Snort mailing list archives

Re: snort will not log to mysql


From: Hans Steinraht <hsteinraht () openlot com>
Date: Thu, 5 Jun 2003 08:50:43 +0200

This works, thanks.

One little question: in ACID the bar for Portscan Traffic keeps the value 0%,
but when I click on it the scans are reported there.
Any idea how that comes about?

Hans


On Wed, Jun 04, 2003 at 07:48:07AM -0500, Bamm Visscher wrote:
The portscan preprocs call the 'alert' function, not the 'log' function. Change your config so that the database
output plugin attaches to the 'alert' facility:

   output database: alert, mysql, user=snort password=snort dbname=snort host=localhost

Bammkkkk

On Tue, Jun 03, 2003 at 03:42:48PM +0200, Hans Steinraht wrote:

Hi,

I just started playing with Snort (version 2.0.0-3.1) on Linux Debian.

When I add some rules like these in local.rules:
  #alert ip any any -> any any (msg:"Got an IP packet";)
  #alert tcp any any -> any any (msg:"Got an TCP packet";)
  #alert udp any any -> any any (msg:"Got an UDP packet";)
  #alert icmp any any -> any any (msg:"Got an ICMP packet";)

all kinds of data are inserted into MySQL.


When I remove the rules and do a scan to the firewall computer in our
network I see entries like "[**] [117:1:1] (spp_portscan2) Portscan detected ....." in my alert.log
and in the portscan2.log, but nothing goes to MySQL.

The snort.conf file I have looks like this:

  output database: log, mysql, user=snort password=snort dbname=snort host=localhost

  preprocessor portscan2: scanners_max 256, targets_max 1024, target_limit 5, port_limit 20, timeout 60, log portscan2.log

When I remove the option log from preprocessor portscan2, it's going to log to
scan.log, but still not to MySQL.

Does anyone have some advice for me on this?

thanks,
Hans


-- 
_________________________
Hans Steinraht
Openlot
Wibautstraat 3
1091 GH Amsterdam
The Netherlands
hsteinraht () openlot com
Phone:   +3120 596 1840
Fax:     +3120 596 3162
www.openlot.com
_________________________
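To catch the mismatch Bamm describes above (the portscan preprocessors raise alerts, so a database output attached only to the 'log' facility never sees them), here is a small checker for snort.conf; it is example code added to this archive page, not part of Snort, and the SAMPLE_CONF text and the PORTSCAN_PREPROCS name list are assumptions modelled on the lines quoted in the thread.

```python
import re

# Constructed sample modelled on the snort.conf lines quoted in the thread; the
# mail client wrapped them, a real snort.conf continues with a trailing backslash.
SAMPLE_CONF = """\
output database: log, mysql, user=snort password=snort dbname=snort \\
  host=localhost
preprocessor portscan2: scanners_max 256, targets_max 1024, target_limit 5, \\
  port_limit 20, timeout 60, log portscan2.log
"""

# Assumed list of Snort 2.x scan preprocessors that raise alerts rather than logs.
PORTSCAN_PREPROCS = ("portscan", "portscan2", "flow-portscan", "sfportscan")

def logical_lines(text: str) -> list[str]:
    """Join backslash-continued lines and drop comments and blank lines."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):  # directive continues on the next line
            buf += line[:-1] + " "
            continue
        stripped = (buf + line).strip()
        buf = ""
        if stripped and not stripped.startswith("#"):
            out.append(stripped)
    return out

def parse_output_database(line: str) -> dict[str, str]:
    """'output database: <facility>, <dbtype>, k=v k=v ...' -> dict of fields."""
    parts = [p.strip() for p in line.split(":", 1)[1].split(",", 2)]
    fields = {"facility": parts[0], "dbtype": parts[1] if len(parts) > 1 else ""}
    if len(parts) > 2:  # remaining text is space-separated key=value pairs
        fields.update(kv.split("=", 1) for kv in parts[2].split() if "=" in kv)
    return fields

def check_portscan_db_logging(conf_text: str) -> list[str]:
    """Return warnings; an empty list means scan alerts can reach the database."""
    facilities, scan_preprocs = set(), []
    for line in logical_lines(conf_text):
        if line.startswith("output database:"):
            facilities.add(parse_output_database(line)["facility"])
        m = re.match(r"preprocessor\s+([\w-]+)", line)
        if m and m.group(1) in PORTSCAN_PREPROCS:
            scan_preprocs.append(m.group(1))
    if scan_preprocs and "alert" not in facilities:
        return [f"{', '.join(scan_preprocs)} raise alerts, but no 'output database' "
                f"line is attached to the 'alert' facility (found: {sorted(facilities)})"]
    return []
```

Running `check_portscan_db_logging(SAMPLE_CONF)` reports the mismatch; after switching the facility to `alert` as in Bamm's reply it returns an empty list.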



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net