Snort mailing list archives
RE: Snort Stops Sending Alerts to MySQL
From: "Michael Steele" <michaels () silicondefense com>
Date: Fri, 8 Nov 2002 10:04:05 -0800
Ian,

Is this ONLY happening on the remote sensors?

There is a Windows binary available for 1.9.0, but there is a new 1.9.1 version of Snort being released in the next couple of days, and that release will be available on our website. The release version of Snort 1.9.0 had some problems which have been fixed in Snort 1.9.1.

-Michael

--
Michael Steele | System Engineer / Support Technician
mailto:michaels () silicondefense com
Silicon Defense: IDS solutions - http://www.silicondefense.com
Snort: Open Source Network IDS - http://www.snort.org

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Parker, Ian
Sent: Friday, November 08, 2002 7:25 AM
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] Snort Stops Sending Alerts to MySQL

I have Snort V1.8.7 sensors running on three Windows XP SP1 machines, each sending alerts to a central ACID console. Periodically, one or more sensors just stops sending alerts. There is nothing in the event logs to indicate a problem. Stopping and restarting the Snort service fixes the problem.

Has anyone else noticed this kind of behaviour? Is there a way to troubleshoot this?

I would try running V1.9, except that there doesn't seem to be a Windows binary available yet with MySQL support.

Ian Parker, GCWN
Senior Systems Analyst
Upgrading Plant Computing
Syncrude Canada Ltd
(780)790-4631
parker.ian () syncrude com

-----Original Message-----
From: Parker, Ian [mailto:parker.ian () syncrude com]
Sent: Monday, November 04, 2002 3:25 PM
To: 'Michael Steele'; 'Parker, Ian'
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Logging to Remote Syslog and ACID Console

I am using the Kiwi Syslog daemon on a remote Win2K box and I can send the alerts to it using the -s switch. The problem is that use of the -s switch overrides my attempts to also send the alerts to a MySQL database that is also on the Win2K machine.

I understand that a patch was developed to prevent this override behaviour, at least on Windows systems, but it doesn't seem to have made it into the source yet. I couldn't find the patch on sourceforge.net either.

Ian Parker, GCWN
Senior Systems Analyst
Upgrading Plant Computing
Syncrude Canada Ltd
(780)790-4631
parker.ian () syncrude com

-----Original Message-----
From: Michael Steele [mailto:michaels () silicondefense com]
Sent: Monday, November 04, 2002 3:02 PM
To: 'Parker, Ian'
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Logging to Remote Syslog and ACID Console

Ian,

You will need to use a program like Kiwi Syslog Server if you want to shove your logs to a remote syslog server.

This may have been fixed in a CVS version of Snort, not real sure. Some help here guys, Chris? Is this available in the 1.9.x release or in the latest CVS version of 1.9.x? I believe the -s option failed on Windows.

-Michael

--
Michael Steele | System Engineer / Support Technician
mailto:michaels () silicondefense com
Silicon Defense: IDS solutions - http://www.silicondefense.com
Snort: Open Source Network IDS - http://www.snort.org

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Parker, Ian
Sent: Monday, November 04, 2002 9:46 AM
To: 'twig les'; Parker, Ian; 'snort-users () lists sourceforge net'
Subject: RE: [Snort-users] Logging to Remote Syslog and ACID Console

Sorry, I should have pointed out that this is a Windows box, so I don't have a syslog.conf file. If I create one, will Snort look for it? If so, where should it be located?

Ian Parker, GCWN
Senior Systems Analyst
Upgrading Plant Computing
Syncrude Canada Ltd
(780)790-4631
parker.ian () syncrude com

-----Original Message-----
From: twig les [mailto:twigles () yahoo com]
Sent: Monday, November 04, 2002 10:30 AM
To: Parker, Ian; 'snort-users () lists sourceforge net'
Subject: Re: [Snort-users] Logging to Remote Syslog and ACID Console

You don't specify the remote syslog server in the snort.conf file or in the command line. Lose the -s, use snort.conf to tell snort to syslog the stuff, then edit /etc/syslog.conf to use the correct server.

--- "Parker, Ian" <parker.ian () syncrude com> wrote:

> Is it possible to send alerts to both a remote Syslog server and a remote ACID console? I can do one or the other, but if I specify the -s switch in the command line, it overrides the output plug-in for MySQL in the config file. The config file does not seem to allow you to specify a remote Syslog server.
>
> I suppose I could set up a local Syslog server and have it forward stuff to the remote daemon, but I'd like to avoid that complication if possible.
>
> Ian Parker, GCWN
> Senior Systems Analyst
> Upgrading Plant Computing
> Syncrude Canada Ltd
> (780)790-4631
> parker.ian () syncrude com
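Two checks that the thread motivates, written as an added example (this is not code from the thread or from the Snort project): a liveness check that finds sensors whose newest row in the ACID database is older than a threshold, which is the only place the "sensor silently stops inserting alerts" symptom from Ian's Nov 08 post shows up when the event log is clean, and a pre-flight check that flags the -s/snort.conf conflict from the Nov 04 exchange, where -s on the command line overrides the output plugins declared in the config file. The ACID/Snort schema (a `sensor` table with sid and hostname, an `event` table with sid and timestamp), the sensor hostnames, the one-hour threshold and the snort.conf fragment are all assumptions or constructed sample data; in a real deployment the rows would come from a `SELECT s.hostname, MAX(e.timestamp) ... GROUP BY s.sid` against MySQL.

```python
"""Sensor health checks for a Snort -> MySQL/ACID deployment (added example).

Assumed schema (ACID/Snort): sensor(sid, hostname) and event(sid, cid, timestamp).
The constructed dict below stands in for the per-sensor MAX(timestamp) query.
"""
from datetime import datetime, timedelta
import re
import shlex

# Constructed sample: newest event per sensor hostname, as the query would return it.
NOW = datetime(2002, 11, 8, 7, 25)
SAMPLE_LAST_EVENT = {
    "sensor-a": datetime(2002, 11, 8, 7, 20),   # inserted a row 5 minutes ago
    "sensor-b": datetime(2002, 11, 7, 23, 58),  # silent for about 7.5 hours
    "sensor-c": None,                           # registered in `sensor`, no events
}


def stale_sensors(last_event, now, max_silence=timedelta(hours=1)):
    """Return sorted hostnames whose newest event is older than max_silence.

    A sensor with no events at all is reported too: a sensor whose database
    output died at startup looks exactly like one that never came up.
    """
    stale = []
    for host, ts in last_event.items():
        if ts is None or now - ts > max_silence:
            stale.append(host)
    return sorted(stale)


# Constructed snort.conf fragment using Snort 1.x output-plugin syntax.
SAMPLE_CONF = """\
# syslog output declared in the config file instead of via -s
output alert_syslog: LOG_AUTH LOG_ALERT
# database output feeding the central ACID console (placeholder credentials)
output database: alert, mysql, user=snort password=EXAMPLE dbname=snort host=acid-console
"""

OUTPUT_LINE = re.compile(r"^\s*output\s+(\w+)\s*:", re.M)


def configured_outputs(conf_text):
    """List the output plugins declared in snort.conf, in file order."""
    return OUTPUT_LINE.findall(conf_text)


def output_conflicts(conf_text, cmdline):
    """Return warnings about output settings that cancel each other out.

    Per the thread, -s on the command line overrides the output plugins in
    snort.conf on the Windows build, so the MySQL output silently stops; the
    fix suggested there is to drop -s and declare syslog output in snort.conf.
    """
    warnings = []
    outputs = configured_outputs(conf_text)
    args = shlex.split(cmdline)
    if "-s" in args and outputs:
        warnings.append(
            "-s on the command line overrides snort.conf outputs (%s); "
            "remove -s and keep 'output alert_syslog' in snort.conf" % ", ".join(outputs)
        )
    if "database" not in outputs:
        warnings.append("no 'output database' line: nothing will reach the ACID console")
    return warnings


if __name__ == "__main__":
    for host in stale_sensors(SAMPLE_LAST_EVENT, NOW):
        print("no alerts from %s in the last hour: check its Snort service and database output" % host)
    for w in output_conflicts(SAMPLE_CONF, "snort -c snort.conf -s -D"):
        print("WARNING: " + w)
```

Run the liveness check from the console host on a schedule so a sensor that stops inserting rows is noticed without waiting for someone to miss its alerts; the threshold should be tuned per sensor to its normal alert rate, since a quiet network segment can legitimately go an hour without an event.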
=====
Heavy metal made me do it.

-------------------------------------------------------
This SF.net email is sponsored by: ApacheCon, November 18-21 in Las Vegas (supported by COMDEX), the only Apache event to be fully supported by the ASF. http://www.apachecon.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Snort Stops Sending Alerts to MySQL Parker, Ian (Nov 08)
- RE: Snort Stops Sending Alerts to MySQL Michael Steele (Nov 08)
- <Possible follow-ups>
- RE: Snort Stops Sending Alerts to MySQL Parker, Ian (Nov 08)
- RE: Snort Stops Sending Alerts to MySQL Michael Steele (Nov 08)