
[Snort-users] snort-mysql sensors


Mohamed Eldesoky

Jun 21, 2005, 2:00:46 PM
At last I have run snort-mysql and BASE on my bridged firewall.
I have two interfaces working, but BASE reports that I have three sensors??
How come???

--
Mohamed Eldesoky
www.eldesoky.net
RHCE


-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
_______________________________________________
Snort-users mailing list
Snort...@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Joel Esler

Jun 21, 2005, 2:11:10 PM
This can happen if you change the name of the sensor at some point and
it logs a new sid in the db. Separate the sensors and then delete
everything under whatever sensor is incorrect.

Joel

On 6/21/05, Mohamed Eldesoky <eldesok...@gmail.com> wrote:
> At last I have run snort-mysql and BASE on my bridged firewall.
> I have two interfaces working, but BASE reports that I have three sensors??
> How come???

Miner, Jonathan W (CSC) (US SSA)

Jun 21, 2005, 2:13:49 PM

Will Metcalf

Jun 21, 2005, 2:48:55 PM
I'm guessing that the IP or name changed because if you are in
Inlinemode() escapedInterfaceName is always equal to NULL so if we are
in Inlinemode() we always set escapedInterfaceName = inline.

Regards,

Will
On 6/21/05, Miner, Jonathan W (CSC) (US SSA)
<jonathan...@baesystems.com> wrote:
> If you change the interface, like switching from eth0 to eth1, or change
> the IP address you will end up with multiple sensor entries. I don't think
> you can fix it via BASE, but you might be able to go into mysql and
> change the table directly.

Mohamed Eldesoky

Jun 22, 2005, 4:08:31 AM
Thanks for all,
In fact, I have added another interface and IP (for the bridge
interface) during the test.

Will,
I didn't understand what you mean by Inlinemode().
If you mean snort-inline, I didn't run it (yet)

On 6/21/05, Will Metcalf <william...@gmail.com> wrote:
> I'm guessing that the IP or name changed because if you are in
> Inlinemode() escapedInterfaceName is always equal to NULL so if we are
> in Inlinemode() we always set escapedInterfaceName = inline.

--
Mohamed Eldesoky
www.eldesoky.net
RHCE
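
Added example, not part of the original thread: a sketch of the check and cleanup the replies describe, listing each sensor entry with its event count and last event so a leftover sid can be identified and then removed. It runs against constructed rows in an in-memory SQLite database; the column subset (sensor: sid, hostname, interface; event: sid, cid, timestamp) is assumed from the stock Snort schema, and sensor_report and purge_sensor are hypothetical helper names.

```python
import sqlite3

# Constructed sample data in an in-memory SQLite database. The columns are a
# subset of the stock Snort schema (sensor: sid, hostname, interface;
# event: sid, cid, timestamp), assumed here rather than taken from the thread.
def build_sample_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE sensor (sid INTEGER PRIMARY KEY, hostname TEXT, interface TEXT);
        CREATE TABLE event  (sid INTEGER, cid INTEGER, timestamp TEXT,
                             PRIMARY KEY (sid, cid));
        INSERT INTO sensor VALUES (1, '192.0.2.10', 'eth0'),
                                  (2, '192.0.2.10', 'eth1'),
                                  (3, '192.0.2.20', 'br0');
        INSERT INTO event VALUES (1, 1, '2005-06-20 09:00:00'),
                                 (1, 2, '2005-06-20 09:05:00'),
                                 (2, 1, '2005-06-21 10:00:00'),
                                 (3, 1, '2005-06-21 11:00:00'),
                                 (3, 2, '2005-06-21 13:30:00');
    """)
    return db

def sensor_report(db):
    """One row per sensor entry: (sid, hostname, interface, events, last_seen)."""
    return db.execute("""
        SELECT s.sid, s.hostname, s.interface,
               COUNT(e.cid), MAX(e.timestamp)
        FROM sensor s LEFT JOIN event e ON e.sid = s.sid
        GROUP BY s.sid, s.hostname, s.interface
        ORDER BY s.sid
    """).fetchall()

def purge_sensor(db, sid):
    """Delete one sensor entry and its events in a single transaction."""
    with db:  # commits on success, rolls back on error
        removed = db.execute("DELETE FROM event WHERE sid = ?", (sid,)).rowcount
        db.execute("DELETE FROM sensor WHERE sid = ?", (sid,))
    return removed

if __name__ == "__main__":
    db = build_sample_db()
    for row in sensor_report(db):
        print(row)
    print("events removed:", purge_sensor(db, 1))
    print(sensor_report(db))
```

A real Snort database keeps further per-event tables keyed by sid (iphdr, tcphdr, udphdr, icmphdr, opt, data, plus BASE's acid_event cache), which need the same delete; back up the database before changing it by hand.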
