Snort mailing list archives
RE: Database logging
From: "Mayers, Philip J" <p.mayers () ic ac uk>
Date: Wed, 8 Aug 2001 10:04:25 +0100
It's postgres dying, i.e. the postmaster fails, which doesn't make me feel warm and fuzzy - I like postgres, and have never seen the postmaster get killed. I'll give the daily snap a try though.

Re: -A/-s - Ahhh, the light dawns.

Regards,
Phil

+----------------------------------+
| Phil Mayers, Network Support     |
| Centre for Computing Services    |
| Imperial College                 |
+----------------------------------+

-----Original Message-----
From: Jed Pickel [mailto:jed () pickel net]
Sent: 08 August 2001 06:31
To: Mayers, Philip J
Cc: 'snort-users () sourceforge net'
Subject: Re: [Snort-users] Database logging

On Tue, Aug 07, 2001 at 06:07:22PM +0100, Mayers, Philip J wrote:
I'm trying to database log into Postgresql, and am having some problems:

1) We're dropping a small (5%) amount of packets, although we are under high load
2) After an indeterminate period of time, Postgresql (7.1.2) seems to go belly up and snort dies.
There are a couple of circumstances that can cause a fatal error in the database plugin resulting in snort quitting in both 1.8 and 1.8P1 of snort. This was recently corrected in the development version. If you get a chance, you may want to grab the latest devel version at the following url and see if this prevents things from going "belly up".

http://snort.sourceforge.net/snort-daily.tar.gz

If this does not fix the problem let me know.
So, what I want to do is either:

1) Log to a pcap/binary file, HUP snort hourly to re-open the files, and then run a second copy of snort with the same ruleset, *just* logging into Postgres. However, I do this:

/usr/local/bin/snort -A none -c snort-dblog.conf -r snort-<date>.log

This doesn't work - and if I do -A fast/full, I get the alert file/IP-base directories, which I don't want. Either way, postgres never seems to get the logs.
The -A or -s command line options override ALL of your output plugins. If you lose the "-A none" that command will work as you expect.

* Jed

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
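The two-stage setup Phil describes, written out as a shell script. This is an added example, not code from the thread or from the Snort project; it assumes the Snort 1.8-era flags named in its comments (-b, -l, -c, -r, -D), a snort-dblog.conf whose only output section is the database plugin, and constructed paths under /etc/snort and /var/log/snort. The replay step deliberately carries no -A and no -s, since, as Jed points out, either flag overrides every output plugin in the config, and a guard function refuses an argument list that contains them.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Snort project.
# Two-stage pipeline: a capture instance writes binary (tcpdump-format)
# logs and is HUPed hourly so it starts a fresh file; a second instance
# replays each completed file through a config whose only output plugin
# is the Postgres database logger.
# Assumed: Snort 1.8-era flags -b (binary log), -l (log dir), -c (conf),
# -r (read a log file), -D (daemonize); a snort-dblog.conf carrying the
# database output plugin; all paths below are constructed for illustration.

SNORT=/usr/local/bin/snort
CONF=/etc/snort/snort.conf          # full ruleset, used by the capture instance
DBCONF=/etc/snort/snort-dblog.conf  # same rules, "output database: ..." only
LOGDIR=/var/log/snort               # where -b drops the snort-<date>.log files
DONEDIR=/var/log/snort/replayed     # completed files are parked here

# Reject any argument list that carries -A or -s: either one overrides every
# output plugin in the config, so the database plugin never sees a packet.
# Returns 0 when the list is clean, 1 when an override flag is present.
no_output_override() {
    for arg in "$@"; do
        case "$arg" in
            -A|-A*|-s) return 1 ;;
        esac
    done
    return 0
}

# Command line for the replay instance: -c and -r only, no -A, no -s.
replay_cmd() {
    printf '%s -c %s -r %s\n' "$SNORT" "$DBCONF" "$1"
}

# Stage 1: start the capture instance in binary-logging mode, detached.
start_capture() {
    "$SNORT" -b -l "$LOGDIR" -c "$CONF" -D
}

# Hourly: HUP the capture instance (argument: its pid) so it reopens its log,
# then replay every file except the newest one, which is still being written.
# A file is moved to DONEDIR only after a successful replay, so a crash of
# the replay instance (the thread's "belly up" case) leaves it to be retried.
rotate_and_replay() {
    kill -HUP "$1"
    sleep 2
    mkdir -p "$DONEDIR"
    current=$(ls -t "$LOGDIR"/snort-*.log 2>/dev/null | head -n 1)
    for f in "$LOGDIR"/snort-*.log; do
        [ -f "$f" ] || continue
        [ "$f" = "$current" ] && continue
        set -- -c "$DBCONF" -r "$f"
        no_output_override "$@" || { echo "refusing: $*" >&2; continue; }
        "$SNORT" "$@" && mv "$f" "$DONEDIR"/
    done
}

# Usage: snort-dblog.sh start | rotate <capture-pid>
case "${1:-}" in
    start)  start_capture ;;
    rotate) rotate_and_replay "$2" ;;
esac
```

Run `snort-dblog.sh start` once, then `snort-dblog.sh rotate <pid>` from an hourly cron entry. The guard is there because the failure mode in the thread is silent: with `-A none` on the command line Snort runs happily and Postgres simply receives nothing.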
Current thread:
- Database logging gerhard (Jul 09)
- <Possible follow-ups>
- RE: Database logging Kevin Brown (Jul 09)
- Database logging Mayers, Philip J (Aug 07)
- Re: Database logging Jed Pickel (Aug 07)
- RE: Database logging Mayers, Philip J (Aug 08)