Snort mailing list archives
Re: All alerts not getting logged to MySQL??
From: WTWork <securitygauntlet () snet net>
Date: Sun, 15 Sep 2002 23:14:04 -0400
Try changing this entry in RED:

output database: alert, mysql, dbname=snort user=snort password=snort host=192.168.xxx.xx sensor_name=s-1 port=3306 detail=full

At 10:06 AM 9/12/2002 -0500, Alan Kloster wrote:
Hello,

Here are some details:

Snort started with the following command line:

/usr/local/bin/snort -o -i eth1 -d -D -c /usr/local/snort/snort.conf

Database output plug-in conf:

output database: log, mysql, dbname=snort user=snort password=snort host=192.168.xxx.xx sensor_name=s-1 port=3306 detail=full

Snort version is 1.8.7 on Redhat Linux -> MySQL, ACID on WIN2K with IIS.

Okay, here's the rub: If I tail the /var/log/snort/alert and watch the alerts scroll across I see a bunch of FTP Exploit CWD Overflow alerts almost constantly. When I go back and look at the database using ACID, I only see the first alert of this type since I restarted Snort, but a wc -l on /var/log/snort/alert shows 642 instances of the alert. What gives? All of the other alert types appear in the database as they are added to /var/log/snort/alert.

Strange part #2 - I have another box set up with the same configuration, but it doesn't have this problem. I have compared the two snort.conf and snortd files and they appear to be the same.

Tried to set output database: alert. That works and sends all of the alerts to the database, but nothing gets logged to /var/log/snort/alert anymore, which is something I want to see. I also begin to see all of the portscans as well in the database, which I really don't want to see. Any help to solve this mystery would be appreciated.

Also, if anyone has a chart of what options cause what to happen when they are selected, it would be helpful, as I find the FAQ and other resources on the web to be very vague on what actually gets logged when alert or log is selected.

Thanks for your help. You guys are great and it's a great product!
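A check for the mismatch Alan describes, added here as an example (not code from the thread or from the Snort project): it counts alert records per signature in the /var/log/snort/alert file and compares them with per-sensor counts pulled from the database. It keys on the "[**] [gid:sid:rev] msg [**]" header that Snort writes in both its full and fast alert formats, so it counts records rather than lines; in the default full format each alert spans several lines, so a plain wc -l on the file overstates the number of events and is not directly comparable with what ACID shows. The SQL assumes the stock Snort 1.8 database schema that ACID reads (event, signature and sensor tables) and is given as a string to run against MySQL; the sample alert files, SIDs, addresses and database rows are constructed for the example.

```python
"""Reconcile per-signature alert counts between a Snort alert file and the
Snort/ACID database (added example for this thread, not code from the posts
or from the Snort project)."""
import re
from collections import Counter

# Snort writes "[**] [gid:sid:rev] message [**]" in both its full alert
# format (first line of each multi-line record) and its fast format
# (embedded in the single line), so one pattern counts records in either.
ALERT_HEADER = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]")

# Per-signature counts for one sensor, assuming the stock Snort 1.8 database
# schema that ACID reads (event, signature and sensor tables); the
# sensor_name from the output line is stored in sensor.hostname.
DB_COUNT_SQL = """\
SELECT s.sig_name, COUNT(*) AS n
  FROM event e
  JOIN signature s ON s.sig_id = e.signature
  JOIN sensor se   ON se.sid   = e.sid
 WHERE se.hostname = %s
 GROUP BY s.sig_name"""


def count_alerts(text):
    """Return a Counter {signature message: number of alert records}."""
    return Counter(m.group(4) for m in ALERT_HEADER.finditer(text))


def compare_counts(file_counts, db_rows):
    """file_counts: Counter from count_alerts(); db_rows: (sig_name, n) pairs
    as returned by DB_COUNT_SQL.  Returns {sig_name: (in_file, in_db)} for
    every signature where the two sides disagree; empty means complete."""
    db_counts = {name: int(n) for name, n in db_rows}
    mismatches = {}
    for name in set(file_counts) | set(db_counts):
        in_file, in_db = file_counts.get(name, 0), db_counts.get(name, 0)
        if in_file != in_db:
            mismatches[name] = (in_file, in_db)
    return mismatches


# Constructed sample in Snort's full alert format: three FTP records and one
# web alert.  SIDs, addresses and timestamps are made up for the example.
FTP_RECORD = """\
[**] [1:1919:1] FTP Exploit CWD Overflow [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
09/12-10:01:{sec:02d}.123456 10.0.0.5:3421 -> 10.0.0.9:21
TCP TTL:64 TOS:0x0 ID:1234 IpLen:20 DgmLen:60 DF
***AP*** Seq: 0x1A2B3C4D  Ack: 0x0  Win: 0x4000  TcpLen: 20
"""
SAMPLE_FULL_ALERT_FILE = "\n".join(FTP_RECORD.format(sec=s) for s in (2, 3, 4)) + """
[**] [1:1113:1] WEB-MISC http directory traversal [**]
[Classification: Attempted Information Leak] [Priority: 2]
09/12-10:01:05.654321 10.0.0.7:40112 -> 10.0.0.9:80
TCP TTL:64 TOS:0x0 ID:4321 IpLen:20 DgmLen:200 DF
***AP*** Seq: 0x5D6E7F80  Ack: 0x0  Win: 0x4000  TcpLen: 20
"""

# The same four events in Snort's one-line fast format (constructed).
SAMPLE_FAST_ALERT_FILE = """\
09/12-10:01:02.123456  [**] [1:1919:1] FTP Exploit CWD Overflow [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.5:3421 -> 10.0.0.9:21
09/12-10:01:03.123456  [**] [1:1919:1] FTP Exploit CWD Overflow [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.5:3421 -> 10.0.0.9:21
09/12-10:01:04.123456  [**] [1:1919:1] FTP Exploit CWD Overflow [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.5:3421 -> 10.0.0.9:21
09/12-10:01:05.654321  [**] [1:1113:1] WEB-MISC http directory traversal [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.7:40112 -> 10.0.0.9:80
"""

# Constructed rows standing in for the result of DB_COUNT_SQL: the database
# holds only the first FTP event but every web event.
SAMPLE_DB_ROWS = [("FTP Exploit CWD Overflow", 1),
                  ("WEB-MISC http directory traversal", 1)]

if __name__ == "__main__":
    file_counts = count_alerts(SAMPLE_FULL_ALERT_FILE)
    for name, (in_file, in_db) in compare_counts(file_counts, SAMPLE_DB_ROWS).items():
        print(f"{name}: {in_file} in alert file, {in_db} in database")
```

In use, read the real alert file into count_alerts(), run DB_COUNT_SQL with the sensor_name from the output line as the parameter, and pass the cursor's rows to compare_counts(); any signature it reports is one where the database and the alert file disagree, which is exactly the FTP case in the thread.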
Current thread:
- All alerts not getting logged to MySQL?? Alan Kloster (Sep 15)
- Re: All alerts not getting logged to MySQL?? WTWork (Sep 15)
- Re: All alerts not getting logged to MySQL?? Goldmoon (Sep 16)
- Re: All alerts not getting logged to MySQL?? Goldmoon (Sep 16)
- Re: All alerts not getting logged to MySQL?? WTWork (Sep 15)