Re: snort will not log to mysql

["Ron Shuck" <rshuck () Buchanan com>]

Snort 1.9.0 changed the way portscans are identified, at least if using
the new portscan plugin. This should be fixed in the CVS tree for ACID.
If I remember right you can modify the file 'acid_stat_common.php'
roughly lines 174,177.

Hope that helps.

Ron Shuck, CISSP, GCIA, CCSE - Managing Consultant 
Buchanan Associates - A Technology Company in the People Business 
http://www.buchanan.com 
http://www.isc2.org
http://www.giac.org


-----Original Message-----
From: snort-users-request () lists sourceforge net
[mailto:snort-users-request () lists sourceforge net] 
Sent: Thursday, June 05, 2003 7:20 AM
To: snort-users () lists sourceforge net
Subject: Snort-users digest, Vol 1 #3237 - 11 msgs


Message: 1
Date: Thu, 5 Jun 2003 08:50:43 +0200
From: Hans Steinraht <hsteinraht () openlot com>
To: Bamm Visscher <bamm () satx rr com>
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] snort will not log to mysql
Organization: Openlot

This works, thanks.

On little question, in acid the bar for Portscan Traffic keeps the value
0%, but when I click on it the scans are reported there. Any idea how
that comes

Hans


On Wed, Jun 04, 2003 at 07:48:07AM -0500, Bamm Visscher wrote:
> The portscan preprocs call the 'alert' function, not the 'log' 
> function. Change your config so that the data base output plugin 
> attaches to the 'alert' facility:
>
>    output database: alert, mysql, user=snort password=snort 
> dbname=snort host=localhost
>
> Bammkkkk
>
> On Tue, Jun 03, 2003 at 03:42:48PM +0200, Hans Steinraht wrote:
> > --
> > Hi,
> >
> > i'm just started playing with snort (version 2.0.0-3.1) on Linux 
> > Debian.
> >
> > When I add some rules like these in local.rules:
> >   #alert ip any any -> any any (msg:"Got an IP packet";)
> >   #alert tcp any any -> any any (msg:"Got an TCP packet";)
> >   #alert udp any any -> any any (msg:"Got an UDP packet";)
> >   #alert icmp any any -> any any (msg:"Got an ICMP packet";)
> >
> > all kind of data is inserted in mysql.
> >
> >
> > When I remove the rules and do a scan to the firewall computer in 
> > our network I see entrys like "[**] [117:1:1] (spp_portscan2) 
> > Portscan detected ....." in my alert.log and in the portscan2.log, 
> > but nothing goes to mysql.
> >
> > The snort.conf file I have looks like this:
> >
> >   output database: log, mysql, user=snort password=snort
dbname=snort
> >   host=localhost
> >
> >   preprocessor portscan2: scanners_max 256, targets_max 1024,
target_limit 5,
> >   port_limit 20, timeout 60, log portscan2.log
> >
> > When I remove the option log from preprocessor portscan2 its going 
> > to log to scan.log, but still not to mysql.
> >
> > Does anyone has some advice for me on this.
> >
> > thanks,
> > Hans

-- 
_________________________
Hans Steinraht
Openlot
Wibautstraat 3
1091 GH Amsterdam
The Netherlands
hsteinraht () openlot com
Phone:   +3120 596 1840
Fax:     +3120 596 3162
www.openlot.com
_________________________



-------------------------------------------------------
This SF.net email is sponsored by:  Etnus, makers of TotalView, The best
thread debugger on the planet. Designed with thread debugging features
you've never dreamed of, try TotalView 6 free at www.etnus.com.
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users