Snort mailing list archives

RE: MySql and Snort


From: "L. Christopher Luther" <CLuther () Xybernaut com>
Date: Sat, 8 Feb 2003 22:27:30 -0500

Cilin, 

First:  Your problem in a nutshell is the '-E' parameter on the Win32
binary.  Using this alert command line directive disables the output plugins
specified in the snort.conf file.  Using any of the other alert command line
'-A fast', '-A full', etc. will also disable the output plugins specified in
snort.conf.  And yes, this is by design.  

Second:  Do *not* use two output database plugins to the same MySQL
database.  If you do, you'll end up with duplicate data.  Check out:
http://www.theadamsfamily.net/~erek/snort/logging_methods.txt  

If you really want Snort alerts sent to the Win32 Event Log, then use the
syslog output plugin.  By default, under Win32 this will


-----Original Message-----
Date: Fri, 7 Feb 2003 12:41:40 -0800 (PST)
From: Cilin <cilin5 () yahoo com>
Subject: Re: [Snort-users] MySql and Snort
To: Cilin <cilin5 () yahoo com>
Cc: snort-users () lists sourceforge net

Additional Info

I use:

--Windows 2000 SMP machine but have disabled one of
the processors for the sole purpose of using snort
--Snort 1.9
--Latest versions of PHP, Apache and Acid
--IDScenter 1.09 BETA 2.3 (the latest vers)
--------------------------------------
The snort command line is: (as viewed from IDScenter)

C:\Program Files\Snort\snort.exe -c "C:\Program Files\Snort\snort.conf" -l "C:\Program Files\Snort\Log" -E -h www.xxx.yyy.zzz/32 -i 1
--------------------------------------
Output Plugins in snort.conf
1.
output database: log, Mysql, host=www.xxx.yyy.zzz port=3306 dbname=snort user=suser password=**** detail=Full
2.
output database: alert, Mysql, host=www.xxx.yyy.zzz port=3306 dbname=snort user=suser password=**** detail=Full

*I added the 2nd one after following some suggestion I
saw somewhere (I am not sure if 2 plugins can use the
same database though). Snort wasn't logging into mysql
with the first one by itself either.
--------------------------------------

I also tried this:

-Move all rules to /etc/snort
-Change every single line in snort.conf with "include", removing the path
/rules. The lines should be like this: 
include rpc.rules
- restart snort
I hope it helps you.

It didn't, but thanks for trying to help.
[snip]
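As an added example (not code from the thread, from Snort, or from IDScenter), the script below checks a snort.conf excerpt and a Snort command line for the two problems raised in the reply: more than one 'output database:' plugin pointing at the same database, which logs every event twice, and an '-A <mode>' or '-E' switch on the command line, which makes Snort ignore the output plugins in the config file. It assumes the directive syntax shown in the mail ('output database: <log|alert>, <type>, key=value ...', with optional backslash line continuations). The sample config and command line are constructed from the ones in the mail, keeping the same placeholder host, and the "fixed" variant keeps a single database plugin as the reply recommends.

```python
"""Lint a snort.conf output section and a Snort command line for
duplicate database output plugins and for command-line alert switches
that override the config-file output plugins.  Added example; not part
of Snort, IDScenter or the original mail."""
import re
import shlex

# Constructed snort.conf excerpt modelled on the mail: two database
# plugins (log and alert) aimed at the same MySQL database.
CONF_DUPLICATED = r"""
# ... preprocessors and rules omitted ...
output database: log, mysql, host=www.xxx.yyy.zzz port=3306 \
    dbname=snort user=suser password=**** detail=full
output database: alert, mysql, host=www.xxx.yyy.zzz port=3306 \
    dbname=snort user=suser password=**** detail=full
include rpc.rules
"""

# The same excerpt with a single database plugin.
CONF_FIXED = r"""
output database: log, mysql, host=www.xxx.yyy.zzz port=3306 \
    dbname=snort user=suser password=**** detail=full
include rpc.rules
"""

# Constructed command line, as IDScenter showed it in the mail.
CMDLINE_FROM_MAIL = (r'C:\Program Files\Snort\snort.exe -c "C:\Program Files\Snort\snort.conf" '
                     r'-l "C:\Program Files\Snort\Log" -E -h www.xxx.yyy.zzz/32 -i 1')


def join_continuations(text):
    """Glue a line ending in a backslash onto the following line."""
    return re.sub(r"\\[ \t]*\n\s*", " ", text)


def parse_output_plugins(conf_text):
    """Return (plugin_name, facility, db_type, params) for every 'output'
    directive.  Non-database plugins carry None for facility/db_type and
    the raw argument string as params."""
    plugins = []
    for line in join_continuations(conf_text).splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"output\s+(\w+)\s*:\s*(.*)", line)
        if not m:
            continue
        name, args = m.group(1), m.group(2)
        if name != "database":
            plugins.append((name, None, None, args))
            continue
        parts = [p.strip() for p in args.split(",", 2)]
        if len(parts) != 3:
            raise ValueError("malformed database output line: %r" % line)
        facility, db_type, kv = parts
        params = {}
        for token in kv.split():                      # key=value pairs
            key, _, value = token.partition("=")
            params[key.lower()] = value
        plugins.append((name, facility.lower(), db_type.lower(), params))
    return plugins


def duplicate_database_targets(conf_text):
    """Map each (host, port, dbname) written by more than one database
    plugin to the list of facilities that write to it."""
    seen = {}
    for name, facility, _db_type, params in parse_output_plugins(conf_text):
        if name != "database":
            continue
        target = (params.get("host", "localhost"),
                  params.get("port", ""), params.get("dbname", ""))
        seen.setdefault(target, []).append(facility)
    return {t: f for t, f in seen.items() if len(f) > 1}


def output_overridden_by_cmdline(cmdline):
    """Return the '-A <mode>' or '-E' switch that overrides the config-file
    output plugins, or None if the command line has neither."""
    # posix=False keeps Windows backslashes literal and quoted paths intact.
    argv = shlex.split(cmdline, posix=False)
    for i, arg in enumerate(argv):
        if arg == "-E":
            return "-E"
        if arg == "-A" and i + 1 < len(argv):
            return "-A " + argv[i + 1]
        if arg.startswith("-A") and len(arg) > 2:     # '-Afast' form
            return "-A " + arg[2:]
    return None


if __name__ == "__main__":
    for label, conf in (("duplicated", CONF_DUPLICATED), ("fixed", CONF_FIXED)):
        print(label, "duplicate targets:", duplicate_database_targets(conf))
    print("command line override:", output_overridden_by_cmdline(CMDLINE_FROM_MAIL))
```

Run it as-is to see the duplicated config flagged on host www.xxx.yyy.zzz/db snort by both the log and alert facilities, the single-plugin config pass clean, and '-E' reported as the switch that silences the config-file plugins; point the functions at a real snort.conf and the command line from IDScenter to check a live install.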
