I decided to redirect my Snort alerts to a local MySQL database, so I can analyse the alerts with ACID.
So I added the following to my snort.conf file
Code :
output database: log, mysql, user=snort password=slsfr42 dbname=snort host=localhost
I do have a snort database and a snort user who is allowed to do select, update and delete in the snort database
Code :
[root@stpxfd2a ~]# mysql -u snort --password='XXXX' snort
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 54 to server version: 5.0.27
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> show tables;
+------------------+
| Tables_in_snort  |
+------------------+
| acid_ag          |
| acid_ag_alert    |
| acid_event       |
| acid_ip_cache    |
| data             |
| detail           |
| encoding         |
| event            |
| icmphdr          |
| iphdr            |
| opt              |
| reference        |
| reference_system |
| schema           |
| sensor           |
| sig_class        |
| sig_reference    |
| signature        |
| tcphdr           |
| udphdr           |
+------------------+
20 rows in set (0.00 sec)
mysql> select * from detail;
+-------------+-------------+
| detail_type | detail_text |
+-------------+-------------+
|           0 | fast        |
|           1 | full        |
+-------------+-------------+
2 rows in set (0.00 sec)
When I stop Snort, I can see that there were alerts and that information was logged
Code :
Mar 29 12:55:05 stpxfd2a snort[6373]: Snort received 404901 packets
Mar 29 12:55:05 stpxfd2a snort[6373]: Analyzed: 202449(50.000%)
Mar 29 12:55:05 stpxfd2a snort[6373]: Dropped: 0(0.000%)
Mar 29 12:55:05 stpxfd2a snort[6373]: Outstanding: 202452(50.000%)
Mar 29 12:55:05 stpxfd2a snort[6373]: ===============================================================================
Mar 29 12:55:05 stpxfd2a snort[6373]: Breakdown by protocol:
Mar 29 12:55:05 stpxfd2a snort[6373]: TCP: 136626 (67.487%)
Mar 29 12:55:05 stpxfd2a snort[6373]: UDP: 10645 (5.258%)
Mar 29 12:55:05 stpxfd2a snort[6373]: ICMP: 26 (0.013%)
Mar 29 12:55:05 stpxfd2a snort[6373]: ARP: 23903 (11.807%)
Mar 29 12:55:05 stpxfd2a snort[6373]: EAPOL: 0 (0.000%)
Mar 29 12:55:05 stpxfd2a snort[6373]: IPv6: 0 (0.000%)
Mar 29 12:55:05 stpxfd2a snort[6373]: ETHLOOP: 11 (0.005%)
Mar 29 12:55:05 stpxfd2a snort[6373]: IPX: 0 (0.000%)
Mar 29 12:55:05 stpxfd2a snort[6373]: FRAG: 0 (0.000%)
Mar 29 12:55:05 stpxfd2a snort[6373]: OTHER: 31128 (15.376%)
Mar 29 12:55:05 stpxfd2a snort[6373]: DISCARD: 110 (0.054%)
Mar 29 12:55:05 stpxfd2a snort[6373]: ===============================================================================
Mar 29 12:55:05 stpxfd2a snort[6373]: Action Stats:
Mar 29 12:55:05 stpxfd2a snort[6373]: ALERTS: 2
Mar 29 12:55:05 stpxfd2a snort[6373]: LOGGED: 12
Mar 29 12:55:05 stpxfd2a snort[6373]: PASSED: 0
Mar 29 12:55:05 stpxfd2a snort[6373]: ===============================================================================
Mar 29 12:55:05 stpxfd2a snort[6373]: TCP Stream Reassembly Stats:
Mar 29 12:55:05 stpxfd2a snort[6373]: TCP Packets Used: 135158 (66.762%)
Mar 29 12:55:05 stpxfd2a snort[6373]: Stream Trackers: 471
Mar 29 12:55:05 stpxfd2a snort[6373]: Stream flushes: 69
Mar 29 12:55:05 stpxfd2a snort[6373]: Segments used: 69
Mar 29 12:55:05 stpxfd2a snort[6373]: Segments Queued: 69
Mar 29 12:55:05 stpxfd2a snort[6373]: Stream4 Memory Faults: 0
Mar 29 12:55:05 stpxfd2a snort[6373]: ===============================================================================
Mar 29 12:55:05 stpxfd2a kernel: device eth0 left promiscuous mode
Mar 29 12:55:05 stpxfd2a kernel: audit(1175165705.282:46): dev=eth0 prom=0 old_prom=256 auid=4294967295
Any idea what the problem is?
Message edited by madsurfer on 29-03-2007 at 14:12:47
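A set of checks added here by the editor, not part of the original post: the grants described above cover SELECT, UPDATE and DELETE, while Snort's database output plugin has to INSERT rows (into sensor, event, iphdr and the other tables listed), so the first things to compare are the user's real grants against what each role needs, and whether Snort ever registered itself in the sensor table. The snort user, host and database names come from the post; the separate 'acid' account for the web front-end is an assumption.

```sql
-- Run as a MySQL administrator (constructed example, not from the post).
-- 1. What is the snort user actually allowed to do right now?
SHOW GRANTS FOR 'snort'@'localhost';

-- 2. Least-privilege split: the sensor only has to read reference data,
--    insert new rows, and update last_cid in sensor; the console has to
--    read and manage events, so it is the one that needs DELETE.
GRANT SELECT, INSERT, UPDATE ON snort.* TO 'snort'@'localhost';
-- 'acid' is an assumed account name for the ACID front-end
GRANT SELECT, INSERT, UPDATE, DELETE ON snort.* TO 'acid'@'localhost';
FLUSH PRIVILEGES;

-- 3. Did Snort ever reach the database? The output plugin inserts one
--    sensor row per sensor/interface when it starts; no row means it
--    never got as far as writing.
SELECT sid, hostname, interface, last_cid FROM sensor;

-- 4. Did the 2 alerts counted at shutdown land in the event table?
SELECT COUNT(*) AS events FROM event;
SELECT e.sid, e.cid, e.timestamp, s.sig_name
  FROM event e
  JOIN signature s ON s.sig_id = e.signature
 ORDER BY e.timestamp DESC
 LIMIT 5;
```

If step 3 returns no sensor row, the problem is between Snort and MySQL (privileges or connection), not in ACID.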