Snort mailing list archives

RE: Snort logging


From: "Slighter, Tim" <tslighter () itc nrcs usda gov>
Date: Mon, 30 Dec 2002 08:23:35 -0700

What exactly does your line look like for mysql in your snort.conf file?

it should be something like this:
output database: log, mysql, user=snort dbname=snort host=localhost

and NOT like this:

output database: alert, mysql, user=snort dbname=snort host=localhost

The word "Alert" being the key word.  Many people claim that this should not
be an issue, but from personal experience, changing from "log" to "alert"
does appear to force snort to send alerts to the database only, without the
alert file being populated.  On the reverse side, changing it to "log"
should fulfil your requirements.

-----Original Message-----
From: Sasa Jusic [mailto:sasa.jusic () zesoi fer hr]
Sent: Monday, December 30, 2002 7:32 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort logging


Hi,

My name is Sasa and I have recently joined this mailing list, which I
find very interesting and useful.

I have some experience in running Snort, but I am still learning and testing
its capabilities. I think it is a great product, and that it is very useful
for network monitoring and intrusion detection.

Right now I'm using Snort 1.9.0 as an IDS system on our network, and it is
configured for MySQL database logging (output database: log, mysql,
dbname=xxx user=xxx password=xxx hostname=127.0.0.1). For data analysis and
system monitoring I am using Snortsnarf in combination with ACID, and it
works just fine.

But, there is one thing bothering me, and I don't know where the problem is.
In my /var/log/snort dir there are no other logs except the portscan.log and
alert log files.

Snort logs its data to the MySQL database but there are no logs in
/var/log/snort.

I'm running Snort with following arguments:

snort -de -h xxx.xxx.xxx.xxx -l /var/log/snort -c /etc/snort/snort.conf

In my conf file I just configured the MySQL output plugin, as stated before (I
can't see any other parameter in snort.conf which could influence this
problem).

I thought it would by default log normally to /var/log/snort, besides logging
to the MySQL database.

How can I configure Snort to log data to the MySQL database and the
/var/log/snort dir at the same time?

Thanks for your help,

Sasa Jusic,
e-mail: sasa.jusic () zesoi fer hr
Laboratory for Systems and Signal, FER
Croatia


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
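As an added example (not code from either poster or from the Snort project): a small Python lint that reads the output lines of a snort.conf, reports the facility ("log" or "alert") on each `output database:` line, which is the distinction the reply above turns on, lists the key=value parameters, and notes which file-writing output plugins are also declared. The sample conf text is constructed here; the accepted parameter names and the file-writing plugin names are assumed from the Snort 1.9 plugin documentation and may differ for other versions.

```python
import re
from typing import Dict, List

# Constructed snort.conf fragment for this example (not from the thread):
# a line in the questioner's style, the "alert" form the reply warns
# about, and one file-based output plugin.
SAMPLE_CONF = """\
# constructed example fragment of snort.conf
output database: log, mysql, dbname=snort user=snort password=s3cret hostname=127.0.0.1
output database: alert, mysql, user=snort dbname=snort host=localhost
output alert_fast: alert
"""

# Parameter names of the Snort 1.9 database output plugin, assumed here
# from its README.database; adjust for other Snort versions.
KNOWN_PARAMS = {"host", "port", "dbname", "user", "password",
                "sensor_name", "encoding", "detail"}

# Output plugins that write files under the directory given with -l
# (assumption: standard Snort 1.9 plugin names).
FILE_PLUGINS = {"alert_fast", "alert_full", "log_tcpdump", "alert_unixsock"}

OUTPUT_RE = re.compile(r"^\s*output\s+(\w+)\s*:\s*(.*?)\s*$")


def parse_database_args(args: str) -> Dict:
    """Split 'log, mysql, k=v k=v ...' into facility, db type and params."""
    parts = [p.strip() for p in args.split(",", 2)]
    if len(parts) < 2:
        raise ValueError(f"malformed database output line: {args!r}")
    params = {}
    if len(parts) == 3:
        for token in parts[2].split():
            key, _, value = token.partition("=")
            params[key] = value
    return {"facility": parts[0], "db": parts[1], "params": params}


def lint_conf(text: str) -> List[Dict]:
    """Return one record per 'output' line, with any issues found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = OUTPUT_RE.match(line)
        if not m:
            continue  # comments, rules and other directives are skipped
        plugin, args = m.groups()
        record = {"line": lineno, "plugin": plugin, "issues": []}
        if plugin == "database":
            parsed = parse_database_args(args)
            record.update(parsed)
            if parsed["facility"] == "alert":
                record["issues"].append(
                    "facility 'alert' rather than 'log' (see the reply above)")
            unknown = sorted(set(parsed["params"]) - KNOWN_PARAMS)
            if unknown:
                record["issues"].append(
                    "parameter(s) not in the assumed list: " + ", ".join(unknown))
            if "password" in parsed["params"]:
                record["issues"].append(
                    "plaintext DB password in snort.conf; keep the file "
                    "readable only by the user snort runs as")
        findings.append(record)
    return findings


def file_output_plugins(findings: List[Dict]) -> List[str]:
    """Names of declared plugins that write into the -l directory."""
    return sorted({f["plugin"] for f in findings if f["plugin"] in FILE_PLUGINS})


if __name__ == "__main__":
    results = lint_conf(SAMPLE_CONF)
    for r in results:
        status = "; ".join(r["issues"]) or "ok"
        print(f"line {r['line']}: output {r['plugin']} -> {status}")
    print("file-writing output plugins:", file_output_plugins(results) or "none")
```

Run it against a real snort.conf by replacing SAMPLE_CONF with the file's contents; the password finding is there because a database password in snort.conf is only as protected as the file's permissions.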