Snort mailing list archives
Snort 1.8.2 + remote MySQL logging
From: Steve Wingate <steve () velosystems net>
Date: Mon, 19 Nov 2001 14:48:02 -0800
I'm trying to get my snort box to log to a MySQL server on the LAN. Upon starting snort, it seems to properly acknowledge the mysql support and the "snoop" utility on Solaris 8 shows a brief flurry of activity indicating the mysql is being logged into. I start snort with

    snort -D -d -h 192.168.1.0/24 -c snort.conf

I can also manually log into the mysql server from the snort box. However, after that there doesn't seem to be "enough activity" to indicate that the data is actually going into the database. This is only a home LAN with a cable connection, but the alert & portscan.log files show frequent activity at the same time snoop shows no activity to the mysql server box. From reading docs I understand that portscan data isn't logged to mysql, but I'm thinking I should see all the attempted exploit activity on my webserver (WEB-IIS cmd.exe, WEB-FRONTPAGE, WEB-IIS CodeRed, etc.) going to the database. The alert log shows quite a few of these entries. The webserver is apache so I'm not losing any sleep over the attempts. I leave snoop running and it goes an hour or more w/o showing any activity after the client login, which I identify by the 3306 destination port in the snoop output.

The snort box is OpenBSD 2.9-stable running ipfilter. Snort version is 1.8.2 compiled from source with

    ./configure --with-mysql=/usr/local

The box has the MySQL 3.23.41 client only installed, which was installed from the OpenBSD ports tree. The only mysql related entry I've made in snort.conf is shown below, host/user/pw changed to protect the innocent:

    output database: log, mysql, user=skippy password=foobar dbname=snort host=mysqlbox

The "var blah" variables are as follows.

    var HOME_NET 192.168.1.0/24
    var EXTERNAL_NET any
    var SMTP 192.168.1.1
    var HTTP_SERVERS 192.168.1.1
    var SQL_SERVERS 192.168.1.2
    var DNS_SERVERS [24.5.156.15,24.5.156.17,192.168.1.1]
    # the 24.x entries above are for my ISP

Am I missing anything obvious? Should there be any other mysql related entries in snort.conf?
I'm not very good with snort or mysql... I know just enough to get them running and that's about it. TIA.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
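The directive the post quotes follows the Snort output-plugin syntax `output database: <log | alert>, <db type>, key=value ...`. The checker below, an added example that is not part of the original message and not Snort's own code, parses a snort.conf fragment built from the lines quoted above (constructed sample input), validates the facility, database type and parameters, and reports the two things a defender should notice in this setup: the database password sits in the config file in clear text, and with a non-local `host` the credentials and event data cross the LAN to port 3306. The set of accepted database types, the parameters treated as required (`dbname`, `user`, `host`) and the finding codes are this checker's own assumptions, not Snort's.

```python
import re
from typing import Optional

# Constructed snort.conf fragment: the var lines and the output directive quoted
# in the post, placed in one string so the checker can run offline.
SAMPLE_CONF = """\
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET any
var SMTP 192.168.1.1
var HTTP_SERVERS 192.168.1.1
var SQL_SERVERS 192.168.1.2
var DNS_SERVERS [24.5.156.15,24.5.156.17,192.168.1.1]
# the 24.x entries above are for my ISP
output database: log, mysql, user=skippy password=foobar dbname=snort host=mysqlbox
"""

# Facilities the database plugin can attach to (Snort manual: log | alert).
FACILITIES = {"log", "alert"}
# Database types this checker accepts; extend for your build (assumption).
DB_TYPES = {"mysql", "postgresql", "unixodbc", "mssql"}
# Parameters the checker insists on (assumption; Snort has defaults for some).
REQUIRED_PARAMS = ("dbname", "user", "host")
LOCAL_HOSTS = {"localhost", "127.0.0.1"}

OUTPUT_RE = re.compile(r"^output\s+database:\s*([^,\s]+)\s*,\s*([^,\s]+)\s*,\s*(.*)$")


def parse_output_database(line: str) -> Optional[dict]:
    """Parse one 'output database:' directive into facility, type and key=value params."""
    m = OUTPUT_RE.match(line.strip())
    if not m:
        return None
    facility, dbtype, rest = m.groups()
    params = {}
    for token in rest.split():
        key, sep, value = token.partition("=")
        if sep:
            params[key] = value
    return {"facility": facility, "type": dbtype, "params": params}


def parse_vars(text: str) -> dict:
    """Collect 'var NAME VALUE' definitions, ignoring comments and blank lines."""
    result = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0] == "var":
            result[parts[1]] = parts[2]
    return result


def check_conf(text: str) -> list:
    """Return (code, message) findings for the database output section of a snort.conf."""
    findings = []
    variables = parse_vars(text)
    for name in ("HOME_NET", "EXTERNAL_NET"):
        if name not in variables:
            findings.append(("MISSING_VAR", f"var {name} is not defined"))

    directives = [d for d in (parse_output_database(line) for line in text.splitlines()) if d]
    if not directives:
        findings.append(("NO_DB_OUTPUT", "no 'output database:' directive found"))

    for d in directives:
        p = d["params"]
        if d["facility"] not in FACILITIES:
            findings.append(("BAD_FACILITY", f"facility '{d['facility']}' is not log or alert"))
        elif d["facility"] == "log":
            # The plugin is fed by the log facility, so packet logging must stay enabled (-N disables it).
            findings.append(("LOG_FACILITY",
                             "plugin is attached to the log facility; packet logging must not be disabled (-N)"))
        if d["type"] not in DB_TYPES:
            findings.append(("BAD_DB_TYPE", f"unknown database type '{d['type']}'"))
        for key in REQUIRED_PARAMS:
            if key not in p:
                findings.append(("MISSING_PARAM", f"parameter '{key}' not set"))
        if "password" in p:
            findings.append(("PLAINTEXT_PASSWORD",
                             "database password is stored in the clear; restrict snort.conf "
                             "to the user snort runs as (mode 0600)"))
        if p.get("host") and p["host"] not in LOCAL_HOSTS:
            findings.append(("REMOTE_DB",
                             f"events and credentials travel over the network to {p['host']}:"
                             f"{p.get('port', '3306')}; limit the DB account to this sensor's "
                             "address and to INSERT/SELECT on the snort database"))
    return findings


if __name__ == "__main__":
    for code, msg in check_conf(SAMPLE_CONF):
        print(f"{code:20} {msg}")
```

Run it against a real snort.conf by replacing `SAMPLE_CONF` with the file's contents; the finding codes are stable strings so the output can be consumed by a script that fails a deployment when, for example, `PLAINTEXT_PASSWORD` appears on a world-readable config.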