RE: Mysql, log and portscan..

["L. Christopher Luther" <CLuther () Xybernaut com>]

Marco,  

A couple of things to consider:  

1) Your startup command line parameters '-A full' and '-b':  

>       daemon /usr/sbin/snort -A full -b -l /var/log/snort -d -D \
>                -i $INTERFACE -c /etc/snort/snort.conf

will disable the various 'output ...' plugins you're using in the snort.conf
file; I understand that this is by design.  

If you want to log to both MySQL and a text file in /var/log/snort, then
drop the '-A full' and '-b' command line parameters and use the following
'output' plug-ins in your snort.conf file:  

  output alert_full: alert.full
  output database: alert, mysql, user=myuser dbname=snort host=localhost
password=mypass

The filename, alert.full, should be replaced with whatever filename you wish
to use.  The alerts will be written in the default logging directory
(/var/log/snort) or in the logging directory specified at the command line.
Inside the logging directory, a directory per IP will be created. These
files will be decoded packet dumps of the packets that triggered the alerts.


You could also use:  

  output log_tcpdump: snort.log  

in place of the '-b' parameter.  The log_tcpdump module logs packets to a
tcpdump-formatted file. This is useful for performing post process analysis
on collected traffic with the vast number of tools that are avialable for
examining tcpdump formatted files.  This module only takes a single
argument, the name of the output file.   Note that the file name will have
the "<month><date>@<time>-" prepended to the file name. This is so data from
separate snort runs can be kept distinct.  


Regards,

Christopher


-----Original Message-----
Message: 1
From: "Marco A. mateos" <specka () specka com>
To: Snort-Users <snort-users () lists sourceforge net>
Organization: SePecKa.CoM
Date: 11 Jan 2003 21:20:36 +0100
Subject: [Snort-users] Mysql, log and portscan..


Hello, I'm a new user from snort 1.9.0 on redhat 7.2 (snort+snort+ACID)

I have a problem and don't see solution.

[...snip...]
output alert_syslog: LOG_AUTH LOG_ALERT
#output log_tcpdump: snort.log
output database: alert, mysql, user=3Dmyuser dbname=3Dsnort
host=3Dlocalhos=t
password=3Dmypass

[...snip...]

#####################################################################
        ### This line change activitie That write to log
/var/log/snort/alert
        daemon /usr/sbin/snort -A full -b -l /var/log/snort -d -D \
                 -i $INTERFACE -c /etc/snort/snort.conf
#####################################################################
        ## If delete -A full -b  Write to mysql database snort
#####################################################################      =

[...snip...]

Neither it works.
The logs goes to the text file, or to mysql.
In any case I am able to see scan of ports, and for another tool I am
certain that I have them (portsentry).

I like write log to alert and portscan also because I like send with
extractor 4.0 to https://analyzer.securityfocus.com/.=20
All to mysql database for see with ACID. All afternoon, work with this.=20


Thanks for you help. My english it's bad.


Marco A. Mateos - Linux User: 209189
www.lomejordeinternet.net / specka.com
graficas.lomejordeinternet.net - Portal de Artes Gr=C3=A1ficas
hosting.lomejordeinternet.net - Hosting, housing y consultoria
specka () quitaesto specka com / ICQ: 172542875
Clave P=C3=BAblica disponible en pgp.rediris.es