Snort mailing list archives
logging to mySQL
From: Blake Frantz <blake () mc net>
Date: Sun, 17 Jun 2001 13:52:37 -0500 (CDT)
Hello, I'm having a problem getting snort to log to mySQL. Everything is being logged to /var/log/snort. Below are the details, any help is appreciated.

This is what snort says when I fire it up with: 'snort -c snort.conf -i eth1'

    Initializing rule chains...
    database: compiled support for ( mysql postgresql )
    database: configured to use mysql
    database: user = snort
    database: database name = snort
    database: host = localhost
    database: sensor name = 192.168.69.99
    database: sensor id = 2
    database: using the "log" facility
    633 Snort rules read...
    633 Option Chains linked into 631 Chain Headers
    0 Dynamic rules

This is the access mySQL says user snort has on dB 'snort':

    Access-rights for USER 'snort', from HOST 'localhost', to DB 'snort'
    +-----------------+---+ +-----------------+---+
    | Select_priv     | Y | | Shutdown_priv   | N |
    | Insert_priv     | Y | | Process_priv    | N |
    | Update_priv     | N | | File_priv       | N |
    | Delete_priv     | N | | Grant_priv      | N |
    | Create_priv     | Y | | References_priv | N |
    | Drop_priv       | N | | Index_priv      | N |
    | Reload_priv     | N | | Alter_priv      | N |
    +-----------------+---+ +-----------------+---+
    BEWARE: Everybody can access your DB as user `snort' from host `localhost'
          : WITHOUT supplying a password.
          : Be very careful about it!!

    The following rules are used:
     db  :'localhost','snort','snort','Y','Y','N','N','Y','N','N','N','N','N'
     host:'Not processed: host-field is not empty in db-table.'
     user:'localhost','snort','','N','N','N','N','N','N','N','N','N','N','N','N','N','N'

This is how I have logging set up in my snort.conf:

    ruletype log2mySQL
    {
        type log
        output database: log, mysql, user=snort dbname=snort host=localhost
    }

This is what snort says after I kill the process:

    Snort received 152661 packets and dropped 0(0.000%) packets

    Breakdown by protocol:                Action Stats:
        TCP: 124175     (81.340%)         ALERTS: 3
        UDP: 26187      (17.154%)         LOGGED: 3
       ICMP: 1984       (1.300%)          PASSED: 0
        ARP: 0          (0.000%)
       IPv6: 0          (0.000%)
        IPX: 0          (0.000%)
      OTHER: 315        (0.206%)
    DISCARD: 0          (0.000%)

So it *did* log data. This is the result when I query my 'snort' dB from mysql:

    mysql> use snort; select * from data;
    Database changed
    Empty set (0.00 sec)

    mysql>

This is logged to /var/log/snort:

    drwx------    2 root     root         4096 Jun 17 13:17 x.y.x.0
    drwx------    2 root     root         4096 Jun 17 13:15 x.y.z.1
    -rw-r--r--    1 root     root         1060 Jun 17 13:17 alert
    -rw-r--r--    1 root     root            0 Jun 17 13:12 log
    -rw-r--r--    1 root     root            0 Jun 17 13:12 portscan.log

Thanks in advance.

Blake

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
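A Snort ruletype's output plugin only applies to rules whose action is that ruletype's name, so a config like the one above only reaches MySQL if some rule actually uses the log2mySQL action. The following check is an added example, not from the post or the Snort project: it parses a constructed snort.conf (the poster's ruletype block plus two sample rules, which are assumptions), lists each ruletype's output plugins, and reports ruletypes that no rule uses.

```python
import re

# Constructed sample snort.conf: the ruletype from the post plus two sample rules (assumed).
SAMPLE_CONF = """\
ruletype log2mySQL
{
    type log
    output database: log, mysql, user=snort dbname=snort host=localhost
}
alert tcp any any -> 192.168.69.0/24 80 (msg:"sample http"; sid:1000001;)
log udp any any -> 192.168.69.0/24 53 (msg:"sample dns"; sid:1000002;)
"""

# Rule actions built into Snort 1.x; a ruletype declaration adds a new one.
BUILTIN_ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}

RULETYPE_RE = re.compile(r"ruletype\s+(\w+)\s*\{(.*?)\}", re.S)


def parse_ruletypes(conf: str) -> dict:
    """Map each ruletype name to the 'output ...' lines declared inside its block."""
    return {
        name: [line.strip() for line in body.splitlines() if line.strip().startswith("output")]
        for name, body in RULETYPE_RE.findall(conf)
    }


def rule_actions(conf: str) -> dict:
    """Count rule lines by action (first token), outside the ruletype blocks."""
    custom = set(parse_ruletypes(conf))
    stripped = RULETYPE_RE.sub("", conf)
    counts = {}
    for line in stripped.splitlines():
        tokens = line.split()
        if tokens and tokens[0] in BUILTIN_ACTIONS | custom:
            counts[tokens[0]] = counts.get(tokens[0], 0) + 1
    return counts


def unused_ruletypes(conf: str) -> list:
    """Ruletypes that are declared but never used as a rule action (their output never fires)."""
    counts = rule_actions(conf)
    return sorted(name for name in parse_ruletypes(conf) if counts.get(name, 0) == 0)


if __name__ == "__main__":
    for name, outputs in parse_ruletypes(SAMPLE_CONF).items():
        print(f"ruletype {name}: {outputs}")
    print("rule actions:", rule_actions(SAMPLE_CONF))
    print("unused ruletypes:", unused_ruletypes(SAMPLE_CONF))
```

With the sample rules using only the built-in alert and log actions, log2mySQL is reported as unused; switching a rule's action to log2mySQL clears the report.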