Snort mailing list archives
Re: Snort 1.9 alert log problem
From: Bennett Todd <bet () rahul net>
Date: Mon, 9 Dec 2002 16:47:20 -0500
2002-12-05-09:21:05 Schuler, Jeff:
[...] The boxes log to a MySQL DB and to the local disk. I then noticed that my alert file on each box was 1.4GB in size. One of these boxes registers a few hundred hits a day, the other one maybe 3 hits per day, [...]
Is there any chance that (a) you're logging with MySQL off-machine, and (b) the packets that are being logged to MySQL contain a string that's re-triggering an alert, causing a loop?

If so, fixes would include (a) tightening the signature for the looping alert so it won't match on the MySQL logging packet (if you do this, do please submit the fix back, perhaps by emailing it to the snort-sigs list); (b) disabling the sid that's looping (just # it out in the rules file); (c) using a BPF rule to blind snort to the outbound MySQL traffic; (d) moving the MySQL to the local machine; and (e) tunneling the MySQL traffic through some encrypting pipe like e.g. stunnel (for SSL) or ssh with port forwarding.

-Bennett
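As an added illustration of the feedback loop described in this reply (not code from the thread or from the Snort project): a small checker that reads Snort "fast"-format alert lines and flags signatures that fire mostly on the sensor's own traffic towards the logging database, plus the BPF expression for option (c). The alert lines, the database address 198.51.100.5 and the sid values are constructed for this example; the parse assumes the sensor writes alerts in `-A fast` format.

```python
import re
from collections import Counter

# Constructed sample alert lines in Snort "-A fast" format. The first line is a
# genuine hit; the next three are the same sid re-firing on the sensor's own
# MySQL logging packets (sensor 192.0.2.20 -> DB 198.51.100.5:3306).
SAMPLE_ALERTS = """\
12/05-09:21:05.101234  [**] [1:1000001:1] CONSTRUCTED web attack sig [**] [Priority: 2] {TCP} 192.0.2.10:51234 -> 192.0.2.20:80
12/05-09:21:05.102000  [**] [1:1000001:1] CONSTRUCTED web attack sig [**] [Priority: 2] {TCP} 192.0.2.20:40001 -> 198.51.100.5:3306
12/05-09:21:05.102500  [**] [1:1000001:1] CONSTRUCTED web attack sig [**] [Priority: 2] {TCP} 192.0.2.20:40001 -> 198.51.100.5:3306
12/05-09:21:05.103000  [**] [1:1000001:1] CONSTRUCTED web attack sig [**] [Priority: 2] {TCP} 192.0.2.20:40001 -> 198.51.100.5:3306
12/05-09:22:10.000000  [**] [1:1000002:1] CONSTRUCTED other sig [**] [Priority: 3] {UDP} 192.0.2.30:5353 -> 192.0.2.255:5353
"""

# One fast-format alert: [**] [gid:sid:rev] msg [**] ... {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r".*?\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse_alerts(text):
    """Yield one dict per parsable fast-format alert line; skip anything else."""
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            yield m.groupdict()

def find_loop_candidates(text, db_host, db_port=3306, min_hits=2):
    """Return {sid: count} for signatures that fire on traffic towards the
    logging database itself. Alerts whose destination is the DB listener are
    plausibly re-triggered by the sensor's own logging rather than by real
    events, which is the loop the reply suspects."""
    hits = Counter()
    for a in parse_alerts(text):
        if a["dst"] == db_host and int(a["dport"]) == db_port:
            hits[a["sid"]] += 1
    return {sid: n for sid, n in hits.items() if n >= min_hits}

def bpf_exclude_db(db_host, db_port=3306):
    """BPF expression for option (c): hide the sensor->DB logging traffic from
    snort by passing this as the trailing filter argument on the command line."""
    return f"not (dst host {db_host} and tcp dst port {db_port})"

if __name__ == "__main__":
    print(find_loop_candidates(SAMPLE_ALERTS, "198.51.100.5"))  # {'1000001': 3}
    print(bpf_exclude_db("198.51.100.5"))
```

A sid that appears in this result with a count close to its total alert count is the one to tighten or comment out before the alert file grows further.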