Snort mailing list archives
Re: v2.8.4 incorrect logging to MySQL
From: JJ Cummings <cummingsj () gmail com>
Date: Fri, 10 Apr 2009 13:14:02 -0700
Use barnyard.... Or another utility like snort-unified-perl to read snort unifiedx output and send to mysql.... That would be the correct way to do it.

Sent from the iRoad

On Apr 10, 2009, at 9:52 AM, "Danny Paul" <JDPAUL () GoColumbiaMO com> wrote:
It appears that version 2.8.4 does not properly log to mysql. I have the following line in my config file (***** = redacted):

    output database: log, mysql, user=***** password=***** dbname=snortdb host=localhost sensor_name=***** encoding=hex detail=full

The tables are empty when snort is started. When I start snort, it does start making entries into the event, tcphdr, iphdr, and data tables. However, it never makes an entry for itself in the sensor table and never inserts anything into the signature table. That means that there is no way to correlate events to the sensor that generated them or the signature triggering the alert.

I logged all MySQL queries to confirm this behavior. Snort will query the sensor and signature tables but never inserts. What could be the cause of this?

Particulars:
OpenSuSE 11.1
Snort 2.8.4
Mysql 5.0.67
Phil Wood's libpcap ver:0.9.8.20081128
Snort compiled from source using configuration directives: --with-mysql --enable-dynamicplugin --with-libpcap-libraries=/usr/local/lib --with-libpcap-includes=/path/to/libpcap-0.9.8.20081128

Thanks,
Danny Paul

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
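A consistency check for the condition Danny describes (rows appearing in event while sensor and signature stay empty, so alerts cannot be attributed to a sensor or a rule), added here as an example and not part of the thread. It assumes the column names of the standard Snort create_mysql schema (event.sid, event.cid, event.signature, sensor.sid, signature.sig_id), which the messages do not show; adjust them if your schema differs.

```sql
-- Added example, not from the thread. Column names are assumed from the
-- standard Snort create_mysql schema (event, sensor, signature tables).

-- 1. Events whose sensor id has no matching row in `sensor`:
--    these cannot be attributed to the sensor that produced them.
SELECT e.sid,
       COUNT(*)         AS orphaned_events,
       MIN(e.timestamp) AS first_seen,
       MAX(e.timestamp) AS last_seen
FROM event e
LEFT JOIN sensor s ON s.sid = e.sid
WHERE s.sid IS NULL
GROUP BY e.sid;

-- 2. Events whose signature id has no matching row in `signature`:
--    the alert exists but carries no rule name or priority to act on.
SELECT e.signature AS sig_id,
       COUNT(*)    AS orphaned_events
FROM event e
LEFT JOIN signature g ON g.sig_id = e.signature
WHERE g.sig_id IS NULL
GROUP BY e.signature;

-- 3. Summary: how many events can be fully correlated to both a sensor
--    and a signature. Equal counts mean the output plugin is healthy;
--    correlatable_events = 0 reproduces the symptom reported above.
SELECT COUNT(*) AS total_events,
       SUM(s.sid IS NOT NULL AND g.sig_id IS NOT NULL) AS correlatable_events
FROM event e
LEFT JOIN sensor s    ON s.sid    = e.sid
LEFT JOIN signature g ON g.sig_id = e.signature;
```

Run it against the database named in the output line (snortdb here) after Snort has been writing for a while; a non-empty result from the first two queries is the orphaned data that a unified-log reader such as barnyard would normally keep consistent.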
Current thread:
- v2.8.4 incorrect logging to MySQL Danny Paul (Apr 10)
- Re: v2.8.4 incorrect logging to MySQL JJ Cummings (Apr 10)
- Re: v2.8.4 incorrect logging to MySQL Danny Paul (Apr 11)
- Re: v2.8.4 incorrect logging to MySQL Stephen Reese (Apr 11)
- Re: v2.8.4 incorrect logging to MySQL Danny Paul (Apr 11)
- Re: v2.8.4 incorrect logging to MySQL Stephen Reese (Apr 11)
- Re: v2.8.4 incorrect logging to MySQL Stephen Reese (Apr 11)
- Re: v2.8.4 incorrect logging to MySQL Matt Watchinski (Apr 11)
- Re: v2.8.4 incorrect logging to MySQL Stephen Reese (Apr 11)
- Re: v2.8.4 incorrect logging to MySQL Danny Paul (Apr 13)
- Re: v2.8.4 incorrect logging to MySQL James Lay (Apr 13)
- Re: v2.8.4 incorrect logging to MySQL Joel Esler (Apr 13)
- Re: v2.8.4 incorrect logging to MySQL Danny Paul (Apr 11)
- Re: v2.8.4 incorrect logging to MySQL JJ Cummings (Apr 10)