Snort mailing list archives

Snort 1.8.2 + remote MySQL logging


From: Steve Wingate <steve () velosystems net>
Date: Mon, 19 Nov 2001 14:48:02 -0800

I'm trying to get my snort box to log to a MySQL server on the LAN. Upon starting snort, it seems to properly 
acknowledge the mysql support, and the "snoop" utility on Solaris 8 shows a brief flurry of activity indicating that 
mysql is being logged into. I start snort with "snort -D -d -h 192.168.1.0/24 -c snort.conf". I can also manually log 
into the mysql server from the snort box. However, after that there doesn't seem to be "enough activity" to indicate 
that the data is actually going into the database. This is only a home LAN with a cable connection, but the alert & 
portscan.log files show frequent activity at the same time snoop shows no activity to the mysql server box. From 
reading docs I understand that portscan data isn't logged to mysql, but I'm thinking I should see all the attempted 
exploit activity on my webserver (WEB-IIS cmd.exe, WEB-FRONTPAGE, WEB-IIS CodeRed, etc.) going to the database. The 
alert log shows quite a few of these entries. The webserver is apache, so I'm not losing any sleep over the attempts.
I leave snoop running and it goes an hour or more without showing any activity after the client login, which I 
identify by the 3306 destination port in the snoop output.

The snort box is OpenBSD 2.9-stable running ipfilter
Snort version is 1.8.2 compiled from source with ./configure --with-mysql=/usr/local
The box has the MySQL 3.23.41 client only installed, which was installed from the OpenBSD ports tree.

The only mysql related entry I've made in snort.conf is shown below, host/user/pw changed to protect the innocent:

        output database: log, mysql, user=skippy password=foobar dbname=snort host=mysqlbox

The "var blah" variables are as follows.
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET any
var SMTP 192.168.1.1
var HTTP_SERVERS 192.168.1.1
var SQL_SERVERS 192.168.1.2
var DNS_SERVERS [24.5.156.15,24.5.156.17,192.168.1.1]
# the 24.x entries above are for my ISP

Am I missing anything obvious? Should there be any other mysql-related entries in snort.conf? I'm not very good with 
snort or mysql... I know just enough to get them running and that's about it. TIA.


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
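The symptom in the post is an alert file that keeps growing while port 3306 stays quiet, and snoop alone cannot say whether a single row reached the database. As an added example (not code from the original post or from the Snort project), the Python below parses Snort 1.8 full-format alert entries from a constructed sample, tallies them per signature, and reports which signatures the database is short on when compared with the result of the same grouping run as SQL against the "snort" database. Assumptions: the database was created with the create_mysql script that ships with Snort, so it has an `event` table joined to `signature` on `event.signature = signature.sig_id`; the gid:sid:rev values, addresses and timestamps in the sample are illustrative. One thing worth keeping in mind when reading the `output database:` line above is that its first keyword (`log` or `alert`) names the Snort output facility the plugin is attached to; whichever facility is used, the query below shows what actually arrived.

```python
"""Cross-check Snort's alert file against what reached the MySQL 'snort' database."""
import re
from collections import Counter

# Constructed sample in Snort 1.8 "full" alert format. The gid:sid:rev values,
# addresses and timestamps are illustrative, not taken from the original post.
SAMPLE_ALERT_FILE = """\
[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
11/19-14:30:01.123456 10.0.0.5:4123 -> 192.168.1.1:80
TCP TTL:113 TOS:0x0 ID:12345 IpLen:20 DgmLen:60 DF

[**] [1:1256:3] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
11/19-14:31:07.000001 10.0.0.6:2047 -> 192.168.1.1:80
TCP TTL:110 TOS:0x0 ID:22222 IpLen:20 DgmLen:60 DF

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
11/19-14:35:44.500000 10.0.0.7:1025 -> 192.168.1.1:80
TCP TTL:128 TOS:0x0 ID:33333 IpLen:20 DgmLen:60 DF

[**] [1:937:2] WEB-FRONTPAGE _vti_rpc access [**]
[Classification: Web Application Activity] [Priority: 2]
11/19-14:40:12.250000 10.0.0.8:3001 -> 192.168.1.1:80
TCP TTL:64 TOS:0x0 ID:44444 IpLen:20 DgmLen:60 DF

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
11/19-14:41:03.000000 10.0.0.5:4200 -> 192.168.1.1:80
TCP TTL:113 TOS:0x0 ID:55555 IpLen:20 DgmLen:60 DF
"""

# First line of every entry: [**] [gid:sid:rev] message [**]
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
# Third line: timestamp, source endpoint, destination endpoint
PACKET_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+) -> (\S+)$")


def parse_alert_file(text):
    """Return one dict per alert entry: gid, sid, rev, msg, ts, src, dst.

    Entries are separated by blank lines; the header line opens an entry and
    the packet line that follows fills in time and endpoints.
    """
    alerts = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"gid": int(m.group(1)), "sid": int(m.group(2)),
                       "rev": int(m.group(3)), "msg": m.group(4)}
            alerts.append(current)
            continue
        m = PACKET_RE.match(line)
        if m and current is not None:
            current.update(ts=m.group(1), src=m.group(2), dst=m.group(3))
    return alerts


def counts_by_signature(alerts):
    """Alerts per signature message: the same grouping the SQL below produces."""
    return Counter(a["msg"] for a in alerts)


def verification_sql():
    """Query for the schema built by Snort's create_mysql script (assumption):
    event rows join signature rows on event.signature = signature.sig_id."""
    return (
        "SELECT s.sig_name, COUNT(*) AS n "
        "FROM event e JOIN signature s ON e.signature = s.sig_id "
        "GROUP BY s.sig_name ORDER BY n DESC;"
    )


def missing_from_db(file_counts, db_counts):
    """Signatures the alert file saw more often than the database did.

    db_counts is {sig_name: n} as the query above returns it; the result is
    {sig_name: shortfall} for every signature that did not fully arrive, so an
    empty dict means the database has everything the alert file has.
    """
    return {msg: n - db_counts.get(msg, 0)
            for msg, n in file_counts.items() if db_counts.get(msg, 0) < n}


if __name__ == "__main__":
    alerts = parse_alert_file(SAMPLE_ALERT_FILE)
    file_counts = counts_by_signature(alerts)
    # Constructed stand-in for the query result: nothing reached the database.
    db_counts = {}
    print("Run against the snort database:\n  " + verification_sql())
    for msg, short in missing_from_db(file_counts, db_counts).items():
        print(f"{short:4d} missing  {msg}")
```

To use it against a live sensor, read the real alert file instead of the sample, run the printed query with the mysql client from the snort box (the same login the post says works by hand), and feed the rows back in as `db_counts`; a non-empty result pins the loss to the path between Snort and the database rather than to detection.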