Snort mailing list archives
Re: All alerts not getting logged to MySQL??
From: Goldmoon <summer_beha () yahoo com>
Date: Mon, 16 Sep 2002 09:46:45 -0700 (PDT)
Hi, since you've got this working, can you please help me? I'm in the same boat. I can't get snort to start as IDS or get it to log to MySQL, and I can't view it via ACID. My handle on AIM is summer1205, please help! I will be forever grateful!!!! :-) Thanks!

--- WTWork <securitygauntlet () snet net> wrote:
Try changing this entry in RED:

output database: alert, mysql, dbname=snort user=snort password=snort host=192.168.xxx.xx sensor_name=s-1 port=3306 detail=full

At 10:06 AM 9/12/2002 -0500, Alan Kloster wrote:

Hello,

Here are some details:

Snort started with the following command line:
/usr/local/bin/snort -o -i eth1 -d -D -c /usr/local/snort/snort.conf

Database output plug-in conf:
output database: log, mysql, dbname=snort user=snort password=snort host=192.168.xxx.xx sensor_name=s-1 port=3306 detail=full

Snort version is 1.8.7 on Redhat Linux -> MySQL, Acid on WIN2K with IIS.

Okay, here's the rub: If I tail the /var/log/snort/alert and watch the alerts scroll across, I see a bunch of FTP Exploit CWD Overflow alerts almost constantly. When I go back and look at the database using ACID, I only see the first alert of this type since I restarted Snort, but a wc -l on /var/log/snort/alert shows 642 instances of the alert. What gives? All of the other alert types appear in the database as they are added to /var/log/snort/alert.

Strange part #2 - I have another box set up with the same configuration, but it doesn't have this problem. I have compared the two snort.conf and snortd files and they appear to be the same.

Tried to set output database: alert. That works and sends all of the alerts to the database, but nothing gets logged to /var/log/snort/alert anymore, which is something I want to see. I also begin to see all of the portscans as well in the database, which I really don't want to see.

Any help to solve this mystery would be appreciated. Also, if anyone has a chart of what options cause what to happen when they are selected, it would be helpful, as I find the FAQ and other resources on the web to be very vague on what actually gets logged when alert or log is selected.

Thanks for your help. You guys are great and it's a great product!
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
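Editor's note, added to this archive page and not taken from any poster in the thread: the behaviour Alan describes (switching the database plug-in from log to alert fills the database but empties /var/log/snort/alert) follows from how Snort 1.x handles output plug-ins. The default alert file is only written when no alert output plug-in is configured; once one is, Snort calls every configured plug-in of that facility in turn (they are stacked), so listing a file plug-in alongside the database plug-in keeps both. The fragment below shows that arrangement. The host, database name, user, password and sensor name are placeholders, not values anyone in the thread used; the DB user is assumed to exist already.

```conf
# Added example snort.conf output section (not from the original posts).
# Goal: keep the text alert file AND send the same alerts to MySQL.
#
# Snort stacks output plug-ins of the same facility (alert or log) and
# calls each one when an event fires. Declaring alert_full here keeps the
# file that the default configuration wrote implicitly.

# Full-format text alerts. A relative filename lands in the log directory
# given by -l (default /var/log/snort), so this recreates /var/log/snort/alert.
output alert_full: alert

# The same alerts to MySQL. "alert" is the facility the plug-in attaches to,
# not a filename. Placeholder values: replace host, user, password, sensor_name.
output database: alert, mysql, dbname=snort user=snort_writer password=CHANGE_ME host=192.168.xxx.xx port=3306 sensor_name=s-1 detail=full

# Optional: raw packets from log rules in pcap form for later inspection.
output log_tcpdump: snort.log
```

Two caveats for anyone copying this. The configuration file now carries a database credential in clear text, so restrict it to the account Snort runs as (mode 0600) rather than leaving it world-readable. The account named in user= only needs to insert into the Snort schema; give ACID or other reporting tools their own read-only account instead of reusing the sensor's writer credential.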
Current thread:
- All alerts not getting logged to MySQL?? Alan Kloster (Sep 15)
- Re: All alerts not getting logged to MySQL?? WTWork (Sep 15)
- Re: All alerts not getting logged to MySQL?? Goldmoon (Sep 16)
- Re: All alerts not getting logged to MySQL?? Goldmoon (Sep 16)
- Re: All alerts not getting logged to MySQL?? WTWork (Sep 15)