Snort mailing list archives

RE: snort (with mysql) write only in message.log


From: "Joshua Berry" <jberry () PENSON COM>
Date: Thu, 22 Jul 2004 13:12:08 -0500

What parameters are you passing snort from the command line?  What does
the rest of the config look like?

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Stefan
Sabolowitsch
Sent: Thursday, July 22, 2004 12:23 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] snort (with mysql) write only in message.log

Hi list / ng

I have a server running WBEL (RHEL) here with snort-mysql.
Snort starts without problems, yet nothing is written to mysql.
Snort writes only to message.log.

What am I doing wrong?
Does anyone have an idea?

Thanks for any help

Stefan


Infos:

message.log (alarms)
Jul 22 18:27:03 hydra-1 snort: [1:1411:5] SNMP public access udp [Classification: Attempted Information Leak] [Priority: 2]: {UDP} 192.168.1.51:1609 -> 192.168.1.249:161
Jul 22 18:27:03 hydra-1 snort: [1:1417:4] SNMP request udp [Classification: Attempted Information Leak] [Priority: 2]: {UDP} 192.168.1.51:1609 -> 192.168.1.249:161
Jul 22 18:27:03 hydra-1 snort: [1:1411:5] SNMP public access udp [Classification: Attempted Information Leak] [Priority: 2]: {UDP} 192.168.1.51:1610 -> 192.168.1.249:161
Jul 22 18:27:03 hydra-1 snort: [1:1417:4] SNMP request udp [Classification: Attempted Information Leak] [Priority: 2]: {UDP} 192.168.1.51:1610 -> 192.168.1.249:161


snort.conf (output section)
output database: log, mysql, user=snorty password=snorty dbname=snorty host=localhost

message.log (start snort)
Jul 22 18:22:59 hydra-1 kernel: eth0: Setting promiscuous mode.
Jul 22 18:22:59 hydra-1 kernel: device eth0 entered promiscuous mode
Jul 22 18:22:59 hydra-1 snort: Initializing daemon mode
Jul 22 18:22:59 hydra-1 snort: PID path stat checked out ok, PID path set to /var/run/
Jul 22 18:22:59 hydra-1 snort: Writing PID "8105" to file "/var/run//snort_eth0.pid"
Jul 22 18:22:59 hydra-1 snort: ,-----------[Flow Config]----------------------
Jul 22 18:22:59 hydra-1 snort: | Stats Interval:  0
Jul 22 18:22:59 hydra-1 snort: | Hash Method:     2
Jul 22 18:22:59 hydra-1 snort: | Memcap:          10485760
Jul 22 18:22:59 hydra-1 snort: | Rows  :          4099
Jul 22 18:22:59 hydra-1 snort: | Overhead Bytes:  16400(%0.16)
Jul 22 18:22:59 hydra-1 snort: `----------------------------------------------
Jul 22 18:22:59 hydra-1 snort: HttpInspect Config:
Jul 22 18:22:59 hydra-1 snort:     GLOBAL CONFIG
Jul 22 18:22:59 hydra-1 snortd: Starten von snort succeeded
Jul 22 18:22:59 hydra-1 snort:       Max Pipeline Requests:    0
Jul 22 18:22:59 hydra-1 snort:       Inspection Type:          STATELESS
Jul 22 18:22:59 hydra-1 snort:       Detect Proxy Usage:       NO
Jul 22 18:22:59 hydra-1 snort:       IIS Unicode Map Filename: /etc/snort/unicode.map
Jul 22 18:22:59 hydra-1 snort:       IIS Unicode Map Codepage: 1252
Jul 22 18:22:59 hydra-1 snort:     DEFAULT SERVER CONFIG:
Jul 22 18:22:59 hydra-1 snort:       Ports:
Jul 22 18:22:59 hydra-1 snort: 80
Jul 22 18:22:59 hydra-1 snort: 8080
Jul 22 18:22:59 hydra-1 snort: 8180
Jul 22 18:22:59 hydra-1 snort:
Jul 22 18:22:59 hydra-1 snort:       Flow Depth: 300
Jul 22 18:22:59 hydra-1 snort:       Max Chunk Length: 500000
Jul 22 18:22:59 hydra-1 snort:       Inspect Pipeline Requests: YES
Jul 22 18:22:59 hydra-1 snort:       URI Discovery Strict Mode: NO
Jul 22 18:22:59 hydra-1 snort:       Allow Proxy Usage: NO
Jul 22 18:22:59 hydra-1 snort:       Disable Alerting: NO
Jul 22 18:22:59 hydra-1 snort:       Oversize Dir Length: 500
Jul 22 18:22:59 hydra-1 snort:       Only inspect URI: NO
Jul 22 18:22:59 hydra-1 snort:       Ascii: YES alert: NO
Jul 22 18:22:59 hydra-1 snort:       Double Decoding: YES alert: YES
Jul 22 18:22:59 hydra-1 snort:       %U Encoding: YES alert: YES
Jul 22 18:22:59 hydra-1 snort:       Bare Byte: YES alert: YES
Jul 22 18:22:59 hydra-1 snort:       Base36: OFF
Jul 22 18:22:59 hydra-1 snort:       UTF 8: OFF
Jul 22 18:22:59 hydra-1 snort:       IIS Unicode: YES alert: YES
Jul 22 18:22:59 hydra-1 snort:       Multiple Slash: YES alert: NO
Jul 22 18:22:59 hydra-1 snort:       IIS Backslash: YES alert: NO
Jul 22 18:22:59 hydra-1 snort:       Directory: YES alert: NO
Jul 22 18:22:59 hydra-1 snort:       Apache WhiteSpace: YES alert: YES
Jul 22 18:22:59 hydra-1 snort:       IIS Delimiter: YES alert: YES
Jul 22 18:22:59 hydra-1 snort:       IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
Jul 22 18:22:59 hydra-1 snort:       Non-RFC Compliant Characters:
Jul 22 18:22:59 hydra-1 snort: NONE
Jul 22 18:22:59 hydra-1 snort:
Jul 22 18:22:59 hydra-1 snort: rpc_decode arguments:
Jul 22 18:22:59 hydra-1 snort:     Ports to decode RPC on: 111 32771
Jul 22 18:22:59 hydra-1 snort:     alert_fragments: INACTIVE
Jul 22 18:22:59 hydra-1 snort:     alert_large_fragments: ACTIVE
Jul 22 18:22:59 hydra-1 snort:     alert_incomplete: ACTIVE
Jul 22 18:22:59 hydra-1 snort:     alert_multiple_requests: ACTIVE
Jul 22 18:22:59 hydra-1 snort: telnet_decode arguments:
Jul 22 18:22:59 hydra-1 snort:     Ports to decode telnet on: 21 23 25 119
Jul 22 18:22:59 hydra-1 snort: command line overrides rules file alert plugin!
Jul 22 18:23:00 hydra-1 snort: Snort initialization completed successfully



-------------------------------------------------------
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=4721&alloc_id=10040&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
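An added example, not code from the thread: a small Python helper that re-joins syslog lines folded by a mail client, parses Snort's syslog alert format as shown in Stefan's message.log, and checks the startup log for the "command line overrides rules file alert plugin!" line, which in Snort 2.x means a command-line alert mode replaced the output plugins configured in snort.conf. The sample log text is constructed from the lines quoted above.

```python
import re

# Constructed samples modelled on the lines quoted in the post; the mail
# client's line folding is reproduced so that unwrap() has work to do.
ALERT_LOG = """\
Jul 22 18:27:03 hydra-1 snort: [1:1411:5] SNMP public access udp
[Classification: Attempted Information Leak] [Priority: 2]: {UDP}
192.168.1.51:1609 -> 192.168.1.249:161
Jul 22 18:27:03 hydra-1 snort: [1:1417:4] SNMP request udp [Classification:
Attempted Information Leak] [Priority: 2]: {UDP} 192.168.1.51:1609 ->
192.168.1.249:161
"""
STARTUP_LOG = """\
Jul 22 18:22:59 hydra-1 snort: command line overrides rules file alert
plugin!
Jul 22 18:23:00 hydra-1 snort: Snort initialization completed successfully
"""

SYSLOG_START = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \S+ ")
ALERT_RE = re.compile(
    r"snort: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"\[Classification: (?P<cls>[^\]]+)\] \[Priority: (?P<prio>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$")
OVERRIDE_MSG = "command line overrides rules file alert plugin!"

def unwrap(text):
    """Re-join syslog lines folded by a mail client: a real line starts with a timestamp."""
    lines = []
    for raw in text.splitlines():
        if SYSLOG_START.match(raw) or not lines:
            lines.append(raw.strip())
        else:
            lines[-1] += " " + raw.strip()
    return lines

def parse_alerts(text):
    """Parse Snort's syslog alert format into dicts; non-matching lines are skipped."""
    out = []
    for line in unwrap(text):
        m = ALERT_RE.search(line)
        if m:
            out.append(m.groupdict())
    return out

def config_overridden(startup_log):
    """True when Snort 2.x reports that an alert mode given on the command line
    (-A or -s) replaced the output plugins from snort.conf, so the configured
    database output never receives anything."""
    return any(OVERRIDE_MSG in line for line in unwrap(startup_log))
```

If config_overridden() is true, the database plugin in snort.conf is inactive regardless of how correct its line is; compare the snort command line (or the snortd init script) against the config before looking at MySQL itself.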

