem ovo:
<snip>
May 31 08:47:37 src@kerber snort[11529]: database: mysql_error: MySQL server has gone away SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES ('3', '15', '0', '2006-05-31 08:47:37.291+002')
May 31 08:47:37 src@kerber snort[11529]: database: mysql_error: MySQL server has gone away SQL=ROLLBACK
May 31 08:57:52 src@kerber snort[11529]: database: mysql_error: MySQL server has gone away SQL=BEGIN
May 31 08:57:52 src@kerber snort[11529]: database: mysql_error: MySQL server has gone away
May 31 08:57:52 src@kerber snort[11529]: database: mysql_error: MySQL server has gone away
May 31 08:57:52 src@kerber snort[11529]: database: mysql_error: MySQL server has gone away SQL=INSERT INTO sig_class (sig_class_name) VALUES ('misc-activity')
May 31 08:57:52 src@kerber snort[11529]: database: mysql_error: MySQL server has gone away
May 31 08:57:52 src@kerber snort[11529]: database: unable to write classification
May 31 08:57:52 src@kerber snort[11529]: database: mysql_error: MySQL server has gone away SQL=INSERT INTO signature (sig_name,sig_priority,sig_rev,sig_sid) VALUES ('MS-SQL ping attempt',3,4,2049)
May 31 08:57:52 src@kerber snort[11529]: database: mysql_error: MySQL server has gone away
May 31 08:57:52 src@kerber snort[11529]: database: Problem inserting a new signature 'MS-SQL ping attempt'
May 31 08:57:52 src@kerber snort[11529]: database: mysql_error: MySQL server has gone away
May 31 08:57:52 src@kerber snort[11529]: database: mysql_error: MySQL server has gone away SQL=INSERT INTO reference_system (ref_system_name) VALUES ('nessus')
<snip>
Iz priloženog se vidi i ne vidi šta je, i ne mogu da pronađem rešenje! Evo mojih fajlova:
Kod: /etc/snort.conf
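# $Id: Exp $
# Snort configuration as posted: one sensor ("NET") logging to a local MySQL
# database that BASE reads from.
# NOTE(review): the forum wrapped the AIM_SERVERS list when it was pasted
# ("...0/2 4" and a dangling "/24" on the following line); it is re-joined
# into one line here. 64.12.26.14/24 is kept as written even though it has
# host bits set -- confirm against the file on disk.
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var HTTP_PORTS 80
var SHELLCODE_PORTS !$HTTP_PORTS
var ORACLE_PORTS 1521
# Everything in 192.168.0.0/16 is "home"; every server list below is set to
# the whole home net, so server-specific rules apply to all internal hosts.
var HOME_NET 192.168.0.0/16
var TELNET_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var DNS_SERVERS $HOME_NET
var RULE_PATH /etc/snort/rules
var EXTERNAL_NET !$HOME_NET
var SSH_PORTS 22
#To get anything new from Bleeding Snort
include $RULE_PATH/bleeding.conf
#Output plugins
# The MySQL password is stored in cleartext on the next line, so keep this
# file readable only by the account that starts Snort (e.g. mode 0600) and
# rotate the password if the file has been shared.
# The "MySQL server has gone away" messages in the posted syslog come from
# this plugin. They appear on BEGIN, INSERT and ROLLBACK alike and persist
# across entries ten minutes apart (08:47:37, 08:57:52), i.e. the plugin's
# single persistent connection was closed by the server and is not reopened.
# my.cnf sets wait_timeout = 15, which closes any connection idle longer than
# 15 s -- the most likely cause; raise it and restart Snort afterwards.
# (Whether this Snort build can reconnect on its own is not visible here.)
output database: log, mysql, user=snort password=snortpwd dbname=snort host=localhost sensor_name=NET detail=full
# Alerts also go to syslog (LOG_AUTH facility); the posted database errors
# were presumably collected the same way.
output alert_syslog: LOG_AUTH LOG_ALERT LOG_CONS LOG_NDELAY LOG_PERROR LOG_PID
#Flow and stream
preprocessor flow: stats_interval 0 hash 2
preprocessor frag2
# disable_evasion_alerts silences stream4's own evasion alerts; detect_scans
# enables its stealth-scan alerts.
preprocessor stream4: disable_evasion_alerts,detect_scans
preprocessor stream4_reassemble: both, ports all
#XLink2State mini proc
preprocessor xlink2state: ports { 25 691 }
#HTTP Inspect
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
# no_alerts turns off http_inspect's own alerts; the normalised traffic still
# feeds the web rules below. flow_depth 0 inspects the whole client request.
preprocessor http_inspect_server: server default \
ports { 80 8080 3128 } \
no_alerts \
non_strict \
non_rfc_char { 0x00 } \
flow_depth 0 \
apache_whitespace yes \
directory no \
iis_backslash no \
u_encode yes \
ascii no \
chunk_length 500000 \
bare_byte yes \
double_decode yes \
iis_unicode yes \
iis_delimiter yes \
multi_slash no
#Other preprocs
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
#Flow Portscan
# NOTE(review): the posted listing repeated a 30-line stretch (the
# http_inspect_server options from "no_alerts" onward, the "Other preprocs"
# block and the first ten flow-portscan options) in the middle of this
# directive. That copy is dropped so the directive is one continuous option
# list; flow-portscan does not accept http_inspect options and would reject
# it at startup.
preprocessor flow-portscan: \
talker-sliding-scale-factor 0.50 \
talker-fixed-threshold 30 \
talker-sliding-threshold 30 \
talker-sliding-window 20 \
talker-fixed-window 30 \
scoreboard-rows-talker 30000 \
server-watchnet $HOME_NET \
server-ignore-limit 200 \
server-rows 65535 \
server-learning-time 14400 \
server-scanner-limit 4 \
scanner-sliding-window 20 \
scanner-sliding-scale-factor 0.50 \
scanner-fixed-threshold 15 \
scanner-sliding-threshold 40 \
scanner-fixed-window 15 \
scoreboard-rows-scanner 30000 \
# src-ignore-net [192.168.1.1/32,192.168.0.0/24] \
# dst-ignore-net [10.0.0.0/30] \
alert-mode once \
output-mode msg \
tcp-penalties on
#Required files
# classification.config and reference.config define the sig_class and
# reference_system values the database plugin was failing to insert in the
# posted log ('misc-activity', 'nessus').
include classification.config
include reference.config
#Rulesets, all optional
#General
include $RULE_PATH/bleeding.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
# include $RULE_PATH/shellcode.rules
include $RULE_PATH/community-ftp.rules
include $RULE_PATH/community-misc.rules
#Mostly Spyware
include $RULE_PATH/bleeding-malware.rules
#Network issues
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/snmp.rules
#Exploits and direct attacks
include $RULE_PATH/exploit.rules
include $RULE_PATH/bleeding-exploit.rules
include $RULE_PATH/community-exploit.rules
#Scans and recon
include $RULE_PATH/scan.rules
include $RULE_PATH/bleeding-scan.rules
#Unusual stuff
include $RULE_PATH/finger.rules
#R-services, etc
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
#DOS
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/bleeding-dos.rules
#Web issues
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/bleeding-web.rules
include $RULE_PATH/community-web-cgi.rules
include $RULE_PATH/community-web-client.rules
include $RULE_PATH/community-web-dos.rules
include $RULE_PATH/community-web-misc.rules
#SQL and DB sigs
include $RULE_PATH/sql.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/community-sql-injection.rules
#Informational stuff
#include $RULE_PATH/icmp.rules
include $RULE_PATH/info.rules
# include $RULE_PATH/icmp-info.rules
#Windows stuff
include $RULE_PATH/netbios.rules
#Compromise responses
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/bleeding-attack_response.rules
#Mail sigs
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/community-mail-client.rules
#Trojans, Viruses, and spyware
include $RULE_PATH/backdoor.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/bleeding-virus.rules
include $RULE_PATH/community-virus.rules
#Policy Sigs
include $RULE_PATH/policy.rules
include $RULE_PATH/porn.rules
include $RULE_PATH/chat.rules
include $RULE_PATH/p2p.rules
include $RULE_PATH/multimedia.rules
include $RULE_PATH/bleeding-policy.rules
include $RULE_PATH/bleeding-p2p.rules
include $RULE_PATH/bleeding-inappropriate.rules
include $RULE_PATH/community-game.rules
include $RULE_PATH/community-inappropriate.rules
#Experimental
include $RULE_PATH/experimental.rules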
Od ovoga je valjda najvažnija linija "output database:", koja bi trebalo da je ispravna.
Kod: /etc/mysql/my.cnf
# MySQL option file as posted. Only comments have been added; every setting
# is unchanged.
[client]
port = 3306
socket = /var/run/mysqld/mysqld.sock
[mysql]
character-sets-dir=/usr/share/mysql/charsets
default-character-set=utf8
[mysqladmin]
character-sets-dir=/usr/share/mysql/charsets
default-character-set=utf8
[mysqlcheck]
character-sets-dir=/usr/share/mysql/charsets
default-character-set=utf8
[mysqldump]
character-sets-dir=/usr/share/mysql/charsets
default-character-set=utf8
[mysqlimport]
character-sets-dir=/usr/share/mysql/charsets
default-character-set=utf8
[mysqlshow]
character-sets-dir=/usr/share/mysql/charsets
default-character-set=utf8
[myisamchk]
character-sets-dir=/usr/share/mysql/charsets
[myisampack]
character-sets-dir=/usr/share/mysql/charsets
[mysqld_safe]
err-log = /var/log/mysql/mysql.err
[mysqld]
# character-set-server is the server-side option; default-character-set under
# [mysqld] is the older client-style spelling. The server version is not
# shown -- it evidently accepts both, since the server is running.
character-set-server = utf8
default-character-set = utf8
user = mysql
port = 3306
socket = /var/run/mysqld/mysqld.sock
pid-file = /var/run/mysqld/mysqld.pid
log-error = /var/log/mysql/mysqld.err
basedir = /usr
datadir = /var/lib/mysql
server-id = 1
max_connections = 200
# Seconds a non-interactive client may sit idle before the server closes its
# connection (MySQL default 28800). Snort's database plugin holds one
# long-lived connection, and the posted syslog shows alert bursts more than
# ten minutes apart (08:47:37, 08:57:52), so the server closed that
# connection in between and every later statement fails with "MySQL server
# has gone away". This is the most likely cause of the reported problem:
# raise the value (or drop the line to get the default) and restart Snort.
# Assumes the plugin connects without CLIENT_INTERACTIVE -- TODO confirm;
# if it does, interactive_timeout applies instead.
wait_timeout = 15
thread_concurrency = 2
log_slow_queries = /var/log/mysqld.slow.log
long_query_time = 2
key_buffer = 16M
# Largest single statement the server accepts; exceeding it also yields
# "server has gone away". With detail=full Snort stores one packet payload
# per row (hex-encoded, roughly 128 KiB worst case), so 1M should suffice
# here -- presumably not the cause, but the [mysqldump] section below uses
# 16M and the same headroom would not hurt.
max_allowed_packet = 1M
table_cache = 64
sort_buffer_size = 512K
net_buffer_length = 8K
read_buffer_size = 256K
read_rnd_buffer_size = 512K
myisam_sort_buffer_size = 8M
language = /usr/share/mysql/english
# Listen on loopback only; matches host=localhost in snort.conf, so the
# alert database is not reachable from the monitored network.
bind-address = 127.0.0.1
# Binary logging with the default base name; it grows with every alert row
# and is only needed for replication or point-in-time recovery.
log-bin
# Older name of skip-external-locking.
skip-locking
tmpdir = /tmp/
innodb_buffer_pool_size = 16M
innodb_additional_mem_pool_size = 2M
# The shared data file auto-extends only up to 128M; if the snort tables are
# InnoDB (not visible here), detail=full will reach that cap quickly and
# inserts then fail with "table is full".
innodb_data_file_path = ibdata1:10M:autoextend:max:128M
innodb_log_file_size = 5M
innodb_log_buffer_size = 8M
# Legacy "set-variable =" syntax; equivalent to innodb_log_files_in_group = 2.
set-variable = innodb_log_files_in_group=2
innodb_flush_log_at_trx_commit = 1
innodb_lock_wait_timeout = 50
# The sections below repeat headers already used above ([mysqldump], [mysql],
# [myisamchk]); the option parser merges repeated sections, so this is legal,
# just easy to mistake for a paste error.
[mysqldump]
quick
max_allowed_packet = 16M
[mysql]
[isamchk]
key_buffer = 20M
sort_buffer_size = 20M
read_buffer = 2M
write_buffer = 2M
[myisamchk]
key_buffer = 20M
sort_buffer_size = 20M
read_buffer = 2M
write_buffer = 2M
[mysqlhotcopy]
interactive-timeout
Šta li se događa? Ima li neko ideju?
Pozdrav