Snort mailing list archives
RE: (no subject)
From: "Brian Gregorcy" <bgregor () dcti com>
Date: Fri, 30 May 2003 08:47:28 -0600
Are there alerts that are being thrown? Snort does not have rules in its local.rules file, so if you are local to the snort machine then there will not be any alerts/logging to be done. You can add this line to the local.rules file to see:

    alert ip !$HOME_NET any -> $HOME_NET any (msg:"LOCAL TEST";)

Good luck

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net]On Behalf Of Robin Johnson
Sent: Friday, May 30, 2003 8:12 AM
To: Robin Johnson; 'Patrick S. Harper'
Cc: 'snort-users () lists sourceforge net'
Subject: RE: [Snort-users] (no subject)

This is what I'm getting from 127.0.0.1/acid_main.php

Added 0 alert(s) to the Alert cache
Queried on : Fri May 30, 2003 15:08:37
Database: snort@localhost (schema version: 0)
Time window: no alerts detected
Sensors: 0
Unique Alerts: 0
Total Number of Alerts: 0
Source IP addresses: 0
Dest. IP addresses: 0
Unique IP links 0
Source Ports: 0 TCP ( 0) UDP ( 0)
Dest. Ports: 0 TCP ( 0) UDP ( 0)
Traffic Profile by Protocol
TCP (0%)
UDP (0%)
ICMP (0%)
--------------------------------------------------------------------------------
Portscan Traffic (0%)
Search
Graph Alert data (EXPERIMENTAL)
Snapshot
Most recent Alerts: any protocol, TCP, UDP, ICMP
Today's: alerts unique, listing; IP src / dst
Last 24 Hours: alerts unique, listing; IP src / dst
Last 72 Hours: alerts unique, listing; IP src / dst
Most recent 15 Unique Alerts
Last Source Ports: any , TCP , UDP
Last Destination Ports: any , TCP , UDP
Most frequent 5 Alerts
Most Frequent Source Ports: any , TCP , UDP
Most Frequent Destination Ports: any , TCP , UDP
Most frequent 15 addresses: source, destina

-----Original Message-----
From: Robin Johnson
Sent: 30 May 2003 15:11
To: 'Patrick S. Harper'; Robin Johnson
Cc: 'snort-users () lists sourceforge net'
Subject: RE: [Snort-users] (no subject)

Yep

In my snort.conf I have this entry

    output database: log, mysql, dbname=snort user=snort host=localhost password=abc

In the sql database I have the following

    +-----------------+
    | Tables_in_snort |
    +-----------------+
    | acid_ag         |
    | acid_ag_alert   |
    | acid_event      |
    | acid_ip_cache   |
    | event           |
    | icmphdr         |
    | iphdr           |
    | sensor          |
    | snort           |
    | tcphdr          |
    | udphdr          |
    +-----------------+

When I run snort from the command line to /var/log/snort it works every time! But I can't get it to log to the database. Any ideas??

-----Original Message-----
From: Patrick S. Harper [mailto:lists () internetsecurityguru com]
Sent: 30 May 2003 06:02
To: Robin Johnson
Cc: 'snort-users () lists sourceforge net'
Subject: Re: [Snort-users] (no subject)

http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.5.7
http://www.snort.org/docs/faq.html#6.15

Did you compile with any options for databases? Check your snort.conf file.

On Thu, 2003-05-29 at 05:42, Robin Johnson wrote:

Hi, excuse my ignorance but perhaps someone can help me! New to the mailing list and first time in building snort2 with ACID on Mandrake 9.1, running latest version of mysql and php. My question is: does anyone know how to get snort to stop logging locally and actually put the data into the mysql database, so when acid queries the database it gets back useful information?

cheers
Rob
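
An added illustration, not part of the original thread and not Snort's own code: a minimal Python model of how the address part of the LOCAL TEST rule header is matched, showing that traffic originating inside HOME_NET does not fire it. The HOME_NET value and the sample addresses are constructed assumptions; ports and bracketed address lists are not modelled.

```python
import ipaddress
import re

# Assumed value for illustration; the thread never states the poster's HOME_NET.
VARS = {"HOME_NET": "192.168.1.0/24"}

RULE = 'alert ip !$HOME_NET any -> $HOME_NET any (msg:"LOCAL TEST";)'

HEADER = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$')

def parse_rule(rule):
    """Split a rule into header fields and pull out the msg option."""
    m = HEADER.match(rule)
    if not m:
        raise ValueError("not a valid rule header: %r" % rule)
    fields = m.groupdict()
    msg = re.search(r'msg\s*:\s*"([^"]*)"\s*;', fields["opts"])
    fields["msg"] = msg.group(1) if msg else None
    return fields

def addr_matches(spec, ip, variables=VARS):
    """Match one address spec: 'any', a CIDR, or $VAR, optionally negated with '!'."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec.startswith("$"):
        spec = variables[spec[1:]]
    hit = spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)
    return hit != negate

def rule_fires(rule, src_ip, dst_ip):
    """True if the packet's addresses satisfy the rule header (ports ignored)."""
    r = parse_rule(rule)
    forward = addr_matches(r["src"], src_ip) and addr_matches(r["dst"], dst_ip)
    if r["dir"] == "<>":
        return forward or (addr_matches(r["src"], dst_ip)
                           and addr_matches(r["dst"], src_ip))
    return forward

# Constructed sample packets: (source, destination, description)
PACKETS = [
    ("203.0.113.7", "192.168.1.10", "outside host -> sensor network"),
    ("192.168.1.10", "192.168.1.20", "inside host -> inside host"),
    ("127.0.0.1", "127.0.0.1", "loopback on the sensor itself"),
]

if __name__ == "__main__":
    for src, dst, what in PACKETS:
        print("%-32s %s" % (what, "ALERT" if rule_fires(RULE, src, dst) else "no match"))
```
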