Snort mailing list archives
RE: Mysql, log and portscan..
From: "L. Christopher Luther" <CLuther () Xybernaut com>
Date: Mon, 13 Jan 2003 13:33:01 -0500
Marco,

A couple of things to consider:

1) Your startup command line parameters '-A full' and '-b':

    daemon /usr/sbin/snort -A full -b -l /var/log/snort -d -D \
        -i $INTERFACE -c /etc/snort/snort.conf

will disable the various 'output ...' plugins you're using in the snort.conf file; I understand that this is by design. If you want to log to both MySQL and a text file in /var/log/snort, then drop the '-A full' and '-b' command line parameters and use the following 'output' plug-ins in your snort.conf file:

    output alert_full: alert.full
    output database: alert, mysql, user=myuser dbname=snort host=localhost password=mypass

The filename, alert.full, should be replaced with whatever filename you wish to use. The alerts will be written in the default logging directory (/var/log/snort) or in the logging directory specified at the command line. Inside the logging directory, a directory per IP will be created. These files will be decoded packet dumps of the packets that triggered the alerts.

You could also use:

    output log_tcpdump: snort.log

in place of the '-b' parameter. The log_tcpdump module logs packets to a tcpdump-formatted file. This is useful for performing post-process analysis on collected traffic with the vast number of tools that are available for examining tcpdump-formatted files. This module only takes a single argument, the name of the output file. Note that the file name will have "<month><date>@<time>-" prepended to it. This is so data from separate snort runs can be kept distinct.

Regards,
Christopher

-----Original Message-----
Message: 1
From: "Marco A. mateos" <specka () specka com>
To: Snort-Users <snort-users () lists sourceforge net>
Organization: SePecKa.CoM
Date: 11 Jan 2003 21:20:36 +0100
Subject: [Snort-users] Mysql, log and portscan..

Hello,

I'm a new user of snort 1.9.0 on Red Hat 7.2 (snort+snort+ACID). I have a problem and don't see a solution.

[...snip...]

    output alert_syslog: LOG_AUTH LOG_ALERT
    #output log_tcpdump: snort.log
    output database: alert, mysql, user=myuser dbname=snort host=localhost password=mypass

[...snip...]

    #####################################################################
    ### This line change activity that writes to log /var/log/snort/alert
    daemon /usr/sbin/snort -A full -b -l /var/log/snort -d -D \
        -i $INTERFACE -c /etc/snort/snort.conf
    #####################################################################
    ## If I delete -A full -b it writes to the mysql database snort
    #####################################################################

[...snip...]

Neither works. The logs go to the text file, or to MySQL. In any case I am able to see port scans, and from another tool I am certain that I have them (portsentry). I would like to write the log to alert and portscan also, because I would like to send it with extractor 4.0 to https://analyzer.securityfocus.com/. All to the MySQL database to see with ACID. All afternoon working on this.

Thanks for your help. My English is bad.

Marco A. Mateos - Linux User: 209189
www.lomejordeinternet.net / specka.com
graficas.lomejordeinternet.net - Graphic Arts portal
hosting.lomejordeinternet.net - Hosting, housing and consulting
specka () quitaesto specka com / ICQ: 172542875
Public key available at pgp.rediris.es
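The diagnosis in the reply above (command-line '-A'/'-b' take precedence over the 'output' plugins in snort.conf, so the MySQL plugin never runs while those flags are present) is easy to re-introduce the next time someone edits the init script. The following shell function is an added example, not code from either poster or from the Snort project: it lints a snort command line against a snort.conf and reports any active 'output' plugin that the command-line flags would override. The function name, the two sample command lines (the one from the thread and a corrected one) and the sample snort.conf are all constructed for this example; the override behaviour it checks for is assumed to be as the reply describes.

```shell
#!/bin/sh
# Added example: lint a snort command line against snort.conf for the
# conflict described in the thread. Assumes (as the reply states) that -A
# and/or -b on the command line take precedence over 'output ...' plugins
# in snort.conf. Function name and sample inputs are constructed.

# Usage: snort_output_conflicts "<snort command line>" <path to snort.conf>
# Prints one line per overridden plugin; exit status 1 if any, else 0.
snort_output_conflicts() {
    cmdline=$1
    conf=$2
    # Names of active (uncommented) output plugins in snort.conf;
    # '#output ...' lines are ignored because they do not start with 'output'.
    plugins=$(sed -n 's/^[[:space:]]*output[[:space:]][[:space:]]*\([A-Za-z_]*\).*/\1/p' "$conf")
    [ -z "$plugins" ] && return 0
    overriding=""
    # Walk the command-line tokens. Only single-dash option clusters
    # (-A, -b, -bD, ...) matter; arguments, paths and long options are skipped.
    set -- $cmdline
    for tok in "$@"; do
        case $tok in --*|[!-]*) continue ;; esac
        case $tok in *A*) overriding="$overriding -A" ;; esac
        case $tok in *b*) overriding="$overriding -b" ;; esac
    done
    [ -z "$overriding" ] && return 0
    for p in $plugins; do
        printf 'conflict: command-line%s overrides "output %s" in %s\n' \
            "$overriding" "$p" "$conf"
    done
    return 1
}

# --- demonstration with constructed inputs (mirrors the thread) ---
tmpconf=$(mktemp)
trap 'rm -f "$tmpconf"' EXIT
cat >"$tmpconf" <<'EOF'
output alert_full: alert.full
#output log_tcpdump: snort.log
output database: alert, mysql, user=myuser dbname=snort host=localhost password=mypass
EOF

# The startup line from the thread: -A full and -b are present.
BROKEN='/usr/sbin/snort -A full -b -l /var/log/snort -d -D -i eth0 -c /etc/snort/snort.conf'
# The corrected line: let the 'output' plugins in snort.conf do the logging.
FIXED='/usr/sbin/snort -l /var/log/snort -d -D -i eth0 -c /etc/snort/snort.conf'

snort_output_conflicts "$BROKEN" "$tmpconf" || echo "fix: drop -A/-b from the command line"
snort_output_conflicts "$FIXED" "$tmpconf" && echo "ok: snort.conf output plugins will be used"
```

Run against the init script's command line and /etc/snort/snort.conf before restarting the daemon; a non-zero exit means the database plugin (or any other listed plugin) will not be loaded as configured.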
Current thread:
- Mysql, log and portscan.. Marco A. mateos (Jan 11)
- <Possible follow-ups>
- RE: Mysql, log and portscan.. L. Christopher Luther (Jan 13)