Snort mailing list archives
RE: MySQL Logging ?
From: "Brian Ipsen" <snort-bipsen () nerdnet dk>
Date: Mon, 28 Jan 2002 19:46:52 GMT
Hi!

I tried to change the interface to the main interface on the PC, but that didn't give me anything in the sql table either (sniffing in snortd set to eth0, which I also use for communicating with the box through http and ssh). Trying to "fire" snot to trigger events in the database didn't help...

For some weird reason it seems like bad traffic isn't always logged into my syslog - guess I'll have to check up on things to ensure the basic configuration is right (and my compile options have been set correctly).

/Brian

-----Original Message-----
From: Erek Adams [mailto:erek () theadamsfamily net]
Sent: 28. januar 2002 20:23
To: Brian Ipsen
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] MySQL Logging ?

On Mon, 28 Jan 2002, Brian Ipsen wrote:

[...snip...]
> where interface for test purposes has been set to lo

This would be the issue. Loopbacks don't ever really pass any traffic. Normally the kernel will 'short-circuit' and bring them right back to the box, w/o hitting the pcap layer. If it doesn't hit the pcap layer, snort will never see it to log it, and you'll get nothing in the DB.

Try your main ether and see what's going on. That should get you some traffic coming in....

Easy test: Compare the output of "snort -dv -i <non-loopback>" to the output of "snort -dv -i <loopback>". Force some traffic over each interface (ping -i <if>) and see if there is a difference.

Hope that helps!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net