Snort mailing list archives

RE: Acid 0.9.6bx Portscan problem


From: "Stefan Dens" <sdens () ovam be>
Date: Thu, 26 Jul 2001 17:09:30 +0200

"** Remove the # before the "output database: log, mysql, user=snort
dbname=snort host=localhost" to activate MySQL. "
to get snort to log to the MySQL DB.  OK.  I did that, and Snort does indeed
log to the MySQL DB.

If this is working then you only have to change:
output database: log, mysql, user=snort ......
into
output database: alert, mysql, user=snort .......

The portscans will only be logged to the database with "alert".

enjoy,
Stefan Dens

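The reply above comes down to one configuration detail: which facility ("log" or "alert") an `output database:` line feeds, and whether the line carries the parameters Snort insists on. As an added example (not Snort's code, and not the tool Stefan or Brad used), the checker below parses the `output database:` lines of a snort.conf, reports the facility of each, tells you whether any line sends alerts (and therefore portscans) to the database, flags a missing `dbname` (the error Brad's run shows) and flags a password stored inline in the file. The tokenizer (split on whitespace and commas) and the sample conf fragment are assumptions constructed for this example; they do not reproduce every quirk of Snort 1.7's own parser.

```python
"""Sanity-check the 'output database:' lines in a snort.conf.

Added example for this thread, not Snort's own code. The tokenizer below
(split on whitespace and commas) is an assumption about the line shape and
does not reproduce every quirk of Snort 1.7's database output plugin parser.
"""
import re
from dataclasses import dataclass, field

# Facilities the thread discusses: "log" feeds logged packets into the
# database, "alert" feeds alerts (including portscan/spade alerts) into it.
FACILITIES = ("log", "alert")


@dataclass
class OutputLine:
    facility: str
    dbtype: str
    params: dict
    problems: list = field(default_factory=list)


def parse_output_database(line: str) -> OutputLine:
    """Parse one 'output database: <facility>, <dbtype>, key=value ...' line."""
    _, _, body = line.partition(":")
    tokens = [t for t in re.split(r"[\s,]+", body.strip()) if t]
    if len(tokens) < 2:
        raise ValueError(f"malformed output database line: {line!r}")
    facility, dbtype, rest = tokens[0], tokens[1], tokens[2:]
    params, problems = {}, []
    for tok in rest:
        key, eq, value = tok.partition("=")
        if not eq or not value:
            problems.append(f"parameter {tok!r} is not key=value")
            continue
        params[key] = value
    if facility not in FACILITIES:
        problems.append(f"unknown facility {facility!r}; expected log or alert")
    if "dbname" not in params:
        # Snort stops with "must enter database name in configuration file".
        problems.append("dbname missing; Snort will not start this plugin")
    if "password" in params:
        # Not a Snort error, but the credential now lives in a plain-text
        # file; keep snort.conf readable only by the account running Snort.
        problems.append("database password stored inline; restrict snort.conf permissions")
    return OutputLine(facility, dbtype, params, problems)


def check_snort_conf(text: str) -> dict:
    """Parse every active output database line and report whether alerts
    (and therefore portscans) reach the database."""
    lines = [
        parse_output_database(ln)
        for ln in text.splitlines()
        if ln.strip().startswith("output database:")  # '#'-commented lines are skipped
    ]
    return {
        "lines": lines,
        "facilities": [ln.facility for ln in lines],
        "alerts_to_db": any(ln.facility == "alert" for ln in lines),
        "problems": [p for ln in lines for p in ln.problems],
    }


# Constructed sample snort.conf fragment mirroring the thread: the original
# "log" line, the Acid FAQ "alert" line, and one line with dbname left out.
SAMPLE_CONF = """\
# output database: log, mysql, user=snort dbname=snort host=localhost
output database: log, mysql, user=snort dbname=snort host=localhost
output database: alert, mysql, user=snort, dbname=snort_log host=localhost password=foo
output database: alert, mysql, user=snort host=localhost
"""

if __name__ == "__main__":
    report = check_snort_conf(SAMPLE_CONF)
    for ln in report["lines"]:
        print(ln.facility, ln.dbtype, ln.params, ln.problems)
    print("alerts reach the database:", report["alerts_to_db"])
```

Run it against your own snort.conf by reading the file into `check_snort_conf`; a report with `alerts_to_db` false is the situation Stefan describes, where only the "log" facility is wired to MySQL and portscans never appear in Acid.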

-----Original message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On behalf of
bthaler () webstream net
Sent: Thursday 26 July 2001 15:47
To: snort-users () lists sourceforge net
Subject: [Snort-users] Acid 0.9.6bx Portscan problem


I'm using Acid-0.9.6b12, Snort-1.7, and MySQL running on WinNT.

I can't seem to get the portscan feature in Acid to work, and I'm a little
confused. From the "Snort on Windows" doc at www.snort.org, I'm supposed to
do this:
"** Remove the # before the "output database: log, mysql, user=snort
dbname=snort host=localhost" to activate MySQL. "
to get snort to log to the MySQL DB.  OK.  I did that, and Snort does indeed
log to the MySQL DB.

From the Acid FAQ, to get the portscan/spade alerts to work, I need to set
this:
"output database: alert, mysql, user=snort, dbname=snort_log host=localhost
password=foo"
in my snort.conf file.  This is where I'm confused.  When I run Snort from
the command-line to test the new configuration, I get this error:

Initializating Output Plugins!

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
Using LOCAL time
database: compiled support for ( mysql )
database: configured to use mysql
database:          user = snort
database: database name = snort
database:          host = localhost
database:   sensor name = SNORT
database:     sensor id = 1
database: using the "log" facility
database: compiled support for ( mysql )
database: configured to use mysql
database:          user = snort
database:          host = localhost
database: must enter database name in configuration file

The database name is specified in the snort.conf file.  Am I supposed to
have only 1 output plugin enabled?

Anyone have any ideas?  Roman, I'm sure you know the answer to this one, and
everyone please excuse my ignorance if you've covered this before.


Thanks,
Brad T.


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



*****************************************************************************
Openbare Afvalstoffenmaatschappij voor het Vlaamse Gewest (OVAM)

The contents of this e-mail and its attachments are confidential and
intended solely for use by the addressees. If you have received this
e-mail in error, please destroy this e-mail and its attachments. Copying,
distributing or any other use, in whatever form, of the contents of this
e-mail and its attachments is strictly prohibited. The contents of this
e-mail and its attachments originate from the author and do not
necessarily bind OVAM unless this is confirmed by a validly signed OVAM
document to that effect.
This footer confirms that the e-mail and its attachments have been checked
for computer viruses, which does not guarantee that they are entirely free
of computer viruses.
*****************************************************************************
