Snort mailing list archives
RE: MySql and Snort
From: "L. Christopher Luther" <CLuther () Xybernaut com>
Date: Sat, 8 Feb 2003 22:27:30 -0500
Cilin,

First: Your problem in a nutshell is the '-E' parameter on the Win32 binary. Using this alert command line directive disables the output plugins specified in the snort.conf file. Using any of the other alert command line '-A fast', '-A full', etc. will also disable the output plugins specified in snort.conf. And yes, this is by design.

Second: Do *not* use two output database plugins to the same MySQL database. If you do, you'll end up with duplicate data. Check out: http://www.theadamsfamily.net/~erek/snort/logging_methods.txt

If you really want Snort alerts sent to the Win32 Event Log, then use the syslog output plugin. By default, under Win32 this will

-----Original Message-----
Date: Fri, 7 Feb 2003 12:41:40 -0800 (PST)
From: Cilin <cilin5 () yahoo com>
Subject: Re: [Snort-users] MySql and Snort
To: Cilin <cilin5 () yahoo com>
Cc: snort-users () lists sourceforge net

Additional Info

I use:
--Windows 2000 SMP machine but have disabled one of the processors for the sole purpose of using snort
--Snort 1.9
--Latest versions of PHP, Apache and Acid
--IDScenter 1.09 BETA 2.3 (the latest vers)

--------------------------------------
The snort command line is: (as viewed from IDScenter)

C:\Program Files\Snort\snort.exe -c "C:\Program Files\Snort\snort.conf" -l "C:\Program Files\Snort\Log" -E -h www.xxx.yyy.zzz/32 -i 1

--------------------------------------
Output Plugins in snort.conf

1. output database: log, Mysql, host=www.xxx.yyy.zzz port=3306 dbname=snort user=suser password=**** detail=Full
2. output database: alert, Mysql, host=www.xxx.yyy.zzz port=3306 dbname=snort user=suser password=**** detail=Full

*I added the 2nd one after following some suggestion I saw somewhere (I am not sure if 2 plugins can use the same database though). Snort wasn't logging into mysql with the first one by itself either.

--------------------------------------
I also tried this:

-Move all rules to /etc/snort
-Change every single line in snort.conf with "include" removing path /rules. The lines should be like this: include rpc.rules
- restart snort

I hope it should help you.

It didn't, but thanks for trying to help.

[snip]
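The two problems named in the reply above (an alert-mode switch on the command line overriding the snort.conf output plugins, and two database plugins writing to the same MySQL database) can be caught before Snort is started. The following checker is an added example, not code from the thread or from the Snort project; it applies the rules as stated in the reply to Cilin's own command line and output lines, and the sample values it embeds are taken from the post (IP and password are the poster's placeholders).

```python
"""Check a Snort 1.9-style snort.conf and command line for the two problems
raised in the thread. Constructed example, not Snort's own code; the rules
it applies come from the reply above (an -E or -A switch on the command line
disables the output plugins in snort.conf; two database plugins to the same
database write duplicate rows)."""
import re

OUTPUT_DB_RE = re.compile(r"^\s*output\s+database\s*:\s*(\w+)\s*,\s*(\w+)\s*,(.*)$", re.I)

def parse_output_db(conf_text):
    """Return one (facility, backend, params) tuple per 'output database:' line."""
    plugins = []
    for line in conf_text.splitlines():
        m = OUTPUT_DB_RE.match(line)
        if m:
            params = dict(kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)
            plugins.append((m.group(1).lower(), m.group(2).lower(), params))
    return plugins

def duplicate_targets(plugins):
    """Map (backend, host, dbname) -> facilities for targets used more than once."""
    by_target = {}
    for facility, backend, params in plugins:
        key = (backend, params.get("host", "localhost"), params.get("dbname", ""))
        by_target.setdefault(key, []).append(facility)
    return {k: v for k, v in by_target.items() if len(v) > 1}

def alert_switches(cmdline):
    """Return the command-line alert switches (-E, -A) that override snort.conf output."""
    return [tok for tok in cmdline.split() if tok in ("-E", "-A")]

def lint(conf_text, cmdline):
    """Return a list of human-readable findings; empty means the setup looks sane."""
    findings = []
    for sw in alert_switches(cmdline):
        findings.append(f"{sw} on the command line disables snort.conf output plugins")
    for (backend, host, dbname), facs in duplicate_targets(parse_output_db(conf_text)).items():
        findings.append(f"{len(facs)} {backend} plugins ({', '.join(facs)}) write to {host}/{dbname}: duplicate rows")
    return findings

# Constructed sample mirroring the thread's config (IP and password are the poster's placeholders)
SAMPLE_CONF = """\
output database: log, Mysql, host=www.xxx.yyy.zzz port=3306 dbname=snort user=suser password=**** detail=Full
output database: alert, Mysql, host=www.xxx.yyy.zzz port=3306 dbname=snort user=suser password=**** detail=Full
"""
SAMPLE_CMD = r'snort.exe -c "C:\Program Files\Snort\snort.conf" -l "C:\Program Files\Snort\Log" -E -h www.xxx.yyy.zzz/32 -i 1'
FIXED_CMD = r'snort.exe -c "C:\Program Files\Snort\snort.conf" -l "C:\Program Files\Snort\Log" -h www.xxx.yyy.zzz/32 -i 1'

if __name__ == "__main__":
    for f in lint(SAMPLE_CONF, SAMPLE_CMD):
        print("WARNING:", f)
```

Run against the thread's setup it reports both findings; with -E dropped and only one of the two database lines kept it reports none.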
Current thread:
- RE: MySql and Snort L. Christopher Luther (Feb 05)
- <Possible follow-ups>
- RE: MySql and Snort L. Christopher Luther (Feb 08)
- RE: MySql and Snort L. Christopher Luther (Feb 08)